04-03-2008 04:39 AM - edited 02-21-2020 03:39 PM
Hello!
Part of my ASA 5510 config:
interface Ethernet0/0
 description local network interface
 nameif localnet
 security-level 100
 ip address 192.168.15.31 255.255.255.0
!
interface Ethernet0/1
 nameif external
 security-level 0
 ip address x.x.x.20 255.255.255.248
.....
nat (localnet) 1 192.168.15.0 255.255.255.0
.....
route localnet 192.168.1.0 255.255.255.0 192.168.15.1 1
route localnet 192.168.11.0 255.255.255.0 192.168.15.1 1
route localnet 192.168.168.0 255.255.255.0 192.168.15.1 1
I want to connect by VPN to the ASA from the "localnet" interface (from the 192.168.1.0 network), using the VPN wizard:
access-list CiscoASA_splitTunnelAcl standard permit any
username vpnuser password xxx encrypted privilege 0
username vpnuser attributes
 vpn-group-policy CiscoASA
ip local pool vpnpool 192.168.87.1-192.168.87.20
group-policy CiscoASA internal
group-policy CiscoASA attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoASA_splitTunnelAcl
 dns-server value 192.168.15.33
 wins-server value 192.168.15.33
 default-domain value dssa.ru
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
 default-group-policy CiscoASA
 address-pool vpnpool
tunnel-group CiscoASA ipsec-attributes
 pre-shared-key CisCo
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map localnet_dyn_map 20 set pfs group2
crypto dynamic-map localnet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map localnet_map 65535 ipsec-isakmp dynamic localnet_dyn_map
crypto map localnet_map interface localnet
After that I can connect to the ASA using the Cisco VPN client, but I can't access anything: no LAN, no internet, no ASA...
How can I get access?
Thanks for any answers.
04-03-2008 05:21 AM
After connecting, the VPN client statistics show:
Bytes received: 0
Bytes sent: 22722
Local LAN: disabled
but I checked "Allow local LAN access" ...
04-03-2008 09:49 AM
Hi Sergey,
Assuming that your isakmp entries are correct (that you can establish connection)
1) Do not use "any" statements in ACLs that define networks, like split tunneling. Issue the following
no access-list CiscoASA_splitTunnelAcl standard permit any
access-list CiscoASA_splitTunnelAcl permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
2) Issue the following command
crypto isakmp nat-traversal 20
3) There is really no sense in terminating the VPN connection at the "localnet" interface, which has the highest security level.
Regards
04-04-2008 03:32 AM
Sergey,
Add the following
access-list inside_nat0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
nat (localnet) 0 access-list inside_nat0_outbound
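An added check, not from the thread, that can be run over an ASA config snippet before applying a NAT exemption like the one above: it parses `ip local pool`, `access-list ... permit ip` and `nat (iface) 0 access-list` lines, then reports a `nat 0` that references an ACL name that is not defined (an easy typo to make) or a pool that the exempt ACL's destination network does not fully cover. The config text inside is constructed for the example (the ACL name is deliberately misspelled in the definition), and the regexes are simplified and assume one command per line.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): the ACL is defined under a
# misspelled name, so the nat 0 line references an ACL that does not exist.
SAMPLE_CONFIG = """
ip local pool vpnpool 192.168.87.1-192.168.87.20
access-list inside_na0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
nat (localnet) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def parse_config(text):
    """Collect address pools, ACL entries (src, dst networks) and nat 0 references."""
    pools, acls, nat0 = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0.append((m[1], m[2]))
    return pools, acls, nat0


def check_nat_exemption(text):
    """Return a list of findings; an empty list means every pool is NAT-exempt."""
    pools, acls, nat0 = parse_config(text)
    findings = []
    for iface, acl_name in nat0:
        if acl_name not in acls:
            findings.append(f"nat ({iface}) 0 references undefined ACL {acl_name}")
            continue
        for pool_name, (first, last) in pools.items():
            # The whole pool range must sit inside the destination of some ACL entry.
            covered = any(first in dst and last in dst for _, dst in acls[acl_name])
            if not covered:
                findings.append(f"pool {pool_name} not fully covered by ACL {acl_name}")
    return findings


if __name__ == "__main__":
    for finding in check_nat_exemption(SAMPLE_CONFIG):
        print(finding)
```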
04-04-2008 06:14 AM
Many thanks!!!
After your help I can access the local LAN 192.168.15.0 ))))
But one problem remains (((
The ASA is the gateway to the internet for computers on the 192.168.15.0 network.
How can I reach the internet through the ASA over the VPN (from IP 192.168.87.1)?
04-04-2008 06:27 AM
Sergey,
Nice to hear that your problem is resolved, and thanks for rating.
I have a question before answering yours. Terminating VPN at the inside interface, as you do now, is not a common practice. Do you have a specific reason for this?
Regards
04-04-2008 06:41 AM
Huseyin,
I have the following reason: my PC has IP 192.168.1.7 on the 192.168.1.0/24 network and default gateway 192.168.1.1, through which I reach the internet. I need to reach the internet through the ASA (a different internet connection).
04-04-2008 01:11 PM
I didn't understand this, actually; your inside users can already set the ASA as their gateway and connect to the internet via it. VPN is usually for users who are outside of your infrastructure.
04-06-2008 08:51 PM
No, between my part of the localnet and the ASA's part of the localnet there are 3 switches, and 2 of them have DG 192.168.1.1; only the last switch has DG 192.168.15.1.