Cisco ASA 5505 - VPN Configuration

Answered Question

I am trying to set up a VPN connection to allow clients to access the internal network. I have tried using the VPN wizard time & time again, but the client will connect but can get out to the internet & communicate with any host on the network. I have tried using a DHCP VPN pool in either the 192.x.x.x or the 10.10.1.X network, but no luck.


Any comments or suggestions appreciated.



Marwan ALshawi Tue, 09/16/2008 - 22:09

To solve your problem you need split tunneling.

With split tunneling you're going to include what should be tunneled over the VPN; anything else will go to the normal client setting, like the default gateway for internet.

do:

access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0

group-policy VPNT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List

so only traffic included in ACL Split_Tunnel_List will be included in the VPN tunnel; anything else, as mentioned, will use the normal PC setting


use the following link as a reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml


good luck


if helpful rate


Hi Marwan,


The commands that you suggested did work out great! When I VPN into the ASA, I am able to get out to the internet. The only other issue is that I cannot ping or access any of the hosts on the 192.168.1.0 network. How do I go about doing this? What I want to accomplish is to access some network drives on a Microsoft Windows 2003 server.


Thanks in advance.

Manny


Thanks.

Correct Answer
Marwan ALshawi Wed, 09/17/2008 - 21:52

what's the reason for those commands?


nat (Outside) 0 access-list policyPAT

nat (Outside) 5 10.10.1.0 255.255.255.0


if there is no specific reason, remove them

and put the following command:

sysopt connection permit-ipsec


in global configuration mode to allow the VPN traffic to bypass interface access lists


good luck


if helpful Rate

Hi Marwan,


Your suggestions worked out great & I am able to access the internet & network drives on the 192.168.1.0 network. I removed the 2 commands & inserted the sysopt connection permit-ipsec command. It worked without the sysopt command, but I inserted it anyway because, from my understanding, it permits IPsec traffic without checking the ACLs?


Anyways thank you so much for all your help.

Manny
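The points raised across the thread (NAT statements bound to the outside interface, the inside-side nat 0 exemption the VPN pool needs, the split-tunnel list wired to the group-policy, and what sysopt connection permit-ipsec does to interface ACL checks) as an added config-audit example. This is my own Python, not Cisco's code and not anything posted by Marwan or Manny; the two sample configs, the interface names Vlan1/Vlan2, the NO_NAT ACL and the contents of policyPAT are constructed assumptions. The caveats it prints about same-security-traffic permit intra-interface (needed when tunnelall hairpins client internet traffic back out the outside interface) and the group-policy vpn-filter attribute (the remaining control point once permit-ipsec bypasses interface ACLs) are real ASA features not mentioned in the thread.

```python
"""Audit a 2008-era ASA remote-access VPN config for the issues in this thread.
Added example, not Cisco code; the sample configs below are constructed."""
import re


def parse_asa_config(text):
    """Collect only the commands the audit needs from a running-config excerpt."""
    cfg = {"interfaces": {}, "acls": {}, "nat": [], "sysopt": set(), "gp": {}}
    phys, block = {}, None  # per-physical-interface attrs; current sub-mode
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if raw.startswith(" "):  # indented line belongs to the open sub-mode
            kind, name = block if block else (None, None)
            if kind == "interface" and parts[0] in ("nameif", "security-level"):
                phys[name][parts[0]] = parts[1]
            elif kind == "group-policy":
                cfg["gp"][name][parts[0]] = " ".join(parts[1:])
            continue
        block = None
        if parts[0] == "interface":
            block = ("interface", parts[1])
            phys[parts[1]] = {}
        elif parts[0] == "group-policy" and parts[-1] == "attributes":
            block = ("group-policy", parts[1])
            cfg["gp"].setdefault(parts[1], {})
        elif parts[0] == "access-list":
            cfg["acls"].setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif parts[0] == "nat":
            m = re.match(r"nat \((\S+)\) (\d+) (.*)", raw.strip())
            if m:
                cfg["nat"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif parts[0] == "sysopt":
            cfg["sysopt"].add(" ".join(parts[1:]))
    for p in phys.values():  # nameif -> security-level (the outside interface is 0)
        if "nameif" in p:
            cfg["interfaces"][p["nameif"]] = int(p.get("security-level", 0))
    return cfg


def audit_vpn_config(cfg):
    """Return findings; entries starting with INFO are notes rather than defects."""
    out = []
    for iface, nat_id, rest in cfg["nat"]:
        if cfg["interfaces"].get(iface) == 0:
            out.append(f"nat ({iface}) {nat_id} {rest}: NAT rule bound to the outside "
                       "interface; the VPN-pool exemption belongs on the inside interface")
    exempt = [i for i, n, r in cfg["nat"]
              if n == 0 and r.startswith("access-list ") and cfg["interfaces"].get(i, 0) > 0]
    if not exempt:
        out.append("no 'nat (<inside>) 0 access-list' exemption: replies from inside hosts "
                   "to VPN clients would be translated")
    for name, attrs in cfg["gp"].items():
        policy = attrs.get("split-tunnel-policy", "tunnelall")  # ASA default is tunnelall
        if policy != "tunnelspecified":
            out.append(f"INFO group-policy {name}: {policy}; client internet traffic enters the "
                       "tunnel and the ASA must hairpin it (same-security-traffic permit intra-interface)")
            continue
        ref = attrs.get("split-tunnel-network-list", "")
        acl = ref.split()[1] if ref.startswith("value ") else None
        if acl is None:
            out.append(f"group-policy {name}: tunnelspecified but no split-tunnel-network-list bound")
        elif acl not in cfg["acls"]:
            out.append(f"group-policy {name}: split-tunnel list {acl} is not defined")
    if cfg["sysopt"] & {"connection permit-ipsec", "connection permit-vpn"}:
        out.append("INFO sysopt connection permit-ipsec: decrypted VPN traffic bypasses interface "
                   "ACLs; use a group-policy vpn-filter to restrict what clients may reach")
    else:
        out.append("INFO no sysopt connection permit-ipsec: the outside interface ACL must "
                   "permit traffic from the VPN pool to the inside network")
    return out


# Constructed samples; the interface block is shared by both.
_IFACES = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif Outside
 security-level 0
"""
# Mirrors the two NAT lines the OP posted, with no split tunneling.
BEFORE_CONFIG = _IFACES + """\
nat (Outside) 0 access-list policyPAT
nat (Outside) 5 10.10.1.0 255.255.255.0
group-policy VPNT attributes
 split-tunnel-policy tunnelall
"""
# Split tunnel and sysopt as given in the answers, plus an inside-side NAT exemption.
AFTER_CONFIG = _IFACES + """\
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
sysopt connection permit-ipsec
group-policy VPNT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

if __name__ == "__main__":
    for label, text in (("OP's original NAT", BEFORE_CONFIG), ("after the fixes", AFTER_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_vpn_config(parse_asa_config(text)):
            print("  ", finding)
```

Run against the "before" sample it flags both nat (Outside) lines, the missing inside-side exemption and the tunnelall policy; against the "after" sample the only output is the note that permit-ipsec makes the interface ACLs irrelevant for VPN traffic, which is the answer to Manny's closing question and the reason a vpn-filter is where any per-client restriction now has to live.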
