03-31-2009 12:03 PM - edited 03-11-2019 08:12 AM
I have already set up VPNs on the ASA 5510; VPN clients can access the local network without problem. My issue is that users cannot access the Internet when they are connected to the local network via the VPN client.
What could the problem be?
I show the current configuration of the ASA.
ip local pool IPPOOL x.x.x.x - x.x.x.x
access-list nat1 extended permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
nat (inside) 0 access-list nat1
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map DYNMAP 30 set transform-set MYSET
crypto map MYMAP 20 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
group-policy REMOTO internal
group-policy REMOTO attributes
username cisco password cisco
tunnel-group REMOTO type remote-access
tunnel-group REMOTO general-attributes
address-pool IPPOOL
tunnel-group REMOTO ipsec-attributes
pre-shared-key xxxxxx
Thanks in advance,
03-31-2009 02:25 PM
my issue is that users cannot access the Internet when they are connected to the local network via the VPN client
Filberto, if I understand correctly, your RA VPN is created, the RA VPN pool has access to the local LAN, but RA VPN users, once connected, cannot access the Internet. If this is your issue, you can resolve it by making your RA VPN pool network full tunnel and PATing it through your global outside interface for Internet access. Please correct me if I have misunderstood, so I can assist you better.
You may use the "VPN Client for Public Internet VPN on a Stick" configuration.
This will allow RA VPN full-tunnel Internet access through your ASA firewall, as opposed to split tunnel.
Typical config scenario for RA VPN full-tunnel Internet access:
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
regards
04-01-2009 09:41 AM
Hi Jorge,
I really appreciate your help, you understood my issue very well.
The problem still remains even though I added the commands you recommended.
I show you the complete config so that you can verify whether something is wrong or missing.
Thanks again for your help
ASA# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ASA
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.X.X.X 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.X.X.X 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.x
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service V-Harvest tcp-udp
description Lector de Huellas
port-object eq 10001
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host x.x.x.x eq www
access-list outside extended permit tcp any host x.x.x.x eq ftp
access-list outside extended permit tcp any any eq pop3
access-list outside extended permit tcp any any eq 135 inactive
access-list outside extended permit tcp any any eq 26
access-list outside extended permit tcp any any eq 25000
access-list outside remark Lector de Huellas
access-list outside extended permit tcp any any object-group V-Harvest
access-list outside extended permit tcp any any eq smtp
access-list vpn1 extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NAT0 extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NAT0 extended permit ip 172.16.0.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool IPPOOL 192.168.100.10-192.168.100.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
global (outside) 1 interface
nat (inside) 0 access-list NAT0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.x www x.x.x.x www netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto ipsec transform-set CLIENT esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 20 set transform-set MYSET CLIENT
crypto map MYMAP 10 match address vpn1
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 20 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
threat-detection basic-threat
threat-detection statistics
group-policy COMPANY internal
group-policy COMPANY attributes
split-tunnel-policy tunnelall
username cisco password Cisco encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *********
tunnel-group COMPANY type remote-access
tunnel-group COMPANY general-attributes
address-pool IPPOOL
default-group-policy COMPANY
tunnel-group COMPANY ipsec-attributes
pre-shared-key **********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
04-01-2009 01:02 PM
Hi Filberto, apologies for the late reply. Did you add the statement below to your config? It seems you did not, based on the output of the config; could you ensure it is added.
nat (outside) 1 192.168.100.0 255.255.255.0
Also, in your tunnel-group COMPANY policy you may need to define DNS entries so your RA VPN network can query DNS; ensure the tunnel policy is full tunnel.
group-policy COMPANY attributes
dns-server value
split-tunnel-policy tunnelall
If still no joy, load the ASDM real-time log to see what is blocking it when the RA VPN user tries to access the Internet, and post that log.
regards
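The check Jorge is walking through by eye (is `same-security-traffic permit intra-interface` there, is there a `global (outside)` PAT entry, is there a `nat (outside)` statement covering the RA VPN pool, is the group policy full tunnel) can be automated against pasted `show run` text. The script below is an added example for this thread, not the poster's configuration or a Cisco tool; it understands only the ASA 8.0-style NAT syntax used here (not the 8.3+ object NAT syntax), derives the pool network from `ip local pool`, and also flags ISAKMP policies still using DES or DH group 1, both of which appear in the posted config. `SAMPLE_CONFIG` is a constructed excerpt modelled on the thread, with the `nat (outside)` line deliberately left out.

```python
"""Hairpin ('VPN on a stick') configuration check for a Cisco ASA 8.0-style
running config.  Added example for this thread, not the poster's or Cisco's
own tooling: it reads pasted `show run` text and reports whether the
statements needed for full-tunnel Internet access are present."""
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the thread; the
# 'nat (outside) ...' statement for the pool is deliberately absent.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool IPPOOL 192.168.100.10-192.168.100.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NAT0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
group-policy COMPANY internal
group-policy COMPANY attributes
 split-tunnel-policy tunnelall
tunnel-group COMPANY type remote-access
tunnel-group COMPANY general-attributes
 address-pool IPPOOL
 default-group-policy COMPANY
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+(?:\.\d+){3})-(\d+(?:\.\d+){3}) mask (\S+)$")
GLOBAL_OUTSIDE_RE = re.compile(r"^global \(outside\) (\d+) ")
NAT_OUTSIDE_RE = re.compile(r"^nat \(outside\) (\d+) (\S+) (\S+)$")
ISAKMP_POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
ISAKMP_ATTRS = ("authentication ", "encryption ", "hash ", "group ", "lifetime ")


def _lines(config_text):
    """Normalise a paste: forum/ASDM copies lose indentation, so strip it and drop comments."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", ":")):
            out.append(line)
    return out


def parse_pools(lines):
    """Map each 'ip local pool' name to the IPv4 network its mask implies."""
    pools = {}
    for line in lines:
        m = POOL_RE.match(line)
        if m:
            name, start, _end, mask = m.groups()
            pools[name] = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    return pools


def weak_isakmp_policies(lines):
    """ISAKMP policy numbers that still use DES or DH group 1."""
    weak, current = [], None
    for line in lines:
        m = ISAKMP_POLICY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.startswith(ISAKMP_ATTRS):
            current = None          # left the policy sub-mode
            continue
        if line in ("encryption des", "group 1") and current not in weak:
            weak.append(current)
    return weak


def check_hairpin(config_text):
    """Findings for hairpinned, PATed Internet access from the RA VPN pool."""
    lines = _lines(config_text)
    pools = parse_pools(lines)
    global_ids = {m.group(1) for m in map(GLOBAL_OUTSIDE_RE.match, lines) if m}
    # nat (outside) entries tied to a global (outside) PAT pool
    nat_outside = []
    for line in lines:
        m = NAT_OUTSIDE_RE.match(line)
        if m and m.group(1) in global_ids:
            nat_outside.append(ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False))
    uncovered = {name: net for name, net in pools.items()
                 if not any(net.subnet_of(n) for n in nat_outside)}
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "global_ids": sorted(global_ids, key=int),
        "full_tunnel": "split-tunnel-policy tunnelall" in lines,
        "pools_without_outside_nat": uncovered,
        "weak_isakmp_policies": weak_isakmp_policies(lines),
    }


def suggested_commands(config_text):
    """Config lines still missing for the pool to reach the Internet through 'outside'."""
    f = check_hairpin(config_text)
    nat_id = f["global_ids"][0] if f["global_ids"] else "1"
    cmds = []
    if not f["intra_interface"]:
        cmds.append("same-security-traffic permit intra-interface")
    if not f["global_ids"]:
        cmds.append(f"global (outside) {nat_id} interface")
    for net in f["pools_without_outside_nat"].values():
        cmds.append(f"nat (outside) {nat_id} {net.network_address} {net.netmask}")
    if not f["full_tunnel"]:
        cmds.append("split-tunnel-policy tunnelall   (under 'group-policy <name> attributes')")
    return cmds


if __name__ == "__main__":
    for k, v in check_hairpin(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
    print("add:", suggested_commands(SAMPLE_CONFIG))
```

Run against the sample it reports the single missing line Jorge asked for, `nat (outside) 1 192.168.100.0 255.255.255.0`, and flags policy 5 (DES, group 1) as weak; append the suggested lines and re-run, and the pool check comes back clean.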
03-31-2009 09:26 PM