ASA 5520 VPN question

Apr 16th, 2009

I have the VPN groups setup and can VPN in from the outside of the network. When I do I get assigned an address from the address pool that I setup, but I cannot access the internet, or ping anything on the outside (example yahoo.com). I believe it may be a routing issue, but I cannot figure it out. Any help would be appreciated.

JORGE RODRIGUEZ Thu, 04/16/2009 - 19:24

If your RA tunnel is configured as a full tunnel and you want the VPN network to have internet access, you need a couple of config statements to accomplish that.

See this link: Public Internet VPN on a Stick Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Example:

Your RA VPN Pool net 192.168.10.0/24

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0

Regards
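As an added check that is not part of this thread or of Cisco's configuration example, the Python script below parses a pre-8.3 ASA config in the format posted here and reports which of the three hairpin statements from the reply are missing for a given VPN pool. The embedded sample config is constructed, and the `audit_hairpin` function and case-insensitive interface-name matching are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample modelled on the poster's ASA 7.0 config: outside interface
# named "Outside", NAT only for the inside LAN, no hairpin statements yet.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 74.81.5.2 255.255.255.224
global (Outside) 1 interface
nat (Inside) 1 10.2.0.0 255.255.254.0
"""


def audit_hairpin(config, pool_cidr, outside_if="Outside"):
    """Check a pre-8.3 ASA config for the three statements that let full-tunnel
    VPN clients go back out the interface they came in on (hairpinning)."""
    pool = ipaddress.ip_network(pool_cidr)
    outside = outside_if.lower()  # assumption: nameif matching is case-insensitive
    intra = False
    global_ids = set()  # NAT ids with a PAT global on the outside interface
    nat_ids = set()     # NAT ids whose outside-side rule covers the VPN pool
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
            continue
        m = re.match(r"global \((\S+)\) (\d+) interface$", line)
        if m and m.group(1).lower() == outside:
            global_ids.add(m.group(2))
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line)
        if m and m.group(1).lower() == outside:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if pool.subnet_of(net):
                nat_ids.add(m.group(2))
    pool_nat = bool(nat_ids & global_ids)  # nat id must pair with a global id
    gid = min(global_ids) if global_ids else "1"
    missing = []
    if not intra:
        missing.append("same-security-traffic permit intra-interface")
    if not global_ids:
        missing.append(f"global ({outside_if}) {gid} interface")
    if not pool_nat:
        missing.append(f"nat ({outside_if}) {gid} {pool.network_address} {pool.netmask}")
    return {"intra_interface": intra, "outside_pat": bool(global_ids),
            "pool_nat": pool_nat, "missing": missing}
```

Run `audit_hairpin(SAMPLE_CONFIG, "192.168.10.0/24")` and the `missing` list gives the exact lines to add; the 8.3+ NAT syntax is different and is not covered here.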


milldarr Fri, 04/17/2009 - 07:12

Thank you for the reply. Here is the config from the ASA; there are other config lines in it because I also use it as the main firewall. I am currently trying to get the vpncity group to work first. I will send it in two or three parts. Thank you for your help.


ASA Version 7.0(6)
!
hostname COP-ASA
domain-name cityofpocatello.org
enable password 1aGFu1LmnjZMjYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 74.81.5.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.2.0.253 255.255.254.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif DMZeng
 security-level 50
 ip address 67.129.130.22 255.255.255.248
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 1aGFu1LmnjZMjYOU encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
object-group service LicenseServerIPRange tcp
 description ESRI License server ports
 port-object range 27000 27010
access-list inside-to-engdmz extended permit ip any 67.129.130.16 255.255.255.248
access-list inside-to-engdmz extended permit ip any 10.2.0.128 255.255.255.248
access-list inside-to-engdmz extended permit ip any 10.2.0.144 255.255.255.240
access-list inside-to-engdmz extended permit ip 10.2.0.0 255.255.254.0 10.2.0.144 255.255.255.240
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 1433
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 5151
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 5152
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 5153
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 object-group LicenseServerIPRange
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 135
access-list acl-dmzeng extended permit icmp host 67.129.130.20 10.2.0.0 255.255.0.0
access-list acl-dmzeng extended permit icmp host 67.129.130.20 any
access-list acl-dmzeng extended permit tcp any any eq www
access-list acl-dmzeng extended permit tcp any any eq 8080
access-list acl-dmzeng extended permit udp any any eq domain
access-list acl-dmzeng extended permit udp any any eq 443
access-list out-acl remark *** DMZeng ***
access-list out-acl extended permit tcp any host 67.129.130.20 eq www
access-list out-acl extended permit tcp host 204.134.195.24 host 67.129.130.20 eq 5151
access-list out-acl extended permit tcp host 204.134.195.24 host 199.104.18.19 eq 5151
access-list out-acl remark *** end DMZeng ***
access-list out-acl extended permit icmp any any echo-reply
access-list out-acl extended permit icmp any any time-exceeded
access-list out-acl extended permit icmp any any unreachable


milldarr Fri, 04/17/2009 - 07:14

tunnel-group vpntest type ipsec-ra
tunnel-group vpntest general-attributes
 address-pool Address_Pool
 default-group-policy vpntest
tunnel-group vpntest ipsec-attributes
 pre-shared-key *
tunnel-group vpncity type ipsec-ra
tunnel-group vpncity general-attributes
 address-pool (Inside) Address_Pool
 address-pool Address_Pool
 authentication-server-group Radius
 authentication-server-group (Inside) Radius
 default-group-policy vpncity
tunnel-group vpncity ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
: end
