ASA 5505 & Windows 7 VPN

Unanswered Question
Apr 10th, 2010
User Badges:

I have one windows 7 PC that is able to connect and authenticate, but cannot ping any host on the remote network.


Any help is appreciated, I have been unable to generate a deny msgs from any ping/tracert or rdp connections.


My sh run.



cerberus(config)# sh run

: Saved

:

ASA Version 8.2(2)

!

hostname cerberus

domain-name arcadia.com

enable password xxx encrypted

passwd xxx.xx encrypted

names

name 10.42.42.21 media_center description media center pc

!

interface Vlan11

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan21

nameif inside

security-level 100

ip address 10.42.42.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 11

!

interface Ethernet0/1

switchport access vlan 21

!

interface Ethernet0/2

switchport access vlan 21

!

interface Ethernet0/3

switchport access vlan 21

!

interface Ethernet0/4

switchport access vlan 21

!

interface Ethernet0/5

switchport access vlan 21

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name arcadia.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP

description remote desktop

service-object tcp eq 3389

service-object tcp eq 8080

service-object tcp-udp eq domain

object-group service bittorrent

service-object tcp-udp eq 62774

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list public_traffic extended permit object-group RDP any interface outside

access-list public_traffic extended permit object-group bittorrent any interface outside

access-list public_traffic extended permit object-group TCPUDP any interface outside eq www

access-list nonat standard permit 10.42.42.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging asdm warnings

mtu outside 1500

mtu inside 1500

ip local pool sct_vpn 10.42.42.55-10.42.42.60 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0 dns

static (inside,outside) tcp interface 3389 media_center 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 8080 media_center 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 62774 media_center 62774 netmask 255.255.255.255

static (inside,outside) tcp interface www media_center www netmask 255.255.255.255

access-group public_traffic in interface outside

timeout xlate 3:00:00

timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  file-browsing enable

aaa authentication ssh console LOCAL

http server enable

http 10.42.42.0 255.255.255.0 inside

snmp-server group Authentication&Encryption v3 priv

snmp-server location xxx

snmp-server contact [email protected]

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac

crypto ipsec transform-set aes-md5 mode transport

crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac

crypto ipsec transform-set 3des_md5 mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA TRANS_ESP_3DES_SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 aes-md5 3des_md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcp-client client-id interface outside

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 24000

dhcpd domain arcadia.com

!

dhcpd address 10.42.42.20-10.42.42.40 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd lease 24000 interface inside

dhcpd domain arcadia.com interface inside

dhcpd enable inside

!


priority-queue outside

threat-detection basic-threat

threat-detection scanning-threat shun duration 3600

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics host number-of-rate 3

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 131.216.22.17 source outside prefer

ntp server 131.216.22.15 source outside

tftp-server inside media_center TFTP-Root

webvpn

csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg

csd enable

group-policy DfltGrpPolicy attributes

banner value Welcome to SocalTrails!

vpn-tunnel-protocol IPSec l2tp-ipsec

ip-comp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value nonat

username jzakhar password xxx nt-encrypted privilege 15

username andy password xxx nt-encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool sct_vpn

authentication-server-group (outside) LOCAL

authorization-server-group LOCAL

authorization-server-group (outside) LOCAL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

!

class-map CM_HTTP

match port tcp eq www

class-map CM_RDP

match port tcp eq 3389

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map PM_RDP

class CM_HTTP

  priority

class CM_RDP

  priority

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

!

service-policy global_policy global

service-policy PM_RDP interface outside

prompt hostname context

Cryptochecksum:e2c8434ca3438eb01a3e4256ec9ea646

: end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Sat, 04/10/2010 - 16:53
User Badges:
  • Cisco Employee,

You would need to configure NAT exemption as follows:


access-list inside-nonat permit ip any 10.42.42.0 255.255.255.0

nat (inside) 0 access-list inside-nonat


To ping, you would need to add the following:

policy-map global_policy

   class inspection_default

     inspect icmp


I would recommend that you change the ip pool to a different subnet to your internal network if the above doesn't work, and configure the NAT exemption access-list accordingly.


Hope that helps.

jzakhar_sdenter... Sat, 04/10/2010 - 20:11
User Badges:

Still no luck over here on the Windows 7 pc.

The asa cannot ping the win7 host either with the vpn connected.


I did take your advice and added a new ip pool for vpn users, I am assuming the router will add the route automagically ?


I noticed the access-list isnt getting any hits. This used to be so much easier on the IOS routers


As always any help is much appreciated.




cerberus(config)# sh ipsec sa

interface: outside

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 99.178.130.201


      local ident (addr/mask/prot/port): (99.178.130.201/255.255.255.255/17/1701)

      remote ident (addr/mask/prot/port): (172.28.42.19/255.255.255.255/17/1701)

      current_peer: 172.28.42.19, username: jzakhar

      dynamic allocated peer ip: 10.42.44.20


      #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32

      #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 32, #pkts comp failed: 0, #pkts decomp failed: 0

      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 99.178.130.201, remote crypto endpt.: 172.28.42.19


      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 37700603

      current inbound spi : D20471BE


    inbound esp sas:

      spi: 0xD20471BE (3523506622)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={RA, Transport, }

         slot: 0, conn_id: 139264, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (212388/3204)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x37700603 (930088451)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={RA, Transport, }

         slot: 0, conn_id: 139264, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (212400/3204)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

cerberus(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list public_traffic; 8 elements; name hash: 0xf094d274
access-list public_traffic line 1 extended permit object-group RDP any interface outside 0xd2b9655e
  access-list public_traffic line 1 extended permit tcp any interface outside eq 3389 (hitcnt=1) 0x9417248c
  access-list public_traffic line 1 extended permit tcp any interface outside eq 8080 (hitcnt=7) 0xedc4ec63
  access-list public_traffic line 1 extended permit tcp any interface outside eq domain (hitcnt=0) 0xca8eac53
  access-list public_traffic line 1 extended permit udp any interface outside eq domain (hitcnt=0) 0x02c766ae
access-list public_traffic line 2 extended permit object-group bittorrent any interface outside 0x388d441c
  access-list public_traffic line 2 extended permit tcp any interface outside eq 62774 (hitcnt=271) 0xa5a716ab
  access-list public_traffic line 2 extended permit udp any interface outside eq 62774 (hitcnt=0) 0x0fad6bbe
access-list public_traffic line 3 extended permit object-group TCPUDP any interface outside eq www 0x458c5836
  access-list public_traffic line 3 extended permit udp any interface outside eq www (hitcnt=0) 0x7f8dfb3a
  access-list public_traffic line 3 extended permit tcp any interface outside eq www (hitcnt=6) 0x74ee7a01
access-list inside-nonat; 1 elements; name hash: 0x1746e206
access-list inside-nonat line 1 extended permit ip any 10.42.44.0 255.255.255.0 (hitcnt=0) 0x8e9c9907






sh run :


cerberus(config)# sh run

: Saved

:

ASA Version 8.2(2)

!

hostname cerberus

domain-name arcadia.com

enable password xx encrypted

passwd xx encrypted

names

name 10.42.42.21 media_center description media center pc

!

interface Vlan11

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan21

nameif inside

security-level 100

ip address 10.42.42.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 11

!

interface Ethernet0/1

switchport access vlan 21

!

interface Ethernet0/2

switchport access vlan 21

!

interface Ethernet0/3

switchport access vlan 21

!

interface Ethernet0/4

switchport access vlan 21

!

interface Ethernet0/5

switchport access vlan 21

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name arcadia.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP

description remote desktop

service-object tcp eq 3389

service-object tcp eq 8080

service-object tcp-udp eq domain

object-group service bittorrent

service-object tcp-udp eq 62774

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list public_traffic extended permit object-group RDP any interface outside

access-list public_traffic extended permit object-group bittorrent any interface outside

access-list public_traffic extended permit object-group TCPUDP any interface outside eq www

access-list inside-nonat extended permit ip any 10.42.44.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging asdm warnings

mtu outside 1500

mtu inside 1500

ip local pool sct 10.42.44.20-10.42.44.25 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 101 interface

nat (inside) 0 access-list inside-nonat

nat (inside) 101 0.0.0.0 0.0.0.0 dns

static (inside,outside) tcp interface 3389 media_center 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 8080 media_center 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 62774 media_center 62774 netmask 255.255.255.255

static (inside,outside) tcp interface www media_center www netmask 255.255.255.255

access-group public_traffic in interface outside

timeout xlate 3:00:00

timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  file-browsing enable

aaa authentication ssh console LOCAL

http server enable

http 10.42.42.0 255.255.255.0 inside

snmp-server group Authentication&Encryption v3 priv

snmp-server location Clairemont

snmp-server contact [email protected]

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac

crypto ipsec transform-set aes-md5 mode transport

crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac

crypto ipsec transform-set 3des_md5 mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA TRANS_ESP_3DES_SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 aes-md5 3des_md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcp-client client-id interface outside

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 24000

dhcpd domain arcadia.com

!

dhcpd address 10.42.42.20-10.42.42.40 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd lease 24000 interface inside

dhcpd domain arcadia.com interface inside

dhcpd enable inside

!


priority-queue outside

threat-detection basic-threat

threat-detection scanning-threat shun duration 3600

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics host number-of-rate 3

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 131.216.22.17 source outside prefer

ntp server 131.216.22.15 source outside

tftp-server inside media_center TFTP-Root

webvpn

csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg

csd enable

group-policy DfltGrpPolicy attributes

banner value Welcome to SocalTrails!

vpn-tunnel-protocol IPSec l2tp-ipsec

ip-comp enable

split-tunnel-policy tunnelspecified

username jzakhar password xx nt-encrypted privilege 15

username andy password xx nt-encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool sct

authentication-server-group (outside) LOCAL

authorization-server-group LOCAL

authorization-server-group (outside) LOCAL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

!

class-map CM_HTTP

match port tcp eq www

class-map CM_RDP

match port tcp eq 3389

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map PM_RDP

class CM_HTTP

  priority

class CM_RDP

  priority

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

service-policy PM_RDP interface outside

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2b7fff22d00ccacd1854e00dd5a55822

: end

cerberus(config)#

jzakhar_sdenter... Sat, 04/10/2010 - 20:14
User Badges:

This doesnt seem right for the route



cerberus(config)# sh route


Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route


Gateway of last resort is 99.178.128.1 to network 0.0.0.0


C    99.178.128.0 255.255.252.0 is directly connected, outside

C    10.42.42.0 255.255.255.0 is directly connected, inside

S    10.42.44.20 255.255.255.255 [1/0] via 99.178.128.1, outside

d*   0.0.0.0 0.0.0.0 [1/0] via 99.178.128.1, outside


cerberus(config)# sh ip

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan11                   outside                99.178.130.201  255.255.252.0   DHCP

Vlan21                   inside                 10.42.42.1      255.255.255.0   CONFIG

Current IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan11                   outside                99.178.130.201  255.255.252.0   DHCP

Vlan21                   inside                 10.42.42.1      255.255.255.0   CONFIG

Jennifer Halim Sat, 04/10/2010 - 20:19
User Badges:
  • Cisco Employee,

The routes look correct. The IP Pool should be routed out off the outside interface, which is correct.


You seem to have lost your split tunnel access-list.


Please configure the following:

access-list split-acl standard permit 10.42.42.0 255.255.255.0

group-policy DfltGrpPolicy attributes
    split-tunnel-network-list value split-acl

Actions

This Discussion

Related Content