Junaid Abbas Tue, 08/31/2010 - 01:37
User Badges:

Your configuration looks fine, I am using ASA software version 7.0(7)

Device Manager version 5.0(7)

My device is not getting some commands, from

  • Issue this command:

    ASA-AIP-CLI(config)#tunnel-group hillvalleyvpn ipsec-ra
  • to onward, 
  • Please advise
    Jennifer Halim Tue, 08/31/2010 - 04:48
    User Badges:
    • Cisco Employee,

    There is typo in the document.

    The following line:

    tunnel-group hillvalleyvpn ipsec-ra

    should say:
    tunnel-group hillvalleyvpn type ipsec-ra

    Junaid Abbas Tue, 08/31/2010 - 20:32
    User Badges:

    Yes you are right, I already found the correct command with the keyword (type), now I am facing a problem, my internal network is not accessible via vpn connection,

    I connect using cisco VPn client and it connects successfully, but It is not accessing my application or ping my internal network, maybe here split tunneling is required.. what do u say ?

    I found a document perhaps specified by you, ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example,, I followed the steps specified in this document but there is no effect,

    In the standard ACL, I replaced the example ip with my servers vlan network i.e. but it doesn't work, then I also permitted my vpnpool ip subnet, but the result is same,,,

    My ASA is configured with 3 interfaces, inside, outside and DMZ, server are in DMZ,,

    DMZ security level 50

    Inside security level 100

    outside security level 0

    outside network ip

    DMZ network

    My objective is to access the servers in DMZ interface.

    Please advise




    Jennifer Halim Tue, 08/31/2010 - 20:35
    User Badges:
    • Cisco Employee,

    You would also need to configure NAT exemption for DMZ as follows:

    access-list dmz-nonat permit ip

    nat (DMZ) 0 access-list dmz-nonat

    Hope that resolves it.

    Junaid Abbas Tue, 08/31/2010 - 21:12
    User Badges:

    Yes,, Its working fine right now,,,my internal network is accessible now,  thanks again,,,,

    Now I am concerned with my NAT rule, which I was previously using in my Cisco Router 2811, VPN Clients were also connecting with 2811, now I have removed it and using ASA as gateway and VPN clients are connecting with ASA,,

    The NAT rule which I was using in Cisco Router 2811

    ip nat inside source static tcp 80 interface FastEthernet0/1 80

    by using this command, I was able to use my web application, Now I want to use it with ASA,

    Please advise,,




    Jennifer Halim Tue, 08/31/2010 - 21:17
    User Badges:
    • Cisco Employee,

    What public ip address do you want to use to NAT Would it be the ASA outside interface ip adddress?

    If it is, then you would need to configure the following:

    static (DMZ,outside) tcp interface 80 80 netmask

    And on the outside interface, you would need to configure ACL to allow TCP/80 in.

    Junaid Abbas Tue, 08/31/2010 - 21:24
    User Badges:

    ASA outside interface is a private ip ,,

    Above then ASA, I am using a internet link load balancing device Tp-link TL-R488T, I have configured its 3 interfaces with 3 internet connections having different live ip subnets,

    TP-link local interface ip

    Junaid Abbas Tue, 08/31/2010 - 21:48
    User Badges:

    I am looking to nat the server at all my three available internet connections live ips,




    all three internet links are configured on TP-link and internet link load balancing is performing,

    Tp-link's local Ip connected with ASA is

    My users will access the web application via internet by entering any of above mentioned live ip address.. when they will enter any live ip in browser, they will be redirected to my server placed in DMZ

    Junaid Abbas Tue, 08/31/2010 - 22:32
    User Badges:

    Thanks dear,

    Your advised NAT command is working perfectly, My web application server is accessible now from internet,

    Now I am concerned with my ACL placed in outside interface

    access-list outside_to_dmz extended permit ip any any

    access-list outside_to_dmz extended permit tcp any any

    access-group outside_to_dmz in interface outside

    by applying this acl, all ports are open for every kind of traffic, I want to restrict it only for VPN, TCP 80, TCP Remote Desktop 3389 only,,

    Please advise which ports should be open for VPN client...




    Jennifer Halim Tue, 08/31/2010 - 22:38
    User Badges:
    • Cisco Employee,

    Since the VPN is terminated on the ASA itself, you do not need to open any specific ports. The ASA will automatically allow the VPN ports since it's terminated on itself.

    Junaid Abbas Tue, 08/31/2010 - 23:02
    User Badges:


    I have applied an access-list to restrict some users to go over the internet

    access-list Internet extended permit ip any

    access-list Internet extended permit ip any

    access-group Internet out interface outside

    this acl should allow only two hosts to exit over the internet while all other local ips should be denied, but when I apply this acl to outside out interface, my internet stops working on allowed ips,

    whats the issue?

    This is my last query, I am very thankful to you,




    Jennifer Halim Tue, 08/31/2010 - 23:52
    User Badges:
    • Cisco Employee,

    Please apply the access-list in the inbound direction on the internal interface.

    Assuming that the user is on inside interface, pls apply as follows:

    access-group Internet in interface inside

    Junaid Abbas Wed, 09/01/2010 - 00:07
    User Badges:


    By applying this ACL, all other applications has stopped working, Inside yours are unable to access resources in DMZ,

    I want, inside users to give access to only DMZ but they should not pass outside interface

    Jennifer Halim Wed, 09/01/2010 - 01:00
    User Badges:
    • Cisco Employee,

    For inside to DMZ access, you would also need to add the following ACL:

    access-list Internet extended permit ip

    Junaid Abbas Wed, 09/01/2010 - 20:03
    User Badges:

    And where, which interface in/out this ACL will be applied? DMZ ?

    Can you please explain if we apply an ACL at outside interface out like

    access-list Internet extended permit ip host any

    and apply it

    access-group Internet out interface outside

    by applying only this acl should allow only host to go over the Internet and all the others should be denied by implicit deny,,

    what do u say ?

    Secondly, VPN connection speed is very slow, It was quite excellent while I was using on Cisco 2811 router,

    Junaid Abbas Thu, 09/02/2010 - 21:02
    User Badges:

    The application over VPN connection is very slow, and the delay in ping is 700ms ,, what is the issue ?


    This Discussion