Split tunneling for site-to-site VPN

zoltanjager
Level 1

Dear All,

I have two ASA 5510s with a site-to-site VPN; I can forward all Internet traffic to the central (HQ) site.

How do I set up split tunneling to access the Campus LAN (192.168.2.0/24) from LAN2?

Thank you in advance.

Best regards,

Zoltan

Accepted Solution

Jennifer Halim
Cisco Employee

You can have a "deny" statement in your crypto ACL, and it will let that traffic bypass encryption towards the site-to-site VPN tunnel.

For ASA 1:

access-list 100 extended permit ip 10.10.16.192 255.255.255.192 10.10.16.128 255.255.255.192

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 10.10.16.128 255.255.255.192

access-list 100 extended deny ip 192.168.2.0 255.255.255.0 10.10.16.128 255.255.255.192

access-list 100 extended permit ip any 10.10.16.128 255.255.255.192

For ASA 2:

access-list 100 extended permit ip 10.10.16.128 255.255.255.192 10.10.16.192 255.255.255.192

access-list 100 extended permit ip 10.10.16.128 255.255.255.192 10.0.0.0 255.0.0.0

access-list 100 extended deny ip 10.10.16.128 255.255.255.192 192.168.2.0 255.255.255.0

access-list 100 extended permit ip 10.10.16.128 255.255.255.192 any

Hope that helps.

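To make the accepted answer concrete, here is an added example (not part of the thread, and not Cisco code) that models how a crypto ACL is evaluated: first match wins, a matching "permit" means the flow is encrypted into the tunnel, a matching "deny" means it is sent in the clear, which is the split-tunnel trick above. It parses the two ACLs exactly as posted, classifies sample flows from a LAN2 host, shows what happens if the deny is placed after the "permit ... any" entry, and checks that the ASA1 and ASA2 ACLs mirror each other (each entry on one peer must appear with source and destination swapped on the other, or phase 2 will not negotiate). The host addresses used for the sample flows are constructed; the IP-only ACE grammar is an assumption that covers just the form used in the answer.

```python
"""Added example: first-match model of an ASA crypto ACL (not code from the thread)."""
import ipaddress
import re
from typing import Dict, List, Tuple

ACE = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# ACE form used in the answer: access-list NAME extended permit|deny ip SRC MASK DST MASK
# (either side may be 'any'). Anything else is rejected rather than silently skipped.
_ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)

def _net(token: str) -> ipaddress.IPv4Network:
    """'any' -> 0.0.0.0/0; 'ADDR MASK' -> network (ASA ACLs use real subnet masks)."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text: str) -> List[ACE]:
    """Parse the ACEs in order; order is what the first-match evaluation depends on."""
    aces: List[ACE] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, src, dst = m.groups()
        aces.append((action, _net(src), _net(dst)))
    return aces

def classify(aces: List[ACE], src_ip: str, dst_ip: str) -> str:
    """'encrypt': first match is a permit (into the tunnel);
    'clear': first match is a deny (bypasses the tunnel);
    'none': nothing matched (also not encrypted)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, sn, dn in aces:
        if s in sn and d in dn:
            return "encrypt" if action == "permit" else "clear"
    return "none"

def mirror_gaps(local: List[ACE], remote: List[ACE]) -> List[Tuple[str, str, str]]:
    """Return local ACEs that have no (action, dst, src) counterpart on the remote peer."""
    remote_set = {(a, str(s), str(d)) for a, s, d in remote}
    return [(a, str(s), str(d)) for a, s, d in local if (a, str(d), str(s)) not in remote_set]

# The two ACLs from the accepted answer, verbatim.
ASA1_ACL = """
access-list 100 extended permit ip 10.10.16.192 255.255.255.192 10.10.16.128 255.255.255.192
access-list 100 extended permit ip 10.0.0.0 255.0.0.0 10.10.16.128 255.255.255.192
access-list 100 extended deny ip 192.168.2.0 255.255.255.0 10.10.16.128 255.255.255.192
access-list 100 extended permit ip any 10.10.16.128 255.255.255.192
"""
ASA2_ACL = """
access-list 100 extended permit ip 10.10.16.128 255.255.255.192 10.10.16.192 255.255.255.192
access-list 100 extended permit ip 10.10.16.128 255.255.255.192 10.0.0.0 255.0.0.0
access-list 100 extended deny ip 10.10.16.128 255.255.255.192 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 10.10.16.128 255.255.255.192 any
"""
# Same ACEs on ASA2 with the deny moved after 'permit ... any' (a common mistake).
ASA2_DENY_LAST = """
access-list 100 extended permit ip 10.10.16.128 255.255.255.192 10.10.16.192 255.255.255.192
access-list 100 extended permit ip 10.10.16.128 255.255.255.192 10.0.0.0 255.0.0.0
access-list 100 extended permit ip 10.10.16.128 255.255.255.192 any
access-list 100 extended deny ip 10.10.16.128 255.255.255.192 192.168.2.0 255.255.255.0
"""

def lan2_flows(acl_text: str) -> Dict[str, str]:
    """Classify representative flows from a constructed LAN2 host, 10.10.16.130."""
    aces = parse_acl(acl_text)
    return {
        "hq_lan":   classify(aces, "10.10.16.130", "10.10.16.200"),  # HQ /26
        "hq_10":    classify(aces, "10.10.16.130", "10.20.30.40"),   # rest of 10/8
        "campus":   classify(aces, "10.10.16.130", "192.168.2.25"),  # Campus LAN
        "internet": classify(aces, "10.10.16.130", "203.0.113.7"),   # anything else
    }

if __name__ == "__main__":
    print("ASA2 as posted :", lan2_flows(ASA2_ACL))
    print("ASA2 deny last :", lan2_flows(ASA2_DENY_LAST))
    print("ASA1 unmirrored:", mirror_gaps(parse_acl(ASA1_ACL), parse_acl(ASA2_ACL)))
    print("ASA2 unmirrored:", mirror_gaps(parse_acl(ASA2_ACL), parse_acl(ASA1_ACL)))
```

With the ACLs as posted, Campus traffic from LAN2 is classified "clear" while HQ and Internet traffic is "encrypt", and both mirror checks come back empty. With the deny moved below "permit ... any", Campus traffic is encrypted again, which is exactly the symptom of putting the exemption in the wrong place. The model only covers the crypto ACL; as the follow-up reply in the thread points out, the cleartext path still needs a return route on the far side.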

9 Replies


I changed the ACL, but I still cannot access the Campus LAN from LAN2.

Does the Campus LAN have a route back towards the LAN2 subnet? It needs to be routed back towards the ASA2 outside interface.

Yes, this was a problem!

Thank you!

Does this configuration work if the Internet connection is on ASA1? I mean, would the users of 10.10.16.128/26 be NAT'd on ASA1 in order to access the Internet?

Thanks

Hi,

I am having a similar issue. We are using a site-to-site VPN, and at one of the remote sites they are unable to browse the Internet in the normal way; if they connect through a browser proxy they get Internet access, but then they cannot reach the VPN private network. I guess I need to tweak something at the configuration level.

The Local Network: 10.4.131.0/24

VPN: 172.16.0.0/16

---

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name s5ame.com

enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.4.131.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group moedng1

ip address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa8-2.bin

ftp mode passive

clock timezone GST 4

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 172.16.2.20

domain-name s5ame.com

access-list inside_access extended permit ip any any

access-list outside_1_cryptomap extended permit ip 10.4.131.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 10.4.131.0 255.255.255.0 172.16.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1452

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.10.0 255.255.255.0 inside

http 10.4.131.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 195.229.214.33

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.4.131.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

vpdn group moedng1 request dialout pppoe

vpdn group moedng1 localname moedng1

vpdn group moedng1 ppp authentication pap

vpdn username moedng1 password ********* store-local

dhcpd auto_config outside

!

dhcpd address 10.4.131.50-10.4.131.250 inside

dhcpd dns 172.16.2.20 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password 7KKG/zg/Wo8c.YfN encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group 195.229.214.xx type ipsec-l2l

tunnel-group 195.229.214.xx ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8afd258803311449fb4476babd7e8030

: end

Please help me to sort out this issue!

Regards,

I guess the site whose configuration you posted is working fine, right?

Can you post the remote site configuration where the issue is.

That's the configuration file that I am having the issue with now. However, I have noticed one more thing: it's not resolving DNS for the private network servers (that is, we have an application server hosted at HQ and I am unable to access this server from the remote site, but I can access it through the IP address).

In that case, you would need to specify your internal DNS server on your actual host so it resolves to the internal IP address. If accessing via the IP address works, that means there is no issue with the VPN.