Cisco ASA remote access VPN - NO INTERNET

Nov 21st, 2012

mali1977us Wed, 11/21/2012 - 11:19

Two things first. Do you want to do split tunneling, where the remote users get to the internet via their own local internet connection, or do you want them to get to the internet via the VPN?

Split Tunneling = under the group policy you will have to choose the option "Tunnel only Networks Below" and define an ACL for them.

Tunnel All = you will have to make sure that traffic can make a U-turn, i.e. come in on the "outside" interface and go out the same one.

martin.ostberg Fri, 03/01/2013 - 01:35

Hey Mohammad! I would really appreciate it if you could tell me how to do a "U-turn" without split tunneling and go out through the same interface I came in on.

I assume you'd have to do some double NAT of some sort?

My config looks like this:

hostname e2-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
ip local pool Local 192.168.1.10-192.168.1.20 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
boot system disk0:/asa901-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network vpn_pool
 subnet 10.10.10.0 255.255.255.0
 description VPN-Pool
object network e2-desktop-192.168.1.3
 host 192.168.1.3
object service Utorrent_Tcp
 service tcp source eq 24564 destination eq 24564
object service Utorrent_Udp
 service udp source eq 24564 destination eq 24564
 description Utorrent_UDP
object network e2-desktop1
 host 192.168.1.3
 description UDP
object network Inside_network
 subnet 192.168.1.0 255.255.255.0
object network vpn_local
 range 192.168.1.10 192.168.1.20
object-group network obj_any
object-group network NETWORK_OBJ_10.10.10.0_28
object-group network NETWORK_OBJ_192.168.1.0_24
object-group network e2-utorrent
object-group network e2_ftp
object-group service FTP_TLS
object-group service ftp_passive_range
object-group service Utorrent1 tcp-udp
 port-object eq 24564
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service FTP
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit object-group TCPUDP any4 192.168.1.0 255.255.255.0 object-group Utorrent1
access-list inside_access_in extended permit ip any4 any4
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list global_access extended permit object-group TCPUDP any4 any4 eq domain
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,any) source static vpn_local vpn_local destination static Inside_network Inside_network no-proxy-arp
!
object network obj_any-01
 nat (inside,outside) dynamic interface
object network e2-desktop-192.168.1.3
 nat (inside,outside) static interface service tcp 24564 24564
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map dyno 10 set pfs group1
crypto dynamic-map dyno 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=e2-asa
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 821fa150
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.157.38.60 source outside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
 anyconnect profiles default disk0:/default.xml
 anyconnect enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 81.26.226.3 81.26.228.3
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value e2.local
 webvpn
  url-list value e2-portal
username e2n password ITMoM.NSLkPPgA0/ encrypted privilege 15
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Local
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1c426af49974563e1f7ff9bd6a07cd41
: end

Cheers!

Jouni Forss Fri, 03/01/2013 - 01:43

Hi,

You probably need to add one command and do NAT configuration for the Internet traffic of the VPN client.

The command:

same-security-traffic permit intra-interface

That will allow traffic to enter and leave the same interface.

And the NAT configuration for the VPN pool:

object-group network VPN-POOL

network-object

nat (outside,outside) after-auto source VPN-POOL interface

I would recommend using some other network other than your current LAN as the VPN Pool.

- Jouni

martin.ostberg Fri, 03/01/2013 - 05:47

Thanks! I got it working by adding

same-security-traffic permit intra-interface

and

nat (outside,outside) after-auto source static vpn_pool interface no-proxy-arp

I also changed to another pool.

Cheers!
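As an added example (not from any poster in this thread), a small Python lint that checks a pasted ASA running-config for the three things the fix above comes down to: the intra-interface permit, a nat (outside,outside) rule whose network object actually covers the VPN pool, and a pool that does not overlap the inside LAN (Jouni's point about using a separate network). SAMPLE_CONFIG is constructed from the posted config with the hairpin NAT written as dynamic PAT; the regexes assume standard ASA running-config layout (one-space sub-commands, address line directly under `object network`).

```python
import ipaddress
import re

# Constructed from the config posted in this thread plus the hairpin NAT in PAT form; not a full ASA config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.2 255.255.255.0
ip local pool vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
ip local pool Local 192.168.1.10-192.168.1.20 mask 255.255.255.0
object network vpn_pool
 subnet 10.10.10.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside,outside) after-auto source dynamic vpn_pool interface
"""

def span(a, b, subnet=False):
    """(low, high) integer pair for first/last addresses, or for addr/mask when subnet=True."""
    if subnet:
        n = ipaddress.ip_network(f"{a}/{b}", strict=False)
        return int(n.network_address), int(n.broadcast_address)
    return int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b))

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def parse(config):
    """Pull out what the U-turn check needs; regexes follow ASA running-config layout."""
    cfg = {"pools": {}, "objects": {}, "nat_objects": set(), "inside": None,
           "hairpin": bool(re.search(r"^same-security-traffic permit intra-interface$", config, re.M))}
    if m := re.search(r"^ nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)", config, re.M):
        cfg["inside"] = span(m[1], m[2], subnet=True)
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        cfg["pools"][m[1]] = span(m[2], m[3])
    for m in re.finditer(r"^object network (\S+)\n (subnet|range) (\S+) (\S+)", config, re.M):
        cfg["objects"][m[1]] = span(m[3], m[4], m[2] == "subnet")
    for m in re.finditer(r"^nat \(outside,outside\) .*source (?:dynamic|static) (\S+) interface", config, re.M):
        cfg["nat_objects"].add(m[1])
    return cfg

def lint(config):
    cfg, findings = parse(config), []
    if not cfg["hairpin"]:
        findings.append("missing: same-security-traffic permit intra-interface")
    nat_spans = [cfg["objects"][o] for o in cfg["nat_objects"] if o in cfg["objects"]]
    for name, pool in cfg["pools"].items():
        if cfg["inside"] and overlaps(pool, cfg["inside"]):
            findings.append(f"pool {name} overlaps the inside LAN")
        if not any(overlaps(pool, s) for s in nat_spans):
            findings.append(f"pool {name} has no nat (outside,outside) ... interface rule")
    return findings
```

On SAMPLE_CONFIG, lint() passes vpn_pool and flags the Local pool twice: it sits inside 192.168.1.0/24 and no hairpin NAT object covers it, which is exactly why the original config had no Internet for those clients.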

Ahmed Alzaeem Fri, 03/07/2014 - 23:54

Hi all,

I've also been asking the same thing.

I have

LAN1======asa1-----internet-----------asa2---------LAN2

Now, LAN1 can see LAN2.

I have a site-to-site VPN (IKEv1).

I want LAN1 to use the internet through asa2.

The question is:

What do I need to modify on asa1 so that LAN1 goes to the internet via asa2?

Posted November 21, 2012 at 5:23 AM