Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

I am Having issue with my configuration on my ASA 5505

I am doing VPN and NAT services with my ASA 5505 but I have configured the device but my VPN clients can't surf the internet through my network...I can't also access Local resources on my network...

This is my Configurations...

ASA Version 8.4(7)
!
hostname CiscoWorks
domain-name gift.com
enable password xxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 63
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.250 255.255.255.0
!
interface Vlan63
 nameif outside
 security-level 0
 ip address 41.184.64.174 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name gift.com
object network NETWORK_OBJ_192.168.61.0_27
 subnet 192.168.61.0 255.255.255.224
object network ins
 subnet 192.168.0.0 255.255.0.0
object network nat
 subnet 192.168.62.0 255.255.255.0
object network vpn
 subnet 192.168.62.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 108 extended permit udp any host 10.10.1.1 eq isakmp
pager lines 24
logging enable
logging console debugging
mtu inside 1500
mtu outside 1500
ip local pool pool 192.168.62.1-192.168.62.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any pat-pool interface
nat (inside,outside) source static vpn vpn
access-group 108 in interface outside
route outside 0.0.0.0 0.0.0.0 41.184.44.173 1
route inside 192.168.4.0 255.255.255.0 192.168.20.1 1
route inside 192.168.30.0 255.255.255.0 192.168.20.1 1
route inside 192.168.60.0 255.255.255.0 192.168.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.60.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set tset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set tset mode transport
crypto ipsec ikev1 transform-set RA-AES256SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map 10 set ikev1 transform-set tset
crypto dynamic-map map 10 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map map_outside 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp nat-traversal 1500
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet 192.168.60.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
l2tp tunnel hello 100

!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
 split-tunnel-policy tunnelall
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol l2tp-ipsec
 user-authentication enable
group-policy GoPolicy internal
group-policy GoPolicy attributes
 vpn-tunnel-protocol ikev1
 address-pools value pool
username Admin password .xxxx encrypted
username adminuser password xxxxx encrypted
username dhns password xxxxx encrypted
username dhns attributes
 vpn-tunnel-protocol l2tp-ipsec
username dhns3 password 8e2siTxkT5phoJNBUQigeQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 strip-realm
 strip-group
tunnel-group test type remote-access
tunnel-group test general-attributes
 password-management password-expire-in-days 20
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group GGroup type remote-access
tunnel-group GGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BestIPsec type remote-access
tunnel-group BestIPsec general-attributes
 default-group-policy GoPolicy
tunnel-group BestIPsec ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:411a0970217bd6fb16f3c014889fab66
: end
CiscoWorks#

Everyone's tags (1)
1 REPLY
Hall of Fame Super Silver

Your NAT entries:nat (inside

Your NAT entries:

nat (inside,outside) source dynamic any pat-pool interface
nat (inside,outside) source static vpn vpn

...are incorrect. You need to:

1. reorder them so the VPN exemption comes first, and

2. add an entry for VPN client traffic coming from outside and being back outside for Internet access while on VPN (often referred to as "hairpinning". that would look something like the example in this related post.

118
Views
0
Helpful
1
Replies