Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
539
Views
5
Helpful
8
Replies

Internal network and Internet access problem when VPN. Please assist. Tx

Go to solution
lansingschools_ops
Level 1
Level 1

‎03-27-2008 08:15 AM - edited ‎03-11-2019 05:22 AM

We are having problem accessing servers/machines- i.e. map and access files on the inside network when connected via vpn. The other problem with access to the Internet through the VPN tunnel- I know it has something to do with split-tunneling but I cannot figure out the problem. When I connect via SSL VPN I can shared files on the DMZ and inside with no problem at all. Please assist. I greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jesse Wiener
Level 4
Level 4

‎03-28-2008 07:52 AM

Are you trying to get to the inside or the dmz or both?

Right now you are not doing any kind of split tunneling. You are tunneling everything, per this acl.

"access-list testvpn_splitTunnelAcl extended permit ip any any"

If you only wanted to tunnel to the inside 192.168.0.0/16 and the 10.0.0.0/8. Remove that acl and enter these 2 lines.

access-list testvpn_splitTunnelAcl standard 192.168.0.0 255.255.0.0

access-list testvpn_splitTunnelAcl standard 10.0.0.0 255.0.0.0

then you also need a nat 0

access-list Nat0 extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list Nat0 extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

nat (Inside) 0 access-list Nat0.

If you are trying to tunnel internet traffic through the vpn then read this link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jesse Wiener
Level 4
Level 4

‎03-27-2008 03:00 PM

You need make sure you are tunneling the networks that you need access to and that you have nonat setup for those as well.

Can you ping them? The config off the device would help to see how things are setup

NoNat http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530

0 Helpful

Go to solution
lansingschools_ops
Level 1
Level 1
In response to Jesse Wiener

‎03-28-2008 07:13 AM

Attached is the config with the public IP ommitted. Please let me know if you need anything else. Thanks. Your help is greatly appreciated.

Preview file
7 KB
0 Helpful

Go to solution
lansingschools_ops
Level 1
Level 1
In response to Jesse Wiener

‎03-28-2008 07:17 AM

I cannot ping server on the DMZ or machines on the inside. The only thing I can ping is my interfaces on the ASA.

0 Helpful

Go to solution
acomiskey
Level 10
Level 10
In response to lansingschools_ops

‎03-28-2008 07:36 AM

To get access to inside from vpn.

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0

To get access to dmz from vpn.

nat (DMZ1) 0 access-list dmz_nat0_outbound

access-list dmz_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0

0 Helpful

Go to solution
acomiskey
Level 10
Level 10
In response to acomiskey

‎03-28-2008 07:40 AM

For split tunneling...

change...

access-list testvpn_splitTunnelAcl extended permit ip any any

to...

access-list testvpn_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list testvpn_splitTunnelAcl extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

access-list testvpn_splitTunnelAcl extended permit ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0

Go to solution
lansingschools_ops
Level 1
Level 1
In response to acomiskey

‎03-28-2008 11:16 AM

It works. Thank you very much. I greatly appreciate your assistance.

0 Helpful

Go to solution
Jesse Wiener
Level 4
Level 4

‎03-28-2008 07:52 AM

Are you trying to get to the inside or the dmz or both?

Right now you are not doing any kind of split tunneling. You are tunneling everything, per this acl.

"access-list testvpn_splitTunnelAcl extended permit ip any any"

If you only wanted to tunnel to the inside 192.168.0.0/16 and the 10.0.0.0/8. Remove that acl and enter these 2 lines.

access-list testvpn_splitTunnelAcl standard 192.168.0.0 255.255.0.0

access-list testvpn_splitTunnelAcl standard 10.0.0.0 255.0.0.0

then you also need a nat 0

access-list Nat0 extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list Nat0 extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

nat (Inside) 0 access-list Nat0.

If you are trying to tunnel internet traffic through the vpn then read this link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

0 Helpful

Go to solution
lansingschools_ops
Level 1
Level 1
In response to Jesse Wiener

‎03-28-2008 11:17 AM

Tunneling internet traffic is working along with inside and dmz access. Thank you very much. I greatly appreciate your assistance.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card