My ASA 5510 config (part):
description local network interface
ip address 192.168.15.31 255.255.255.0
ip address x.x.x.20 255.255.255.248
nat (localnet) 1 192.168.15.0 255.255.255.0
route localnet 192.168.1.0 255.255.255.0 192.168.15.1 1
route localnet 192.168.11.0 255.255.255.0 192.168.15.1 1
route localnet 192.168.168.0 255.255.255.0 192.168.15.1 1
I want to connect by VPN to the ASA from the "localnet" interface (from the 192.168.1.0 network), configured using the VPN wizard:
access-list CiscoASA_splitTunnelAcl standard permit any
username vpnuser password xxx encrypted privilege 0
username vpnuser attributes
ip local pool vpnpool 192.168.87.1-192.168.87.20
group-policy CiscoASA internal
group-policy CiscoASA attributes
split-tunnel-network-list value CiscoASA_splitTunnelAcl
dns-server value 192.168.15.33
wins-server value 192.168.15.33
default-domain value dssa.ru
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
tunnel-group CiscoASA ipsec-attributes
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map localnet_dyn_map 20 set pfs group2
crypto dynamic-map localnet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map localnet_map 65535 ipsec-isakmp dynamic localnet_dyn_map
crypto map localnet_map interface localnet
After that I can connect to the ASA using the Cisco VPN client, but I can't access anything: no LAN, no internet, no ASA...
How can I get access?
Thanks for any answers.
After connecting, the VPN client statistics show:
Local LAN: disabled
but I checked "Allow local LAN access" ...
Assuming that your ISAKMP entries are correct (that you can establish a connection):
1) Do not use "any" statements in ACLs that define networks, such as the split-tunnel list. Issue the following:
no access-list CiscoASA_splitTunnelAcl standard permit any
access-list CiscoASA_splitTunnelAcl permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
2) Issue the following command:
crypto isakmp nat-traversal 20
3) There is really no sense in terminating the VPN connection at the "localnet" interface, which has the highest security level.
Add the following:
access-list inside_nat0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
nat (localnet) 0 access-list inside_nat0_outbound
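As an added illustration (not from the thread and not a Cisco tool), the following Python script lints a pasted ASA config fragment for the three things the answer above turns on: a split-tunnel list that says "permit any", a "nat ... 0 access-list" line that names an ACL which was never defined (the name-typo trap), and a NAT-exempt ACL whose destination does not cover every address in the VPN pool. The two sample configs are constructed from the lines in this thread, and the parser only understands the line forms that appear here.

```python
"""Sanity-check an ASA 8.x remote-access VPN fragment (constructed example)."""
import ipaddress
import re

# Constructed sample: the corrected lines from the answer plus the original pool.
CORRECTED_CONFIG = """
ip local pool vpnpool 192.168.87.1-192.168.87.20
access-list CiscoASA_splitTunnelAcl permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
access-list inside_nat0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
nat (localnet) 0 access-list inside_nat0_outbound
group-policy CiscoASA attributes
 split-tunnel-network-list value CiscoASA_splitTunnelAcl
"""

# Constructed sample reproducing the mistakes the thread hit: a "permit any"
# split-tunnel list and a NAT-exempt ACL whose name does not match the nat 0 line.
BROKEN_CONFIG = """
ip local pool vpnpool 192.168.87.1-192.168.87.20
access-list CiscoASA_splitTunnelAcl standard permit any
access-list inside_na0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224
nat (localnet) 0 access-list inside_nat0_outbound
group-policy CiscoASA attributes
 split-tunnel-network-list value CiscoASA_splitTunnelAcl
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:standard |extended )?permit (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)")


def parse(config):
    """Collect address pools, ACL entries, nat 0 references and the split-tunnel ACL name."""
    pools, acls, nat0, split = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := ACL_RE.match(line):
            tok = m[2].split()
            if tok[0] == "any":
                entry = "any"
            elif len(tok) == 5 and tok[0] == "ip":
                # "permit ip SRC SMASK DST DMASK" -> (source network, destination network)
                entry = (ipaddress.IPv4Network((tok[1], tok[2])),
                         ipaddress.IPv4Network((tok[3], tok[4])))
            else:
                continue  # other ACE forms are outside this linter's scope
            acls.setdefault(m[1], []).append(entry)
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
        elif m := SPLIT_RE.match(line):
            split = m[1]
    return pools, acls, nat0, split


def lint(config):
    """Return human-readable findings; an empty list means all three checks passed."""
    pools, acls, nat0, split = parse(config)
    findings = []
    if split is not None:
        if split not in acls:
            findings.append(f"split-tunnel list {split} is not defined")
        elif "any" in acls[split]:
            findings.append(f"split-tunnel list {split} uses 'permit any'; list the real LAN subnets instead")
    for iface, name in nat0.items():
        if name not in acls:
            findings.append(f"nat ({iface}) 0 references undefined ACL {name}")
            continue
        dst_nets = [entry[1] for entry in acls[name] if entry != "any"]
        for pool, (first, last) in pools.items():
            # Every pool address must fall inside some destination of the NAT-exempt ACL.
            uncovered = [str(ipaddress.IPv4Address(i))
                         for i in range(int(first), int(last) + 1)
                         if not any(ipaddress.IPv4Address(i) in n for n in dst_nets)]
            if uncovered:
                findings.append(f"pool {pool}: {len(uncovered)} address(es) not covered by "
                                f"NAT-exempt ACL {name}, e.g. {uncovered[0]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("corrected", CORRECTED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, "->", lint(cfg) or "OK")
```

Run it against your own "show running-config" output before pasting changes into the box; the pool-coverage check is the one that catches a /27 mask that is too small when the pool is later enlarged.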
After your help I can access the local LAN 192.168.15.0 :)
But one problem remains :(
The ASA is the gateway to the internet for the computers on the 192.168.15.0 network.
How can I get to the internet through the ASA via the VPN (from IP 192.168.87.1)?
Nice to hear that your problem is resolved, and thanks for rating.
I have a question before answering yours. Terminating the VPN at the inside interface, as you do now, is not a common practice. Do you have a specific reason for this?
I have the following reason: my PC has IP 192.168.1.7 on the 192.168.1.0/24 network with default gateway 192.168.1.1, through which I reach the internet. I need to reach the internet through the ASA (a different internet connection).
I didn't understand this, actually: your inside users can already set the ASA as their gateway and connect to the internet via it. VPN users are usually users who are outside of your infrastructure.
No, between my local network segment and the ASA's localnet segment there are 3 switches; 2 of them have DG 192.168.1.1, and only the last switch has DG 192.168.15.1.