
New Member

ASA 5520 VPN question

I have the VPN groups set up and can VPN in from outside the network. When I do, I get assigned an address from the address pool that I set up, but I cannot access the internet or ping anything on the outside (for example, yahoo.com). I believe it may be a routing issue, but I cannot figure it out. Any help would be appreciated.

3 REPLIES

Re: ASA 5520 VPN question

If your RA tunnel is configured as a full tunnel and you want the VPN network to have internet access, you need a couple of config statements to accomplish that.

See this link Public Internet VPN on a Stick Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Example:

Your RA VPN pool net 192.168.10.0/24

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0

Regards
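A small audit script that checks a pre-8.3 ASA config (the thread's box runs 7.0(6), which uses the `global`/`nat` NAT syntax shown in the reply) for the three hairpin prerequisites above: `same-security-traffic permit intra-interface`, a `global (outside) <id> interface` statement, and a `nat (outside) <id> ...` entry with the same NAT id that covers the remote-access pool. This is an added example for the thread, not Cisco tooling and not the poster's configuration; the two config fragments are constructed, and the names `Outside` and `Address_Pool` are reused from the thread only for readability. It assumes `nameif` values match case-insensitively.

```python
"""Audit a pre-8.3 ASA config for the statements a full-tunnel remote-access
VPN needs before clients can be hairpinned back out the outside interface.
Added example for this thread; constructed sample configs, not Cisco tooling.
"""
import ipaddress
import re

# Constructed: a 7.x/8.2-style fragment that lacks the hairpin statements.
SAMPLE_CONFIG_MISSING = """\
hostname EXAMPLE-ASA
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.0.2.2 255.255.255.224
global (Outside) 1 interface
nat (Inside) 1 10.2.0.0 255.255.254.0
ip local pool Address_Pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
"""

# Constructed: the same fragment with the two missing statements from the
# reply added (the global (outside) 1 interface line was already present).
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG_MISSING + """\
same-security-traffic permit intra-interface
nat (Outside) 1 192.168.10.0 255.255.255.0
"""


def parse_pools(config):
    """Map each 'ip local pool' name to the IPv4 network that covers it."""
    pools = {}
    pat = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?", re.M)
    for name, first, last, mask in pat.findall(config):
        if mask:
            net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        else:
            # No mask given: grow a /32 until it covers the whole range.
            net = ipaddress.ip_network(f"{first}/32")
            last_ip = ipaddress.ip_address(last)
            while last_ip not in net:
                net = net.supernet()
        pools[name] = net
    return pools


def hairpin_check(config, outside="Outside"):
    """Return findings for the three hairpin prerequisites.

    Keys: intra_interface, global_outside_interface, pool_nat_outside
    (one bool per pool name) and ok (all satisfied for every pool).
    """
    flags = re.M | re.I  # assumption: nameif values match case-insensitively
    intra = re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M)
    findings = {"intra_interface": intra is not None}

    glob = re.search(rf"^global \({re.escape(outside)}\) (\d+) interface", config, flags)
    findings["global_outside_interface"] = glob is not None
    nat_id = glob.group(1) if glob else None

    # nat (outside) <id> <net> <mask>: the pool must sit inside one of these
    # entries carrying the same NAT id as the global statement.
    nat_nets = []
    for nid, net, mask in re.findall(
        rf"^nat \({re.escape(outside)}\) (\d+) (\S+) (\S+)", config, flags
    ):
        try:
            nat_nets.append((nid, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        except ValueError:
            continue  # e.g. "nat (outside) 0 access-list ..." is not a network
    pools = parse_pools(config)
    findings["pool_nat_outside"] = {
        name: any(nid == nat_id and pnet.subnet_of(nnet) for nid, nnet in nat_nets)
        for name, pnet in pools.items()
    }
    findings["ok"] = (
        findings["intra_interface"]
        and findings["global_outside_interface"]
        and bool(pools)
        and all(findings["pool_nat_outside"].values())
    )
    return findings


def report(config, outside="Outside"):
    """List the statements still missing; empty when the config is complete."""
    f = hairpin_check(config, outside)
    missing = []
    if not f["intra_interface"]:
        missing.append("same-security-traffic permit intra-interface")
    if not f["global_outside_interface"]:
        missing.append(f"global ({outside}) <id> interface")
    for name, covered in f["pool_nat_outside"].items():
        if not covered:
            missing.append(f"nat ({outside}) <id> <net> <mask> covering pool {name}")
    if not f["pool_nat_outside"]:
        missing.append("ip local pool <name> ... (no pool found)")
    return missing


if __name__ == "__main__":
    for label, cfg in (("missing", SAMPLE_CONFIG_MISSING), ("fixed", SAMPLE_CONFIG_FIXED)):
        print(label, report(cfg) or ["ok: VPN pool will be hairpinned out"])
```

Run it against a saved `show running-config` (or paste the relevant lines into the sample strings) to get the list of statements still missing; on the constructed "missing" fragment it reports the intra-interface and `nat (Outside)` lines, and on the "fixed" one it reports nothing.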

New Member

Re: ASA 5520 VPN question

Thank you for the reply. Here is the config from the ASA; there are other config lines in it because I also use it as the main firewall. I am currently trying to get the vpncity group working first. I will send it in two or three parts. Thank you for your help.

ASA Version 7.0(6)
!
hostname COP-ASA
domain-name cityofpocatello.org
enable password 1aGFu1LmnjZMjYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 74.81.5.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.2.0.253 255.255.254.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif DMZeng
 security-level 50
 ip address 67.129.130.22 255.255.255.248
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 1aGFu1LmnjZMjYOU encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
object-group service LicenseServerIPRange tcp
 description ESRI License server ports
 port-object range 27000 27010
access-list inside-to-engdmz extended permit ip any 67.129.130.16 255.255.255.248
access-list inside-to-engdmz extended permit ip any 10.2.0.128 255.255.255.248
access-list inside-to-engdmz extended permit ip any 10.2.0.144 255.255.255.240
access-list inside-to-engdmz extended permit ip 10.2.0.0 255.255.254.0 10.2.0.144 255.255.255.240
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 1433
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 5151
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 5152
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 5153
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 object-group LicenseServerIPRange
access-list acl-dmzeng extended permit tcp host 67.129.130.20 host 10.2.0.24 eq 135
access-list acl-dmzeng extended permit icmp host 67.129.130.20 10.2.0.0 255.255.0.0
access-list acl-dmzeng extended permit icmp host 67.129.130.20 any
access-list acl-dmzeng extended permit tcp any any eq www
access-list acl-dmzeng extended permit tcp any any eq 8080
access-list acl-dmzeng extended permit udp any any eq domain
access-list acl-dmzeng extended permit udp any any eq 443
access-list out-acl remark *** DMZeng ***
access-list out-acl extended permit tcp any host 67.129.130.20 eq www
access-list out-acl extended permit tcp host 204.134.195.24 host 67.129.130.20 eq 5151
access-list out-acl extended permit tcp host 204.134.195.24 host 199.104.18.19 eq 5151
access-list out-acl remark *** end DMZeng ***
access-list out-acl extended permit icmp any any echo-reply
access-list out-acl extended permit icmp any any time-exceeded
access-list out-acl extended permit icmp any any unreachable

New Member

Re: ASA 5520 VPN question

tunnel-group vpntest type ipsec-ra
tunnel-group vpntest general-attributes
 address-pool Address_Pool
 default-group-policy vpntest
tunnel-group vpntest ipsec-attributes
 pre-shared-key *
tunnel-group vpncity type ipsec-ra
tunnel-group vpncity general-attributes
 address-pool (Inside) Address_Pool
 address-pool Address_Pool
 authentication-server-group Radius
 authentication-server-group (Inside) Radius
 default-group-policy vpncity
tunnel-group vpncity ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
: end
