Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA VPN Users Internet access

Hello,

I am configuring an ASA 5505 for remote users to access a network. VPN users can authenticate against the domain controller, connect and obtain a vaild IP. The local DNS server is resolving domain names for the users as well and the remote users can access all systems behind the ASA. Users are not able to access the internet once connected.

The config is posted below does anyone see anything funky?

: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.21.0 RemoteUsersSubnet description VPN User Subnet
name 192.168.20.2 domaincontroller description Domain Controller
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login 
ftp mode passive dns server-group DefaultDNS domain-name DOMAIN
same-security-traffic permit intra-interface access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any access-list inside_access_in extended permit ip RemoteUsersSubnet 255.255.255.0 any access-list outside_access_in extended permit ip RemoteUsersSubnet 255.255.255.0 any access-list TestACL standard permit host 0.0.0.0 access-list inside_nat0_outbound extended permit ip any RemoteUsersSubnet 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool RemoteUsers 192.168.21.10-192.168.21.40 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 192.168.20.0 255.255.255.0 nat (outside) 0 RemoteUsersSubnet 255.255.255.0 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute aaa-server DOMAIN protocol nt aaa-server DOMAIN (inside) host DOMAINCONTROLLER
nt-auth-domain-controller 192.168.20.2 aaa authentication ssh console LOCAL http server enable http XXX.XXX.XXX.XXX 255.255.255.255 outside http RemoteUsersSubnet 255.255.255.0 inside http 192.168.20.0 255.255.255.0 inside http 192.168.1.0 255.255.255.0 inside http XXX.XXX.XXX.XXX 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal  20 telnet timeout 5 ssh XXX.XXX.XXX.XXX 255.255.255.255 outside ssh timeout 5 console timeout 0 dhcpd auto_config outside ! group-policy DfltGrpPolicy attributes banner none wins-server value 192.168.20.2 dns-server value 192.168.20.2 dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn   functions url-entry   html-content-filter none   homepage none   keep-alive-ignore 4   http-comp gzip   filter none   url-list none   customization value DfltCustomization   port-forward none   port-forward-name value Application Access   sso-server none   deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information   svc none   svc keep-installer installed   svc keepalive none   svc rekey time none   svc rekey method none   svc dpd-interval client none   svc dpd-interval gateway none   svc compression deflate group-policy RemoteUsers internal group-policy RemoteUsers attributes banner value wins-server value 192.168.20.2 dns-server value 192.168.20.2 vpn-tunnel-protocol IPSec password-storage enable ipsec-udp enable split-tunnel-policy excludespecified split-tunnel-network-list value TestACL default-domain value DEFAULTDOMAIN
backup-servers clear-client-config address-pools value RemoteUsers username ADMIN password FaKbw/.bzwrZp.L3 encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes dhcp-server DOMAINCONTROLLER
tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group RemoteUsers type ipsec-ra tunnel-group RemoteUsers general-attributes address-pool RemoteUsers authentication-server-group DOMAIN LOCAL default-group-policy RemoteUsers tunnel-group RemoteUsers ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:df34902825b1b9836c79d5a907ef124c : end asdm image disk0:/asdm-524.bin asdm location DOMAINCONTROLLER 255.255.255.255 inside asdm location 0.0.0.0 255.255.255.255 inside asdm history enable
2 REPLIES
Cisco Employee

Re: ASA VPN Users Internet access

which group policy you are using,can you confgure split tunnel as per

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

New Member

Re: ASA VPN Users Internet access

Thanks for the quick reply.  I am using the RemoteUsers policy group and I was able to setup split tunnels and maintain internet connectivty.  However, I am unable to ping or access the ASA device as a remote VPN user and would like to tunnel all user traffic through the VPN. Any thoughts?

494
Views
0
Helpful
2
Replies
CreatePlease to create content