Cisco ASA 5505 - VPN Configuration

mramirez
Level 1

I am trying to set up a VPN connection to allow clients to access the internal network. I have tried using the VPN wizard time & time again, but the client will connect but can get out to the internet & communicate with any host on the network. I have tried using a DHCP VPN pool in either the 192.x.x.x or the 10.10.1.X network but no luck.

Any comments or suggestions appreciated.

Marwan ALshawi
VIP Alumni

To solve your problem you need split tunneling.

With split tunneling you include what should be tunneled over the VPN; anything else will go to the normal client setting, like the default gateway for internet.

do:

access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0

group-policy VPNT attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

So only traffic included in ACL Split_Tunnel_List will be included in the VPN tunnel; anything else, as mentioned, will use the normal PC setting.

Use the following link as a reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

good luck

if helpful rate

Hi Marwan,

Let me try as you said & will give you an update.

Thanks for your input!

Hi Marwan,

The commands that you suggested did work out great! When I VPN into the ASA, I am able to get out to the internet. The only other issue is that I cannot ping or access any of the hosts on the 192.168.1.0 network. How do I go about doing this? What I want to accomplish is access some network drives on a Microsoft Windows 2003 server.

Thanks in advance.

Manny

Thanks.

One other quick question: how do I increase the time before the VPN session times out? As of right now, it times out at about 10 minutes.

Thanks.

Sorry, I forgot to include the latest config.

What's the reason for those commands?

nat (Outside) 0 access-list policyPAT

nat (Outside) 5 10.10.1.0 255.255.255.0

If there is no specific reason, remove them

and put the following command:

sysopt connection permit-ipsec

in global configuration mode to allow the VPN traffic to bypass interface access lists

good luck

if helpful Rate

I will try it out & give you the results.

Thanks for your efforts by the way.

Hi Marwan,

Your suggestions worked out great & I am able to access the internet & network drives on the 192.168.1.0 network. I removed the 2 commands & inserted the sysopt connection permit-ipsec command. It worked without the sysopt command but I inserted it anyways because from my understanding it permits IPsec traffic without checking the ACLs?

Anyways thank you so much for all your help.

Manny
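
An added example, not part of the thread and not Cisco tooling: a small Python check over ASA config text that reports, for each group policy, which networks are tunneled and whether VPN clients are left unfiltered once `sysopt connection permit-ipsec` lets decrypted traffic skip the interface ACLs (a `vpn-filter` in the group policy is then the place to restrict them). The `OPEN` policy in the sample is hypothetical, and the script assumes the bypass is active unless the `no` form of the command appears.

```python
import re

# Constructed sample: the commands quoted in this thread plus a hypothetical
# second group policy (OPEN) that keeps the tunnel-everything policy.
SAMPLE = """\
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
group-policy VPNT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
group-policy OPEN attributes
 split-tunnel-policy tunnelall
sysopt connection permit-ipsec
"""

def audit(config):
    """Summarise, per group policy, what is tunneled and whether it is filtered.

    Expects running-config style text where sub-commands are indented.
    Inheritance from the default group policy is not modelled.
    """
    acls, policies, current = {}, {}, None
    # Assumption: decrypted VPN traffic bypasses interface ACLs unless the
    # 'no' form of the sysopt command (permit-ipsec or permit-vpn) is present.
    bypass = not re.search(r"^no sysopt connection permit-(ipsec|vpn)\b", config, re.M)
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "access-list" and words[2:4] == ["standard", "permit"]:
            acls.setdefault(words[1], []).append(" ".join(words[4:]))
        elif words[0] == "group-policy" and words[-1] == "attributes":
            current = policies.setdefault(words[1], {})
        elif not line[0].isspace():
            current = None  # any other top-level command ends the block
        elif current is not None:
            if words[0] == "split-tunnel-policy":
                current["policy"] = words[1]
            elif words[:2] == ["split-tunnel-network-list", "value"]:
                current["acl"] = words[2]
            elif words[:2] == ["vpn-filter", "value"]:
                current["filter"] = words[2]
    report = {}
    for name, p in policies.items():
        if p.get("policy") == "tunnelspecified":
            tunneled = acls.get(p.get("acl"), [])  # [] means the ACL is missing
        else:
            tunneled = ["all"]  # tunnelall: internet traffic also enters the tunnel
        report[name] = {"tunneled": tunneled,
                        "unfiltered": bypass and "filter" not in p}
    return report
```

An empty `tunneled` list means the policy names a split-tunnel ACL that is not defined in the config.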
