Here are a few sample configurations for your reference:
Hope that helps.
Your configuration looks fine. I am using ASA software version 7.0(7)
Device Manager version 5.0(7)
My device is not getting some commands, from
Issue this command:
ASA-AIP-CLI(config)#tunnel-group hillvalleyvpn ipsec-ra
There is a typo in the document.
The following line:
tunnel-group hillvalleyvpn ipsec-ra
tunnel-group hillvalleyvpn type ipsec-ra
Yes, you are right. I already found the correct command with the keyword (type). Now I am facing a problem: my internal network is not accessible via the VPN connection.
I connect using the Cisco VPN client and it connects successfully, but it is not accessing my application or pinging my internal network. Maybe split tunneling is required here. What do you say?
I found a document, perhaps the one specified by you, ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example. I followed the steps specified in this document but there is no effect.
In the standard ACL, I replaced the example IP with my servers' VLAN network, i.e. 192.168.1.0, but it doesn't work. Then I also permitted my VPN pool IP subnet 192.168.55.0, but the result is the same.
My ASA is configured with 3 interfaces: inside, outside and DMZ. Servers are in the DMZ.
DMZ security level 50
Inside security level 100
Outside security level 0
Outside network IP 192.168.75.0
DMZ network 192.168.1.0
My objective is to access the servers in DMZ interface.
You would also need to configure NAT exemption for DMZ as follows:
access-list dmz-nonat permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (DMZ) 0 access-list dmz-nonat
Hope that resolves it.
Yes, it's working fine right now. My internal network is accessible now, thanks again.
Now I am concerned with my NAT rule, which I was previously using in my Cisco 2811 router. VPN clients were also connecting to the 2811; now I have removed it and am using the ASA as gateway, and VPN clients are connecting to the ASA.
The NAT rule which I was using in the Cisco 2811 router:
ip nat inside source static tcp 192.168.1.15 80 interface FastEthernet0/1 80
By using this command I was able to use my web application. Now I want to use it with the ASA.
What public IP address do you want to use to NAT 192.168.1.15? Would it be the ASA outside interface IP address?
If it is, then you would need to configure the following:
static (DMZ,outside) tcp interface 80 192.168.1.15 80 netmask 255.255.255.255
And on the outside interface, you would need to configure an ACL to allow TCP/80 in.
The ASA outside interface is a private IP, 192.168.75.2.
Above the ASA, I am using an internet link load balancing device, TP-Link TL-R488T. I have configured its 3 interfaces with 3 internet connections having different live IP subnets.
TP-Link local interface IP 192.168.75.1
I am looking to NAT the server at all my three available internet connections' live IPs.
All three internet links are configured on the TP-Link and internet link load balancing is working.
The TP-Link's local IP connected with the ASA is 192.168.75.1.
My users will access the web application via the internet by entering any of the above mentioned live IP addresses. When they enter any live IP in the browser, they will be redirected to my server 192.168.1.15 placed in the DMZ.
Your advised NAT command is working perfectly. My web application server is accessible now from the internet.
Now I am concerned with my ACL placed on the outside interface:
access-list outside_to_dmz extended permit ip any any
access-list outside_to_dmz extended permit tcp any any
access-group outside_to_dmz in interface outside
By applying this ACL, all ports are open for every kind of traffic. I want to restrict it to VPN, TCP 80 and TCP Remote Desktop 3389 only.
Please advise which ports should be open for the VPN client.
Since the VPN is terminated on the ASA itself, you do not need to open any specific ports. The ASA will automatically allow the VPN ports since it's terminated on itself.
I have applied an access-list to restrict some users from going over the internet:
access-list Internet extended permit ip 192.168.10.111 any
access-list Internet extended permit ip 192.168.10.4 any
access-group Internet out interface outside
This ACL should allow only two hosts to exit over the internet while all other local IPs should be denied, but when I apply this ACL to the outside interface in the out direction, my internet stops working on the allowed IPs.
What's the issue?
This is my last query. I am very thankful to you.
Please apply the access-list in the inbound direction on the internal interface.
Assuming that the user is on the inside interface, please apply as follows:
access-group Internet in interface inside
By applying this ACL, all other applications have stopped working. Inside users are unable to access resources in the DMZ.
I want inside users to have access only to the DMZ; they should not pass the outside interface.
For inside to DMZ access, you would also need to add the following ACL:
access-list Internet extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
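To show how the pieces of advice in this thread fit together, here is one consistent ACL and NAT set as an added example; it is not a configuration posted by either participant. It assumes the inside subnet is 192.168.10.0/24, the DMZ is 192.168.1.0/24, the VPN pool is 192.168.55.0/24 and the web/RDP server is 192.168.1.15, as given above; the 3389 static is an assumed addition, since the thread only shows the port 80 one.

```cisco
! Added example assembled from this thread's advice, not a poster's config.
! Assumed addressing: inside 192.168.10.0/24, DMZ 192.168.1.0/24,
! VPN pool 192.168.55.0/24, server 192.168.1.15 (all taken from the thread).

! --- Outside, inbound: publish only TCP/80 and TCP/3389, not "permit ip any any" ---
! With a static to the interface address, the ACE matches the outside interface IP.
access-list outside_to_dmz extended permit tcp any interface outside eq www
access-list outside_to_dmz extended permit tcp any interface outside eq 3389
! Everything else arriving on outside is dropped by the implicit deny at the end.
! No ACE for the VPN itself is needed: the tunnel terminates on the ASA (see above).
access-group outside_to_dmz in interface outside

! Port forwards to the DMZ server (port 80 from the thread; 3389 is an assumed addition).
static (DMZ,outside) tcp interface 80 192.168.1.15 80 netmask 255.255.255.255
static (DMZ,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255

! --- Inside, inbound: two hosts may go anywhere, everyone else reaches the DMZ only ---
! ACEs are evaluated top to bottom; the first match wins.
access-list Internet extended permit ip host 192.168.10.111 any
access-list Internet extended permit ip host 192.168.10.4 any
access-list Internet extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
! Implicit deny: every other inside host is blocked from leaving via outside.
! Applied inbound on inside, as advised, rather than outbound on outside.
access-group Internet in interface inside

! --- NAT exemption so VPN clients reach the DMZ with their pool addresses (from the thread) ---
access-list dmz-nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (DMZ) 0 access-list dmz-nonat
```

If the inside-to-DMZ ACE is omitted, the inside ACL's implicit deny also blocks inside users from the DMZ, which is the symptom described above.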
And where, on which interface in/out, will this ACL be applied? DMZ?
Can you please explain: if we apply an ACL at the outside interface out, like
access-list Internet extended permit ip host 192.168.10.111 any
and apply it:
access-group Internet out interface outside
by applying only this ACL, it should allow only host 192.168.10.111 to go over the Internet and all the others should be denied by the implicit deny.
What do you say?
Secondly, the VPN connection speed is very slow. It was quite excellent while I was using the Cisco 2811 router.