Remote VPN connection as well as internet

dabur10376004
Level 1

Hi,

 

We have a Cisco ASA 5512-X and have configured a site-to-site VPN (IPsec tunnel) as well as the Cisco remote VPN client. Both are working fine.

The problem is this:

When a user connects with the remote client VPN, they are able to access the corporate LAN but are not able to access the internet from their local machine.

I want users to keep their local internet access while connected with the remote client VPN.

Kindly help us to do this.

Present configuration is attached.

 


! VPN client address pool as a network object (used for the NAT exemption below)
object network obj-10.90.5.0
 subnet 10.90.5.0 255.255.255.0

! Identity (no-NAT) rule: LAN <-> VPN pool; obj-192.168.0.0 is defined elsewhere in the running config
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.90.5.0 obj-10.90.5.0 no-proxy-arp route-lookup

ip local pool testpool 10.90.5.1-10.90.5.100 mask 255.255.255.0

! Phase 2 (IPsec) for the remote-access clients, bound to the outside interface
crypto ipsec ikev1 transform-set us_3des esp-3des esp-md5-hmac
crypto dynamic-map RVPN 1 set ikev1 transform-set us_3des
crypto map CVPN 1 ipsec-isakmp dynamic RVPN
crypto map CVPN interface outside

! Phase 1 (IKEv1) policy
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! Remote-access tunnel-group; note: no default-group-policy is set here
tunnel-group usnlgroup type ipsec-ra
tunnel-group usnlgroup general-attributes
 address-pool testpool
tunnel-group usnlgroup ipsec-attributes
 ikev1 pre-shared-key *******

username vinod password *****

 

Accepted Solution

Raja Periyasamy
Level 1

If the PC loses internet after connecting to the VPN then it should be using tunnel-all as the split-tunnel-policy.

From your configuration I see that there is no group-policy configured on the tunnel-group.

To enable split-tunnel you can use the below configuration

Note down the subnets that you need to allow over the client VPN. Apart from these subnets all other traffic will use your PC's local internet circuit.

access-list Split_Tunnel_List standard permit <LAN subnet> <mask>

group-policy usnlgroup internal
group-policy usnlgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List

tunnel-group usnlgroup general-attributes
 default-group-policy usnlgroup

Reconnect the VPN and then try accessing the internet.


7 Replies

Marvin Rhoads
Hall of Fame

Please have a look at your group-policy. You will need some lines under the group-policy like:

      split-tunnel-policy tunnelspecified
      split-tunnel-network-list value vpn_tunnellist

The "vpn_tunnellist" parameter refers to an access-list with the remote networks specified, something like this:

     access-list vpn_tunnellist standard permit 192.168.0.0 255.255.255.0 
 

hi,

Could you please send us the exact configuration to add to the existing configuration?

You have multiple ways to achieve this. Here are three:

  1. Place a proxy server into your internal network and reconfigure the proxy-settings of the client to use this proxy. This reconfiguration can be done automatically, controlled by the ASA. This is my favorite solution for company employees.
  2. If you can't or don't want to deploy a proxy you can send all Internet-traffic straight back to the internet. For that you need a NAT-rule (outside,outside) to do dynamic PAT for your VPN-Pool and you have to configure "same-security-traffic permit intra-interface". This is my second choice for company employees.
  3. Configure split-tunneling. With that, you only send traffic that is for your company through the tunnel and all the rest is allowed directly from the client to the internet. This is the least secure solution.
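As an added example (not part of this thread and not Cisco tooling), the following Python script audits an ASA running-config for exactly the situation discussed in the accepted answer and in option 2 above: for each remote-access tunnel-group it works out which group-policy is in effect, whether that policy is split-tunnel or tunnel-all, and, for tunnel-all, whether the two hairpin prerequisites (`same-security-traffic permit intra-interface` and a dynamic `nat (outside,outside)` rule for the pool) are present. `OP_CONFIG` reproduces the fragment from the original post; `FIXED_CONFIG` is constructed and assumes 192.168.0.0/24 as the LAN subnet and an illustrative twice-NAT hairpin rule, neither of which the thread states.

```python
"""Audit a Cisco ASA config for how remote-access VPN clients reach the internet:
'split-tunnel' (accepted answer), 'hairpin' back out 'outside' (option 2 above),
or 'none' (the symptom in the original post). Example code added to this thread;
not Cisco's tooling and not the poster's full configuration."""
import re

# Fragment as pasted in the original post: no default-group-policy is bound to
# the tunnel-group, so the ASA falls back to DfltGrpPolicy (tunnel-all).
OP_CONFIG = """\
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.90.5.0 obj-10.90.5.0 no-proxy-arp route-lookup
ip local pool testpool 10.90.5.1-10.90.5.100 mask 255.255.255.0
tunnel-group usnlgroup type ipsec-ra
tunnel-group usnlgroup general-attributes
 address-pool testpool
"""

# Constructed: the accepted answer's split-tunnel policy (LAN 192.168.0.0/24 is an
# assumption) plus the two lines option 2 needs to hairpin the VPN pool (illustrative).
FIXED_CONFIG = OP_CONFIG + """\
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic obj-10.90.5.0 interface
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
group-policy usnlgroup internal
group-policy usnlgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group usnlgroup general-attributes
 default-group-policy usnlgroup
"""

REMOTE_ACCESS = {"ipsec-ra", "remote-access"}


def parse_sections(config):
    """Split a config into (command, [sub-mode lines]); indented lines belong to
    the preceding top-level command, as in 'show running-config'."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections


def _attr(body, pattern):
    """First capture group of `pattern` among a section's sub-mode lines, or None."""
    for line in body:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def parse_config(config):
    """Collect the pieces the audit needs: group-policies, tunnel-groups, ACL
    names, and the two hairpin prerequisites."""
    st = {"group_policies": {}, "tunnel_groups": {}, "acls": set(),
          "intra_interface": False, "hairpin_nat": False}
    for header, body in parse_sections(config):
        w = header.split()
        if header == "same-security-traffic permit intra-interface":
            st["intra_interface"] = True
        elif w[0] == "access-list":
            st["acls"].add(w[1])
        elif w[0] == "nat" and w[1] == "(outside,outside)" and "dynamic" in w:
            st["hairpin_nat"] = True
        elif w[0] == "group-policy":
            gp = st["group_policies"].setdefault(w[1], {})
            if w[2] == "attributes":
                for key in ("split-tunnel-policy", "split-tunnel-network-list"):
                    val = _attr(body, key + r"(?: value)? (\S+)")
                    if val:
                        gp[key] = val
        elif w[0] == "tunnel-group":
            tg = st["tunnel_groups"].setdefault(w[1], {})
            if w[2] == "type":
                tg["type"] = w[3]
            elif w[2] == "general-attributes":
                for key in ("default-group-policy", "address-pool"):
                    val = _attr(body, key + r" (\S+)")
                    if val:
                        tg[key] = val
    return st


def audit(config):
    """Per remote-access tunnel-group: effective group-policy, split-tunnel mode,
    the internet path clients get, and what is missing if they get none."""
    st = parse_config(config)
    report = {}
    for name, tg in st["tunnel_groups"].items():
        if tg.get("type") not in REMOTE_ACCESS:
            continue
        # No default-group-policy -> built-in DfltGrpPolicy, whose policy is tunnelall.
        policy = tg.get("default-group-policy", "DfltGrpPolicy")
        gp = st["group_policies"].get(policy, {})
        mode = gp.get("split-tunnel-policy", "tunnelall")
        acl = gp.get("split-tunnel-network-list")
        problems = []
        if mode == "tunnelall":
            # Option 2: internet traffic must be allowed back out 'outside' and PATed.
            if not st["intra_interface"]:
                problems.append("missing: same-security-traffic permit intra-interface")
            if not st["hairpin_nat"]:
                problems.append("missing: nat (outside,outside) dynamic rule for the VPN pool")
            path = "hairpin" if not problems else "none"
        else:
            # tunnelspecified / excludespecified need a network list that exists.
            if acl is None:
                problems.append("split-tunnel-network-list is not set")
            elif acl not in st["acls"]:
                problems.append(f"split-tunnel ACL {acl} is not defined")
            path = "split-tunnel" if not problems else "none"
        report[name] = {"group_policy": policy, "split_tunnel_policy": mode,
                        "internet_path": path, "problems": problems}
    return report


if __name__ == "__main__":
    for label, cfg in (("as posted", OP_CONFIG), ("with the fix", FIXED_CONFIG)):
        for tg, r in audit(cfg).items():
            print(f"{label}: {tg} -> {r['group_policy']} ({r['split_tunnel_policy']}), "
                  f"internet via {r['internet_path']} {r['problems']}")
```

Run it against the output of `show running-config` saved to a file; on the fragment as posted it reports DfltGrpPolicy, tunnel-all and no internet path, which is the behaviour described in the question, and on the fixed config it reports the split tunnel. Removing the two split-tunnel lines from the fixed config makes it report the hairpin path instead, which is how option 2 looks to the checker.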


Now my problem has been resolved. Thanks for your support.

Hi there,

Noob here. I am having the same issue but I am using a different VPN, the one here: http://www.primovpn.net. Will these same settings work for me?

Any help will be appreciated :)
