09-09-2014 07:32 AM
Hi,
We have a Cisco ASA 5512-X, and we have configured the site-to-site VPN (IPsec tunnel) as well as the Cisco remote VPN client. Both are working fine.
The problem is this:
When a user connects with the remote client VPN, they are able to access the corporate LAN, but they are not able to access the internet on their local machine.
I want the user to have the remote client VPN connection as well as their local internet.
Kindly help us to do this.
The present configuration is attached.
object network obj-10.90.5.0
 subnet 10.90.5.0 255.255.255.0
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.90.5.0 obj-10.90.5.0 no-proxy-arp route-lookup
ip local pool testpool 10.90.5.1-10.90.5.100 mask 255.255.255.0
crypto ipsec ikev1 transform-set us_3des esp-3des esp-md5-hmac
crypto dynamic-map RVPN 1 set ikev1 transform-set us_3des
crypto map CVPN 1 ipsec-isakmp dynamic RVPN
crypto map CVPN interface outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group usnlgroup type ipsec-ra
tunnel-group usnlgroup general-attributes
 address-pool testpool
tunnel-group usnlgroup ipsec-attributes
 ikev1 pre-shared-key *******
username vinod password *****
09-09-2014 11:28 PM
If the PC loses internet after connecting to the VPN then it should be using tunnel-all as the split-tunnel-policy.
From your configuration I see that there is no group-policy configured on the tunnel-group.
To enable split-tunnel you can use the below configuration:
Note down the subnets that you need to allow over the client VPN. Apart from these subnets all other traffic will use your PC's local internet circuit.
access-list Split_Tunnel_List standard permit <LAN subnet> <mask>
group-policy usnlgroup internal
group-policy usnlgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group usnlgroup general-attributes
 default-group-policy usnlgroup
Reconnect the VPN and then try accessing the internet.
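Added example (not part of any post in this thread, and not Cisco code): a Python check that reads ASA configuration text and reports, for each remote-access tunnel-group, the effective split-tunnel-policy and the networks sent through the tunnel. A tunnel-group with no default-group-policy falls back to DfltGrpPolicy, whose default is tunnelall. The sample configs are constructed from the lines quoted above, and the 192.168.0.0/24 LAN subnet is an assumed value for the `<LAN subnet> <mask>` placeholder.

```python
import ipaddress
from collections import defaultdict

def parse(config):
    """Collect standard ACLs ("<network> <mask>" entries only), group-policies, RA tunnel-groups."""
    acls, gps, tgs = defaultdict(list), defaultdict(dict), {}
    ctx = None  # (kind, name) of the sub-mode the following lines belong to
    for line in config.splitlines():
        w = line.split()
        if len(w) == 6 and w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            acls[w[1]].append(ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False))
        elif len(w) == 3 and w[0] == "group-policy" and w[2] == "attributes":
            ctx = ("gp", w[1])
        elif len(w) >= 3 and w[0] == "tunnel-group":
            if w[2] == "type" and w[-1] in ("ipsec-ra", "remote-access"):
                tgs.setdefault(w[1], None)  # None = no default-group-policy bound yet
            ctx = ("tg", w[1]) if w[2] == "general-attributes" else None
        elif ctx and ctx[0] == "gp" and len(w) == 2 and w[0] == "split-tunnel-policy":
            gps[ctx[1]]["policy"] = w[1]
        elif ctx and ctx[0] == "gp" and len(w) == 3 and w[:2] == ["split-tunnel-network-list", "value"]:
            gps[ctx[1]]["acl"] = w[2]
        elif ctx and ctx[0] == "tg" and ctx[1] in tgs and len(w) == 2 and w[0] == "default-group-policy":
            tgs[ctx[1]] = w[1]
    return acls, gps, tgs

def effective(config):
    """Return {tunnel_group: (policy, [networks sent through the tunnel])}."""
    acls, gps, tgs = parse(config)
    out = {}
    for tg, gp in tgs.items():
        # unset attributes are inherited from DfltGrpPolicy; its own default is tunnelall
        own, dflt = gps.get(gp or "DfltGrpPolicy", {}), gps.get("DfltGrpPolicy", {})
        policy = own.get("policy") or dflt.get("policy") or "tunnelall"
        acl = own.get("acl") or dflt.get("acl")
        nets = acls.get(acl, []) if policy == "tunnelspecified" else []
        out[tg] = (policy, [str(n) for n in nets])
    return out

# Constructed samples: the tunnel-group as first posted, then with the split-tunnel lines added.
BEFORE = """tunnel-group usnlgroup type ipsec-ra
tunnel-group usnlgroup general-attributes
"""
AFTER = BEFORE + """access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
group-policy usnlgroup internal
group-policy usnlgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group usnlgroup general-attributes
 default-group-policy usnlgroup
"""
```

Calling `effective()` on a saved running-config shows which remote-access groups still send all client traffic through the ASA. A `tunnelspecified` result with an empty network list means the referenced access-list is missing from the config.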
09-09-2014 08:43 AM
Please have a look at your group-policy. You will need some lines under the group-policy like:
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_tunnellist
The "vpn_tunnellist" parameter refers to an access-list with the remote networks specified, something like this:
access-list vpn_tunnellist standard permit 192.168.0.0 255.255.255.0
09-09-2014 11:12 PM
Hi,
Could you please send us the exact configuration to add to the older configuration?
09-10-2014 03:07 AM
09-09-2014 08:47 AM
You have multiple ways to achieve this. Here are three:
09-10-2014 04:16 AM
09-25-2014 08:34 PM
Hi there,
Noob here. I am having the same issue, but I am using a different VPN, the one here: http://www.primovpn.net. Will these same settings work for me?
Any help will be appreciated :)