New Member

Remote VPN connection as well as internet

Hi,

We have a Cisco ASA 5512-X, and we have configured the site-to-site VPN (IPsec tunnel) as well as the Cisco remote VPN client. Both are working fine.

The problem is this:

When a user connects with the remote client VPN, they are able to access the corporate LAN, but they are not able to access the internet on their local machine.

I want the user to have the remote client VPN connection as well as his local internet.

Kindly help us to do this.

The present configuration is attached.



object network obj-10.90.5.0
 subnet 10.90.5.0 255.255.255.0

nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.90.5.0 obj-10.90.5.0 no-proxy-arp route-lookup

ip local pool testpool 10.90.5.1-10.90.5.100 mask 255.255.255.0   


crypto ipsec ikev1 transform-set us_3des esp-3des esp-md5-hmac   
crypto dynamic-map RVPN 1 set ikev1 transform-set us_3des       
crypto map CVPN 1 ipsec-isakmp dynamic RVPN                    
crypto map CVPN interface outside       


crypto ikev1 policy 1  
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


tunnel-group usnlgroup type ipsec-ra      
tunnel-group usnlgroup general-attributes   
 address-pool testpool    
tunnel-group usnlgroup ipsec-attributes
 ikev1 pre-shared-key *******  

username vinod password *****   

 

Accepted Solutions
New Member

If the PC loses internet after connecting to the VPN then it should be using tunnel-all as the split-tunnel-policy.

From your configuration I see that there is no group-policy configured on the tunnel-group.

To enable split-tunnel you can use the below configuration:

Note down the subnets that you need to allow over the client VPN. Apart from these subnets all other traffic will use your PC's local internet circuit.

access-list Split_Tunnel_List standard permit <LAN subnet> <mask>

group-policy usnlgroup internal
group-policy usnlgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List

tunnel-group usnlgroup general-attributes
 default-group-policy usnlgroup

Reconnect the VPN and then try accessing the internet.
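
The reasoning in the answer above (no group-policy bound to the tunnel-group means the client falls back to tunnel-all) can be checked mechanically against a saved configuration. The following is an added example, not part of the original post or any Cisco tool: the function names are illustrative, 192.168.0.0/24 stands in for the `<LAN subnet>` placeholder, and it assumes DfltGrpPolicy has not been modified from its default.

```python
# Constructed sample: the poster's tunnel-group as posted (no group-policy bound).
BEFORE = """\
tunnel-group usnlgroup type ipsec-ra
tunnel-group usnlgroup general-attributes
 address-pool testpool
"""
# Constructed sample: accepted answer applied; 192.168.0.0/24 is an assumed LAN.
AFTER = BEFORE + """\
 default-group-policy usnlgroup
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
group-policy usnlgroup internal
group-policy usnlgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

def parse(config):
    """Collect standard ACLs, group-policy attributes and tunnel-group bindings."""
    acls, policies, groups, ctx = {}, {}, {}, None
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):  # top-level command resets the sub-mode
            ctx = None
            if words[0] == "access-list" and words[2:4] == ["standard", "permit"]:
                acls.setdefault(words[1], []).append(" ".join(words[4:]))
            elif words[0] == "group-policy" and words[2:] == ["attributes"]:
                ctx = ("gp", policies.setdefault(words[1], {}))
            elif words[0] == "tunnel-group":
                groups.setdefault(words[1], "DfltGrpPolicy")
                if words[2:] == ["general-attributes"]:
                    ctx = ("tg", words[1])
        elif ctx and ctx[0] == "gp" and words[0].startswith("split-tunnel-"):
            ctx[1][words[0]] = words[-1]
        elif ctx and ctx[0] == "tg" and words[0] == "default-group-policy":
            groups[ctx[1]] = words[1]
    return acls, policies, groups

def effective_split_tunnel(config):
    """Return {tunnel-group: (policy, [networks sent through the tunnel])}."""
    acls, policies, groups = parse(config)
    result = {}
    for tg, gp in groups.items():
        attrs = policies.get(gp, {})
        policy = attrs.get("split-tunnel-policy", "tunnelall")  # ASA default
        nets = acls.get(attrs.get("split-tunnel-network-list"), [])
        result[tg] = (policy, nets if policy == "tunnelspecified" else [])
    return result

if __name__ == "__main__":
    print(effective_split_tunnel(BEFORE), effective_split_tunnel(AFTER))
```

Run against a saved configuration, the same function lists every tunnel-group that split-tunnels and which networks it sends through the tunnel, which is the set to review given the security trade-off raised later in the thread.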

7 REPLIES
Hall of Fame Super Silver

Please have a look at your group-policy. You will need some lines under the group-policy like:

      split-tunnel-policy tunnelspecified
      split-tunnel-network-list value vpn_tunnellist

The "vpn_tunnellist" parameter refers to an access-list with the remote networks specified, something like this:

     access-list vpn_tunnellist standard permit 192.168.0.0 255.255.255.0 
 

New Member

Hi,

Could you please send us the exact configuration to add to the older configuration?

New Member

See Cisco ASA - Remote VPN

VIP Purple

You have multiple ways to achieve this. Here are three:

  1. Place a proxy server into your internal network and reconfigure the proxy-settings of the client to use this proxy. This reconfiguration can be done automatically, controlled by the ASA. This is my favorite solution for company employees.
  2. If you can't or don't want to deploy a proxy you can send all Internet-traffic straight back to the internet. For that you need a NAT-rule (outside,outside) to do dynamic PAT for your VPN-Pool and you have to configure "same-security-traffic permit intra-interface". This is my second choice for company employees.
  3. Configure split-tunneling. With that, you only send traffic that is for your company through the tunnel and all the rest is allowed directly from the client to the internet. This is the least secure solution.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

New Member

Now my problem has been resolved. Thanks for your support.
New Member

Hi there,

Noob here. I am having the same issue but I am using a different VPN, the one here: http://www.primovpn.net. Will these same settings work for me?

Any help will be appreciated :)
