- Posts: 3
- Thank you received: 0
CiscoASA 5505 - VPN clients don't have internet
15 years 7 months ago #30299
by wbx
CiscoASA 5505 - VPN clients don't have internet was created by wbx
Hi, I have tried several configurations but nothing seems to work, so I am assuming the appliance is caching it all, i'm not unplugging it and plugging it back in and clearing it all to restart each time. Still I get either no access to internet from the VPN clients or no internal access, I tried the solution for allowing VPN users to surf withtouth a split and works but then no internal access.
I'm sorry I"m newby on this, can someone let me know whats wrong on my settings, I am attaching the config.
=========
ciscoasa(config)# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password ************** encrypted
passwd ************** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.17.1.1 255.255.255.0
!
interface Vlan2
description Internet ISP connection
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
access-list vpnaccess_splitTunnelAcl standard permit 10.17.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.17.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.17.1.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.17.1.50-10.17.1.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.17.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.17.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy vpnaccess internal
group-policy vpnaccess attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnaccess_splitTunnelAcl
username j password ************** encrypted privilege 0
username j attributes
vpn-group-policy vpnaccess
tunnel-group vpnaccess type ipsec-ra
tunnel-group vpnaccess general-attributes
address-pool vpnpool
default-group-policy vpnaccess
tunnel-group vpnaccess ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:**************
: end
ciscoasa(config)#
I'm sorry I"m newby on this, can someone let me know whats wrong on my settings, I am attaching the config.
=========
ciscoasa(config)# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password ************** encrypted
passwd ************** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.17.1.1 255.255.255.0
!
interface Vlan2
description Internet ISP connection
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
access-list vpnaccess_splitTunnelAcl standard permit 10.17.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.17.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.17.1.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.17.1.50-10.17.1.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.17.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.17.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy vpnaccess internal
group-policy vpnaccess attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnaccess_splitTunnelAcl
username j password ************** encrypted privilege 0
username j attributes
vpn-group-policy vpnaccess
tunnel-group vpnaccess type ipsec-ra
tunnel-group vpnaccess general-attributes
address-pool vpnpool
default-group-policy vpnaccess
tunnel-group vpnaccess ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:**************
: end
ciscoasa(config)#
15 years 7 months ago #30308
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: CiscoASA 5505 - VPN clients don't have internet
I had a quick look. Can you confirm that you need the following line?
[code:1]nat (outside) 1 10.17.1.0 255.255.255.0 [/code:1]
This is outside nat, try removing it if you don't need it. VPN can be configured to work without using outside NAT.
[code:1]nat (outside) 1 10.17.1.0 255.255.255.0 [/code:1]
This is outside nat, try removing it if you don't need it. VPN can be configured to work without using outside NAT.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 7 months ago #30402
by Blake
Replied by Blake on topic Re: CiscoASA 5505 - VPN clients don't have internet
I agree with the above statement, this line needs removed, not sure that will fix your problem but not actually sure what you are trying to accomplish with that statement, i would have actually expected that statement to read (inside) instead of outside actually.
nat (outside) 1 10.17.1.0 255.255.255.0
nat (outside) 1 10.17.1.0 255.255.255.0
15 years 6 months ago #30440
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: CiscoASA 5505 - VPN clients don't have internet
wbx,
Make the necessary changes to your configuration to bring it to this point and issue the following command:
isakmp nat-traversal 20
or
crypto isakmp nat-traversal 20
Then connect your clients and see if you have access to the internal network.
This assumes that you still use the dynamic crypto map 20 commands (crypto dynamic-map outside_dyn_map 20) in that configuration.
Give it a go and let us know.
Cheers,
[/code]
I tried the solution for allowing VPN users to surf withtouth a split and works but then no internal access.
Make the necessary changes to your configuration to bring it to this point and issue the following command:
isakmp nat-traversal 20
or
crypto isakmp nat-traversal 20
Then connect your clients and see if you have access to the internal network.
This assumes that you still use the dynamic crypto map 20 commands (crypto dynamic-map outside_dyn_map 20) in that configuration.
Give it a go and let us know.
Cheers,
[/code]
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Time to create page: 0.128 seconds