ASA 5505 Split Tunneling configured but still all traffic Tunneling

Similar Questions

• ASA 5505 VPN works great but can't access internet via the tunnel to customers

  We have an ASA 5505 ASA 8.2.1 running and using IPSec for Remote access clients in the main office.  Remote access is a lot of work, with full access to network resources in the main office and the only thing I can't get to work is access to internet through the tunnel.  I don't want to use split tunneling.  I use ASDM 6.2.1 for configuration.  Any help is appreciated.  I'm probably missing something simple and it looked so much, I'm probably looking at right beyond the error.  Thanks in advance for your time and help!    Jim

  Add a statement of nat for your segment of customer on the external interface

  NAT (outside) - access list

  then allow traffic routing back on the same interface, it is entered in the

  permit same-security-traffic intra-interface

  *

  *

  * more than information can be found here:

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...

  On Wednesday, 27 January 2010, at 23:12, jimcanova

• ASA 5505 IPSEC VPN connected but cannot access the local network

  ASA: 8.2.5

  ASDM: 6.4.5

  LAN: 10.1.0.0/22

  Pool VPN: 172.16.10.0/24

  Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

  I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

  Here is my setup, wrong set up anything?

  ASA Version 8.2 (5)

  !

  hostname asatest

  domain XXX.com

  activate 8Fw1QFqthX2n4uD3 encrypted password

  g9NiG6oUPjkYrHNt encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 10.1.1.253 255.255.252.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  address IP XXX.XXX.XXX.XXX 255.255.255.240

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS server-group DefaultDNS

  domain vff.com

  vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

  access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

  pager lines 24

  Enable logging

  timestamp of the record

  logging trap warnings

  asdm of logging of information

  logging - the id of the device hostname

  host of logging inside the 10.1.1.230

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA-server protocol nt AD

  AAA-server host 10.1.1.108 AD (inside)

  NT-auth-domain controller 10.1.1.108

  Enable http server

  http 10.1.0.0 255.255.252.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 10.1.0.0 255.255.252.0 inside

  SSH timeout 20

  Console timeout 0

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal group vpntest strategy

  Group vpntest policy attributes

  value of 10.1.1.108 WINS server

  Server DNS 10.1.1.108 value

  Protocol-tunnel-VPN IPSec l2tp ipsec

  disable the password-storage

  disable the IP-comp

  Re-xauth disable

  disable the PFS

  IPSec-udp disable

  IPSec-udp-port 10000

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list vpntest_splitTunnelAcl

  value by default-domain XXX.com

  disable the split-tunnel-all dns

  Dungeon-client-config backup servers

  the address value vpnpool pools

  admin WeiepwREwT66BhE9 encrypted privilege 15 password username

  username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

  the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

  tunnel-group vpntest type remote access

  tunnel-group vpntest General attributes

  address vpnpool pool

  authentication-server-group AD

  authentication-server-group (inside) AD

  Group Policy - by default-vpntest

  band-Kingdom

  vpntest group tunnel ipsec-attributes

  pre-shared-key BEKey123456

  NOCHECK Peer-id-validate

  !

  !

  privilege level 3 mode exec cmd command perfmon

  privilege level 3 mode exec cmd ping command

  mode privileged exec command cmd level 3

  logging of the privilege level 3 mode exec cmd commands

  privilege level 3 exec command failover mode cmd

  privilege level 3 mode exec command packet cmd - draw

  privilege show import at the level 5 exec mode command

  privilege level 5 see fashion exec running-config command

  order of privilege show level 3 exec mode reload

  privilege level 3 exec mode control fashion show

  privilege see the level 3 exec firewall command mode

  privilege see the level 3 exec mode command ASP.

  processor mode privileged exec command to see the level 3

  privilege command shell see the level 3 exec mode

  privilege show level 3 exec command clock mode

  privilege exec mode level 3 dns-hosts command show

  privilege see the level 3 exec command access-list mode

  logging of orders privilege see the level 3 exec mode

  privilege, level 3 see the exec command mode vlan

  privilege show level 3 exec command ip mode

  privilege, level 3 see fashion exec command ipv6

  privilege, level 3 see the exec command failover mode

  privilege, level 3 see fashion exec command asdm

  exec mode privilege see the level 3 command arp

  command routing privilege see the level 3 exec mode

  privilege, level 3 see fashion exec command ospf

  privilege, level 3 see the exec command in aaa-server mode

  AAA mode privileged exec command to see the level 3

  privilege, level 3 see fashion exec command eigrp

  privilege see the level 3 exec mode command crypto

  privilege, level 3 see fashion exec command vpn-sessiondb

  privilege level 3 exec mode command ssh show

  privilege, level 3 see fashion exec command dhcpd

  privilege, level 3 see the vpnclient command exec mode

  privilege, level 3 see fashion exec command vpn

  privilege level see the 3 blocks from exec mode command

  privilege, level 3 see fashion exec command wccp

  privilege see the level 3 exec command mode dynamic filters

  privilege, level 3 see the exec command in webvpn mode

  privilege control module see the level 3 exec mode

  privilege, level 3 see fashion exec command uauth

  privilege see the level 3 exec command compression mode

  level 3 for the show privilege mode configure the command interface

  level 3 for the show privilege mode set clock command

  level 3 for the show privilege mode configure the access-list command

  level 3 for the show privilege mode set up the registration of the order

  level 3 for the show privilege mode configure ip command

  level 3 for the show privilege mode configure command failover

  level 5 mode see the privilege set up command asdm

  level 3 for the show privilege mode configure arp command

  level 3 for the show privilege mode configure the command routing

  level 3 for the show privilege mode configure aaa-order server

  level mode 3 privilege see the command configure aaa

  level 3 for the show privilege mode configure command crypto

  level 3 for the show privilege mode configure ssh command

  level 3 for the show privilege mode configure command dhcpd

  level 5 mode see the privilege set privilege to command

  privilege level clear 3 mode exec command dns host

  logging of the privilege clear level 3 exec mode commands

  clear level 3 arp command mode privileged exec

  AAA-server of privilege clear level 3 exec mode command

  privilege clear level 3 exec mode command crypto

  privilege clear level 3 exec command mode dynamic filters

  level 3 for the privilege cmd mode configure command failover

  clear level 3 privilege mode set the logging of command

  privilege mode clear level 3 Configure arp command

  clear level 3 privilege mode configure command crypto

  clear level 3 privilege mode configure aaa-order server

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

  : end

  Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

  The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

  On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

• Write syslog to ASA 5505 VPN tunnel on syslog server?

  Hello

  Is it possible to let the ASA 5505 write syslog messages to a syslog server on the core network where the ASA 5550 is? (on the ipsec tunnel?)

  I tried this. The tunnel is up, but I get the message from routing could not locate the next hop for the NP (ASA 5505 ip) udp inside: (ip of the syslog server).

  THX,

  Marc

  MJonkers,

  I would suggest that you configure inside interface as the interface for management access. Include IP and IP address NAT syslog server interface inside 0 ACL and ACL crypto.

  You can order the "access management" when you want to run an ASA inside of interface through the VPN 7.2 below command reference:

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa72/command/reference/m_72.html#wp1780826

  I am running the VPN configuration on 8.2 and querying SNMP works.

  I hope this helps.

  Thank you

• Renew the certificate of identity on Cisco ASA 5505, do I have to renew all user certificates?

  n00b questions.

  I have to renew my SSL certificate of identity soon on my Cisco ASA 5505.  I'll have to renew all my certificates for client on their devices, so they can establish a vpn tunnel?

  Hi dsartoros,

  If you encounter a self signed (generated locally) identity certificate renewed, then you will need to download this certificate on the clients so that they can connect without getting "untrusted server certificate error".

  If you renew a certificate issued by a 3rd party CA (sending of CSR to CA) and certificate, then you will not need to make any changes on the client as they already trust the certification authority that issues the certificate first root.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• ASA 5505 VPN tunnel

  Hello again,

  can you please answer me a few questions that burned my head these days

  1 can I connect ASA5505 a WRT54GL router in a VPN tunnel so that the WRT54GL is the endpoint that connects to the ASA?

  2. If Yes can you tell me please which firmware should I use and the steps that will follow.

  3 if not can you me say what router should I use so that the VPN tunnel can be done.

  Thank you!

  Hi Svetoslav,

  I understand that you ask if you can establish a VPN site to site between an ASA 5505 and Linksys WRT54GL. Unfortunately, the WRT54GL doesn't support VPN endpoint. If you don't want to spend money on another ASA 5505 (which I recommend), you can watch the line Cisco Small Business firewall-lights/roads, like the RV320.

  http://www.Cisco.com/en/us/products/ps11997/index.html

  Kind regards

  Mike

• ASA 5505 Site tunnel site

  I have a simple question, but want to make sure, before I start.

  I have 3 5505 devices corp 1 and 1 to two areas of the site. Is it possible to have several tunnels on the asa corp? a #1 site and the other site #2?

  My license is based on the whole of the SAA.

  I already have remote user VPN configuration on the devices as well. Who does wrong or interfere with anything to add tunnels?

  Appreciate any help or advice.

  -Jon

  

  You can have up to 10 peers of vpn based on your license, which included the two vpn site-to-site and remote access.

  If the total number of simultaneous vpn peers is not greater than 10 (2 at most 8 and site to site vpn remote connected), you should be OK.

• ASA ACL split Tunnel

  Cisco ASA.

  For example, I have the subnet in the tunnel of splitting ACL 192.168.0.0/16. I need made an exception to remove 192.168.89.0/24 in the ACL CE-tunnel - what is the best way to do it?

  Hi rioneljeudy ,

  You can restrict the subnets in the ACL used for the tunnel of split for example change the 16 something more specific or apply a filter, VPN policy. See an example on the following link:

  http://www.Cisco.com/c/en/us/support/docs/security/PIX-500-series-security-appliances/99103-PIX-ASA-VPN-filter.html

  It may be useful

  -Randy-

• Split tunnel with ASA 5510 and PIX506.

  Hello

  I have the production between Asa 5510 (main office) and Pix 506 VPN tunnel. It is configured so that all traffic is encrypted and moves through the tunnel. This includes remote users behind Pix Internet traffic. I would like to use split tunnel and direct Internet traffic hitting the web directly from Pix instead of going through the tunnel. How can I do this safely? Please see current config Pix below:

  :
  6.3 (5) PIX version
  interface ethernet0 car
  interface ethernet1 10baset
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100

  clock timezone EDT - 5
  clock to summer time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 02:00
  No fixup protocol dns
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol they 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  No fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  no correction protocol tftp 69
  names of
  allow VPN 192.x.x.x 255.255.255.0 ip access list one
  LocalNet ip access list allow a whole
  pager lines 20
  opening of session
  monitor debug logging
  logging warnings put in buffered memory
  logging trap warnings
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside 24.x.x.x 255.255.255.0
  IP address inside192.x.x.x 255.255.255.0
  IP audit name Outside_Attack attack action alarm down reset
  IP audit name Outside_Recon info action alarm down reset
  interface IP outside the Outside_Recon check
  interface IP outside the Outside_Attack check
  alarm action IP verification of information
  reset the IP audit attack alarm drop action
  disable signing verification IP 2000
  disable signing verification IP 2001
  disable signing verification IP 2004
  disable signing verification IP 2005
  disable signing verification IP 2150
  PDM logging 100 information
  history of PDM activate
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0 access-list LocalNet
  Route outside 0.0.0.0 0.0.0.0 24.x.x.x
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  AAA-server GANYMEDE + 3 max-failed-attempts
  AAA-server GANYMEDE + deadtime 10
  RADIUS Protocol RADIUS AAA server
  AAA-server RADIUS 3 max-failed-attempts
  AAA-RADIUS deadtime 10 Server
  AAA-server local LOCAL Protocol
  Enable http server
  enable floodguard
  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp-3des esp-md5-hmac AMC
  map UrgentCare 10 ipsec-isakmp crypto
  card crypto UrgentCare 10 corresponds to the VPN address
  card crypto UrgentCare 10 set counterpart x.x.x.x
  card crypto UrgentCare 10 value transform-set AMC
  UrgentCare interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address x.x.x.x 255.255.255.255 netmask
  ISAKMP identity address
  part of pre authentication ISAKMP policy 20
  ISAKMP policy 20 3des encryption
  ISAKMP policy 20 md5 hash
  20 2 ISAKMP policy group
  ISAKMP duration strategy of life 20 86400
  SSH timeout 15
  Console timeout 0
  Terminal width 80
  Cryptochecksum:9701c306b05151471c437f29695ffdbd
  : end

  I would do something by changing the acl that applies to your crypto card. You want to know what you want to support above the tunnel and then deny other networks.

  If you have:

  192.168.3.0/24

  192.168.4.0/24

  10.10.10.0/24

  172.16.0.0/16

  Do something like:

  VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.3.0 255.255.255.0

  VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.4.0 255.255.255.0

  VPN access list allow 192.x.x.x ip 255.255.255.0 10.10.10.0 255.255.255.0

  VPN access list allow 192.x.x.x 255.255.255.0 ip 172.16.0.0 255.255.0.0

  Then when the traffic is destined for something other than these networks, it will go not to the ISP instead of the tunnel.

  HTH,

  John

• Configuration of VPN server easy to tunnel ALL traffic?

  Hi guys,.

  Someone at - it a link or a tutorial to point me in the right direction?  Here is the example that I follow:

  http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdf.PDF

  I would like to than the easy VPN client to tunnel all traffic through the vpn.  This includes internal and external.  Thus, for example, web browsing also would be through the tunnel from the client computer.

  Thanks for the help!

  Jason

  Hi Jason,

  Since no split-tunnels are configured here, yes all traffic will be sent through the tunnel.

  Please evaluate the useful messages

  Best regards

  Eugene

• ASA 5505 AnyConnect 8.2 connect other subnets from site to site

  Hello

  I'm somehwat new Cisco and routing. I have an installation of two ASA 5505 that are configured for the site to site vpn and AnyConnect. The AnyConnect subnet can connect to inside VLANs to the SiteA but I can't for the remote to Site B subnet when you use AnyConnect. Any ideas? I have to add the subnet of 10.0.7.0/24 to the site to site policy? Do I need to set up several NAT rules? Details below.

  Site A: ASA 5505 8.2

  Outside: 173.X.X.X/30

  Inside: 10.0.5.0/24

  AnyConnect: 10.0.7.0/24

  Site b: ASA 5505 8.2

  Outsdie: 173.X.X.X/30

  Inside: 10.0.6.0/24

  The AnyConnect subnet cannot access the network of 10.0.6.0/24.

  Any help would be greatly appreciated! Thank you!

  Hello Kevin,

  You must go back to identity (outdoors, outdoor) identity NAT (essentially for two subnets (Anyconnect and Remote_IPSec).

  And of course to include traffic in the ACL for IPSec crypto and (if used) split with the Anyconnect tunnel.

  Note all useful posts!

  Kind regards

  Jcarvaja

  Follow me on http://laguiadelnetworking.com

• VPN split Tunneling does not

  Hello

  First of all - thanks to all who post here.  I often browse the forums and search for help here and its very useful, so a big pat on the back for all who contribute.  My first post, so here goes...

  I've got my ASA 5505 v8.2 configured to allow the AnyConnect. This works.  Client can connect and access remote systems via VPN.  What causes me a massive headache, is the customer loses internet connectivity.  I played a bit with my config a bit so what I am about to post that I know for sure is incorrect, but any help is greatly appreciated.

  Notes

  1. the router was set up for a VPN site to site standard that is no longer functional, but as you can see all the settings are always in the router.

  2. the router also a DMZ configuration has to allow access to the internet with the help of the DMZ to some customers

  CONFIGURATION:

  ASA Version 8.2 (5)

  !

  hostname MYHOST

  activate mUUvr2NINofYuSh2 encrypted password

  UNDrnIuGV0tAPtz2 encrypted passwd

  names of

  name x.x.x.x LIKES-SD

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  switchport access vlan 7

  !

  interface Vlan1

  nameif inside

  security-level 100

  192.168.101.1 IP address 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP x.x.x.x 255.255.0.0

  !

  interface Vlan7

  prior to interface Vlan1

  nameif DMZ

  security-level 20

  IP 137.57.183.1 255.255.255.0

  !

  passive FTP mode

  clock timezone STD - 7

  the obj_any_dmz object-group network

  10 extended access-list allow ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0

  permit access ip host x.x.x.x 192.168.25.0 extended list no_nat 255.255.25 5.0

  tunneling split list of permitted access standard 192.168.101.0 255.255.255.0

  192.168.101.0 IP Access-list extended sheep 255.255.255.0 allow all

  pager lines 24

  Enable logging

  debug logging in buffered memory

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 DMZ

  mask 192.168.101.125 - 192.168.101.130 255.255.255.0 IP local pool Internal_Range

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global interface 10 (external)

  NAT (inside) 0-list of access no_nat

  NAT (inside) 1 access-list sheep

  NAT (DMZ) 10 137.57.183.0 255.255.255.0

  Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

  Route inside 192.168.8.0 255.255.255.0 192.168.101.2 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  http server enable 64000

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-aes-256 batus, esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  correspondence address card crypto 100 10 batus

  crypto batus 100 peer LIKES-SD card game

  batus batus 100 transform-set card crypto

  batus outside crypto map interface

  Crypto ca trustpoint ASDM_TrustPoint1

  registration auto

  name of the object CN = MYHOST

  ClientX_cert key pair

  Configure CRL

  string encryption ca ASDM_TrustPoint1 certificates

  certificate 0f817951

  308201e7 a0030201 30820150 0202040f 0d06092a 81795130 864886f7 0d 010105

  05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d 30

  1b06092a 864886f7 0d 010902 160e4149 4d452d56 504e2d42 41545553 301e170d

  31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117

  30150603 55040313 0e41494d 452-5650 4e2d4241 54555331 1d301b06 092 d has 8648

  86f70d01 0902160e 41494d 45 2d56504e 424154 55533081 9f300d06 092 2d has 8648

  86f70d01 01010500 03818d 30818902 00 818100c 9 ff840bf4 cfb8d394 2 c 940430

  1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3

  4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9

  db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c

  783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300 d 0609 2a 864886

  8181007e f70d0101 05050003 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8

  b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd 622 dc3d3821

  fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9

  7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3

  63ebd49d 30dd06f4 e0fa25

  quit smoking

  crypto ISAKMP allow outside

  crypto ISAKMP policy 40

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  Telnet timeout 5

  SSH 0.0.0.0 0.0.0.0 inside

  SSH 0.0.0.0 0.0.0.0 DMZ

  SSH timeout 10

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  SSL encryption rc4 - md5, rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1

  SSL-trust outside ASDM_TrustPoint1 point

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image

  enable SVC

  internal ClientX_access group strategy

  attributes of Group Policy ClientX_access

  VPN-tunnel-Protocol svc

  Split-tunnel-network-list value split tunneling

  access.local value by default-field

  the address value Internal_Range pools

  IPv6 address pools no

  WebVPN

  SVC mtu 1406

  generate a new key SVC time no

  SVC generate a new method ssl key

  username privilege 15 encrypted password ykAxQ227nzontdIh ClientX

  ClientX username attributes

  VPN-group-policy ClientX_access

  type of service admin

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared key *.

  tunnel-group ClientX type remote access

  attributes global-tunnel-group ClientX

  address pool Internal_Range

  Group Policy - by default-ClientX_access

  type tunnel-group SSLClientProfile remote access

  attributes global-tunnel-group SSLClientProfile

  Group Policy - by default-ClientX_access

  type tunnel-group ClientX_access remote access

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1

  : end

  -----------------------

  Thanks for any help!

  In your group strategy, you specified the ACLs that should be used for split Tunneling, but you forgot to change the policy, so the ASA always uses tunnel-all. Here's what you'll need:

  attributes of Group Policy ClientX_access

  Split-tunnel-network-list value split tunneling

  Split-tunnel-policy tunnelspecified

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Windows - Internet access, no split Tunnel L2TP VPN Clients does not

  Greetings!

  I have four ASA 5505 that I configured with 4 site to site VPN tunnels (works perfectly) to connect to our company facilities 4. The ASA is also configured with remote access L2TP/IPsec so that a specific group of users of portable computers can connect to and access to all facilities. It also works very well except for one important exception - my split tunnel setting doesn't seem to work, because I can't connect to the Internet outside the VPN resources.

  I accept the inherent risk of allowing tunnels to split from a security point of view since I take the necessary steps to secure the systems used for remote access. I would appreciate any feedback on how to get the job of split tunnel.

  Here is the configuration:

  : Saved
  :
  ASA Version 1.0000 11
  !
  SGC hostname
  domain somewhere.com
  names of
  COMMENTS COMMENTS LAN 192.168.2.0 name description
  name 75.185.129.13 description of SGC - external INTERNAL ASA
  name 172.22.0.0 description of SITE1-LAN Ohio management network
  description of SITE2-LAN name 172.23.0.0 Lake Club Network
  name 172.24.0.0 description of training3-LAN network Southwood
  description of training3 - ASA 123.234.8.124 ASA Southwoods name
  INTERNAL name 192.168.10.0 network Local INTERNAL description
  description of name 192.168.11.0 INTERNAL - VPN VPN INTERNAL Clients
  description of Apollo name 192.168.10.4 INTERNAL domain controller
  description of DHD name 192.168.10.2 Access Point #1
  description of GDO name 192.168.10.3 Access Point #2
  description of Odyssey name 192.168.10.5 INTERNAL Test Server
  CMS internal description INTERNAL ASA name 192.168.10.1
  name 123.234.8.60 description of SITE1 - ASA ASA management Ohio
  description of SITE2 - ASA 123.234.8.189 Lake Club ASA name
  description of training3-VOICE name Southwood Voice Network 10.1.0.0
  name 172.25.0.0 description of training3-WIFI wireless Southwood
  !
  interface Vlan1
  nameif outside
  security-level 0
  IP address dhcp setroute
  !
  interface Vlan2
  nameif INSIDE
  security-level 100
  255.255.255.0 SGC-internal IP address
  !
  interface Vlan3
  nameif COMMENTS
  security-level 50
  IP 192.168.2.1 255.255.255.0
  !
  interface Ethernet0/0
  Time Warner Cable description
  !
  interface Ethernet0/1
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  interface Ethernet0/2
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  interface Ethernet0/3
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  interface Ethernet0/4
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  interface Ethernet0/5
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  interface Ethernet0/6
  Description for Wireless AP Trunk Port
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  interface Ethernet0/7
  Description for Wireless AP Trunk Port
  switchport access vlan 2
  switchport trunk allowed vlan 2-3
  switchport vlan trunk native 2
  switchport mode trunk
  !
  boot system Disk0: / asa821-11 - k8.bin
  Disk0: / config.txt boot configuration
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS domain-lookup outside
  INTERNAL DNS domain-lookup
  DNS domain-lookup GUEST
  DNS server-group DefaultDNS
  Name-Server 4.2.2.2
  domain somewhere.com
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  DM_INLINE_TCP_1 tcp service object-group
  EQ port 3389 object
  port-object eq www
  EQ object of the https port
  EQ smtp port object
  the DM_INLINE_NETWORK_1 object-group network
  network-object SITE1-LAN 255.255.0.0
  network-object SITE2-LAN 255.255.0.0
  network-object training3-LAN 255.255.0.0
  object-group training3-GLOBAL network
  Southwood description Global Network
  network-object training3-LAN 255.255.0.0
  network-object training3-VOICE 255.255.0.0
  network-object training3-WIFI 255.255.0.0
  DM_INLINE_TCP_2 tcp service object-group
  EQ port 5900 object
  EQ object Port 5901
  object-group network INTERNAL GLOBAL
  Description Global INTERNAL Network
  network-object INTERNAL 255.255.255.0
  network-object INTERNALLY-VPN 255.255.255.0
  access-list outside_access note Pings allow
  outside_access list extended access permit icmp any CMS-external host
  access-list outside_access note that VNC for Camille
  outside_access list extended access permit tcp any host CMS-external object-group DM_INLINE_TCP_2
  access-list outside_access note INTERNAL Services
  outside_access list extended access permit tcp any host CMS-external object-group DM_INLINE_TCP_1
  DefaultRAGroup_splitTunnelAcl list standard access allowed INTERNAL 255.255.255.0
  access-list sheep extended ip INTERNAL 255.255.255.0 allow INTERNAL VPN 255.255.255.0
  access-list extended sheep allowed ip IN-HOUSE-GLOBAL SITE1-LAN 255.255.0.0 object-group
  access-list extended sheep allowed ip IN-HOUSE-GLOBAL SITE2-LAN 255.255.0.0 object-group
  access-list extended sheep allowed ip object-IN-HOUSE-GLOBAL object group training3-GLOBAL
  access-list INTERNAL-to-SITE1 extended permit ip IN-HOUSE-GLOBAL SITE1-LAN 255.255.0.0 object-group
  access-list INTERNAL-to-training3 extended permitted ip object-IN-HOUSE-GLOBAL object group training3-GLOBAL
  access-list INTERNAL-to-SITE2 extended permit ip IN-HOUSE-GLOBAL SITE2-LAN 255.255.0.0 object-group
  no pager
  Enable logging
  exploitation forest asdm warnings
  Debugging trace record
  Outside 1500 MTU
  MTU 1500 INTERNAL
  MTU 1500 COMMENTS
  192.168.11.1 mask - local 192.168.11.25 pool IN-HOUSE VPN IP 255.255.255.0
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 623.bin
  enable ASDM history
  ARP timeout 14400
  Global 1 interface (outside)
  (INTERNAL) NAT 0 access-list sheep
  NAT (INTERNAL) 1 0.0.0.0 0.0.0.0
  NAT (GUEST) 1 0.0.0.0 0.0.0.0
  5900 5900 Camille netmask 255.255.255.255 interface static tcp (GUEST, outdoor)
  3389 3389 Apollo netmask 255.255.255.255 interface static tcp (INDOOR, outdoor)
  public static tcp (INDOOR, outdoor) interface www Apollo www netmask 255.255.255.255
  public static tcp (INDOOR, outdoor) interface https Apollo https netmask 255.255.255.255
  public static tcp (INDOOR, outdoor) interface smtp smtp Apollo netmask 255.255.255.255
  5901 puppy 5901 netmask 255.255.255.255 interface static tcp (GUEST, outdoor)
  Access-group outside_access in interface outside
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  RADIUS protocol AAA-server Apollo
  Apollo (INTERNAL) AAA-server Apollo
  Timeout 5
  key *.
  AAA authentication enable LOCAL console
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  AAA authentication http LOCAL console
  Enable http server
  http 0.0.0.0 0.0.0.0 INTERNAL
  http 0.0.0.0 0.0.0.0 COMMENTS
  No snmp server location
  No snmp Server contact
  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
  correspondence address 1 card crypto outside_map INTERNAL SITE1
  card crypto outside_map 1 set of peer SITE1 - ASA
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  address for correspondence card crypto outside_map 2 INTERNAL training3
  outside_map 2 peer training3 - ASA crypto card game
  card crypto outside_map 2 game of transformation-ESP-3DES-SHA
  address for correspondence outside_map 3 card crypto INTERNAL SITE2
  game card crypto outside_map 3 peers SITE2 - ASA
  card crypto outside_map 3 game of transformation-ESP-3DES-SHA
  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  delimiter group @.
  Telnet training3 - ASA 255.255.255.255 outside
  Telnet SITE2 - ASA 255.255.255.255 outside
  Telnet SITE1 - ASA 255.255.255.255 outside
  Telnet 0.0.0.0 0.0.0.0 INTERNAL
  Telnet 0.0.0.0 0.0.0.0 COMMENTS
  Telnet timeout 60
  SSH enable ibou
  SSH training3 - ASA 255.255.255.255 outside
  SSH SITE2 - ASA 255.255.255.255 outside
  SSH SITE1 - ASA 255.255.255.255 outside
  SSH 0.0.0.0 0.0.0.0 INTERNAL
  SSH 0.0.0.0 0.0.0.0 COMMENTS
  SSH timeout 60
  Console timeout 0
  access to the INTERNAL administration
  Hello to tunnel L2TP 100
  interface ID client DHCP-client to the outside
  dhcpd dns 4.2.2.1 4.2.2.2
  dhcpd ping_timeout 750
  dhcpd outside auto_config
  !
  address INTERNAL 192.168.10.100 dhcpd - 192.168.10.200
  dhcpd Apollo Odyssey interface INTERNAL dns
  dhcpd somewhere.com domain INTERNAL interface
  interface of dhcpd option 150 ip 10.1.1.40 INTERNAL
  enable dhcpd INTERNAL
  !
  dhcpd address 192.168.2.100 - 192.168.2.200 COMMENTS
  dhcpd dns 4.2.2.1 4.2.2.2 interface COMMENTS
  enable dhcpd COMMENTS
  !

  a basic threat threat detection
  statistical threat detection port
  Statistical threat detection Protocol
  Statistics-list of access threat detection
  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
  NTP server 192.43.244.18 prefer external source
  WebVPN
  allow outside
  CSD image disk0:/securedesktop-asa-3.4.2048.pkg
  SVC disk0:/sslclient-win-1.1.4.179.pkg 1 image
  SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 2 image
  enable SVC
  Group Policy DefaultRAGroup INTERNAL
  attributes of Group Policy DefaultRAGroup
  Server DNS 192.168.10.4 value
  Protocol-tunnel-VPN l2tp ipsec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
  value by default-domain somewhere.com
  Group Policy DefaultWEBVPNGroup INTERNAL
  attributes of Group Policy DefaultWEBVPNGroup
  VPN-tunnel-Protocol webvpn
  Group Policy DefaultL2LGroup INTERNAL
  attributes of Group Policy DefaultL2LGroup
  Protocol-tunnel-VPN IPSec l2tp ipsec
  Group Policy DefaultACVPNGroup INTERNAL
  attributes of Group Policy DefaultACVPNGroup
  VPN-tunnel-Protocol svc
  attributes of Group Policy DfltGrpPolicy
  value of 192.168.10.4 DNS Server 4.2.2.2
  VPN - 25 simultaneous connections
  VPN-idle-timeout no
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
  value by default-domain somewhere.com
  the value INTERNAL VPN address pools
  chip-removal-disconnect disable card
  WebVPN
  SVC keepalive no
  client of dpd-interval SVC no
  dpd-interval SVC bridge no
  value of customization DfltCustomization
  attributes global-tunnel-group DefaultRAGroup
  VPN INTERNAL address pool
  Group Policy - by default-DefaultRAGroup
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared-key *.
  Disable ISAKMP keepalive
  tunnel-group DefaultRAGroup ppp-attributes
  No chap authentication
  no authentication ms-chap-v1
  ms-chap-v2 authentication
  attributes global-tunnel-group DefaultWEBVPNGroup
  VPN INTERNAL address pool
  Group Policy - by default-DefaultWEBVPNGroup
  tunnel-group 123.234.8.60 type ipsec-l2l
  IPSec-attributes tunnel-group 123.234.8.60
  pre-shared-key *.
  tunnel-group 123.234.8.124 type ipsec-l2l
  IPSec-attributes tunnel-group 123.234.8.124
  pre-shared-key *.
  tunnel-group 123.234.8.189 type ipsec-l2l
  IPSec-attributes tunnel-group 123.234.8.189
  pre-shared-key *.
  type tunnel-group DefaultACVPNGroup remote access
  attributes global-tunnel-group DefaultACVPNGroup
  VPN INTERNAL address pool
  Group Policy - by default-DefaultACVPNGroup
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  inspect the http
  inspect the they
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:423c807c0d63cb3e9aeceda977053f84
  : end
  ASDM image disk0: / asdm - 623.bin
  ASDM location Camille 255.255.255.255 INTERNAL
  ASDM location INTERNAL CGT-external 255.255.255.255
  ASDM location INTERNAL SITE1-LAN 255.255.0.0
  ASDM location INTERNAL SITE2-LAN 255.255.0.0
  ASDM location INTERNAL training3-LAN 255.255.0.0
  ASDM location INTERNAL training3 - ASA 255.255.255.255
  ASDM location INTERNAL GDO 255.255.255.255
  ASDM location INTERNAL SITE1 - ASA 255.255.255.255
  ASDM location INTERNAL SITE2 - ASA 255.255.255.255
  ASDM location INTERNAL training3-VOICE 255.255.0.0
  ASDM location puppy 255.255.255.255 INTERNAL
  enable ASDM history

  I should also mention that my test clients are a combination of Windows XP, Windows 7, and Windows Mobile. Other that in specifying the preshared key and forcing L2TP/IPsec on the client side, the VPN settings on clients are the default settings with the help of MS-CHAP/MS-CHAPv2.

  You must configure * intercept-dhcp enable * in your group strategy:

  attributes of Group Policy DefaultRAGroup

  attributes of Group Policy DefaultRAGroup

  Server DNS 192.168.10.4 value
  Protocol-tunnel-VPN l2tp ipsec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
  value by default-domain somewhere.com

  Intercept-dhcp enable

  -Latptop VPN clients (which I assume are on windows computers) is also the * use on remote network default gateway * box unchecked.  It is located on the Advanced tab of VPN client TCP/IP properties.   Select Client VPN > properties > Networking > TCP/IP Internet Protocol > properties > advanced and uncheck the box.

  Alex

• access list of split tunneling

  Hello

  I have some problems on ASA 5520 split tunneling configuration.

  Here's the scenario:

  Number of remote users connects ipsec with ASA 5520 (in central) using ubuntu vpnc-client.

  Split tunneling is used, in order to allow remote users to surf the Internet using their ISP.

  The goal is to remove the possibility for ssh/telnet servers within the local enterprise network for remote users.

  Here is a part of the config:

  internal REMOTE_gp group strategy
  attributes of Group Policy REMOTE_gp
  VPN-idle-timeout no
  Protocol-tunnel-VPN IPSec
  Group-lock no
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list REMOTE_split

  tunnel-group type REMOTE access remotely

  tunnel-group REMOTE General attributes

  authentication-server-group RADIUSGR

  Group Policy - by default-REMOTE_gp

  REMOTE tunnel-group ipsec-attributes

  pre-shared-key *.

  ISAKMP keepalive retry threshold 15 10

  RADIUS protocol AAA-server RADIUSGR

  AAA-server RADIUSGR (INSIDE_LAN) 192.168.0.244

  REMOTE_split list extended access deny tcp 192.168.0.0 255.255.255.0 ssh telnet rank everything

  permit access ip 192.168.0.0 scope list REMOTE_split 255.255.255.0 192.168.100.0 255.255.255.0

  ip subnet ##192.168.100.0/24 - where from Radius Server to allocate ip addresses to remote users.

  INSIDE_LAN_in list extended access deny tcp 192.168.0.0 255.255.255.0 eq ssh 192.168.100.0 255.255.255.0

  INSIDE_LAN_in list extended access deny tcp 192.168.0.0 255.255.255.0 eq telnet 192.168.100.0 255.255.255.0

  permit access ip 192.168.0.0 scope list INSIDE_LAN_in 255.255.255.0 any

  It has nat enabled on the interface, but there is a special instruction in nat0 ACL for 192.168.100.0 subnet

  permit access ip 192.168.0.0 scope list INSIDE_LAN_nat0_outbound 255.255.255.0 192.168.100.0 255.255.255.0

  The problem is that the remote users can easily ssh and telnet servers in network INSIDE_LAN. Everything I put in INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in the REMOTE_split ACL do not work either.

  You must configure vpn-filter rather to block telnet and ssh access as follows:

  Remote filter access list deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 22

  Remote filter access list deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 23

  distance-filter 192.168.100.0 ip access list allow 255.255.255.0 192.168.0.0 255.255.255.0

  attributes of Group Policy REMOTE_gp

  VPN-value filter-remote control

  Split tunnel acl has the following statement and it should be extended to standard ACLs instead of:

  REMOTE_split list of permitted access 192.168.0.0 255.255.255.0

  Hope that helps.

• Client VPN und Cisco asa 5505 tunnel work but no traffic

  Hi all

  I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

  I have the following problem:

  I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

  To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

  Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

  After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

  I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

  What I did wrong. Could someone let me know what I have to do today.

  With hope for your help Dimitri.

  ASA configuration after reset and basic configuration: works to the Internet from within the course.

  : Saved

  : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

  !

  ASA Version 8.2 (2)

  !

  ciscoasa hostname

  activate 2KFQnbNIdI.2KYOU encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE client vpdn group home

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa822 - k8.bin

  passive FTP mode

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Server name 194.25.0.60

  Server name 194.25.0.68

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

  inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

  inside_access_in list extended access deny ip any any debug log

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

  homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-625 - 53.bin

  ASDM location 192.168.0.0 255.255.0.0 inside

  ASDM location 192.168.10.0 255.255.255.0 inside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group home request dialout pppoe

  VPDN group House localname 04152886790

  VPDN group House ppp authentication PAP

  VPDN username 04152886790 password 1

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  TFTP server 192.168.1.5 inside c:/tftp-root

  WebVPN

  Group Policy inner residential group

  attributes of the strategy of group home group

  value of 192.168.1.1 DNS server

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list homegroup_splitTunnelAcl

  username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

  user01 username attributes

  VPN-strategy group home group

  tunnel-group home group type remote access

  attributes global-tunnel-group home group

  address homepool pool

  Group Policy - by default-homegroup

  tunnel-group group residential ipsec-attributes

  pre-shared-key ciscotest

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

  : end

  Hello

  Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

  If you connect via VPN, check the following:

  1. the tunnel is established:

  HS cry isa his

  Must say QM_IDLE or MM_ACTIVE

  2 traffic is flowing (encrypted/decrypted):

  HS cry ips its

  3. Enter the command:

  management-access inside

  And check if you can PING the inside ASA VPN client IP.

  4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

  Federico.