Implicit Rule ASA 5505

aeronav01

Hi, I just got an ASA 5505 and I am trying to get to the internet and I can't. I traced the problem to an implicit rule that can't be deleted or changed that denies outside ip any>any. How can I solve this?

Thanks

10 Replies

Each ACL that is bound to an interface has an invisible "deny ip any any" statement (there are exceptions to that with global ACLs on the ASA). That is the implicit deny. You can't remove that entry but you can force your ASA to never reach that Access-List-Entry. Just add an "permit ip any any" as the last line to your ACL.


I already made an ACL to permit any>any ip. Now I still can't get to the router's interface (the ASA external Ethernet is connected to the router's internal Ethernet port). I already did static NAT on the ASA's internal network, which is 192.168.1.0/24, to be translated into the external ASA's Ethernet (which is 192.168.0.0/24), which is also the router's internal network.

Do you think that I might be missing something else?

Oh, and I already added a static route to any network to the router IP address as a default gateway for the ASA to get to the internet.

Thank you.

Perhaps you could post your config minus any public IP info ?

Jon

hostname ciscoasa
domain-name nav.info
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.1 router description router
name 192.168.1.10 WebServer-Internal
name 192.168.0.0 Outside-network
name 192.168.0.10 WebServer-External
name 192.168.1.6 Aeroresearcher-IN
name 192.168.0.230 Aeroresearcher-OUT
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.6 255.255.255.0
!
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.4.4.2
 domain-name nav.info
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp
 service-object ip
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq snmp
 service-object udp eq snmptrap
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
 protocol-object icmp6
access-list testvpn2_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list inside_authentication extended deny tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.208 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn 192.168.1.100-192.168.1.200 mask 255.255.255.0
ip local pool vpn2 192.168.1.205-192.168.1.210 mask 255.255.255.255
ip local pool vpn3 192.168.1.215-192.168.1.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.0.8-192.168.0.15 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Outside-network 192.168.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication match inside_authentication inside LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy testvpn2 internal
group-policy testvpn2 attributes
 vpn-tunnel-protocol IPSec
 default-domain value nav.info
group-policy testvpn2_1 internal
group-policy testvpn2_1 attributes
 dns-server value 4.4.4.2
 vpn-tunnel-protocol IPSec

Your ACL implementation (and much of the complete config) is a real mess (sorry to say that).

Please specify what you want to achieve and then let's work out how the config should be modified.

  1. How should the outbound traffic be controlled?
  2. Do you need inbound traffic?
  3. Where are your VPN clients?
  4. Which version are you running?
  5. Do you really have private addresses on the outside interface? If yes, do you have control over the router in front of your ASA?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten,

I need inbound traffic to be able to go back to the internet and browse HTTP, HTTPS. I have a VPN set up and I am using VPN client software. Everything works fine in the VPN, but when I disable split tunneling (which is what I want to do) the VPN clients can't go to the internet (naturally, because my internal network can't). The VPN pool I set up is in the same internal network IP range.

When I first got the ASA I did a change in the CLI which I learned, which is to allow HTTP and HTTPS to my web server by creating an access list specifying the IP of my server. The only computer that can go to the internet from the internal network is my web server computer. I am not sure which version you are referring to here; the ASDM version is (6.4).

The answers to your number 5 are YES, YES.

Thanks

I am not sure which version you are referring to here; the ASDM version is (6.4).

I'm referring to the ASA version. You see the version with "show version" at the top of the output.

The answers to your number 5 are YES, YES.

Is it a DSL router (PPPoE?) that you can reconfigure to bridge mode? With that, the public IP that is now on that router would be moved to the ASA. With that you have more control over the needed functions like NAT. The rest of the config is dependent on that, so we have to figure that out first.


This is the router, which is actually a modem and a router and an access point (3 in 1): http://www.motorola.com/us/SBG6580-SURFboard%C2%AE-eXtreme-Wireless-Cable-Modem/70902.html  but if there is bridging in the router (which I doubt) then what is the static route on the ASA going to be? (Now the static route on the ASA is >OUTSIDE INTERFACE>NETWORK ANY>GATEWAY> (the router's internal IP address).

Based on your needs I would try to reduce the complexity of the config:

1) NAT

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

As you are doing NAT on the cable router, you can remove NAT completely from the ASA.

For that, the cable router needs a route for all internally used networks pointing to your ASA. You can configure a static route on the Motorola router for 192.168.0.0 255.255.0.0 pointing to your ASA address 192.168.0.6. That one is really important. Without that route no outbound traffic will work.

The router also needs to send all traffic that arrives on the external interface to the ASA. This function is often named "exposed host" or "DMZ host". That's for your incoming traffic like VPN.

On the ASA disable all NAT:

clear configure nat
clear configure global
clear configure static
clear configure access-list inside_nat0_outbound
no nat-control

2) Access-Control

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_nw.html

If you don't want to control outgoing traffic you can remove all access control in the outbound direction. The access control in the inbound direction can be skipped if you don't have internal hosts that should be reachable from outside:

no access-group inside_access_in in interface inside
no access-group inside_access_out out interface inside
no access-group outside_access_in in interface outside
no access-group outside_access_out out interface outside
clear configure access-list inside_access_in
clear configure access-list inside_access_out
clear configure access-list outside_access_in
clear configure access-list outside_access_out
no object-group service DM_INLINE_SERVICE_1
no object-group protocol DM_INLINE_PROTOCOL_1
no object-group protocol DM_INLINE_PROTOCOL_2
no object-group protocol DM_INLINE_PROTOCOL_3
no object-group protocol DM_INLINE_PROTOCOL_4
no object-group protocol DM_INLINE_PROTOCOL_5

3) For hairpinning VPN traffic you have to allow traffic to enter and leave the same interface:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479

same-security-traffic permit intra-interface

4) For firewalling there are the typical inspections missing:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect http
!
service-policy global_policy global

5) Your VPN config allows many insecure and unneeded algorithms, and it's unlikely that you need VPN on the inside interface:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ike.html

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
no crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto isakmp enable inside

It's likely that there is still something missing. But that could be the starting point for your further config.

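The first answer in this thread (every interface ACL ends in an invisible "deny ip any any", which a trailing "permit ip any any" shadows) and section 2 of the reply above (inbound access control can be dropped when no inside host has to be reachable from outside) both rest on how the ASA orders its checks: packets of an established connection pass on the connection table without touching the ACL; a new packet is matched top-down against the ACL bound to the ingress interface, first match wins, and the implicit deny catches the rest; with no ACL bound, traffic is allowed only from a higher to a lower security level. The following model is an added example, not code from the thread or from Cisco. The class names, the security levels (inside=100, outside=0, taken from the posted config) and the sample packets (documentation addresses 198.51.100.0/24 and 203.0.113.0/24) are this example's own constructed assumptions.

```python
"""Model of the ASA's per-packet decision: connection table, then the bound
ACL top-down with first match, then the invisible "deny ip any any".
Added example for this thread; Packet, Ace and Firewall are its own names,
not ASA commands. Sample addresses are constructed from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are CIDR strings or "any"."""
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return self.dport is None or self.dport == p.dport


IMPLICIT_DENY = Ace("deny", "ip", "any", "any")   # the entry you cannot delete


class Firewall:
    def __init__(self, security_levels: dict):
        self.levels = security_levels   # interface name -> security-level
        self.acls = {}                  # interface name -> ACL bound "in"
        self.conns = set()              # established connections (5-tuples)

    def bind_in(self, iface: str, aces) -> None:
        self.acls[iface] = list(aces)

    def evaluate(self, ingress: str, egress: str, p: Packet):
        """Return (verdict, reason); verdict is "allow" or "drop"."""
        # 1. Reply packets of an existing connection bypass the ACL entirely.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "allow", "existing connection (ACL not consulted)"
        # 2. Bound ACL: first match wins, implicit deny appended at the end.
        if ingress in self.acls:
            for ace in self.acls[ingress] + [IMPLICIT_DENY]:
                if ace.matches(p):
                    reason = "implicit rule" if ace is IMPLICIT_DENY else f"ace {ace}"
                    verdict = "allow" if ace.action == "permit" else "drop"
                    break
        # 3. No ACL bound: only high-to-low security traffic may start a connection.
        elif self.levels[ingress] > self.levels[egress]:
            verdict, reason = "allow", "no ACL, high to low security level"
        else:
            verdict, reason = "drop", "no ACL, low to high security level (implicit rule)"
        if verdict == "allow":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict, reason


def outbound_browsing_without_inbound_acl():
    """No ACL on outside: inside host opens HTTPS, the reply returns on the
    connection table, an unsolicited probe from outside is dropped."""
    fw = Firewall({"inside": 100, "outside": 0})
    out = Packet("tcp", "192.168.1.10", 40000, "198.51.100.80", 443)
    back = Packet("tcp", "198.51.100.80", 443, "192.168.1.10", 40000)
    probe = Packet("tcp", "203.0.113.9", 5555, "192.168.1.10", 3389)
    return (fw.evaluate("inside", "outside", out)[0],
            fw.evaluate("outside", "inside", back)[0],
            fw.evaluate("outside", "inside", probe)[0])


def permit_any_any_on_outside():
    """The workaround from the first answer: a trailing permit ip any any
    shadows the implicit deny, so the same unsolicited probe is now allowed."""
    fw = Firewall({"inside": 100, "outside": 0})
    fw.bind_in("outside", [Ace("permit", "ip", "any", "any")])
    probe = Packet("tcp", "203.0.113.9", 5555, "192.168.1.10", 3389)
    return fw.evaluate("outside", "inside", probe)[0]


def deny_reason_for_unmatched_packet():
    """An ACL that only opens HTTPS to the web server: a packet to another
    port falls through to the implicit deny, which is what packet-tracer
    reports as the dropping rule."""
    fw = Firewall({"inside": 100, "outside": 0})
    fw.bind_in("outside", [Ace("permit", "tcp", "any", "192.168.1.10/32", 443)])
    probe = Packet("tcp", "203.0.113.9", 5555, "192.168.1.10", 3389)
    return fw.evaluate("outside", "inside", probe)
```

The three scenario functions show the security difference between the two ways out of the implicit deny: with no inbound ACL at all, return traffic for inside-initiated connections is still allowed while unsolicited inbound packets are dropped, whereas "permit ip any any" inbound on outside lets every unsolicited packet through to the inside network.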

Thank you much. There is one thing though: the router doesn't have any NAT options, so what if I wanna do it with the current config, I mean with the addition of your suggested config? What would the final config look like? Oh, and there is something else: when I do a packet trace to the router's int. (192.168.0.1) or any other host on the internet, sometimes it says allowed but I can't actually get to it, and sometimes it says Denied or dropped and when I trace the ACL that drops it, I see that it is one of the implicit access lists!! It is a little confusing.. I mean it is not really a black and white thing.

Thanks
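The points Karsten raises against the posted configuration (section 5: DES and HMAC-MD5 transform sets, PFS group 1, IKE and a crypto map on the inside interface; section 4: no global inspection policy; and the "permit ip any any" that the first answer suggested and that is bound inbound on outside) are all visible as literal lines in a running-config, so they can be checked mechanically before a change window. The linter below is an added example, not code from the thread or from Cisco; the rule names, the severity of each finding and the two trimmed sample configs (one excerpted from the posted config, one constructed to match the suggested fixes) are this example's own assumptions.

```python
"""Lint a pasted ASA 8.x running-config for the weaknesses discussed in this
thread. Added example, not Cisco code; rule names are this example's own.
"""
import re

# ESP transforms the thread recommends removing, with a human-readable reason.
WEAK_TRANSFORMS = {"esp-des": "single DES", "esp-md5-hmac": "HMAC-MD5"}


def parse_config(text: str) -> list:
    """Return the config as a list of stripped lines, minus blanks and '!' separators."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [ln for ln in lines if ln and ln != "!"]


def lint(text: str) -> list:
    """Return a list of (rule, detail) findings; an empty list means no findings."""
    lines = parse_config(text)
    findings = []

    # Pass 1: which ACLs contain an unrestricted "permit ip any any"?
    any_any_acls = {
        m.group(1)
        for ln in lines
        for m in [re.match(r"access-list (\S+) extended permit ip any any$", ln)]
        if m
    }

    # Pass 2: line-level rules.
    for ln in lines:
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)$", ln)
        if m:
            weak = [WEAK_TRANSFORMS[t] for t in m.group(2).split() if t in WEAK_TRANSFORMS]
            if weak:
                findings.append(("weak-transform-set", f"{m.group(1)}: {', '.join(weak)}"))
        if re.search(r"\bset pfs group1$", ln):
            findings.append(("weak-pfs", ln))
        if ln == "crypto isakmp enable inside":
            findings.append(("ike-on-inside", ln))
        if re.match(r"crypto map \S+ interface inside$", ln):
            findings.append(("crypto-map-on-inside", ln))
        m = re.match(r"access-group (\S+) in interface outside$", ln)
        if m and m.group(1) in any_any_acls:
            findings.append(("inbound-any-any", ln))

    # Config-level rule: stateful inspection only runs with a global service-policy.
    if not any(ln.startswith("service-policy ") and ln.endswith(" global") for ln in lines):
        findings.append(("no-global-inspection", "no 'service-policy <name> global' present"))
    return findings


# Constructed excerpt of the configuration posted in this thread.
POSTED_EXCERPT = """
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map outside_map interface outside
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
"""

# Constructed excerpt reflecting the fixes suggested in the thread.
HARDENED_EXCERPT = """
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto map outside_map interface outside
crypto isakmp enable outside
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""


def rules_hit(text: str) -> list:
    """Sorted rule names triggered by a config, convenient for a quick diff."""
    return sorted({rule for rule, _ in lint(text)})


if __name__ == "__main__":
    for rule, detail in lint(POSTED_EXCERPT):
        print(f"{rule:24s} {detail}")
    print("hardened excerpt findings:", lint(HARDENED_EXCERPT))
```

Run it over the output of "show running-config" saved to a file; the posted excerpt trips all six rules and the hardened excerpt trips none. The ACL rule is deliberately narrow (an unrestricted "permit ip any any" applied inbound on outside) because that is exactly the entry the first answer proposed as a way around the implicit deny.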
