
Configuring Remote LAN and WAN access...

Okay, so I have followed this information here, but users still cannot get access to the remote site's LAN.  And on top of it all, when connected to the VPN, users can't browse the internet.  What have I done wrong?

4 Replies

Hi,

If, when connected, you lose internet, it is because split-tunneling is not configured (all traffic is sent through the tunnel and the VPN server is not configured to provide internet access to the client).

If the clients cannot access the LAN through the tunnel, it could be because of NAT configuration, no route back to the VPN pool, or NAT-T not being configured when it is required.

In short, it could be many things... please provide more information.

Federico.

Here is my running config....

ASA Version 7.2(4)
!
hostname bmpeCisco
domain-name bmpe.bmpelocal.com
enable password B1XG9Q2KwgM/dmyh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bmpe.bmpelocal.com
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.0.8.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.8.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.9.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.0.9.0 255.255.255.240
access-list BMPE_splitTunnelAcl standard permit any
access-list inside_access_in extended permit ip any any
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool BMPVPN 10.0.8.1-10.0.8.10 mask 255.0.0.0
ip local pool BMPEVPN 10.0.9.1-10.0.9.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group inside_access_in in interface inside
route inside 10.0.8.0 255.255.255.240 10.0.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.0.2.2-10.0.2.33 inside
dhcpd enable inside
!
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.1.1
 vpn-tunnel-protocol l2tp-ipsec
group-policy bmp internal
group-policy bmp attributes
 dns-server value 10.0.1.1
 vpn-tunnel-protocol l2tp-ipsec
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value 10.0.2.1
 vpn-tunnel-protocol IPSec
 default-domain value bmp.bmpenterprise.com
group-policy BMPENTERPRISE internal
group-policy BMPENTERPRISE attributes
 dns-server value 10.0.2.1
 vpn-tunnel-protocol IPSec
 default-domain value BMP.BMPEnterprise.com
group-policy BMPE internal
group-policy BMPE attributes
 wins-server none
 dns-server value 10.0.1.1
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol l2tp-ipsec
 password-storage disable
 group-lock value BMPE
 ipsec-udp enable
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 intercept-dhcp disable
 secure-unit-authentication enable
 user-authentication enable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method auto-detect
 msie-proxy local-bypass disable
 address-pools value BMPVPN
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy BMPELocal internal
group-policy BMPELocal attributes
 dns-server value 10.0.1.1
 vpn-tunnel-protocol IPSec
 default-domain value bmpe.bmpelocal.com
username brian password meufPwVyeELT3IA8 encrypted privilege 0
username brian attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username cbechdol password 3W2Ebv8OklzjCNRy encrypted privilege 0
username cbechdol attributes
 vpn-group-policy bmp
 vpn-tunnel-protocol IPSec l2tp-ipsec
username kjackson password N4Do0.mZ3iHi34Iz encrypted privilege 0
username kjackson attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username dvoss password MbFGJ0EGTmunxisr encrypted privilege 0
username dvoss attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username dperkins password BcQVR8G5.OZkuj1T encrypted privilege 0
username dperkins attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password mpcn5zi5aBiXxl6s encrypted privilege 0
username admin attributes
 vpn-group-policy bmp
 vpn-tunnel-protocol IPSec l2tp-ipsec
username tbatot password 44OAD48YMAO48/NZ encrypted privilege 0
username tbatot attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username mkrejci password njOqmXPIZbg2gkZM encrypted privilege 0
username mkrejci attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username jbrandt password OGLSGUvMBoiKEIkz encrypted privilege 0
username jbrandt attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username lesquibel password 0XDKAq63OnVmsbNX encrypted privilege 0
username lesquibel attributes
 vpn-group-policy IPSEC-VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool BMPVPN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group BMPE type ipsec-ra
tunnel-group BMPE general-attributes
 address-pool BMPEVPN
 authorization-server-group LOCAL
 default-group-policy BMPE
 authorization-required
 authorization-dn-attributes UID
tunnel-group BMPE ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group BMPELocal type ipsec-ra
tunnel-group BMPELocal general-attributes
 address-pool BMPEVPN
 default-group-policy BMPELocal
tunnel-group BMPELocal ipsec-attributes
 pre-shared-key *
tunnel-group bmp type ipsec-ra
tunnel-group bmp general-attributes
 address-pool BMPVPN
 default-group-policy bmp
tunnel-group bmp ipsec-attributes
 pre-shared-key *
tunnel-group bmp ppp-attributes
 no authentication ms-chap-v1
 authentication ms-chap-v2
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
tunnel-group-map default-group bmp
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:297f07e0eef7caca9c622d73f21a27c4
: end
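The three things Federico asks about (split tunneling, NAT exemption for the VPN pool, and a route back to the pool) can be checked mechanically against a running config like the one posted above. The Python script below is an added example written for this thread; it is not code from the original poster, from Federico, or from Cisco. It parses a constructed excerpt of the posted config (only the lines the checks consult, values unchanged) and reports the points a reviewer would raise: pools overlapping the inside subnet, a static route for the pool whose next hop is the ASA's own inside address, `no sysopt connection permit-vpn` with no ACL applied to outside, management access open to any source on outside, and the split-tunnel mode in effect. The function names and the wording of the findings are my own; the interpretation of each finding is standard ASA behaviour, not something the thread states.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in this thread: only the
# lines the checks below consult, with the posted values left unchanged.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.0.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.0.8.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.9.0 255.255.255.240
access-list Local_LAN_Access standard permit host 0.0.0.0
ip local pool BMPVPN 10.0.8.1-10.0.8.10 mask 255.0.0.0
ip local pool BMPEVPN 10.0.9.1-10.0.9.10
nat (inside) 0 access-list inside_nat0_outbound
route inside 10.0.8.0 255.255.255.240 10.0.2.1 1
no sysopt connection permit-vpn
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
group-policy BMPE attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
"""


def parse_interfaces(cfg):
    """Map nameif -> (interface address, connected network) for static addresses."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and "dhcp" not in line and name:
            _, _, addr, mask = line.split()
            ip = ipaddress.ip_interface(f"{addr}/{mask}")
            ifaces[name] = (ip.ip, ip.network)
    return ifaces


def parse_pools(cfg):
    """Map 'ip local pool' name -> (first address, last address)."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def acl_destinations(cfg, acl):
    """Destination networks of the 'permit ip' entries of an extended ACL."""
    nets = []
    for m in re.finditer(rf"^access-list {re.escape(acl)} extended permit ip (.+)$", cfg, re.M):
        tok = m.group(1).split()
        dst = tok[1:] if tok[0] == "any" else tok[2:]   # skip source: 'any' / 'host A' / 'A M'
        if dst[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif dst[0] == "host":
            nets.append(ipaddress.ip_network(dst[1]))
        else:
            nets.append(ipaddress.ip_network(f"{dst[0]}/{dst[1]}"))
    return nets


def nat0_exempts_pool(cfg, pool):
    """True if the nat 0 (identity NAT) ACL covers the whole address pool."""
    first, last = parse_pools(cfg)[pool]
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    return bool(m) and any(first in n and last in n for n in acl_destinations(cfg, m.group(1)))


def audit(cfg):
    """Return the list of findings a reviewer would raise for this config."""
    findings = []
    ifaces = parse_interfaces(cfg)
    inside_net = ifaces["inside"][1]
    for pool, (first, _) in parse_pools(cfg).items():
        if first in inside_net:
            findings.append(f"pool {pool} lies within the inside subnet {inside_net}; "
                            "the ASA must proxy-ARP for VPN clients on that interface")
        if not nat0_exempts_pool(cfg, pool):
            findings.append(f"pool {pool} is not NAT-exempt; LAN replies will be translated")
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        iface, net, mask, nexthop = m.groups()
        if iface in ifaces and ipaddress.ip_address(nexthop) == ifaces[iface][0]:
            findings.append(f"route {net} {mask} has the ASA's own {iface} address {nexthop} "
                            "as next hop; the pool is reached through the tunnel, not via inside")
    if (re.search(r"^no sysopt connection permit-vpn", cfg, re.M)
            and not re.search(r"^access-group \S+ in interface outside", cfg, re.M)):
        findings.append("permit-vpn is off and no ACL is applied to outside, so decrypted "
                        "client traffic hits the default lower-to-higher security deny")
    for m in re.finditer(r"^(telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 outside", cfg, re.M):
        findings.append(f"{m.group(1)} management is reachable from any source on outside")
    if re.search(r"^ split-tunnel-policy excludespecified", cfg, re.M):
        findings.append("excludespecified split tunnel: only listed networks bypass the tunnel, "
                        "so client internet traffic rides the tunnel and needs hairpin NAT")
    return findings


if __name__ == "__main__":
    for f in audit(ASA_CONFIG):
        print("-", f)
```

Run against the excerpt it reports seven findings. The NAT exemption check passes for both pools, which matches the poster's later experience that the fix lay elsewhere; the route check flags the `route inside ... 10.0.2.1` line the poster later changed; and the `no sysopt connection permit-vpn` finding is the one to look at when clients are connected but cannot reach the LAN, since without that option decrypted VPN traffic must be permitted by the outside interface ACL. The telnet and ssh findings are not part of the VPN problem but are what a reviewer would flag first on this config.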

Okay, I got the internet working by changing my static route interface from inside to outside for the gateway.  But you still cannot access anything on the remote LAN.  Not sure what I need to change there...

Wow! I was able to correct all my problems!  The NAT just needed to be configured for the internal server.  Once I set up the server on the outside and inside interfaces using NAT, it all started working!!