cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7776
Views
4
Helpful
11
Replies

No Internet access after cisco vpn client connection

meet_mkhan
Level 1
Level 1

Hi Experts,

Kindly check below config.the problem is  vpn is connected but no internet access

on computer after connecting vpn

 

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.2
55.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
 address-pool testpool
tunnel-group mphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
: end
ciscoasa#

1 Accepted Solution

Accepted Solutions

 

Hello

 

Great.  Try adding the below to get it work

access-list vpn-nonat extended permit ip any 192.168.15.0 255.255.255.0

nat (inside) 0 access-list vpn-nonat

Harish

View solution in original post

11 Replies 11

You are missing split tunneling commands...unless you want all traffic to go through the ASA that is.


tunnel-group mphone general-attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value dubai_splitTunnelAcl

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hi Marius Gunnerud,

Thankx for the Reply.Check the below config i added the missing commands but the issue is not

resolved

------------

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.2
55.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy mphone internal
group-policy mphone attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dubai_splitTunnelAcl

username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
 address-pool testpool
tunnel-group mphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:80f894dae302ca3e62d710b5a7fdb5c2
: end
ciscoasa#

Hello 

Please add the following

 

nat (outside) 1 192.168.14.0 255.255.255.0

 

hope this helps

Harish

Hi Harish,

 

Thankx  for reply  i can connect to internet after vpn establish but local lan access is disabled i cant able to access my local lan users.

even i cant able to ping my gateway i,e 192.168.14.12(ASA E0/1 IP ADDRESS).

 

when i connect vpn the user gets  ip add 192.168.14.240.I want to connect or access a user which has  ip add 192.168.14.229  my local network .

 

computer vpn connected user (192.16814.240) go to start-->run--->\\192.168.14.229

 

it is not accessable gives error network path was not found.

 

 

 

 

 

Hello,

 

Just noticed that Your inside and vpn pool is in the same Major network.. I would suggest you to change the vPN pool to be in a different network ( say 192.168.15.0/24).. and remove the nat config done above.

 

Harish.

The title of your post is a bit misleading as you mention you do not have internet access, but now talk about VPN to LAN access.

It is best practice to have the VPN and local LAN on different subnets.  However, you can have the same major network for both VPN and LAN but you would need different subnetmasks.

The best way to solve this, as Harish has mentioned, is to place the VPN pool on a different network.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hello Marius Gunnerud and Hari,

I really appreciate the solutions you people provided.I have done the changes in pool and tried to access my inside network but still same problem.Kindly check here under o/ps and attached file at vpn user side.

 

ciscoasa(config)# no ip local pool testpool 192.168.14.240-192.168.14.250
ciscoasa(config)#
ciscoasa(config)# ip local pool testpool 192.168.15.240-192.168.15.250
ciscoasa(config)# int e0/0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# 
ciscoasa#
ciscoasa# sh cry
ciscoasa# sh crypto is
ciscoasa# sh crypto isakmp sa
ciscoasa# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.50.34.52
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
ciscoasa# sh crypto ipse
ciscoasa# sh crypto ipsec sa
ciscoasa# sh crypto ipsec sa
interface: outside
    Crypto map tag: dyn1, seq num: 1, local addr: 192.168.10.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.240/255.255.255.255/0/0)
      current_peer: 2.50.34.52, username: testuser
      dynamic allocated peer ip: 192.168.15.240

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.10.10, remote crypto endpt.: 2.50.34.52

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DB10CB59

    inbound esp sas:
      spi: 0x5E310D99 (1580273049)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: dyn1
         sa timing: remaining key lifetime (sec): 28766
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDB10CB59 (3675310937)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: dyn1
         sa timing: remaining key lifetime (sec): 28766
         IV size: 8 bytes
         replay detection support: Y

ciscoasa#     sh cli
ciscoasa# sho
ciscoasa# show cl
ciscoasa# show cli
ciscoasa# show vp
ciscoasa# show vpn
ciscoasa# show vpn-
ciscoasa# show vpn-sessiondb
ERROR: % Incomplete command
ciscoasa# show vpn-sessiondb ?

  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
ciscoasa# show vpn-sessiondb de
ciscoasa# show vpn-sessiondb detail
ERROR: % Incomplete command
ciscoasa# show vpn-sessiondb detail ?

  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  remote       IPsec Remote Access sessions
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
ciscoasa# show vpn-sessiondb detail re
ciscoasa# show vpn-sessiondb detail remote

Session Type: IPsec Detailed

Username     : testuser               Index        : 1
Assigned IP  : 192.168.15.240         Public IP    : 2.50.34.52
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5 SHA1
Bytes Tx     : 240                    Bytes Rx     : 1920
Pkts Tx      : 4                      Pkts Rx      : 38
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : mphone                 Tunnel Group : mphone
Login Time   : 00:22:21 UTC Thu Oct 9 2014
Duration     : 0h:02m:38s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKE Tunnels: 1
IPsec Tunnels: 1

IKE:
  Tunnel ID    : 1.1
  UDP Src Port : 2976                   UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 43200 Seconds          Rekey Left(T): 43048 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.15.240/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : MD5
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28646 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 240                    Bytes Rx     : 1920
  Pkts Tx      : 4                      Pkts Rx      : 38

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 154 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

ciscoasa#

Hello 

Can you send the below

1. 'route print' from your pc's command line after connecting to vpn

2.Latest complete configuration of ASA

 

Harish.

Hi Harish,

Please check the o/ps below and route print in attached file

Latest ASA Config

 

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255
.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.15.240-192.168.15.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy mphone internal
group-policy mphone attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dubai_splitTunnelAcl
username testuser password IqY6lTColo8VIF24 encrypted privilege 15
username testuser attributes
 vpn-group-policy mphone
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
username khans attributes
 vpn-group-policy mphone
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
 address-pool testpool
tunnel-group mphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:12308d7ff6c6df3d71181248e8d38ba8
: end
ciscoasa#

 

Route Print after vpn connection 


C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x40003 ...00 24 01 a2 e6 f1 ...... D-Link DFE-520TX PCI Fast Ethernet Adapter -
 Packet Scheduler Miniport
0x250004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule
r Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.211       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   192.168.10.211  192.168.10.211       20
   192.168.10.211  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.211  192.168.10.211       20
     192.168.14.0    255.255.255.0     192.168.15.1  192.168.15.240       1
     192.168.15.0    255.255.255.0   192.168.15.240  192.168.15.240       20
   192.168.15.240  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.15.255  255.255.255.255   192.168.15.240  192.168.15.240       20
    213.42.233.97  255.255.255.255     192.168.10.1  192.168.10.211       1
        224.0.0.0        240.0.0.0   192.168.10.211  192.168.10.211       20
        224.0.0.0        240.0.0.0   192.168.15.240  192.168.15.240       20
  255.255.255.255  255.255.255.255   192.168.10.211  192.168.10.211       1
  255.255.255.255  255.255.255.255   192.168.15.240  192.168.15.240       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

C:\>


C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : asu
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 7:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : D-Link DFE-520TX PCI Fast Ethernet A
dapter
        Physical Address. . . . . . . . . : 00-24-01-A2-E6-F1
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.211
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 213.42.20.20
                                            195.229.241.222

Ethernet adapter Local Area Connection 8:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.15.240
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

 

 

 

Hello

 

Great.  Try adding the below to get it work

access-list vpn-nonat extended permit ip any 192.168.15.0 255.255.255.0

nat (inside) 0 access-list vpn-nonat

Harish

Hi Harish,

Thankx a lot.Now i can access local network ......

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: