Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
2
Replies

Please Help! Can not access to web after connected to VPN

Go to solution
harry0310
Level 1
Level 1

‎02-17-2013 04:10 PM

Hi,

I am a newbie on Cisco products.  I configured a Cisco ASA 5505 firewall with VPN.  However, I can not access to the web after I connected to the remote IPSec VPN.  I also failed to connect to the webs using IP.  But I can connect to internal servers in the office without any problems.

Below is my configuration, can someone please help?  Many Thanks

ASA Version 8.2(5)

!

hostname asa

domain-name xxxxxxxxx.com

enable password xxxxxxxxxxx encrypted

passwd xxxxxxxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

clock timezone zone -8

clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 107.204.233.222

name-server 192.168.1.3

domain-name xxxxxxxxx.com

access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd dns 107.204.233.222 192.168.1.3 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy xxxxxxxx-sc internal

group-policy xxxxxxxx-sc attributes

dns-server value 107.204.233.222 192.168.1.3

vpn-tunnel-protocol IPSec

default-domain value xxxxxxxxxx.com

username xxxxx password xxxxxxxxxxx encrypted

vpn-group-policy xxxxxxxx-sc

tunnel-group xxxxxxxx-sc type remote-access

tunnel-group xxxxxxxx-sc general-attributes

address-pool sc-pool

default-group-policy xxxxxxxx-sc

tunnel-group xxxxxxxx-sc ipsec-attributes

pre-shared-key **

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr xxxxxxx@hotmail.com

profile CiscoTAC-1

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:5c1c99b09fb26fcc36a8bf7206af8e02

: end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-17-2013 04:15 PM

Hi,

Try adding the following commands

same-security-traffic permit intra-interface

nat (outside) 1 192.168.1.96 255.255.255.240

If there is still problems with the VPN then I would suggest perhaps changing the VPN Pool to something else than something that overlaps with the LAN network.

In that case these configurations should do the trick

In order from top to bottom they would do the following things

  • First remove the VPN Pool from the VPN configurations
  • Then remove the VPN Pool
  • Remake the VPN Pool with different network
  • Reattach the VPN pool to the VPN configurations
  • Configure NAT0 for the new VPN Pool
  • Remove the old ACL line from the NAT0 configuration

tunnel-group xxxxxxxx-sc general-attributes

no address-pool sc-pool

no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

ip local pool sc-pool 192.168.2.10-192.168.2.254 mask 255.255.255.0

tunnel-group xxxxxxxx-sc general-attributes

address-pool sc-pool

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.240

Naturally you would also need the NAT configuration for the new VPN Pools Internet traffic

nat (outside) 1 192.168.2.0 255.255.255.0

Please rate if the information was helpfull If this solved the problem mark the question as answered.

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-17-2013 04:15 PM

Hi,

Try adding the following commands

same-security-traffic permit intra-interface

nat (outside) 1 192.168.1.96 255.255.255.240

If there is still problems with the VPN then I would suggest perhaps changing the VPN Pool to something else than something that overlaps with the LAN network.

In that case these configurations should do the trick

In order from top to bottom they would do the following things

  • First remove the VPN Pool from the VPN configurations
  • Then remove the VPN Pool
  • Remake the VPN Pool with different network
  • Reattach the VPN pool to the VPN configurations
  • Configure NAT0 for the new VPN Pool
  • Remove the old ACL line from the NAT0 configuration

tunnel-group xxxxxxxx-sc general-attributes

no address-pool sc-pool

no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

ip local pool sc-pool 192.168.2.10-192.168.2.254 mask 255.255.255.0

tunnel-group xxxxxxxx-sc general-attributes

address-pool sc-pool

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.240

Naturally you would also need the NAT configuration for the new VPN Pools Internet traffic

nat (outside) 1 192.168.2.0 255.255.255.0

Please rate if the information was helpfull If this solved the problem mark the question as answered.

- Jouni

0 Helpful

Go to solution
harry0310
Level 1
Level 1
In response to Jouni Forss

‎02-17-2013 04:50 PM

Hi Jouni,

It works! After putting the first two commands to the  conf and reconnect to vpn, I can access to the web without problems.  Thank you so much.

Harry

0 Helpful
Customers Also Viewed These Support Documents