2417 Views, 0 Helpful, 25 Replies

VPN Access HELP

woodjl1650
Level 1

I have set up VPN access to my ASA 5505. I am finally able to connect and receive an IP address from it, but now I am stumped on why I cannot access my network. My network is as follows: Cable Modem --->ASA 5505--->Cisco 3660 Router--->Cisco 2900XL Switch--->Windows 2008 Server--->Client PCs. Can anyone help me figure out where I am going wrong?

[Attachment: Home_Network.jpg]

ASA 5505 Running Config:

ASA Version 8.2(3)
!
hostname ciscoasa
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool HomeVPN 192.168.3.0-192.168.3.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
router rip
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
default-information originate
version 2
!
route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
route inside 192.168.3.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNHome internal
group-policy VPNHome attributes
dns-server value 192.168.1.14 8.8.8.8
vpn-tunnel-protocol IPSec
default-domain value wood.homeserv.com
username Jonathan password WsMCHUiqvEuA9Gmb encrypted privilege 0
username Jonathan attributes
vpn-group-policy VPNHome
tunnel-group VPNHome type remote-access
tunnel-group VPNHome general-attributes
address-pool HomeVPN
default-group-policy VPNHome
tunnel-group VPNHome ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:214676358ccd68b2acb313ffcd92c6fa
: end

Cisco 3660 Router Config:

Building configuration...

Current configuration : 5921 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.7Q9$mJ4Y0sVUoAw8QZ/33g1JD/
enable password henry999
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.7
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.11 192.168.1.19
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.1.2/24
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip admission name NAC eapoudp inactivity-time 60 list NAC1
ip ips sdf location flash://SDF autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woodjl privilege 15 secret 5 $1$w.xT$cFJweRcOx29N9hKafqu4h1
username wooldjl privilege 15 secret 5 $1$4o6/$IO13XCGj9XXjIAGTsN3Yj0
!
!
!
class-map match-any SDM-Transactional-1
match  dscp af21
match  dscp af22
match  dscp af23
class-map match-any SDM-Signaling-1
match  dscp cs3
match  dscp af31
class-map match-any SDM-Routing-1
match  dscp cs6
class-map match-any SDM-Voice-1
match  dscp ef
class-map match-any SDM-Management-1
match  dscp cs2
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
  priority percent 33
   police cir 33000000
     conform-action transmit
     exceed-action drop
class SDM-Signaling-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Routing-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Management-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Transactional-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class class-default
  fair-queue
  random-detect
   police cir 22000000
     conform-action transmit
     exceed-action drop
!
!
!
crypto isakmp client configuration group HomeUsers
key henrydixie7153
dns 192.168.1.14 8.8.8.8
domain wood.homeserv.com
pool SDM_POOL_1
include-local-lan
max-users 5
netmask 255.255.255.0
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile HomeVPN
set transform-set SDM_TRANSFORMSET_1
!
!
crypto map HomeVPN 1 ipsec-isakmp
set peer 192.168.3.1
set security-association idle-time 7200
set transform-set SDM_TRANSFORMSET_1
set pfs group1
match address VPN1
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 192.168.2.2 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip admission NAC
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip verify unicast reverse-path
ip nat inside
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
service-policy output SDM-QoS-Policy-1
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 192.168.1.0
no auto-summary
!
ip local pool SDM_POOL_1 192.168.3.1 192.168.3.10
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip nat pool Home 192.168.1.1 192.168.1.24 netmask 255.255.255.0
!
!
ip access-list extended NAC1
remark NAC
remark SDM_ACL Category=64
remark NAC Rule
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended VPN
remark VPN Access
remark SDM_ACL Category=4
remark VPN
permit ip any any
ip access-list extended VPN1
remark VPN Access
remark SDM_ACL Category=4
permit ip host 192.168.3.1 any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.2.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.2.2 echo-reply
access-list 101 permit icmp any host 192.168.2.2 time-exceeded
access-list 101 permit icmp any host 192.168.2.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community 192.168.1.1 RO
snmp-server enable traps tty
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
transport output all
line aux 0
transport output all
line vty 0 4
password henry
transport input telnet
transport output all
!
!
end

25 Replies

I get this error: Crypto map associated with multiple interfaces. Cannot enable rri

remove this line

crypto map inside_map interface inside

no crypto map inside_map interface inside

Hi Jonathan,

I would suggest a small test to troubleshoot this issue and see if routing is an issue here:


On one of the PCs in the internal network belonging to the subnet 192.168.1.0, open a command prompt and do a tracert to 192.168.3.10 (a random IP in the VPN pool), and see where it dies. It ideally should end up at the ASA. If not, then we need to check the routing, and I see that you are using RIP, so make sure the routes are advertised properly among the internal routers.

Let me know if this helps,

Cheers,

Rudresh V

Ok, the tracert ends on my router 192.168.1.1

Is that after reverse-route?

In any case, you see that it ends on the 1.1, which I believe is the 3800 router. Can you please share the routes on that?

Yes, that is after the reverse route. Would you like the config for the 3660 router? If so, it is listed below:


Building configuration...

Current configuration : 6265 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.7Q9$mJ4Y0sVUoAw8QZ/33g1JD/
enable password henry999
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.7
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.11 192.168.1.19
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.1.2/24
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip admission name NAC eapoudp inactivity-time 60 list NAC1
ip ips sdf location flash://SDF autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woodjl privilege 15 secret 5 $1$w.xT$cFJweRcOx29N9hKafqu4h1
username wooldjl privilege 15 secret 5 $1$4o6/$IO13XCGj9XXjIAGTsN3Yj0
!
!
!
class-map match-any SDM-Transactional-1
match  dscp af21
match  dscp af22
match  dscp af23
class-map match-any SDM-Signaling-1
match  dscp cs3
match  dscp af31
class-map match-any SDM-Routing-1
match  dscp cs6
class-map match-any SDM-Voice-1
match  dscp ef
class-map match-any SDM-Management-1
match  dscp cs2
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
  priority percent 33
   police cir 33000000
     conform-action transmit
     exceed-action drop
class SDM-Signaling-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Routing-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Management-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Transactional-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class class-default
  fair-queue
  random-detect
   police cir 22000000
     conform-action transmit
     exceed-action drop
!
!
!
crypto isakmp client configuration group HomeUsers
key henrydixie7153
dns 192.168.1.14 8.8.8.8
domain wood.homeserv.com
pool SDM_POOL_1
include-local-lan
max-users 5
netmask 255.255.255.0
!
crypto isakmp client configuration group VPNHome
key henry999
dns 192.168.1.14 8.8.4.4
domain wood.homeserv.com
pool SDM_POOL_2
include-local-lan
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto ipsec profile VPNHome
set transform-set SDM_TRANSFORMSET_2
!
!
crypto map VPNHome 1 ipsec-isakmp
set peer 192.168.3.0
set security-association idle-time 7200
set transform-set SDM_TRANSFORMSET_1
set pfs group1
match address VPN1
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 192.168.2.2 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip admission NAC
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip verify unicast reverse-path
ip nat inside
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
service-policy output SDM-QoS-Policy-1
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 192.168.1.0
no auto-summary
!
ip local pool SDM_POOL_1 192.168.3.1 192.168.3.10
ip local pool SDM_POOL_2 192.168.4.0 192.168.4.10
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
!
ip nat pool Home 192.168.1.1 192.168.1.24 netmask 255.255.255.0
!
!
ip access-list extended NAC1
remark NAC
remark SDM_ACL Category=64
remark NAC Rule
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended VPN
remark VPN Access
remark SDM_ACL Category=4
remark VPN
permit ip any any
ip access-list extended VPN1
remark VPN Access
remark SDM_ACL Category=4
permit ip host 192.168.3.1 any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip host 255.255.255.0 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.2.2 echo-reply
access-list 101 permit icmp any host 192.168.2.2 time-exceeded
access-list 101 permit icmp any host 192.168.2.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community 192.168.1.1 RO
snmp-server enable traps tty
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
transport output all
line aux 0
transport output all
line vty 0 4
password henry
transport input telnet
transport output all
!
!
end

I don't quite understand why you have VPN config in this router.

If it is not required, please remove it.

Also, see if you require this to be like this; remove it if not in use already:

ip route 0.0.0.0 0.0.0.0 192.168.3.1

add this route

ip route 192.168.3.0 0.0.0.255 192.168.2.1

Also, I see you have an ACL applied on int fa0/0, which is connected to the ASA.

Please permit VPN traffic in that ACL:

ip access-list extended 101

1 permit ip 192.168.3.0 0.0.0.255 any

Since I am getting an error with this line, ip route 192.168.3.0 0.0.0.255 192.168.2.1, could I use the subnet 255.255.255.0 instead of 0.0.0.255?

Hi Jonathan,

If the trace route ends at the router, it means the router is not handing over the packet to the ASA for the destination subnet of 192.168.3.0.

Now I see that you are advertising the 192.168.3.0 subnet at the ASA via RIP. I think this is not propagating to the router for some reason. So please check the routes on the router and make sure there is a route for 192.168.3.0 pointing to the ASA via RIP. If not, then the routing protocol RIP is our root cause of the issue.

You can add a static route at the router for this, and it should work. But since you are using RIP, a dynamic routing protocol, you would need to check the routing config and correct this for correct route advertisements, either at the router or the ASA.

Now, since you are already advertising 192.168.3.0 in RIP (as per your configuration), I don't think reverse route is needed for the VPN pool.

Let me know if it works,

Cheers,

Rudresh V

Ok, I restored the factory default to the router to clear all unneeded items. I am back up and running like I was before. I entered this line:

ip route 192.168.3.0 0.0.0.255 192.168.2.1

and this is what came up:

Router(config)#ip route 192.168.3.0 0.0.0.255 192.168.2.1
%Inconsistent address and mask.

I am not understanding the 192.168.3.0 0.0.0.255 command. What is the 0.0.0.255 subnet for?

Current Show Run:

Router#show run
Building configuration...

Current configuration : 1096 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4 192.168.1.14 192.168.1.13
!
!
username woodjl privilege 15 secret 5 $1$FJyW$Ozgsn9oO0acvYSSeohvzX/
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!

!
control-plane
!
!

!
line con 0
line aux 0
line vty 0 4
!
!
end
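The two IOS details the replies above turn on, as an added worked example (not code from the thread): `ip route` takes a subnet mask while access-lists take a wildcard mask, which is why `ip route 192.168.3.0 0.0.0.255 ...` is rejected with "%Inconsistent address and mask", and the SDM anti-spoofing ACL 101 on fa0/0 drops packets sourced from the VPN pool 192.168.3.0/24 until a permit for that pool is inserted ahead of the RFC 1918 deny lines. The ACL entries are copied from the first router config in the thread; the ICMP lines are left out because they do not affect forwarded VPN traffic.

```python
# Added example (not from the thread): models the IOS mask check and the
# first-match evaluation of ACL 101 from the router config posted above.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_to_mask(wildcard: str) -> str:
    """0.0.0.255 -> 255.255.255.0; the conversion is a bitwise inverse,
    so the same function also turns a subnet mask into a wildcard."""
    return str(ipaddress.IPv4Address(ip_to_int(wildcard) ^ ALL_ONES))


def ip_route_consistent(network: str, subnet_mask: str) -> bool:
    """Mirror of the check behind '%Inconsistent address and mask':
    every host bit (a 0 bit in the subnet mask) must be 0 in the network."""
    host_bits = ip_to_int(subnet_mask) ^ ALL_ONES
    return ip_to_int(network) & host_bits == 0


# ACL 101 as applied inbound on fa0/0 (the interface facing the ASA), reduced
# to (action, source, wildcard); every listed line is "ip ... any".
ACL_101 = [
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("deny", "255.255.255.255", "0.0.0.0"),
    ("deny", "0.0.0.0", "0.0.0.0"),
    ("deny", "any", None),
]


def acl_match(src_ip: str, entry_ip: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if entry_ip == "any":
        return True
    care = ip_to_int(wildcard) ^ ALL_ONES
    return (ip_to_int(src_ip) & care) == (ip_to_int(entry_ip) & care)


def acl_decision(acl, src_ip: str) -> str:
    """First matching entry wins; IOS adds an implicit deny at the end."""
    for action, entry_ip, wildcard in acl:
        if acl_match(src_ip, entry_ip, wildcard):
            return action
    return "deny"


def with_vpn_permit(acl):
    """The reply's fix: '1 permit ip 192.168.3.0 0.0.0.255 any' goes first,
    so a VPN client source is permitted before the 192.168.0.0/16 deny."""
    return [("permit", "192.168.3.0", "0.0.0.255")] + list(acl)


if __name__ == "__main__":
    print(ip_route_consistent("192.168.3.0", "0.0.0.255"))        # False
    print(ip_route_consistent("192.168.3.0", "255.255.255.0"))    # True
    print(acl_decision(ACL_101, "192.168.3.10"))                  # deny
    print(acl_decision(with_vpn_permit(ACL_101), "192.168.3.10"))  # permit
```

The permit only opens the VPN pool; a packet arriving on fa0/0 claiming an inside source such as 192.168.1.5 is still dropped by the anti-spoofing line.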

Since you already have a default route to the ASA, you don't need the more specific one.

But, looking at the most recent ASA config you posted, I think there was some confusion about the split tunnel config.

You have

access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0 

But only one of these is actually used in the group-policy.

group-policy WoodVPN attributes
  split-tunnel-network-list value WoodVPN_splitTunnelAcl

So my suggestion is to add:

access-list WoodVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
(and remove the other 2 access-lists unless they're used for something else)

hth
Herbert