VPN Connects, cannot get to anything on LAN

WStoffel1 (Level 1)

OK, what am I missing? My VPN connects OK with the VPN Client Version 5.0.07.0290, but I'm unable to access anything on the 10.0.0.0/24 network.

Any thoughts? I should be able to ping the server 10.0.0.90 from my laptop while I'm on VPN if this was working correctly. Config follows:

ASA Version 7.2(4)

!

hostname XXXX

domain-name energy.com

enable password jp28ZvYIS1PQVK6M encrypted

passwd UmzM9i7pSqpXEdTR encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.9 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 74.x.x.150 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

dns server-group DefaultDNS

domain-name energy.com

access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0

access-list outside_in extended permit tcp any host 74.x.x.146 eq 35330

access-list outside_in extended permit tcp any host 74.x.x.147 eq 10000

access-list outside_in extended permit icmp any any

access-list outside_in extended permit tcp any host 74.x.x.148 eq 990

access-list outside_in extended permit udp any host 74.x.x.148 eq 900

access-list outside_in extended permit tcp any host 74.x.x.148 range 4000 4099

access-list outside_in extended permit udp any host 74.x.x.148 range 4000 4099

access-list outside_in extended permit udp any host 74.x.x.148 eq 990

pager lines 24

logging enable

logging timestamp

logging buffer-size 100000

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool dhcppptp-pool 192.168.150.1-192.168.150.20

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 74.x.x.146 10.0.0.90 netmask 255.255.255.255

static (inside,outside) 74.x.x.147 10.0.0.91 netmask 255.255.255.255

static (inside,outside) 74.x.x.148 10.0.0.3 netmask 255.255.255.255

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 74.x.x.145 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.0.0.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

tftp-server inside 10.0.0.109 cpix.cfg

group-policy BEVPN internal

group-policy BEVPN attributes

dns-server value 10.0.0.4 10.0.0.1

vpn-idle-timeout 30

split-tunnel-policy tunnelall

split-tunnel-network-list value 101

default-domain value maindomain.com

user-authentication disable

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

tunnel-group BEVPN type ipsec-ra

tunnel-group BEVPN general-attributes

address-pool dhcppptp-pool

default-group-policy BEVPN

tunnel-group BEVPN ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect dns preset_dns_map

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b379566df0e7f5213ad2396676763859

: end

7 Replies

Jouni Forss (VIP Alumni)

Hi,

Can you try adding this configuration:

fixup protocol icmp

Or the same can be done with the following commands:

policy-map global_policy

class inspection_default

  inspect icmp

And then try again.

- Jouni

Mariana Rodriguez (Cisco Employee)

Hi,

In addition to what Jouni recommends, if you would like to have split tunneling configured (ACL 101), it has to be paired with the following command:

group-policy BEVPN attributes

  split-tunnel-policy tunnelspecified

Right now it is configured as tunnelall. As a best practice, it is better that this ACL 101 (split tunnel ACL) is configured as a standard ACL. If by any chance the default gateway in your network is not this ASA, then with this command you can test the communication between your VPN client and the inside interface of the ASA:

management-access inside

This makes the interface pingable. However, ICMP inspection might be needed. In the event that there's another L3 hop in the network, make sure this hop knows that 192.168.150.0/24 is reached via 10.0.0.9 (ASA inside).

Hope it works!

Mariana

WStoffel1 (Level 1)

Thanks guys. I always forget the ICMP inspects; going to have to tie a string around my finger. So that's added.

I had actually changed split tunnel to tunnelspecified already, just didn't update my post. I have remote SSH access to this ASA (5505), so tunnelall was killing me. Still waiting on verification from the site, but it's all L2 switches and this ASA should be the gateway.

management inside is added.

Below is a sh run all; with the changes so far it's still not working. I'll give it a little while if anyone has thoughts, as I'd like to figure out why it's not working... but before COB I'll just create a new one, since I'm now reverse engineering someone else's handiwork. Figuring this one out just helps me learn better.

ASA Version 7.2(4)

!

command-alias exec h help

command-alias exec lo logout

command-alias exec p ping

command-alias exec s show

terminal width 80

hostname cjbbefw

domain-name energy.com

enable password jp28ZvYIS1PQVK6M encrypted

no fips enable

passwd UmzM9i7pSqpXEdTR encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.9 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 74.x.x.150 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/1

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/2

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/3

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/4

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/5

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/6

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

interface Ethernet0/7

switchport access vlan 1

switchport mode access

no switchport protected

speed auto

duplex auto

!

regex _default_gator "Gator"

regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"

regex _default_shoutcast-tunneling-protocol "1"

regex _default_http-tunnel "[/\\]HT_PortLog.aspx"

regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"

regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"

regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"

regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"

regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"

regex _default_gnu-http-tunnel_arg "crap"

regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"

regex _default_GoToMyPC-tunnel "machinekey"

regex _default_windows-media-player-tunnel "NSPlayer"

regex _default_yahoo-messenger "YMSG"

regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"

regex _default_firethru-tunnel_1 "firethru[.]com"

checkheaps check-interval 60

checkheaps validate-checksum 60

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60

dns server-group DefaultDNS

domain-name energy.com

access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224

access-list outside_in extended permit tcp any host 74.x.x.146 eq 35330

access-list outside_in extended permit tcp any host 74.x.x.147 eq 10000

access-list outside_in extended permit icmp any any

access-list outside_in extended permit tcp any host 74.x.x.148 eq 990

access-list outside_in extended permit udp any host 74.x.x.148 eq 900

access-list outside_in extended permit tcp any host 74.x.x.148 range 4000 4099

access-list outside_in extended permit udp any host 74.x.x.148 range 4000 4099

access-list outside_in extended permit udp any host 74.x.x.148 eq 990

pager lines 24

logging enable

logging timestamp

logging buffer-size 250000

logging asdm-buffer-size 100

logging buffered debugging

logging asdm informational

logging flash-minimum-free 3076

logging flash-maximum-allocation 1024

logging rate-limit 1 10 message 620002

logging rate-limit 1 10 message 717015

logging rate-limit 1 10 message 717018

logging rate-limit 1 10 message 201013

logging rate-limit 1 10 message 201012

logging rate-limit 1 10 message 419003

logging rate-limit 1 10 message 405002

logging rate-limit 1 10 message 421007

logging rate-limit 1 10 message 405001

logging rate-limit 1 10 message 421001

logging rate-limit 1 10 message 421002

logging rate-limit 1 10 message 710002

logging rate-limit 1 10 message 209003

logging rate-limit 1 10 message 209004

logging rate-limit 1 10 message 209005

logging rate-limit 1 10 message 431002

logging rate-limit 1 10 message 431001

logging rate-limit 1 10 message 110003

logging rate-limit 1 10 message 110002

logging rate-limit 1 10 message 450001

mtu inside 1500

mtu outside 1500

ip local pool dhcppptp-pool 192.168.150.1-192.168.150.30 mask 255.255.255.224

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

no nat-control

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 74.x.x.146 10.0.0.90 netmask 255.255.255.255

static (inside,outside) 74.x.x.147 10.0.0.91 netmask 255.255.255.255

static (inside,outside) 74.x.x.148 10.0.0.3 netmask 255.255.255.255

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 74.x.x.145 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable 443

http 10.0.0.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

no snmp-server enable traps syslog

no snmp-server enable traps ipsec start stop

no snmp-server enable traps entity config-change fru-insert fru-remove

no snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable

snmp-server listen-port 161

fragment size 200 inside

fragment chain 24 inside

fragment timeout 5 inside

no fragment reassembly full inside

fragment size 200 outside

fragment chain 24 outside

fragment timeout 5 outside

no fragment reassembly full outside

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

sysopt connection permit-vpn

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt noproxyarp inside

no sysopt noproxyarp outside

service password-recovery

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec security-association replay window-size 64

crypto ipsec fragmentation before-encryption inside

crypto ipsec fragmentation before-encryption outside

crypto ipsec df-bit copy-df inside

crypto ipsec df-bit copy-df outside

crypto dynamic-map cisco 1 set transform-set myset

crypto dynamic-map cisco 1 set security-association lifetime seconds 28800

crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

crypto isakmp identity auto

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

vpn-addr-assign aaa

vpn-addr-assign dhcp

vpn-addr-assign local

no vpn-sessiondb max-session-limit

no vpn-sessiondb max-webvpn-session-limit

no remote-access threshold

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

l2tp tunnel hello 60

no vpnclient enable

priority-queue inside

  queue-limit   0

  tx-ring-limit -1

priority-queue outside

  queue-limit   0

  tx-ring-limit -1

tftp-server inside 10.0.0.109 cpix.cfg

ssl server-version any

ssl client-version any

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-md5

webvpn

memory-size percent 25

port 443

character-encoding none

no http-proxy

no https-proxy

default-idle-timeout 1800

no csd enable

no svc enable

customization DfltCustomization

  title text WebVPN Service

  title style background-color:white;color:maroon;border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold

  username-prompt text USERNAME:

  username-prompt style color:black;font-weight:bold;text-align:right

  password-prompt text PASSWORD:

  password-prompt style color:black;font-weight:bold;text-align:right

  group-prompt text GROUP:

  group-prompt style color:black;font-weight:bold;text-align:right

  login-button text Login

  login-button style border:1px solid black;background-color:white;font-weight:bold;font-size:80%

  clear-button text Clear

  clear-button style border:1px solid black;background-color:white;font-weight:bold;font-size:80%

  login-title text Login

  login-title style background-color:#666666;color:white

  login-message text Please enter your username and password.

  login-message style background-color:#CCCCCC;color:black

  logout-title text Logout

  logout-title style background-color:#666666;color:white

  logout-message text Goodbye.

  logout-message style background-color:#999999;color:black

  web-applications title text Web Applications

  web-applications title style background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase

  web-applications message text Enter Web Address (URL)

  web-applications message style background-color:#99CCCC;color:maroon;font-size:smaller

  web-applications dropdown text Web Bookmarks

  web-applications dropdown style border:1px solid black;font-weight:bold;color:black;font-size:80%

  browse-networks title text Browse Networks

  browse-networks title style background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase

  browse-networks message text Enter Network Path

  browse-networks message style background-color:#99CCCC;color:maroon;font-size:smaller

  browse-networks dropdown text File Folder Bookmarks

  browse-networks dropdown style border:1px solid black;font-weight:bold;color:black;font-size:80%

  application-access title text Application Access

  application-access title style background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase

  application-access message text Start Application Client

  application-access message style background-color:#99CCCC;color:maroon;font-size:smaller

  application-access window text Close this window when you finish using Application Access.
Please wait for the table to be displayed before starting applications.

  application-access window style background-color:#99CCCC;color:black;font-weight:bold

  web-bookmarks link style color:#669999;border-bottom: 1px solid #669999;text-decoration:none

  web-bookmarks title text Web Bookmarks

  web-bookmarks title style color:#669999;background-color:#99CCCC;font-weight:bold

  file-bookmarks link style color:#669999;border-bottom: 1px solid #669999;text-decoration:none

  file-bookmarks title text File Folder Bookmarks

  file-bookmarks title style color:#669999;background-color:#99CCCC;font-weight:bold

  page style background-color:white;font-family:Arial,Helv,sans-serif

  border style background-color:#669999;color:white

  dialog title style background-color:#669999;color:white

  dialog message style background-color:#99CCCC;color:black

  dialog border style border:1px solid black;border-collapse:collapse

  no logo

  application-access hide-details disable

no tunnel-group-list enable

rewrite order 65535 enable resource-mask *

cache

  disable

  max-object-size 1000

  min-object-size 0

  cache-compressed

  no cache-static-content

  lmfactor 20

  expiry-time 1

no auto-signon

group-policy DfltGrpPolicy internal

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact

your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

no vpn-nac-exempt

group-policy BEVPN internal

group-policy BEVPN attributes

dns-server value 10.0.0.4 10.0.0.1

vpn-idle-timeout 30

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 101

default-domain value maindomain.com

user-authentication disable

no vpn-nac-exempt

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

no accounting-server-group

default-group-policy DfltGrpPolicy

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 10 retry 2

tunnel-group DefaultRAGroup type ipsec-ra

tunnel-group DefaultRAGroup general-attributes

no address-pool

authentication-server-group LOCAL

no accounting-server-group

default-group-policy DfltGrpPolicy

no dhcp-server

no nac-authentication-server-group

no strip-realm

no password-management

no override-account-disable

no strip-group

no authorization-required

authorization-dn-attributes CN OU

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 300 retry 2

no radius-sdi-xauth

isakmp ikev1-user-authentication none

tunnel-group DefaultRAGroup ppp-attributes

no authentication pap

authentication chap

authentication ms-chap-v1

no authentication ms-chap-v2

no authentication eap-proxy

tunnel-group DefaultWEBVPNGroup type webvpn

tunnel-group DefaultWEBVPNGroup general-attributes

no address-pool

authentication-server-group LOCAL

no accounting-server-group

default-group-policy DfltGrpPolicy

no dhcp-server

no password-management

no override-account-disable

no authorization-required

authorization-dn-attributes CN OU

tunnel-group DefaultWEBVPNGroup webvpn-attributes

hic-fail-group-policy DfltGrpPolicy

customization DfltCustomization

authentication aaa

dns-group DefaultDNS

tunnel-group BEVPN type ipsec-ra

tunnel-group BEVPN general-attributes

address-pool dhcppptp-pool

authentication-server-group LOCAL

no accounting-server-group

default-group-policy BEVPN

no dhcp-server

no nac-authentication-server-group

no strip-realm

no password-management

no override-account-disable

no strip-group

no authorization-required

authorization-dn-attributes CN OU

tunnel-group BEVPN ipsec-attributes

pre-shared-key *

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 300 retry 2

no radius-sdi-xauth

isakmp ikev1-user-authentication none

tunnel-group BEVPN ppp-attributes

no authentication pap

authentication chap

authentication ms-chap-v1

no authentication ms-chap-v2

no authentication eap-proxy

!

class-map type inspect http match-all _default_gator

match request header user-agent regex _default_gator

class-map type inspect http match-all _default_msn-messenger

match response header content-type regex _default_msn-messenger

class-map type inspect http match-all _default_yahoo-messenger

match request body regex _default_yahoo-messenger

class-map type inspect http match-all _default_windows-media-player-tunnel

match request header user-agent regex _default_windows-media-player-tunnel

class-map type inspect http match-all _default_gnu-http-tunnel

match request args regex _default_gnu-http-tunnel_arg

match request uri regex _default_gnu-http-tunnel_uri

class-map type inspect http match-all _default_firethru-tunnel

match request header host regex _default_firethru-tunnel_1

match request uri regex _default_firethru-tunnel_2

class-map type inspect http match-all _default_aim-messenger

match request header host regex _default_aim-messenger

class-map type inspect http match-all _default_http-tunnel

match request uri regex _default_http-tunnel

class-map type inspect http match-all _default_kazaa

match response header regex _default_x-kazaa-network count gt 0

class-map type inspect http match-all _default_shoutcast-tunneling-protocol

match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol

class-map class-default

match any

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-all _default_GoToMyPC-tunnel

match request args regex _default_GoToMyPC-tunnel

match request uri regex _default_GoToMyPC-tunnel_2

class-map type inspect http match-all _default_httport-tunnel

match request header host regex _default_httport-tunnel

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  no message-length maximum server

  no message-length maximum client

  dns-guard

  protocol-enforcement

  nat-rewrite

  no id-randomization

  no id-mismatch

  no tsig enforced

policy-map type inspect h323 _default_h323_map

description Default H.323 policymap

parameters

  no rtp-conformance

policy-map type inspect esmtp _default_esmtp_map

description Default ESMTP policy-map

parameters

  mask-banner

  no mail-relay

  no special-character

  no allow-tls

match cmd line length gt 512

  drop-connection log

match cmd RCPT count gt 100

  drop-connection log

match body line length gt 998

  log

match header line length gt 998

  drop-connection log

match sender-address length gt 320

  drop-connection log

match MIME filename length gt 255

  drop-connection log

match ehlo-reply-parameter others

  mask

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225 _default_h323_map

  inspect h323 ras _default_h323_map

  inspect rsh

  inspect rtsp

  inspect esmtp _default_esmtp_map

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect dns preset_dns_map

  inspect icmp

class class-default

policy-map type inspect sip _default_sip_map

description Default SIP policymap

parameters

  im

  no ip-address-privacy

  traffic-non-sip

  no rtp-conformance

policy-map type inspect dns _default_dns_map

description Default DNS policy-map

parameters

  no message-length maximum

  no message-length maximum server

  no message-length maximum client

  dns-guard

  protocol-enforcement

  nat-rewrite

  no id-randomization

  no id-mismatch

  no tsig enforced

policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map

description Default IPSEC-PASS-THRU policy-map

parameters

  esp per-client-max 0 timeout 0:10:00

!

service-policy global_policy global

imap4s

port 993

no server

outstanding 20

name-separator :

server-separator @

authentication-server-group LOCAL

no authorization-server-group

no accounting-server-group

default-group-policy DfltGrpPolicy

no authentication

no authorization-required

authorization-dn-attributes CN OU

pop3s

port 995

no server

outstanding 20

name-separator :

server-separator @

authentication-server-group LOCAL

no authorization-server-group

no accounting-server-group

default-group-policy DfltGrpPolicy

no authentication

no authorization-required

authorization-dn-attributes CN OU

smtps

port 988

no server

outstanding 20

name-separator :

server-separator @

authentication-server-group LOCAL

no authorization-server-group

no accounting-server-group

default-group-policy DfltGrpPolicy

authentication aaa

no authorization-required

authorization-dn-attributes CN OU

prompt hostname context

auto-update device-id hostname

auto-update poll-period 720 0 5

auto-update timeout 0

compression svc http-comp

Cryptochecksum:0205b5f052807872ee954a44641c9e9e

: end

Hi,

I don't see the NAT 0 configuration anymore in this configuration:

nat (inside) 0 access-list nonat

Can you also change the Split Tunnel ACL:

access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

group-policy BEVPN attributes

no split-tunnel-network-list value 101

split-tunnel-network-list value SPLIT-TUNNEL

You can also use the command "show run", which will generate a little less output.

- Jouni

LOL.  I just did the sh run all in case there was something stupid I was missing, but since all the extra garbage is unconfigured stuff...

NAT 0, not sure what happened there unless there's someone else monkeying around, but thanks for noticing! That's back.

ACL is updated, with what logically seems more correct. I have to remote into the VPN client machine from where I'm at, so testing is a bit limited for the next 2 hours; when I'm back in my office I'll test this config out.

Thank you as always.

Looks like the last round of changes fixed it. I have access to the LAN while VPN'd in. So the SPLIT-TUNNEL ACL, is that what Mariana was referring to as a best practice above, to make it a standard ACL?

I attached the final config as it's working now for reference.  There's some apparent clean up that needs to happen, but all I'm supposed to do is get the VPN working, which it is now.

Thanks a bunch guys!

Hi,

Yes, the standard-type ACL which Mariana mentioned is the simplest way to do it, and there is no need to use extended ACLs in this case.

You simply add an ACL line for each network/host for which you want the traffic to be forwarded to the VPN, from the VPN Client user's perspective.

The above ACL basically tells the ASA and VPN Client "Tunnel all connections to destination network 10.0.0.0/24 to the VPN client connection".

For example, if you were to add a network 10.0.1.0/24 to your LAN and needed VPN client connectivity there, you would simply add the following line:

access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0

Naturally, you would also need:

access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.150.0 255.255.255.224

You can see the network 10.0.1.0/24 in the VPN client software when it's connected. Just find the section mentioning the routes.

- Jouni
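As an added example (not from this thread, Cisco, or any of the posters), a small Python linter for pre-8.3 ASA running-configs that checks the things the thread ended up fixing: a nat 0 exemption covering the VPN pool, a standard split-tunnel ACL under tunnelspecified whose networks are also in the nonat ACL, and inspect icmp. The two config strings inside are constructed to mirror the posted ones; the interface name defaults to "inside" as in the thread.

```python
"""Lint a pre-8.3 ASA running-config for the remote-access VPN problems in this
thread: no NAT exemption for the VPN pool, a split-tunnel list that is extended
or attached under tunnelall, tunnelled LAN networks absent from the nonat ACL,
and no 'inspect icmp'. Example code for this page; the configs are constructed."""
import ipaddress
import re

ACL_EXT = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ACL_STD = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

# Constructed: the second posted config in miniature (nonat ACL defined, 'nat (inside) 0' gone, list 101 under tunnelall).
BROKEN_CONFIG = """\
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
ip local pool dhcppptp-pool 192.168.150.1-192.168.150.20
nat (inside) 1 10.0.0.0 255.255.255.0
group-policy BEVPN attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value 101
policy-map global_policy
 class inspection_default
  inspect ftp
"""

# Constructed: the same config with the thread's accepted solution applied.
FIXED_CONFIG = (
    BROKEN_CONFIG.replace("nat (inside) 1", "nat (inside) 0 access-list nonat\nnat (inside) 1")
    .replace("tunnelall", "tunnelspecified")
    .replace("value 101", "value SPLIT-TUNNEL")
    .replace("  inspect ftp", "  inspect ftp\n  inspect icmp")
    + "access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0\n"
)


def net(addr, mask):
    """ASA writes 'address netmask'; ipaddress accepts a dotted mask after '/'."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACLs, pools, split-tunnel settings, nat 0 references and inspections."""
    acls, pools, policies, nat0, inspects = {}, {}, {}, {}, set()
    # Indentation is ignored: split-tunnel lines belong to the most recent
    # 'group-policy ... attributes' header; anything before a header is dropped.
    current = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_EXT.match(line):
            acl = acls.setdefault(m[1], {"type": "extended", "entries": []})
            acl["entries"].append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := ACL_STD.match(line):
            acl = acls.setdefault(m[1], {"type": "standard", "entries": []})
            acl["entries"].append((None, net(m[2], m[3])))  # destination only
        elif m := POOL.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0.match(line):
            nat0[m[1]] = m[2]
        elif m := re.match(r"^group-policy (\S+) attributes$", line):
            current = policies.setdefault(m[1], {})
        elif m := re.match(r"^split-tunnel-policy (\S+)$", line):
            current["policy"] = m[1]
        elif m := re.match(r"^split-tunnel-network-list value (\S+)$", line):
            current["list"] = m[1]
        elif m := re.match(r"^inspect (\S+)", line):
            inspects.add(m[1])
    return acls, pools, policies, nat0, inspects


def lint(config, inside="inside"):
    """Return a list of findings; an empty list means every check passed."""
    acls, pools, policies, nat0, inspects = parse(config)
    findings = []
    # 1. Without a nat 0 entry covering the pool, LAN replies hit the PAT rule.
    exempt = acls.get(nat0.get(inside, ""), {"entries": []})["entries"]
    for name, (lo, hi) in pools.items():
        if not any(lo in dst and hi in dst for _, dst in exempt):
            findings.append(f"pool {name}: no nat ({inside}) 0 entry covers {lo}-{hi}")
    # 2. tunnelall ignores the list; tunnelspecified needs a standard ACL that is also NAT-exempted.
    for name, gp in policies.items():
        pol, lst = gp.get("policy"), gp.get("list")
        if pol == "tunnelall" and lst:
            findings.append(f"group-policy {name}: list {lst} has no effect under tunnelall")
        elif pol == "tunnelspecified" and lst not in acls:
            findings.append(f"group-policy {name}: split-tunnel list {lst} does not exist")
        elif pol == "tunnelspecified" and acls[lst]["type"] != "standard":
            findings.append(f"group-policy {name}: list {lst} should be a standard ACL")
        elif pol == "tunnelspecified":
            for _, lan in acls[lst]["entries"]:
                if not any(lan.subnet_of(src) for src, _ in exempt):
                    findings.append(f"{lst}: {lan} is tunnelled but missing from the nat 0 ACL")
    # 3. Without ICMP inspection the ASA keeps no state for echo requests.
    if "icmp" not in inspects:
        findings.append("global_policy: 'inspect icmp' missing, ping through the ASA fails")
    return findings
```

Running `lint(BROKEN_CONFIG)` reports the three problems the thread hit, `lint(FIXED_CONFIG)` reports none, and adding a second network to SPLIT-TUNNEL without the matching nonat line reproduces Jouni's "you would also need" point.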