Cisco ASA 5505 split tunneling enabled, still can't ping
Chad
colocation facility. Recently local lan access
was not working so I configured the split tunnel access list. Local Lan
access now works but when connected to the vpn
I still cannot ping anything on the opposite side of the tunnel. I could
never ping anything on the other side. Can anyone
look at my config and tell me what I have configured wrong? The main office
is using 192.168.10.x. The VPN dhcp pool
192.168.11.x. The co-location facility uses 192.168.4.x. here is my
config. Thanks in advance:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname CompanyX
domain-name DOMAIN.COM
enable password 69YOKWVnTsvFTsnn encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.x.x.x 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name DOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0
255.255.255.0
access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0
255.255.255.240
access-list CompanyX_splitTunnelAcl standard permit 64.x.x.x 255.255.255.0
access-list CompanyX_splitTunnelAcl standard permit 192.168.4.0
255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.11.0
255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.4.0
255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0
255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteClientPool 192.168.11.1-192.168.11.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.71.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 65.x.x.x 255.255.255.255 outside
http 67.x.x.x 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
http 67.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 65.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 65.x.x.x 255.255.255.255 outside
ssh 67.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.101-192.168.10.132 inside
dhcpd dns 192.168.10.201 64.x.x.x interface inside
dhcpd wins 192.168.10.200 192.168.10.201 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 10000 interface inside
dhcpd domain DOMAIN.COM interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy CompanyX internal
group-policy CompanyX attributes
wins-server value 192.168.10.200 192.168.10.201
dns-server value 192.168.10.200 192.168.10.201
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CompanyX_splitTunnelAcl
default-domain value DOMAIN.COM
USERNAMES REMOVED
vpn-group-policy CompanyX
tunnel-group CompanyX type ipsec-ra
tunnel-group CompanyX general-attributes
address-pool RemoteClientPool
default-group-policy CompanyX
tunnel-group CompanyX ipsec-attributes
pre-shared-key *
tunnel-group 65.x.x.x type ipsec-l2l
tunnel-group 65.x.x.x ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:4cce7fd8f7f56356c9d862d80d64aeac
: end
ciscoKidJay
news:4836c89e$0$11641$607e...@cv.net:
you have two ways to allow icmp through. The best way is by ACL. The
alternate way is through a service policy. I recommend the first.
You don't have to allow it out, but you need to allow the reply back in.
acces-list outside extended line 1 permit icmp 192.168.4.0 255.255.255.0
any echo-reply
access-group outside in interface outside
When you apply that ACL and bind it to the outside interface, you should
see hits on the ACL trying to allow the replies of your ICMP back in
from 192.168.4.0 (remote side).
If that doesn't work, you can shotgun it and try this-
acces-list inisde extended line 1 permit icmp any any any echo
acces-list inisde extended line 2 permit icmp any 192.168.4.0
255.255.255.0 echo-reply
acces-list inisde extended line 3 permit icmp any 192.168.11.0
255.255.255.0 echo-reply
access-group inside in interface inside
That ACL will allow you to send out icmp, but not allow icmp echo
replies to be sent to the Interent from sites that aren't yours.
Hope this helps. If not, you can email me direct-
crazys...@yahoo.com
CiscoKidJay
www.mycrazyfriends.com