Hi guys,
Looking for a little help after a day of frustration. I am really new to this and studying so I know that I am doing something dumb. Anyway, I purchased an ASA 5505 and placed it between my Cable Modem and Cisco 3745 router. The outside interface on the ASA is dhcp, the inside interface is 192.168.100.1. The outside interface of the 3745 is 192.168.100.2 and the inside is 192.168.1.1. The VPN pool is 192.168.200.10 - 192.168.200.10.
Thanks in advance!
Here are the problems...
1. When I establish a VPN session to the ASA, I can ping and access any resources directly connected to the ASA's interfaces and on the ASA's internal 192.168.100.0 network. However, I cannot access any resources behind the 3745. I cannot even ping 192.168.1.1. Even directly connected hosts on the ASA cannot access hosts in the 192.168.1.x subnet. There appears to be no traffic between 192.168.100.0 and 192.168.1.0.
2. Although I believe that I set up split-tunnel, I cannot U-Turn back to the internet once connected to the VPN.
Here is my network topology as well as my ASA config and Router config.....
ASA ......
ASA Version 8.2(5)
!
hostname poog-fw1
domain-name poog
enable password ********** encrypted
passwd ************ encrypted
names
name 192.168.100.2 RouterWAN
name 192.168.100.0 Internal
name 192.168.200.0 VPN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 167.206.245.129
name-server 167.206.245.130
domain-name poog
same-security-traffic permit intra-interface
object-group network VPN
object-group network RouterWAN
object-group network RouterWAN-01
object-group network RouterWAN-02
object-group network RouterWAN-03
object-group network RouterWAN-04
object-group network RouterWAN-05
object-group network obj_any
object-group network obj_any-01
object-group network obj-0.0.0.0
object-group network iphone
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp VPN 255.255.255.0 any
access-list outside_access_in remark Telnet to Router
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in remark IP Cameras
access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in remark FTP to NAS
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark VNC to WX Server
access-list outside_access_in extended permit tcp any interface outside eq 5900
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Telnet to Router
access-list outside_access_in remark IP Cameras
access-list outside_access_in remark FTP to NAS
access-list outside_access_in remark VNC to WX Server
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0
access-list split-tunnel standard permit Internal 255.255.255.0
access-list split-tunnel standard permit host 192.168.1.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255
static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255
static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255
static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router rip
network Internal
default-information originate
version 2
no auto-summary
!
route inside 192.168.1.0 255.255.255.0 RouterWAN 1
route inside VPN 255.255.255.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Internal 255.255.255.0 inside
http VPN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet Internal 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address RouterWAN-RouterWAN inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 167.206.245.129
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value split-tunnel
group-policy Clientless internal
group-policy Clientless attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value VPN_Book_Marks
group-policy AnyConnect internal
group-policy AnyConnect attributes
banner value Welcome To My Network
dns-server value 167.206.245.129
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value poog
webvpn
url-list value VPN_Book_Marks
svc keep-installer installed
svc ask none default svc
username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0
username ogonzalez attributes
vpn-group-policy Clientless
username jgonzalez password ymcpO334smdskkpl encrypted privilege 0
username jgonzalez attributes
vpn-group-policy AnyConnect
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPOOL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
group-url https://69.121.142.156/RAVPN enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPNPOOL
default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
group-url https://69.121.142.156/AnyConnect enable
tunnel-group Clientless type remote-access
tunnel-group Clientless general-attributes
default-group-policy Clientless
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7d91e2ad8d7a86c40860fa8a1b117271
: end
Router.....
Current configuration : 1922 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname poog_rtr1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
no logging monitor
enable secret 5 *************.
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool DHCP1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 167.206.245.129 167.206.245.130
!
!
!
!
!
!
!
!
!
!
!
!
username ***** privilege 15 password 0 *****
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
network 192.168.1.0
network 192.168.100.0
network 192.168.200.0
no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.13 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 192.168.1.12 1022 interface FastEthernet0/1 1022
ip nat inside source static tcp 192.168.1.11 1021 interface FastEthernet0/1 1021
ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.1.1 23 interface FastEthernet0/1 23
ip http server
ip http authentication local
ip classless
ip route 192.168.200.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit any
no cdp run
!
!
!
!
!
!
!
dial-peer cor custom
!
!
!
gateway
!
banner motd ^C
***** UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED! *****^C
!
line con 0
line aux 0
line vty 0 4
login local
!
end
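An added example, not part of the original post: the changes on both devices that follow from what is visible in the posted configs (the `host 192.168.1.0` split-tunnel entry, the NAT exemption that covers only 192.168.100.0/24, the `split-tunnel-network-list none` in the AnyConnect group policy, the interface-only route and the `permit any` NAT ACL on the router). `NAT_INSIDE` is a name chosen here; every other name and address is taken from the configs above.

```cisco
! ---------- ASA 5505, 8.2(5) ----------
! Problem 1, ASA side: LAN <-> VPN-pool traffic for 192.168.1.0/24 must be
! exempt from NAT, exactly as 192.168.100.0/24 (Internal) already is.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0
!
! Problem 2: "permit host 192.168.1.0" matches a single address, not the
! subnet, and "split-tunnel-network-list none" in the AnyConnect policy
! overrides the list, so every client packet is tunnelled (no internet).
no access-list split-tunnel standard permit host 192.168.1.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy AnyConnect attributes
 split-tunnel-network-list value split-tunnel
!
! The ASA installs a host route per connected client on its own; a /24 route
! for the pool pointing back at the inside interface address is wrong.
no route inside VPN 255.255.255.0 192.168.100.1 1
!
! ---------- Cisco 3745, IOS 12.3 ----------
! Problem 1, router side: a next hop of "FastEthernet0/1" makes the router ARP
! for each 192.168.200.x address on the 192.168.100.0 segment. The ASA does
! not answer those, so replies to VPN clients are dropped. Point at the ASA.
no ip route 192.168.200.0 255.255.255.0 FastEthernet0/1
ip route 192.168.200.0 255.255.255.0 192.168.100.1
!
! Access-list 1 "permit any" also translates LAN replies to 192.168.100.x hosts
! and to VPN clients, so those hosts see the answer come from 192.168.100.2.
! Keep PAT for the internet only; exclude the two internal destinations.
! (clear ip nat translation * first, or IOS refuses to remove the mapping)
no ip nat inside source list 1 interface FastEthernet0/1 overload
ip access-list extended NAT_INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT_INSIDE interface FastEthernet0/1 overload
```

Separately, the `outside_access_in` rule plus the `static (inside,outside) tcp interface telnet RouterWAN telnet` entry publish the router's Telnet port to any internet source, and the router's vty lines accept Telnet with local passwords under `no service password-encryption`; once the tunnel works, that rule can be dropped in favour of managing 192.168.100.2 over the VPN, with `transport input ssh` on the vty lines.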