Hi,
I have a Cisco ASA 5510 with VPNs set up that authenticate against a RADIUS server.
Everything is working, but I also want remote VPN users to be able to reach the internet through their own local connection while the tunnel is up.
Is this possible? The remote client already has local LAN access.
The config is below; help with either ASDM or the CLI is appreciated:
!
! Review notes are added as "!" lines (ignored by the ASA parser); every
! configuration line below is unchanged from the posted config.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 194.xx.xx.100 255.255.255.240
!
! Inside is a /23 (10.46.48.0 - 10.46.49.255); both VPN pools below fall
! inside this range, so the ASA must proxy-ARP for pool addresses on inside.
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.46.48.254 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx encrypted
banner login This is a monitored router - Logout now if you do not have authorization
ftp mode passive
! NOTE(review): object-group Non_Server is defined but not referenced by any
! access-list shown in this config, so it currently has no effect.
! "Network49" is a name, not an address - presumably an object defined outside
! this excerpt; verify it resolves.
object-group network Non_Server
description Non Server Devices Denied Internet Access
network-object Network49 255.255.255.0
network-object 10.46.48.0 255.255.255.128
network-object 10.46.48.128 255.255.255.224
! NAT exemption for traffic towards the VPN pools. 10.46.49.144/28 is a subset
! of 10.46.49.128/25, so the first line is redundant. Source "any" is broader
! than the inside network; narrowing it to 10.46.48.0/23 documents intent.
access-list inside_nat0_outbound extended permit ip any 10.46.49.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.46.49.128 255.255.255.128
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
! Pool "remote" (5 addresses) serves tunnel-group DoncasterASA; pool "Radius"
! (51 addresses) serves tunnel-group DoncasterVacman. Both are covered by the
! nat0 exemption above.
ip local pool remote 10.46.49.201-10.46.49.205 mask 255.255.254.0
ip local pool Radius 10.46.49.150-10.46.49.200 mask 255.255.254.0
icmp permit any traceroute outside
! NOTE(review): "icmp permit any outside" allows every ICMP type from any
! source to the outside interface itself; restricting this to the types the
! site needs (e.g. echo-reply, unreachable, time-exceeded) reduces exposure.
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
! Dynamic PAT of all inside hosts to the outside interface address.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
! Static one-to-one NAT exposing 10.46.48.212. No access-group is applied to
! the outside interface in this config, so inbound connections to it are
! blocked by the default security-level behaviour unless an ACL exists
! outside this excerpt.
static (inside,outside) 194.XX.XX.98 10.46.48.212 netmask 255.255.255.255
! NOTE(review): the interface and static addresses were masked (194.xx.xx.*)
! but the upstream gateway on this line was not; redact consistently before
! posting.
route outside 0.0.0.0 0.0.0.0 194.159.181.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
max-failed-attempts 5
! NOTE(review): the RADIUS shared secret on the "key" line is posted in clear
! text; treat it as compromised - rotate it on both the ASA and the RADIUS
! server and redact it in any future paste.
aaa-server Radius host 10.46.48.200
key donvac
authentication-port 1812
accounting-port 1813
! Neither group-policy sets a split-tunnel-policy, so the default applies and
! all client traffic (including internet traffic) is sent through the tunnel.
! To let clients reach the internet via their local connection while the
! tunnel is up, add "split-tunnel-policy tunnelspecified" together with a
! "split-tunnel-network-list" naming the internal networks to the relevant
! group-policy. Trade-off: a split-tunnelled client is reachable from both
! the internet and the corporate network at the same time, so endpoint
! firewalling/posture becomes more important.
group-policy DoncasterVacman internal
group-policy DoncasterVacman attributes
dns-server value 10.46.48.200
default-domain value XXX
webvpn
group-policy DoncasterASA internal
group-policy DoncasterASA attributes
dns-server value 10.46.48.200
default-domain value XXX
webvpn
! Local user used by tunnel-group DoncasterASA (that tunnel-group names no
! authentication-server-group, so it presumably falls back to LOCAL - verify).
username unify password XXX encrypted privilege 0
username unify attributes
vpn-group-policy DoncasterASA
webvpn
! NOTE(review): ASDM/HTTPS management is reachable from 0.0.0.0/0 on both
! outside and inside. Limit the outside (and ideally inside) entries to known
! administrative source addresses.
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES / SHA-1 / DH group 2 are legacy algorithms. They match
! the ASDM 5.0-era software in use; if the platform and clients support it,
! prefer AES with a stronger DH group when the policy is next revised.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Remote-access tunnel-group using the small "remote" pool and local users.
tunnel-group DoncasterASA type ipsec-ra
tunnel-group DoncasterASA general-attributes
address-pool remote
default-group-policy DoncasterASA
tunnel-group DoncasterASA ipsec-attributes
pre-shared-key *
! Remote-access tunnel-group authenticating users against the Radius server
! group; realm and group suffixes are stripped from the username before the
! RADIUS request.
tunnel-group DoncasterVacman type ipsec-ra
tunnel-group DoncasterVacman general-attributes
address-pool Radius
authentication-server-group Radius
default-group-policy DoncasterVacman
strip-realm
strip-group
tunnel-group DoncasterVacman ipsec-attributes
pre-shared-key *
! NOTE(review): telnet (cleartext) is accepted from any inside host, SSH from
! any internet address, and "console timeout 0" disables the console idle
! timeout. Restrict SSH on outside to admin sources, prefer SSH over telnet
! on inside, and set a non-zero console timeout.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.253 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
! Default application-inspection policy. No "service-policy" line applying
! global_policy is shown in this excerpt; confirm it is present, otherwise
! the inspections below are defined but never applied.
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Thanks
I have a Cisco ASA 5510 with VPNs set up that authenticate against a RADIUS server.
Everything is working, but I also want remote VPN users to be able to reach the internet through their own local connection while the tunnel is up.
Is this possible? The remote client already has local LAN access.
The config is below; help with either ASDM or the CLI is appreciated:
!
! Review notes are added as "!" lines (ignored by the ASA parser); every
! configuration line below is unchanged from the posted config.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 194.xx.xx.100 255.255.255.240
!
! Inside is a /23 (10.46.48.0 - 10.46.49.255); both VPN pools below fall
! inside this range, so the ASA must proxy-ARP for pool addresses on inside.
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.46.48.254 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx encrypted
banner login This is a monitored router - Logout now if you do not have authorization
ftp mode passive
! NOTE(review): object-group Non_Server is defined but not referenced by any
! access-list shown in this config, so it currently has no effect.
! "Network49" is a name, not an address - presumably an object defined outside
! this excerpt; verify it resolves.
object-group network Non_Server
description Non Server Devices Denied Internet Access
network-object Network49 255.255.255.0
network-object 10.46.48.0 255.255.255.128
network-object 10.46.48.128 255.255.255.224
! NAT exemption for traffic towards the VPN pools. 10.46.49.144/28 is a subset
! of 10.46.49.128/25, so the first line is redundant. Source "any" is broader
! than the inside network; narrowing it to 10.46.48.0/23 documents intent.
access-list inside_nat0_outbound extended permit ip any 10.46.49.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.46.49.128 255.255.255.128
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
! Pool "remote" (5 addresses) serves tunnel-group DoncasterASA; pool "Radius"
! (51 addresses) serves tunnel-group DoncasterVacman. Both are covered by the
! nat0 exemption above.
ip local pool remote 10.46.49.201-10.46.49.205 mask 255.255.254.0
ip local pool Radius 10.46.49.150-10.46.49.200 mask 255.255.254.0
icmp permit any traceroute outside
! NOTE(review): "icmp permit any outside" allows every ICMP type from any
! source to the outside interface itself; restricting this to the types the
! site needs (e.g. echo-reply, unreachable, time-exceeded) reduces exposure.
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
! Dynamic PAT of all inside hosts to the outside interface address.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
! Static one-to-one NAT exposing 10.46.48.212. No access-group is applied to
! the outside interface in this config, so inbound connections to it are
! blocked by the default security-level behaviour unless an ACL exists
! outside this excerpt.
static (inside,outside) 194.XX.XX.98 10.46.48.212 netmask 255.255.255.255
! NOTE(review): the interface and static addresses were masked (194.xx.xx.*)
! but the upstream gateway on this line was not; redact consistently before
! posting.
route outside 0.0.0.0 0.0.0.0 194.159.181.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
max-failed-attempts 5
! NOTE(review): the RADIUS shared secret on the "key" line is posted in clear
! text; treat it as compromised - rotate it on both the ASA and the RADIUS
! server and redact it in any future paste.
aaa-server Radius host 10.46.48.200
key donvac
authentication-port 1812
accounting-port 1813
! Neither group-policy sets a split-tunnel-policy, so the default applies and
! all client traffic (including internet traffic) is sent through the tunnel.
! To let clients reach the internet via their local connection while the
! tunnel is up, add "split-tunnel-policy tunnelspecified" together with a
! "split-tunnel-network-list" naming the internal networks to the relevant
! group-policy. Trade-off: a split-tunnelled client is reachable from both
! the internet and the corporate network at the same time, so endpoint
! firewalling/posture becomes more important.
group-policy DoncasterVacman internal
group-policy DoncasterVacman attributes
dns-server value 10.46.48.200
default-domain value XXX
webvpn
group-policy DoncasterASA internal
group-policy DoncasterASA attributes
dns-server value 10.46.48.200
default-domain value XXX
webvpn
! Local user used by tunnel-group DoncasterASA (that tunnel-group names no
! authentication-server-group, so it presumably falls back to LOCAL - verify).
username unify password XXX encrypted privilege 0
username unify attributes
vpn-group-policy DoncasterASA
webvpn
! NOTE(review): ASDM/HTTPS management is reachable from 0.0.0.0/0 on both
! outside and inside. Limit the outside (and ideally inside) entries to known
! administrative source addresses.
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES / SHA-1 / DH group 2 are legacy algorithms. They match
! the ASDM 5.0-era software in use; if the platform and clients support it,
! prefer AES with a stronger DH group when the policy is next revised.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Remote-access tunnel-group using the small "remote" pool and local users.
tunnel-group DoncasterASA type ipsec-ra
tunnel-group DoncasterASA general-attributes
address-pool remote
default-group-policy DoncasterASA
tunnel-group DoncasterASA ipsec-attributes
pre-shared-key *
! Remote-access tunnel-group authenticating users against the Radius server
! group; realm and group suffixes are stripped from the username before the
! RADIUS request.
tunnel-group DoncasterVacman type ipsec-ra
tunnel-group DoncasterVacman general-attributes
address-pool Radius
authentication-server-group Radius
default-group-policy DoncasterVacman
strip-realm
strip-group
tunnel-group DoncasterVacman ipsec-attributes
pre-shared-key *
! NOTE(review): telnet (cleartext) is accepted from any inside host, SSH from
! any internet address, and "console timeout 0" disables the console idle
! timeout. Restrict SSH on outside to admin sources, prefer SSH over telnet
! on inside, and set a non-zero console timeout.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.253 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
! Default application-inspection policy. No "service-policy" line applying
! global_policy is shown in this excerpt; confirm it is present, otherwise
! the inspections below are defined but never applied.
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Thanks