ASA 5510 Not routing remote VPNs to Internet

Hello, I've got an ASA 5510 that has 1 LAN, Frame Relay, and 1 Internet connection.

I have 3 remote offices that are hooked up via VPN. They can go anywhere on the inside site, both the LAN and the other VPNs, but they are not going out to the Internet at all. I'm at a loss as to where to look.

Here is my config for the ASA. Also, it's not routing the site-to-site VPN on the outside interface to anything inside either.

192.168.168 = 196.168.1
192.168.167 = 192.168.2
192.168.166 = 192.168.3
192.168.165 = 192.168.4
192.168.164 = 192.168.10
10.0 = 10.11

asdm image disk0:/asdm505.bin
asdm location x 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif frame
 security-level 100
 ip address 10.11.168.2 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 ip address 192.168.200.1 255.255.255.0
 management-only
!
passwd x encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_to_inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_to_inside extended permit icmp any any
access-list inside_to_inside extended permit tcp any any
access-list inside_to_inside extended permit udp any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host x eq 1387
access-list outside_in extended permit tcp any host x eq 3389
access-list outside_in extended permit tcp any host x eq citrix-ica
access-list outside_in extended permit udp any host x eq 1494
access-list outside_in extended permit tcp any host x eq ssh
access-list inside_nat0_outbound extended permit ip interface inside 192.168.10.11 255.255.255.0
access-list outside_cryptomap_20 extended permit ip interface inside 192.168.10.11 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host 12.34.40.222 any
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_20 extended permit tcp 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_20 extended permit udp 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_20 extended permit icmp 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_20 extended permit ip 192.168.10.11 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu frame 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 100 12.34.40.221
global (frame) 100 10.11.168.3
nat (outside) 100 192.168.10.11 255.255.255.0
nat (outside) 100 192.168.168.0 255.255.255.0
nat (outside) 100 192.168.4.0 255.255.255.0
nat (outside) 100 192.168.3.0 255.255.255.0
nat (outside) 100 192.168.2.0 255.255.255.0
nat (outside) 100 192.168.0.0 255.255.0.0
nat (outside) 100 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
nat (inside) 100 access-list inside_to_inside
nat (inside) 100 192.168.4.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.2.0 255.255.255.0
nat (inside) 100 192.168.168.0 255.255.255.0
static (inside,outside) udp interface 1494 192.168.1.248 1494 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 192.168.1.248 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.248 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.247 ssh netmask 255.255.255.255
static (frame,outside) tcp interface 1387 192.168.2.251 1387 netmask 255.255.255.255
static (inside,outside) tcp interface 1387 192.168.2.251 1387 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.34.40.217 1
!route inside 192.168.10.11 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route frame 192.168.2.0 255.255.255.0 10.11.168.1 1
route frame 192.168.3.0 255.255.255.0 10.11.168.1 1
route frame 192.168.4.0 255.255.255.0 10.11.168.1 1
route frame 10.11.4.0 255.255.255.0 10.11.168.1 1
route frame 10.11.3.0 255.255.255.0 10.11.168.1 1
route frame 10.11.2.0 255.255.255.0 10.11.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  port-forward-name value Application Access
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 40 set peer 10.11.3.2
crypto map frame_map 40 set transform-set ESP-3DES-MD5
crypto map frame_map 60 match address frame_cryptomap_60
crypto map frame_map 60 set peer 10.11.4.2
crypto map frame_map 60 set transform-set ESP-3DES-SHA
crypto map frame_map 80 match address frame_cryptomap_80
crypto map frame_map 80 set peer 10.11.2.2
crypto map frame_map 80 set transform-set ESP-AES-256-SHA
crypto map frame_map interface frame
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.34.40.222
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp enable frame
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption aes-256
isakmp policy 70 hash sha
isakmp policy 70 group 2
isakmp policy 70 lifetime 28800
tunnel-group 10.11.2.2 type ipsec-l2l
tunnel-group 10.11.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 10.11.3.2 type ipsec-l2l
tunnel-group 10.11.3.2 ipsec-attributes
 pre-shared-key *
tunnel-group 10.11.4.2 type ipsec-l2l
tunnel-group 10.11.4.2 ipsec-attributes
 pre-shared-key *
tunnel-group x type ipsec-l2l
tunnel-group x ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 frame
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:cb809b69dee14525e7db849ea553d494
: end

Any help would be much appreciated!

squidvt
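
An added example, not part of the original post: a short Python check that pairs each `nat (interface) id` rule in the posted configuration with a `global (interface) id` pool, to show which ingress-to-egress paths have a dynamic translation. The function names are illustrative, and the embedded config is an excerpt of the post's nameif, global and nat lines.

```python
import re

# Constructed excerpt: nameif, global and nat lines copied from the posted
# config, one command per line (some repetitive nat lines omitted).
CONFIG = """\
nameif outside
nameif inside
nameif frame
global (outside) 100 12.34.40.221
global (frame) 100 10.11.168.3
nat (outside) 100 192.168.2.0 255.255.255.0
nat (outside) 100 192.168.0.0 255.255.0.0
nat (outside) 100 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
nat (inside) 100 access-list inside_to_inside
nat (inside) 100 192.168.2.0 255.255.255.0
"""

def parse(config):
    """Return (interfaces, nat ids per ingress ifc, global ids per egress ifc)."""
    ifcs, nat, glob = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            ifcs.append(m.group(1))
        elif m := re.match(r"(nat|global) \((\S+)\) (\d+)\b", line):
            kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
            if nat_id != 0:  # id 0 is NAT exemption, not a nat/global pairing
                (nat if kind == "nat" else glob).setdefault(ifc, set()).add(nat_id)
    return ifcs, nat, glob

def dynamic_nat_ids(config, ingress, egress):
    """NAT ids that translate traffic entering `ingress` and leaving `egress`."""
    _, nat, glob = parse(config)
    return sorted(nat.get(ingress, set()) & glob.get(egress, set()))

def untranslated_ingress(config, egress):
    """Interfaces whose traffic toward `egress` matches no nat/global pair."""
    ifcs, _, _ = parse(config)
    return [i for i in ifcs
            if i != egress and not dynamic_nat_ids(config, i, egress)]

if __name__ == "__main__":
    for src in ("inside", "frame", "outside"):
        ids = dynamic_nat_ids(CONFIG, src, "outside")
        print(src, "-> outside:", ids or "no nat/global pair")
```

On this excerpt, inside-to-outside and outside-to-outside traffic pair on id 100, while no nat rule names the frame interface, which is where the frame_map crypto map and the three 10.11.x.2 peers are attached.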

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.