All,
We have two locations (office and hosting), each with a 5510, connected via a VPN connection. There are no issues accessing the hosting environment or the internet from within the office. However, when users VPN into the office using the Cisco client, they cannot access internet hosts or anything in the hosting environment. Accessing systems in the office network is not an issue.
I've attached most of the running-config (obviously unimportant parts stripped out) below. Any help would be greatly appreciated.
Hugh
names
name 192.168.242.1 INT-primary
name 1.2.3.34 EXT-34
name 1.2.3.35 EXT-35
name 1.2.3.36 EXT-36
name 1.2.3.49 EXT-49
name 1.2.3.50 EXT-50
name 1.2.3.51 EXT-51
name 1.2.3.52 EXT-52
name 4.5.6.250 Hosting-250
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address EXT-36 255.255.255.240
!
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address INT-primary 255.255.255.0
!
interface Ethernet0/2
 nameif phone
 security-level 75
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz
 security-level 25
 ip address 10.20.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
object-group network Hosting-45
 network-object 192.168.245.0 255.255.255.0
object-group network Office-42
 description Internal office IPs
 network-object 192.168.242.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu phone 1500
mtu dmz 1500
mtu management 1500
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface phone
ip verify reverse-path interface dmz
no failover
monitor-interface outside
monitor-interface inside
monitor-interface phone
monitor-interface dmz
monitor-interface management
arp timeout 14400
nat-control
global (outside) 10 EXT-49 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.242.0 255.255.255.0
nat (phone) 10 10.10.10.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD protocol radius
aaa-server NT protocol nt
aaa-server NT host INT-AD
 nt-auth-domain-controller AD
group-policy OffVPN internal
group-policy OffVPN attributes
 wins-server value 192.168.242.2
 dns-server value 192.168.242.2 192.168.242.27
 vpn-tunnel-protocol IPSec
 default-domain value domain.local
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer Hosting-250
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
tunnel-group OffVPN type ipsec-ra
tunnel-group OffVPN general-attributes
 address-pool Employees
 authentication-server-group NT
 default-group-policy OffVPN
tunnel-group OffVPN ipsec-attributes
 pre-shared-key *
tunnel-group 4.5.6.250 type ipsec-l2l
tunnel-group 4.5.6.250 ipsec-attributes
 pre-shared-key *
console timeout 0
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
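A quick way to check which of the ACLs above actually cover the Employees pool is to parse the pool and "permit ip" lines and test every pool address against each entry. The helper below is an added example (not part of the post and not a Cisco tool); the config excerpt inside it is reconstructed from the lines above, and the function names are my own.

```python
import ipaddress

# Constructed excerpt of the posted ASA config: only the pool and "permit ip" ACL lines.
CONFIG = """
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
"""

def _addr_spec(tokens):
    """Consume one ACL address spec ('any' or 'addr mask'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(config):
    """Return ({pool_name: (first, last)}, {acl_name: [(src_net, dst_net), ...]})."""
    pools, acls = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr_spec(t[5:])
            dst, _ = _addr_spec(rest)
            acls.setdefault(t[1], []).append((src, dst))
    return pools, acls

def pool_covered(pool, entries, side):
    """True if every pool address matches the source (side 0) or destination (side 1) of some entry."""
    first, last = pool
    addrs = (ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
    return all(any(a in entry[side] for entry in entries) for a in addrs)

def report(config):
    """For each pool and ACL: (covered as source, covered as destination) for the whole pool."""
    pools, acls = parse(config)
    return {pool: {acl: (pool_covered(rng, ents, 0), pool_covered(rng, ents, 1))
                   for acl, ents in acls.items()}
            for pool, rng in pools.items()}

if __name__ == "__main__":
    for pool, acls in report(CONFIG).items():
        for acl, (as_src, as_dst) in acls.items():
            print(f"{pool} in {acl}: as source={as_src}, as destination={as_dst}")
```

On this excerpt the pool is matched as a source by outside_20_cryptomap and as a destination by the nat0 exemption, which narrows the question to how the firewall handles pool traffic headed back out the outside interface rather than to a missing ACL entry.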