https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096554#M395091 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This ACL seems to define which networks are found behind the VPN connection when the user is connected wth the Client</P><P></P><P><STRONG>access-list InExchange_VPN_splitTunnelAcl standard permit 10.42.10.0 255.255.255.0</STRONG></P><P></P><P>As you can see only one network is configured. You can add the other network simply by configuring another ACL line</P><P></P><P><STRONG>access-list InExchange_VPN_splitTunnelAcl standard permit 10.42.1.0 255.255.255.0</STRONG></P><P></P><P>You will also need to take into account this while configuring NAT Exemption between this new LAN network and the VPN Pool that the users have.</P><P></P><P>It seems to me that the following NAT configurations are for the current VPN Client NAT Exemptions</P><P></P><P><STRONG>nat (Inside,WAN1) source static any any destination static NETWORK_OBJ_10.42.10.224_27 NETWORK_OBJ_10.42.10.224_27 no-proxy-arp route-lookup</STRONG></P><P></P><P>As the Production network is on another firewall Interface. You need a similiar rule for that interface using the Production LAN and the VPN Pool used. By the way, which one is the pool you use? </P><P></P><P>Is it this one?</P><P></P><P><STRONG>ip local pool Vpn_pool 10.42.10.231-10.42.10.245 mask 255.255.255.0</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 27 Nov 2012 10:34:00 GMT Jouni Forss 2012-11-27T10:34:00Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096551#M395076 <P>Hi,</P><P></P><P>I have a remote access VPN to our office network 10.42.10.0. however I have some web services that are located in a production network 10.42.1.0 that users in the office network need to access.</P><P>This is obviously no problem when using remote desktop to an office PC but when users with laptops remote in and try to access the website on the production network it does not work.</P><P></P><P>Is there any way for the tunnel also to also allow traffic to the production network&nbsp; for the remote hosts?</P><P></P><P>/Hilmar&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:28:33 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096551#M395076 IT Asitis 2019-03-12T00:28:33Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096552#M395081 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This should be no problem at all.</P><P></P><P>But it all depends on your current firewall/VPN configurations.</P><P></P><P>If you could post atleast part of your configuration or a complete configuration with any sensitive information removed (public IP addresses etc) we could go through it.</P><P></P><P>If you have a Full tunnel VPN Client configuration the problem is probably related to NAT and ACL configurations. If you are using Split Tunnel VPN you might need to add some network/host addresses to the Split tunnel ACL.</P><P></P><P>But as I said, would be easier if we could look at the configurations</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 27 Nov 2012 10:01:11 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096552#M395081 Jouni Forss 2012-11-27T10:01:11Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096553#M395087 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>I have added the running config with afew IP modifications</P><P></P><P>/H</P></BODY></HTML> Tue, 27 Nov 2012 10:21:35 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096553#M395087 IT Asitis 2012-11-27T10:21:35Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096554#M395091 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This ACL seems to define which networks are found behind the VPN connection when the user is connected wth the Client</P><P></P><P><STRONG>access-list InExchange_VPN_splitTunnelAcl standard permit 10.42.10.0 255.255.255.0</STRONG></P><P></P><P>As you can see only one network is configured. You can add the other network simply by configuring another ACL line</P><P></P><P><STRONG>access-list InExchange_VPN_splitTunnelAcl standard permit 10.42.1.0 255.255.255.0</STRONG></P><P></P><P>You will also need to take into account this while configuring NAT Exemption between this new LAN network and the VPN Pool that the users have.</P><P></P><P>It seems to me that the following NAT configurations are for the current VPN Client NAT Exemptions</P><P></P><P><STRONG>nat (Inside,WAN1) source static any any destination static NETWORK_OBJ_10.42.10.224_27 NETWORK_OBJ_10.42.10.224_27 no-proxy-arp route-lookup</STRONG></P><P></P><P>As the Production network is on another firewall Interface. You need a similiar rule for that interface using the Production LAN and the VPN Pool used. By the way, which one is the pool you use? </P><P></P><P>Is it this one?</P><P></P><P><STRONG>ip local pool Vpn_pool 10.42.10.231-10.42.10.245 mask 255.255.255.0</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 27 Nov 2012 10:34:00 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096554#M395091 Jouni Forss 2012-11-27T10:34:00Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096555#M395093 <HTML><HEAD></HEAD><BODY><P> Yes that is the vpn pool im using.</P><P></P><P>So add the access list and then another nat rule?</P><P></P><P>/H</P></BODY></HTML> Tue, 27 Nov 2012 10:38:25 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096555#M395093 IT Asitis 2012-11-27T10:38:25Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096556#M395095 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Basically you just need another line to the existing ACL <STRONG>InExchange_VPN_splitTunnelAcl </STRONG>(the line in the last post)</P><P></P><P>I guess the NAT configuration should be something like this (using made up names for objects, dont have to be these)</P><P></P><P></P><P><STRONG>object network PRODUCTION-LAN</STRONG></P><P><STRONG> subnet 10.42.1.0 255.255.255.0</STRONG></P><P></P><P><STRONG>object network VPN-POOL</STRONG></P><P><STRONG> subnet 10.42.10.0 255.255.255.224</STRONG></P><P></P><P><STRONG>nat (Production,WAN1) source static PRODUCTION-LAN PRODUCTION-LAN destination static VPN-POOL VPN-POOL</STRONG></P><P></P><P>To me it seems you mostly use ASDM for configuration as there is a huge amount of objects and object-groups and they have very mixed naming scheme. It makes for a pretty agonizing expirience to read though in CLI format <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 27 Nov 2012 11:13:16 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096556#M395095 Jouni Forss 2012-11-27T11:13:16Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096557#M395097 <HTML><HEAD></HEAD><BODY><P>True the naming scheme could be better <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" height="16" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif" width="16"></SPAN></P><P></P><P>I have applied the configuration as you posted and i will try to test this tonight(cant test during office hours) and see if everything works.</P><P></P><P>Ill get back tonight/tomorrow with the results.</P><P></P><P>Thanks for your help so far.</P><P></P><P>/Hilmar</P></BODY></HTML> Tue, 27 Nov 2012 12:19:32 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096557#M395097 IT Asitis 2012-11-27T12:19:32Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096558#M395099 <HTML><HEAD></HEAD><BODY><P> It works <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" height="16" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif" width="16"></SPAN></P><P></P><P>At first it didnt but then i changed the subnet mask for the following object to 255.255.255.0:</P><P><STRONG> </STRONG></P><P><STRONG>object network VPN-POOL</STRONG></P><P><STRONG>subnet 10.42.10.0 255.255.255.224</STRONG></P><P><STRONG> </STRONG></P><P>After that i tested a website on a production server and also remote desktop from a laptop via VPN and it works.</P><P></P><P>Thanks alot for your help.</P><P></P><P>/Hilmar</P><P><STRONG> </STRONG></P></BODY></HTML> Tue, 27 Nov 2012 20:56:14 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096558#M395099 IT Asitis 2012-11-27T20:56:14Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096559#M395100 <HTML><HEAD></HEAD><BODY><P>Ah,</P><P></P><P>Typo there. Network address should have been 10.42.10.<STRONG>224</STRONG> and mask 255.255.255.224. But I guess no reason to change anything since its working.</P><P></P><P>Glad to be of help <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 27 Nov 2012 21:49:16 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/2096559#M395100 Jouni Forss 2012-11-27T21:49:16Z