topic Re: IPsec VPN help on ASA 5510 in Network Security

IPsec VPN help on ASA 5510

shortnathan — Mon, 11 Mar 2019 12:05:00 GMT

Hi,

I'm trying to set up a remote VPN on the ASA. I've simply used the wizard on the asdm because I'm new to this. I can connect to the VPN fine, but once connected I cannot access anything on the internal network, nor can I get out the internet.

I'm using an IP pool of 10.39.230.50-100. The internal network that I want to access is across another router connected to the inside interface, 10.39.1.0. 10.39.239.3 is the router. (it has a subinterface of 10.39.230.3 as well)

It seems like it might be a NAT problem but I can't figure it out. Any ideas?

Re: IPsec VPN help on ASA 5510

dongdongliu — Wed, 20 Feb 2008 02:53:41 GMT

Hi, Nathan

it seems like you access internal server from inside interface, so the traffic is input and output at same interface(inside ifterface), doesn`t it?

regard

dongdong

Re: IPsec VPN help on ASA 5510

Alan Huseyin Kayahan — Wed, 20 Feb 2008 04:17:27 GMT

Hi Nathan

Identify subnets individually for routes as much as possible so remove the following route

no inside 10.0.0.0 255.0.0.0 10.39.239.3 1

and add routes to subnets individually like

inside 10.39.1.0 255.255.255.0 10.39.239.3 1

Most important, add the return trip traffic route for your VPN clients in router(the router with 10.39.239.3 IP)! But since (it has a subinterface of 10.39.230.3 as well) is correct, it assumes 10.39.230.0 is a connected route, so you should use a VPN IP range that does not exist in router or firewall. For ex

ip local pool fds_pool 192.168.120.1-192.168.120.126 mask 255.255.255.128

tunnel-group fds general-attributes

no address-pool fdspool

address-pool fds_pool

then

no access-list inside_nat0_outbound_1 extended permit ip 10.39.1.0 255.255.255.0 10.39.230.0 255.255.255.128

access-list inside_nat0_outbound_1 extended permit ip 10.39.1.0 255.255.255.0 192.168.120.0 255.255.255.128

add the following acl

access-list inside_access_in permit 10.39.1.0 255.255.255.0 192.168.120.0 255.255.255.128

Add the following route in router

ip route 192.168.120.0 255.255.255.128 10.39.239.20

Finally a split-tunnel

access-list split_t permit ip 10.39.1.0 255.255.255.0 192.168.1.120 255.255.255.128

group-policy fds attributes

split-tunnel-policy tunnelall

split-tunnel-network list split_t

Regards

Re: IPsec VPN help on ASA 5510

Sighclops — Wed, 20 Feb 2008 15:33:53 GMT

Try a tunneled gateway.

route inside 0.0.0.0 0.0.0.0 10.39.239.3 tunneled

Also make sure you have a route on the inside router for the VPN IP pool.

Re: IPsec VPN help on ASA 5510

shortnathan — Wed, 20 Feb 2008 21:44:44 GMT

Thanks for the response! I've made the changes you suggested, but no split tunneling because we aren't going to be using it. It's still not working correctly. I can't get internet when connected to the VPN.

access-list inside_access_in permit 10.39.0.0/16 255.255.255.0 192.168.20.0 255.255.255.0

I changed to the above for test purposes. I can talk to the network connected to the interface on the ASA (10.39.239.0) but not to the remote segment (10.39.1.0). I've added an ip route 192.168.20.0 255.255.255.0 10.39.239.0 to the router. Any more ideas?

Re: IPsec VPN help on ASA 5510

Alan Huseyin Kayahan — Fri, 22 Feb 2008 00:23:48 GMT

Nathan,

Please post your current running config after modifications

Re: IPsec VPN help on ASA 5510

shortnathan — Fri, 22 Feb 2008 01:04:47 GMT

Got it working now. Turns out that I needed a route back on the router at the other office. Thanks guys!