Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
803
Views
10
Helpful
8
Replies

Remote access VPN

Go to solution
IT Asitis
Level 1
Level 1

‎11-27-2012 12:33 AM - edited ‎03-11-2019 05:28 PM

Hi,

I have a remote access VPN to our office network 10.42.10.0. however I have some web services that are located in a production network 10.42.1.0 that users in the office network need to access.

This is obviously no problem when using remote desktop to an office PC but when users with laptops remote in and try to access the website on the production network it does not work.

Is there any way for the tunnel also to also allow traffic to the production network  for the remote hosts?

/Hilmar          

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to IT Asitis

‎11-27-2012 03:13 AM

Hi,

Basically you just need another line to the existing ACL InExchange_VPN_splitTunnelAcl (the line in the last post)

I guess the NAT configuration should be something like this (using made up names for objects, dont have to be these)

object network PRODUCTION-LAN

subnet 10.42.1.0 255.255.255.0

object network VPN-POOL

subnet 10.42.10.0 255.255.255.224

nat (Production,WAN1) source static PRODUCTION-LAN PRODUCTION-LAN destination static VPN-POOL VPN-POOL

To me it seems you mostly use ASDM for configuration as there is a huge amount of objects and object-groups and they have very mixed naming scheme. It makes for a pretty agonizing expirience to read though in CLI format

- Jouni

View solution in original post

8 Replies 8

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎11-27-2012 02:01 AM

Hi,

This should be no problem at all.

But it all depends on your current firewall/VPN configurations.

If you could post atleast part of your configuration or a complete configuration with any sensitive information removed (public IP addresses etc) we could go through it.

If you have a Full tunnel VPN Client configuration the problem is probably related to NAT and ACL configurations. If you are using Split Tunnel VPN you might need to add some network/host addresses to the Split tunnel ACL.

But as I said, would be easier if we could look at the configurations

- Jouni

0 Helpful

Go to solution
IT Asitis
Level 1
Level 1
In response to Jouni Forss

‎11-27-2012 02:21 AM

Hi,

I have added the running config with afew IP modifications

/H

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to IT Asitis

‎11-27-2012 02:34 AM

Hi,

This ACL seems to define which networks are found behind the VPN connection when the user is connected wth the Client

access-list InExchange_VPN_splitTunnelAcl standard permit 10.42.10.0 255.255.255.0

As you can see only one network is configured. You can add the other network simply by configuring another ACL line

access-list InExchange_VPN_splitTunnelAcl standard permit 10.42.1.0 255.255.255.0

You will also need to take into account this while configuring NAT Exemption between this new LAN network and the VPN Pool that the users have.

It seems to me that the following NAT configurations are for the current VPN Client NAT Exemptions

nat (Inside,WAN1) source static any any destination static NETWORK_OBJ_10.42.10.224_27 NETWORK_OBJ_10.42.10.224_27 no-proxy-arp route-lookup

As the Production network is on another firewall Interface. You need a similiar rule for that interface using the Production LAN and the VPN Pool used. By the way, which one is the pool you use?

Is it this one?

ip local pool Vpn_pool 10.42.10.231-10.42.10.245 mask 255.255.255.0

- Jouni

Go to solution
IT Asitis
Level 1
Level 1
In response to Jouni Forss

‎11-27-2012 02:38 AM

Yes that is the vpn pool im using.

So add the access list and then another nat rule?

/H

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to IT Asitis

‎11-27-2012 03:13 AM

Hi,

Basically you just need another line to the existing ACL InExchange_VPN_splitTunnelAcl (the line in the last post)

I guess the NAT configuration should be something like this (using made up names for objects, dont have to be these)

object network PRODUCTION-LAN

subnet 10.42.1.0 255.255.255.0

object network VPN-POOL

subnet 10.42.10.0 255.255.255.224

nat (Production,WAN1) source static PRODUCTION-LAN PRODUCTION-LAN destination static VPN-POOL VPN-POOL

To me it seems you mostly use ASDM for configuration as there is a huge amount of objects and object-groups and they have very mixed naming scheme. It makes for a pretty agonizing expirience to read though in CLI format

- Jouni

Go to solution
IT Asitis
Level 1
Level 1
In response to Jouni Forss

‎11-27-2012 04:19 AM

True the naming scheme could be better

I have applied the configuration as you posted and i will try to test this tonight(cant test during office hours) and see if everything works.

Ill get back tonight/tomorrow with the results.

Thanks for your help so far.

/Hilmar

0 Helpful

Go to solution
IT Asitis
Level 1
Level 1
In response to IT Asitis

‎11-27-2012 12:56 PM

It works

At first it didnt but then i changed the subnet mask for the following object to 255.255.255.0:

object network VPN-POOL

subnet 10.42.10.0 255.255.255.224

After that i tested a website on a production server and also remote desktop from a laptop via VPN and it works.

Thanks alot for your help.

/Hilmar

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to IT Asitis

‎11-27-2012 01:49 PM

Ah,

Typo there. Network address should have been 10.42.10.224 and mask 255.255.255.224. But I guess no reason to change anything since its working.

Glad to be of help

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card