09-18-2011 02:33 PM - edited 03-11-2019 02:26 PM
OK so I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to enable to get to Workstation 3 from the VPN client? It seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work... Any ideas?
09-18-2011 02:34 PM
Also here is my config...
: Saved
:
ASA Version 8.4(2)
!
hostname ACS-000-ROU2
domain-name MYDOMAIN
enable password *******
passwd ****** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 21
!
interface Ethernet0/3
switchport access vlan 31
!
interface Ethernet0/4
switchport access vlan 41
!
interface Ethernet0/5
switchport access vlan 100
shutdown
!
interface Ethernet0/6
switchport access vlan 100
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1,31
switchport mode trunk
!
interface Vlan1
description My Business Name local area network
nameif inside
security-level 100
ip address 10.71.1.1 255.255.255.0
!
interface Vlan2
description All outgoing traffic to the internet
nameif outside
security-level 0
ip address 12.12.30.30 255.255.255.224
!
interface Vlan21
description DMZed FTP server
nameif dmz_ftp
security-level 50
ip address 10.71.5.1 255.255.255.0
!
interface Vlan31
description Corporate local area network
nameif corp
security-level 10
ip address 10.71.3.1 255.255.255.0
!
interface Vlan41
description SCCA hardline to VPN on Cisco 800 series router
nameif scca
security-level 5
ip address 10.22.161.2 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN
same-security-traffic permit intra-interface
object network ACS-000-APB2
host 10.71.1.11
description Arvo Bowen
object service 63210
service tcp source eq 63210
description 63210
object network ASA-INSIDE
host 10.71.1.1
description ASA 5505's inside IP address
object network LAN-INSIDE
subnet 10.71.1.0 255.255.255.0
description My Business Name local area network
object network LAN-VPN
subnet 10.71.2.0 255.255.255.0
description All VPN clients
object network ASA-SCCA
host 10.22.161.2
description ASA 5505's SCCA IP address
object network LAN-SCCA
subnet 10.22.0.0 255.255.0.0
description Scca 10.22.0.0 Network
object network LAN-DALLAS
subnet 10.8.0.0 255.255.0.0
description Dallas corp network
object network ACS-000-CIS1
host 10.71.1.35
object service 4899
service tcp source eq 4899
description 4899
object-group network DM_INLINE_NETWORK_1
network-object object LAN-SCCA
network-object object LAN-INSIDE
access-list outside_access_in extended permit ip host 16.15.62.5 object LAN-VPN inactive
access-list outside_access_in remark Tracking ICMP requests (pings/echos)
access-list outside_access_in extended permit icmp any object LAN-INSIDE
access-list outside_access_in remark All All traffic to get back to the inside LAN
access-list outside_access_in extended permit ip any object LAN-INSIDE
access-list scca_access_in extended permit ip object LAN-SCCA object LAN-VPN
access-list scca_access_in remark Allow traffic to come in from the 10.22.0.0 SCCA network
access-list scca_access_in extended permit ip object LAN-SCCA 10.71.1.0 255.255.255.0
access-list inside_access_in remark Allow any traffic to go outside to the internet from the inside LAN
access-list inside_access_in extended permit ip object LAN-INSIDE any
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object LAN-DALLAS
access-list vpn_sitetosite_dallas_in standard permit 10.71.1.0 255.255.255.0
access-list vpn_sitetosite_dallas_in standard permit host 10.22.0.0
access-list vpn_ciscoclient_in standard permit 10.71.1.0 255.255.255.0
access-list vpn_ciscoclient_in remark FEPS website
access-list vpn_ciscoclient_in standard permit host 16.15.62.5
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz_ftp 1500
mtu corp 1500
mtu scca 1500
ip local pool GRM_VPN_IP_POOL 10.71.2.2-10.71.2.253
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static ACS-000-APB2 interface service 63210 63210 description Port forward to ACS-000-APB2 box
nat (inside,outside) source static ACS-000-CIS1 interface service 4899 4899 description Port forward to ACS-000-CIS1 box
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-DALLAS LAN-DALLAS route-lookup description Exempt NAT rule for traffic from the inside network to the Dallas network
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN route-lookup description Exempt NAT rule for traffic from the inside network to the VPN clients
nat (outside,scca) source dynamic LAN-DALLAS interface destination static LAN-SCCA LAN-SCCA
nat (outside,scca) source dynamic LAN-VPN interface destination static LAN-SCCA LAN-SCCA
nat (inside,scca) source dynamic LAN-INSIDE interface destination static LAN-SCCA LAN-SCCA description PAT traffic going from the inside LAN to the scca LAN giving the LAN the same IP as the router
nat (inside,outside) source dynamic LAN-INSIDE interface description PAT traffic going from the inside network to the internet giving the LAN the same IP as the router
nat (outside,outside) source dynamic LAN-VPN interface description PAT traffic from the VPN clients to the internet giving the VPN client the office IP address
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group scca_access_in in interface scca
route outside 0.0.0.0 0.0.0.0 12.12.30.1 255
route scca 10.22.0.0 255.255.0.0 10.22.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server GRM_AUTH_GROUP protocol kerberos
aaa-server GRM_AUTH_GROUP (inside) host 10.71.1.3
kerberos-realm MYDOMAIN
user-identity default-domain LOCAL
http server enable
http 10.71.1.0 255.255.255.0 inside
http 10.71.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 16.0.4.5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ACS_NORCROSS
enrollment self
subject-name O=My Business Name,C=US,St=GA,L="MyLocation"
keypair mydomainname
proxy-ldc-issuer
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.71.1.5-10.71.1.132 inside
!
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-clientless
group-policy VPN_SITETOSITE_DALLAS_POLICY internal
group-policy VPN_SITETOSITE_DALLAS_POLICY attributes
vpn-idle-timeout 30
vpn-filter value vpn_sitetosite_dallas_in
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1
group-policy VPN_CISCOCLIENT_POLICY internal
group-policy VPN_CISCOCLIENT_POLICY attributes
banner none
dns-server value 10.71.1.3
vpn-idle-timeout 30
vpn-filter value vpn_ciscoclient_in
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ciscoclient_in
default-domain value MYDOMAIN
split-tunnel-all-dns disable
address-pools value GRM_VPN_IP_POOL
ipv6-address-pools none
username Administrator password ******** nt-encrypted privilege 15
tunnel-group CONORCROSS type remote-access
tunnel-group CONORCROSS general-attributes
address-pool GRM_VPN_IP_POOL
authentication-server-group GRM_AUTH_GROUP
default-group-policy VPN_CISCOCLIENT_POLICY
tunnel-group CONORCROSS ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ACS_NORCROSS
tunnel-group 16.0.4.5 type ipsec-l2l
tunnel-group 16.0.4.5 general-attributes
default-group-policy VPN_SITETOSITE_DALLAS_POLICY
tunnel-group 16.0.4.5 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9a7c5e3e000c424388b56b79f4f17248
: end
09-18-2011 02:39 PM
Could not edit my original post but to give clarity I highlighted a few routes...
OK so I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 (YELLOW ROUTE) just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 (PURPLE ROUTE) just fine. But I'm having issues when I try to get from the VPN client to Workstation 3 (RED ROUTE)... What would I need to enable to get to Workstation 3 from the VPN client (RED ROUTE)? It seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3 (PURPLE ROUTE)) but that does not work... Any ideas?
09-19-2011 12:16 AM
As far as NATing is concerned, you can configure NAT exemption between the SCCA LAN subnet and the VPN Pool subnet. You would however need to make sure that the SCCA LAN knows how to route towards the VPN Pool subnet, i.e. via the ASA scca interface.
To configure NAT exemption:
nat (scca,outside) source static LAN-SCCA LAN-SCCA destination static LAN-VPN LAN-VPN
09-19-2011 04:59 AM
Thanks Jennifer!
I got the NAT exempt rule going well (I currently have 2 of them in my config) but what I'm having trouble with I guess is the routing issue... How can I tell the ASA how to route the traffic correctly? If I add a route to the ASA what would it look like?
09-19-2011 05:17 AM
I just tried to do what you were saying so I altered a line in my config to make the NAT an EXEMPT rule...
I changed...
nat (outside,scca) source dynamic LAN-VPN interface destination static LAN-SCCA LAN-SCCA
... to ...
nat (outside,scca) source static LAN-VPN LAN-VPN destination static LAN-SCCA LAN-SCCA route-lookup
... that should make it a NAT EXEMPT rule now. The other thing I tried to do was tell the ASA how to route all 10.71.1.0/24 traffic. I tried to add a route the following way...
route inside 10.71.1.0 255.255.255.0 10.71.1.1 1
... this in turn gives me the error "Cannot add route, connected route exists". Any ideas?
09-20-2011 01:51 AM
Yes, 10.71.1.0/24 is directly connected to ASA inside interface, so you don't have to configure any route for that subnet as the ASA already knows the subnet as directly connected subnet.
ASA also already knows about the SCCA LAN subnet and how to route it correctly via the scca interface. The question now is SCCA LAN needs to know to route the VPN Pool subnet (10.71.2.0/24) towards the ASA scca interface.
09-20-2011 04:31 AM
Yeah, I get that, but how do I make that route? What interface do I use? What gateway would I use? The only thing I know for sure is to use subnet 10.71.2.0/24 when adding the route.
09-20-2011 08:29 PM
Based on your network diagram, you would need to ensure that Support router 2 and Support router 1 have the 10.71.2.0/24 route.
Support router 2 needs to route 10.71.2.0/24 towards the VPN tunnel to Support router 1.
Support router 1 needs to route 10.71.2.0/24 towards the ASA5505 scca interface (10.22.161.2).
And since Support router 2 and 1 are connected via a VPN tunnel, you would also need to ensure that the 10.71.2.0/24 subnet is included in the crypto ACL.
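Added example, not part of the thread and not the OP's or Cisco's code: a small model of how an ASA 8.3+ box walks its manual ("twice") NAT table for a new connection, run over the nat lines from the posted config. It shows the difference between the two rules discussed above for the RED route: the posted dynamic rule PATs the VPN pool behind the scca interface address (10.22.161.2), so the SCCA side only ever sees an address it already knows how to reach, while the identity rule suggested for NAT exemption presents the client's real 10.71.2.x address, which is exactly why the SCCA routers then need a route back for 10.71.2.0/24. Assumptions: rules are tried top-down in config order and the first match wins; a rule matches on ingress interface, real source and real destination (plus source port when the rule carries a service object); auto-NAT, proxy-ARP and reply-direction xlate lookup are not modelled. Objects, interface addresses and nat lines are the ones posted, with description text trimmed; the flows fed to it (10.71.2.10, 10.22.5.5, 8.8.8.8) are constructed.

```python
"""Model of ASA 8.3+ manual NAT matching (added example, assumptions in the lead-in)."""
import ipaddress
import re

OBJECTS = {  # object network ... from the posted config
    "ACS-000-APB2": "10.71.1.11/32",
    "ACS-000-CIS1": "10.71.1.35/32",
    "LAN-INSIDE": "10.71.1.0/24",
    "LAN-VPN": "10.71.2.0/24",
    "LAN-SCCA": "10.22.0.0/16",
    "LAN-DALLAS": "10.8.0.0/16",
}
SERVICE_OBJECTS = {"63210": 63210, "4899": 4899}  # object service ... (tcp source port)
INTERFACE_IP = {"inside": "10.71.1.1", "outside": "12.12.30.30", "scca": "10.22.161.2"}

# The nat lines from the posted config, descriptions trimmed (constructed sample input).
POSTED_NAT_RULES = """
nat (inside,outside) source static ACS-000-APB2 interface service 63210 63210 description Port forward
nat (inside,outside) source static ACS-000-CIS1 interface service 4899 4899 description Port forward
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-DALLAS LAN-DALLAS route-lookup
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN route-lookup
nat (outside,scca) source dynamic LAN-DALLAS interface destination static LAN-SCCA LAN-SCCA
nat (outside,scca) source dynamic LAN-VPN interface destination static LAN-SCCA LAN-SCCA
nat (inside,scca) source dynamic LAN-INSIDE interface destination static LAN-SCCA LAN-SCCA
nat (inside,outside) source dynamic LAN-INSIDE interface
nat (outside,outside) source dynamic LAN-VPN interface
"""

NAT_RE = re.compile(
    r"nat \((?P<in>[\w-]+),(?P<out>[\w-]+)\) "
    r"source (?P<stype>static|dynamic) (?P<src>[\w-]+) (?P<msrc>[\w-]+)"
    r"(?: destination static (?P<dst>[\w-]+) (?P<mdst>[\w-]+))?"
    r"(?: service (?P<rsvc>[\w-]+) (?P<msvc>[\w-]+))?"
)


def parse_nat(line):
    """Parse one manual NAT line into its fields; trailing keywords are ignored."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a manual NAT rule: {line!r}")
    return m.groupdict()


def load_rules(config_text):
    """Collect the manual NAT rules from a config dump, in order."""
    return [parse_nat(line) for line in config_text.splitlines() if line.startswith("nat (")]


def match_flow(rules, ingress, src_ip, dst_ip, sport=None):
    """Return the first rule that applies to a new connection, or None.

    The result says which interface the packet leaves on and which source
    address the far side sees.  identity=True means the far side must have
    a route back to the real source; PAT behind an interface avoids that."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, r in enumerate(rules, 1):
        if r["in"] not in (ingress, "any"):
            continue
        if src not in ipaddress.ip_network(OBJECTS[r["src"]]):
            continue
        if r["dst"] and dst not in ipaddress.ip_network(OBJECTS[r["dst"]]):
            continue
        if r["rsvc"] and sport != SERVICE_OBJECTS[r["rsvc"]]:
            continue
        egress = r["out"]
        if r["msrc"] == "interface":
            mapped = INTERFACE_IP[egress]      # PAT: hidden behind the egress address
        elif r["msrc"] == r["src"]:
            mapped = str(src)                  # identity (NAT exemption): unchanged
        else:
            mapped = OBJECTS[r["msrc"]]        # one-to-one to another object (unused here)
        return {"rule": idx, "egress": egress, "mapped_src": mapped,
                "identity": mapped == str(src)}
    return None


if __name__ == "__main__":
    rules = load_rules(POSTED_NAT_RULES)
    # RED route: a VPN client out of the 10.71.2.0/24 pool talking to a host on the SCCA side.
    print(match_flow(rules, "outside", "10.71.2.10", "10.22.5.5"))
    # Same flow after swapping rule 6 for the identity (NAT exempt) version from the later post.
    rules[5] = parse_nat("nat (outside,scca) source static LAN-VPN LAN-VPN "
                         "destination static LAN-SCCA LAN-SCCA route-lookup")
    print(match_flow(rules, "outside", "10.71.2.10", "10.22.5.5"))
```

A practical check on the real box is `packet-tracer input outside tcp 10.71.2.10 12345 10.22.5.5 80`, which walks the same table and reports the NAT rule and egress interface the model computes here; the model is only a reading aid for why the two rule styles put different demands on the far side's routing.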
09-22-2011 12:02 PM
Sorry for not sharing sooner but I figured it out right after my last post.
Jennifer, I say this in the nicest possible way... That's completely wrong.
People have been telling me that it was an issue with it not knowing how to get back to the source machine and now that I have to mess with routes on the support routers... Why would that be the case at all? I didn't have to add anything to the support routers for my inside network (the bottom Workstation 2), and it worked great!
The solution was a simple PAT that I needed to add to PAT the traffic coming from the VPN clients. Once I did that everything started working smoothly!
I also added a few more ACLs and had to allow traffic of the scca interface. I'll post my new config a little later to show you the exact changes..
09-22-2011 01:59 PM
Actually... I think I had my NATs in place correctly when I posted my config file... These were the only things that were different in my new config that allowed it to work...
>> I added the following lines in my config...
access-list vpn_ciscoclient_in standard permit 10.22.0.0 255.255.0.0
I also moved to using a more secure policy so now I don't just use the "Standard ACL" for my VPN traffic... I now use the "ACL Manager" so that I can restrict it down to the ports and have control on what comes and goes...
>> So I also added... (vpn_ipsecclient_in is a new ACL I created using "vpn-filter value vpn_ipsecclient_in")
access-list vpn_ipsecclient_in extended permit ip object LAN-VPN object LAN-INSIDE
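Added example, not part of the thread and not the OP's or Cisco's code: a model of the two per-client checks in the posted group policy that sit in front of NAT, run over the ACL lines quoted in this thread. With `split-tunnel-policy tunnelspecified` the client only sends packets whose destination is in the `split-tunnel-network-list` into the tunnel; anything else leaves the client's local interface and never reaches the ASA, which is what the added `permit 10.22.0.0 255.255.0.0` line changes. Packets that do arrive are then matched against the `vpn-filter`. Assumptions: the vpn-filter is an extended ACL written with the client pool as source and the protected network as destination, first match wins with an implicit deny at the end; 10.71.2.10 is a constructed client address out of the posted pool; the `LAN-SCCA` filter line is hypothetical and not something the OP posted.

```python
"""Split-tunnel list and vpn-filter evaluation for one client packet (added example)."""
import ipaddress
import re

OBJECTS = {  # from the posted config
    "LAN-INSIDE": "10.71.1.0/24",
    "LAN-VPN": "10.71.2.0/24",
    "LAN-SCCA": "10.22.0.0/16",
}
CLIENT_IP = "10.71.2.10"  # constructed: an address out of GRM_VPN_IP_POOL

# Split-tunnel list as originally posted, and with the line added in the last post.
SPLIT_ORIGINAL = """
access-list vpn_ciscoclient_in standard permit 10.71.1.0 255.255.255.0
access-list vpn_ciscoclient_in remark FEPS website
access-list vpn_ciscoclient_in standard permit host 16.15.62.5
"""
SPLIT_FIXED = SPLIT_ORIGINAL + "access-list vpn_ciscoclient_in standard permit 10.22.0.0 255.255.0.0\n"

# vpn-filter as posted, and a hypothetical version that also covers the SCCA network.
FILTER_POSTED = "access-list vpn_ipsecclient_in extended permit ip object LAN-VPN object LAN-INSIDE\n"
FILTER_WITH_SCCA = FILTER_POSTED + "access-list vpn_ipsecclient_in extended permit ip object LAN-VPN object LAN-SCCA\n"


def _network(tokens):
    """Read one ACL address spec; return (network, number of tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    if tokens[0] == "object":
        return ipaddress.ip_network(OBJECTS[tokens[1]]), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), 2  # "address mask" form


def parse_standard(text, name):
    """Standard ACL -> list of permitted destination networks (remarks skipped)."""
    pat = re.compile(rf"access-list {re.escape(name)} standard permit (.+)")
    nets = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            nets.append(_network(m.group(1).split())[0])
    return nets


def parse_extended(text, name):
    """Extended ACL -> list of (permit, protocol, source net, destination net)."""
    pat = re.compile(rf"access-list {re.escape(name)} extended (permit|deny) (\S+) (.+)")
    entries = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, used = _network(tokens)
        dst, _ = _network(tokens[used:])
        entries.append((action == "permit", proto, src, dst))
    return entries


def client_packet(dst_ip, split_nets, vpn_filter, client_ip=CLIENT_IP):
    """Return (tunneled, permitted) for an IP packet from the client to dst_ip."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(dst_ip)
    if not any(dst in net for net in split_nets):
        return False, False          # client never tunnels it; the ASA never sees it
    for permit, proto, s, d in vpn_filter:
        if proto == "ip" and src in s and dst in d:
            return True, permit
    return True, False               # implicit deny at the end of the vpn-filter


if __name__ == "__main__":
    for split_name, split_text in (("original", SPLIT_ORIGINAL), ("with 10.22/16", SPLIT_FIXED)):
        for flt_name, flt_text in (("posted", FILTER_POSTED), ("+SCCA", FILTER_WITH_SCCA)):
            tunneled, permitted = client_packet(
                "10.22.5.5",
                parse_standard(split_text, "vpn_ciscoclient_in"),
                parse_extended(flt_text, "vpn_ipsecclient_in"))
            print(f"split={split_name:14} filter={flt_name:7} -> tunneled={tunneled} permitted={permitted}")
```

The security point the two checks make together: the split-tunnel list is enforced by the client and only decides what the client chooses to send through the tunnel, so a modified or malicious client can ignore it; the vpn-filter is enforced by the ASA and is the control that actually bounds what a connected client can reach, which is why narrowing it to the specific networks and ports a client needs matters more than the split-tunnel list does.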