Cisco ASA 5505 - IP Routing

xXfinchXx
Level 1

I am new to the ASA so I am not completely familiar with its ins and outs, but here is the situation.

I have a VPN connection that my company uses regularly. I have the VPN Pool on 192.168.18.0/25 and my Internal network at 192.168.16.0/24. My problem is that I have my phone system on 192.168.16.254 and the only way to see it is if I change the pool to be within the same IP range as my internal network. The catch is that if I do this then that is the ONLY IP that is available to that VPN connection. Is there a way to make the 192.168.16.254 available to 192.168.18.0/25?

7 Replies

Jouni Forss
VIP Alumni

Hi,

Could you share the configurations?

Why does the VPN pool have to be of the same network as the inside? Do you mean that you NAT the Client pool to the internal network address so they can connect to the phone system? If so, wouldn't this mean that the phone system simply doesn't have a route for the network 192.168.18.0/25?

I am not sure if I understood you correctly.

- Jouni

My current VPN Pool is 192.168.18.0 which can view all remote network resources except for 192.168.16.254. I understand that this is the broadcast IP for the network so I can change it and see if that works but I attempted to do that before without much luck either.

Hi,

The IP address 192.168.16.255 is the broadcast address. The IP address 192.168.16.254 should be usable normally.

Have you confirmed that the system you are trying to access has a route for the network 192.168.18.0/25 that is pointing towards the ASA?

- Jouni

Alright, then that still doesn't explain why that IP isn't visible to the VPN Pool. When I try to add it as a network object it wants to use the 255.255.255.255 subnet. Any advice as to what could be the issue or what could be done to allow this one IP to be visible?

Hi,

As I said before I am not sure if I have understood all the aspects of the problem.

It would be easier to just see the configuration.

- Jouni

Result of the command: "show startup-config"

: Saved
: Written by enable_15 at 03:48:21.617 UTC Tue Apr 9 2013
!
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name
enable password dRQK0PX7hTNcQSgv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.18.0 VPNPool
name 192.168.16.11 Local
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Local 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.16.6
 name-server ***.***.***.***
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object VPNPool 255.255.255.0
 network-object VPNPool 255.255.255.128
object-group network DM_INLINE_NETWORK_2
 network-object VPNPool 255.255.255.0
 network-object VPNPool 255.255.255.128
access-list outside_access_in extended permit ip VPNPool 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_access_in extended permit ip VPNPool 255.255.255.0 any log disable
access-list Split_Tunnel_List remark VPN network behind Firewall
access-list Split_Tunnel_List standard permit VPNPool 255.255.255.128
access-list Split_Tunnel_List standard permit any
access-list Split_Tunnel_List standard permit host 0.0.0.0
access-list Split_Tunnel_List standard permit 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPNPool 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.16.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.16.192 255.255.255.192
access-list inside_nat0_outbound_1 extended permit ip 192.168.16.0 255.255.255.0 interface inside
access-list inside_nat0_outbound_1 extended permit ip 192.168.16.0 255.255.255.0 interface outside
access-list inside_nat0_outbound_1 extended permit ip VPNPool 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip VPNPool 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_access_in extended permit object-group TCPUDP 192.168.16.0 255.255.255.0 host 192.168.16.6 eq domain
access-list inside_access_in extended permit object-group TCPUDP VPNPool 255.255.255.0 host 192.168.16.6 eq domain
access-list inside_access_in extended permit object-group TCPUDP VPNPool 255.255.255.0 any log disable
access-list LAN_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_2
access-list LAN_nat0_outbound extended permit ip any 192.168.16.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list LAN_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip VPNPool 255.255.255.0 any
access-list ALANPHONE_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL2 192.168.16.200-192.168.16.250 mask 255.255.255.0
ip local pool vpnpool 192.168.18.1-192.168.18.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound outside
static (inside,inside) tcp 192.168.16.0 domain 192.168.16.6 domain netmask 255.255.255.255  dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside VPNPool 255.255.255.128 Local 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 8
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns ***.***.***.***
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.16.15-192.168.16.142 inside
!
dhcprelay server 192.168.16.6 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port-forward PFTest 8080 192.168.16.254 8080 Phone Service
group-policy  internal
group-policy  attributes
 wins-server value 192.168.16.6
 dns-server value 192.168.16.6 ***.***.***.***
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAN_nat0_outbound
 split-tunnel-all-dns enable
 msie-proxy method no-modify
 address-pools value vpnpool
group-policy ALANPHONE internal
group-policy ALANPHONE attributes
 wins-server value 192.168.16.6
 dns-server value 192.168.16.6 ***.***.***.***
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value
 address-pools value VPNPOOL2
username deana@.com password 3GEmWVY8IY/ueyDP encrypted privilege 0
username deana@.com attributes
 vpn-group-policy
username rphillips password AWqOctqHta028wea encrypted privilege 15
username rphillips attributes
 vpn-group-policy
username louisa@.com password narwaGyAgYYIkjIv encrypted privilege 0
username louisa@.com attributes
 vpn-group-policy
username mike@.com password t58/1.pF5JI/6rGg encrypted privilege 0
username mike@.com attributes
 vpn-group-policy
username lisa@.com password .tLXgTWDaGynihPg encrypted privilege 0
username lisa@.com attributes
 vpn-group-policy
username stacey@.com password yoWPRaILMlw1UbzG encrypted privilege 0
username stacey@.com attributes
 vpn-group-policy
username jack password HkfCUxzsrACQrCGx encrypted privilege 15
username jack attributes
 vpn-group-policy
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 group-lock value
username jack@.com password HkfCUxzsrACQrCGx encrypted privilege 0
username jack@.com attributes
 vpn-group-policy
username chris@.com password fvlpnEepOP7Jcp8m encrypted privilege 0
username chris@.com attributes
 vpn-group-policy
username mary@.com password sqYY63XUIFqWCwR/ encrypted privilege 0
username mary@.com attributes
 vpn-group-policy
username alison@.com password T.lRvhHqFkbDylWd encrypted privilege 0
username alison@.com attributes
 vpn-group-policy
username laura@.com password XpLrLXlw8/d1ifWq encrypted privilege 0
username laura@.com attributes
 vpn-group-policy
username alan@.com password ih4hxqgBLSZPAeGa encrypted privilege 0
username alan@.com attributes
 vpn-group-policy
username alan password ih4hxqgBLSZPAeGa encrypted privilege 15
username alan attributes
 vpn-group-policy ALANPHONE
username julieo@.com password WndLe5IWXsZE3A4U encrypted privilege 0
username julieo@.com attributes
 vpn-group-policy
tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool (inside) vpnpool
 address-pool vpnpool
 default-group-policy
 dhcp-server 192.168.16.6
tunnel-group  ipsec-attributes
 pre-shared-key *
tunnel-group ALANPHONE type remote-access
tunnel-group ALANPHONE general-attributes
 address-pool (inside) VPNPOOL2
 address-pool VPNPOOL2
 default-group-policy
tunnel-group ALANPHONE ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6c4c4efa01061392d0ea602b8222ae43

Hi,

I guess you have removed some of the "group-policy" and "tunnel-group" names from the configuration?

If you are using Split Tunnel I would configure the Split Tunnel ACL in the following way.

access-list SPLIT-TUNNEL standard permit 192.168.16.0 255.255.255.0

You shouldn't need any additional lines for the Split Tunnel for connections between 192.168.16.0/24 and 192.168.18.0/24 to work.

Also, the NAT0 could be really simple:

access-list INSIDE-NAT0 permit ip 192.168.16.0 255.255.255.0 192.168.18.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

I am not sure what the purpose of these configurations is.

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (outside) 0 access-list outside_nat0_outbound outside

route inside VPNPool 255.255.255.128 Local 1

To my understanding you shouldn't need these.

- Jouni
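The thread turns on whether the addresses handed out by the VPN pool are actually covered by the split-tunnel ACL and the static route, and whether the pool overlaps the inside subnet. The following Python script is an added example, not code from the thread or from Cisco: it parses a constructed subset of the lines posted above (object names resolved as the ASA does, VPNPool = 192.168.18.0 and Local = 192.168.16.11) with the standard library's ipaddress module and reports, for each ip local pool, how many of its addresses fall outside the Split_Tunnel_List entries and outside the route, and whether the pool lies inside the connected 192.168.16.0/24. The catch-all "permit any" and "permit host 0.0.0.0" split-tunnel lines from the posted configuration are deliberately left out so the check shows what the specific entries alone cover; the Split_Tunnel_List, route and pool names are the ones in the posted configuration, everything else is constructed.

```python
"""Coverage check of ASA VPN pools against split-tunnel ACL entries and static routes.

Added example for the thread above; the configuration lines are a constructed
subset of the posted "show startup-config", not the complete configuration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed subset of the posted configuration (names resolved below).
CONFIG_LINES = [
    "name 192.168.18.0 VPNPool",
    "name 192.168.16.11 Local",
    "ip local pool VPNPOOL2 192.168.16.200-192.168.16.250 mask 255.255.255.0",
    "ip local pool vpnpool 192.168.18.1-192.168.18.254 mask 255.255.255.0",
    "access-list Split_Tunnel_List standard permit VPNPool 255.255.255.128",
    "access-list Split_Tunnel_List standard permit 192.168.16.0 255.255.255.0",
    "access-list ALANPHONE_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0",
    "route inside VPNPool 255.255.255.128 Local 1",
]

INSIDE_NET = ipaddress.ip_network("192.168.16.0/24")  # Vlan1: "ip address Local 255.255.255.0"
PHONE_HOST = ipaddress.ip_address("192.168.16.254")   # host the original poster cannot reach

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_names(lines: List[str]) -> Dict[str, str]:
    """Collect 'name <ip> <label>' definitions so labels can be resolved to addresses."""
    names: Dict[str, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names


def parse_pools(lines: List[str]) -> Dict[str, Pool]:
    """Collect 'ip local pool <name> <start>-<end> ...' address ranges."""
    pools: Dict[str, Pool] = {}
    for line in lines:
        parts = line.split()
        if parts[:3] == ["ip", "local", "pool"]:
            start, end = parts[4].split("-")
            pools[parts[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    return pools


def parse_networks(lines: List[str], names: Dict[str, str]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect prefixes from standard ACL permit entries and static routes.

    Returns {acl_name or 'route:<interface>': [IPv4Network, ...]}. Handles the
    'any' and 'host <ip>' operands as well as '<addr> <mask>'.
    """
    nets: Dict[str, List[ipaddress.IPv4Network]] = {}
    for line in lines:
        parts = line.split()
        if parts[:1] == ["access-list"] and parts[2:4] == ["standard", "permit"]:
            key, operand = parts[1], parts[4:]
        elif parts[:1] == ["route"]:
            key, operand = "route:" + parts[1], parts[2:4]
        else:
            continue  # remarks, extended ACLs and unrelated commands
        if operand[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif operand[0] == "host":
            net = ipaddress.ip_network(names.get(operand[1], operand[1]) + "/32")
        else:
            addr = names.get(operand[0], operand[0])
            net = ipaddress.ip_network(f"{addr}/{operand[1]}", strict=False)
        nets.setdefault(key, []).append(net)
    return nets


def pool_addresses(pool: Pool) -> List[ipaddress.IPv4Address]:
    start, end = pool
    return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]


def uncovered_addresses(pool: Pool, networks: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Address]:
    """Pool addresses that none of the given prefixes contains."""
    return [ip for ip in pool_addresses(pool) if not any(ip in n for n in networks)]


def pool_overlaps(pool: Pool, net: ipaddress.IPv4Network) -> bool:
    """True when any pool address lies inside the given (connected) subnet."""
    return any(ip in net for ip in pool_addresses(pool))


def report(lines: List[str] = CONFIG_LINES) -> Dict[str, object]:
    names = parse_names(lines)
    pools = parse_pools(lines)
    nets = parse_networks(lines, names)
    out: Dict[str, object] = {}
    for pool_name, pool in pools.items():
        out[pool_name] = {
            "overlaps_inside": pool_overlaps(pool, INSIDE_NET),
            "outside_split_tunnel": len(uncovered_addresses(pool, nets.get("Split_Tunnel_List", []))),
            "outside_route_inside": len(uncovered_addresses(pool, nets.get("route:inside", []))),
        }
    out["phone_host_in_split_tunnel"] = any(PHONE_HOST in n for n in nets["Split_Tunnel_List"])
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run against the constructed lines, the report shows the mismatch visible in the posted configuration: the pool vpnpool spans 192.168.18.1 to 192.168.18.254 (a full /24), while the Split_Tunnel_List entry and the route inside use 255.255.255.128, so the 127 addresses from 192.168.18.128 upward are outside both. VPNPOOL2 lies entirely inside the connected 192.168.16.0/24, and the phone host 192.168.16.254 is covered by the 192.168.16.0/24 split-tunnel entry, which matches the single /24 line Jouni proposes above.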
