01-09-2014 05:52 AM - edited 03-12-2019 06:06 PM
good morning folks
I have recently added an ASA 5525-X as an edge on my network; everything works fine, but when I try to set up an IPsec remote VPN things get complicated.
Here is my topology.
I have the ASA on top, followed by a Cisco 3750 L3 switch doing the routing for my LAN (two VLANs are defined on it).
Let's say
vlan 202 for servers
vlan 201 for users
NATing is already done for internet access.
On the ASA a profile is defined for RA, and a pool is assigned to it.
VPN clients can get a correct IP address from my inside DHCP server but cannot communicate with the LAN.
I'm new to Cisco security.
Some help would be appreciated.
here is my config on ASA
01-09-2014 09:19 AM
Hi,
I am not sure why this "route" is configured
route inside 172.20.6.32 255.255.255.240 172.20.6.66 1
It essentially tells the ASA that your VPN pool is located behind the "inside" interface, which it's not. It's located behind the "outside" interface of the ASA when a client is connected.
So you should probably remove the above "route":
no route inside 172.20.6.32 255.255.255.240 172.20.6.66 1
Next, you seem to have the NAT configurations ordered so that the traffic can't flow between the LAN networks and the VPN users.
Try these changes
object-group network LAN-NETWORKS
network-object 172.20.1.0 255.255.255.0
network-object 172.20.2.0 255.255.255.0
object network VPN-POOL
subnet 172.20.6.32 255.255.255.240
nat (inside,outside) 1 source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
no nat (any,any) source static RA_VPN_Hosts RA_VPN_Hosts destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
The above configuration creates a NAT0 configuration for traffic between your LAN networks and the VPN pool. It also removes the current NAT0 rule that is not in use.
I would probably also remove this dynamic PAT rule, as I am not sure if there is a reason to PAT traffic from the VPN users to the LANs:
no nat (outside,inside) source dynamic NETWORK_OBJ_172.20.6.32_28 interface
If you want to move your dynamic PAT rule to a better position so that it doesn't override other NAT configurations in the future, then you can do the following:
object-group network PAT-SOURCE
network-object 172.20.1.0 255.255.255.0
network-object 172.20.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE interface
no nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
This might cause a short outage for the LAN users, since we add a new dynamic PAT and remove the old one (which will probably tear down the existing translations active on the firewall). I will leave it to you to decide whether to do the change now.
Hope this helps
- Jouni
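The reason the rule order matters is that the ASA walks its NAT table in a fixed order: section 1 (manual NAT, in configuration order), then section 2 (object NAT), then section 3 (manual NAT entered with "after-auto"), and the first matching rule wins. The small model below is an added example, not code from the thread or from Cisco: it uses the thread's networks (with the /25 mask the poster later corrected) and constructed rule lists to show why a catch-all dynamic PAT ahead of the NAT0 rule breaks LAN-to-VPN traffic, why "nat (inside,outside) 1 source static ..." fixes it, and what "after-auto" buys you. Interface matching and reverse-direction lookups are left out of the model.

```python
# Added example (not from the thread): a model of how the ASA picks a NAT rule.
# Section 1 = manual NAT ("nat (in,out) source ..."), evaluated in configuration order;
# Section 2 = object (auto) NAT; Section 3 = manual NAT configured with "after-auto".
# First match wins. Addresses are the thread's networks; the rule lists are constructed.
import ipaddress
from dataclasses import dataclass

ANY = ["0.0.0.0/0"]
LAN_NETWORKS = ["172.20.1.0/24", "172.20.2.0/25"]  # object-group LAN-NETWORKS, corrected masks
VPN_POOL = ["172.20.6.32/28"]                        # object VPN-POOL


@dataclass
class NatRule:
    name: str
    section: int   # 1 = manual, 2 = object NAT, 3 = manual after-auto
    src: list      # source networks (CIDR strings) the rule matches
    dst: list      # destination networks the rule matches
    action: str    # "identity" (NAT exemption) or "pat" (source becomes the outside interface IP)


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def lookup(rules, src_ip, dst_ip):
    """Return the first rule matching an inside->outside packet, or None.
    sorted() is stable, so configuration order is preserved inside each section.
    A real ASA also matches on interfaces and evaluates the reverse direction;
    this model only covers the inside->outside lookup the thread is about."""
    for rule in sorted(rules, key=lambda r: r.section):
        if _in_any(src_ip, rule.src) and _in_any(dst_ip, rule.dst):
            return rule
    return None


def translation_for(rules, src_ip, dst_ip):
    rule = lookup(rules, src_ip, dst_ip)
    return rule.action if rule else "untranslated"


# Constructed "before" ordering: a catch-all dynamic PAT sits first in section 1,
# so LAN -> VPN-pool packets are PATed to the outside interface and the client's
# replies go to the ASA's public address instead of back to the LAN host.
BEFORE = [
    NatRule("nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface", 1, ANY, ANY, "pat"),
    NatRule("nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS "
            "destination static VPN-POOL VPN-POOL", 1, LAN_NETWORKS, VPN_POOL, "identity"),
]

# The thread's fix: "nat (inside,outside) 1 source static ..." inserts the identity
# rule at line 1 of section 1, ahead of the PAT.
FIXED = [BEFORE[1], BEFORE[0]]

# Optional follow-up from the thread: move the PAT to section 3 with "after-auto",
# so a NAT exemption added later in section 1 or 2 can never be shadowed by it.
FIXED_AFTER_AUTO = [
    BEFORE[1],
    NatRule("nat (inside,outside) after-auto source dynamic PAT-SOURCE interface",
            3, LAN_NETWORKS, ANY, "pat"),
]


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("fixed", FIXED), ("after-auto", FIXED_AFTER_AUTO)):
        print(label,
              "LAN->VPN:", translation_for(rules, "172.20.2.10", "172.20.6.35"),
              "LAN->Internet:", translation_for(rules, "172.20.2.10", "203.0.113.7"))
```

Running it prints "pat" for LAN-to-VPN traffic under the "before" ordering and "identity" under both fixed orderings, while LAN-to-Internet traffic stays PATed in every case; that is exactly the property to check with "packet-tracer input inside tcp 172.20.2.10 1025 172.20.6.35 445" on the real box after the change.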
01-09-2014 10:49 AM
hello Jouni
thank you for your quick reply.
I modified my config according to what you mentioned, and yes, you were right about the default route.
But I'm still not able to access the network behind the L3 switch.
Question: actually the VPN pool is on the ASA itself. Sorry if I misunderstand; I do need a gateway for that network, but the ASA didn't allow me to create the gateway. Where do I define that?
As info: the VPN user needs to access a particular server on VLAN 202.
The VLANs were defined as follows:
172.20.2.0/25
172.20.1.0/24
In the network objects you sent me, both are defined as /24.
I assume that I can modify them according to my subnetting scheme.
Please advise.
01-09-2014 11:05 AM
Hi,
Yes, I had the wrong network mask in the configurations. You can modify those to the correct ones.
The ASA will handle the routing for the VPN pool without adding any separate "route" command. The only thing you need to confirm is that the traffic from the internal network has a route for the VPN pool. But 99% of the time this is handled by the default route on the internal router. If you had a separate firewall and a separate VPN device, then it would be likely you would need some additional routing configuration.
I noticed one thing now that I forgot to mention in my original reply:
You have a VPN filter ACL configured that should be removed.
group-policy ONA-RA_VPN attributes
no vpn-filter value RA_VPN
If you look at the ACL RA_VPN you will notice it only allows traffic from VPN Pool to the link network between ASA and the internal Router. It has no mention of the actual LAN networks.
So please remove it from the "group-policy" as shown above then test again.
- Jouni
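A vpn-filter is an ordinary extended ACL applied to the VPN client's traffic: entries are tried in order, the first match decides, and anything left over hits the implicit deny. The script below is an added example, not code from the thread or from Cisco, that replays that logic against a constructed copy of the RA_VPN filter described above (pool to transit link only), the group policy with the filter removed, and a third variant that keeps a filter but lists the LAN subnets. The transit network 172.20.6.64/29 is an assumed value; the thread only shows the next hop 172.20.6.66.

```python
# Added example (not from the thread): how a vpn-filter ACL decides whether a VPN
# client's packet is allowed. Entries are checked in order, first match wins, and
# anything unmatched hits the implicit deny at the end. The link network
# 172.20.6.64/29 is an assumed value (the thread only shows the next hop 172.20.6.66).
import ipaddress

VPN_POOL = "172.20.6.32/28"
LINK_NET = "172.20.6.64/29"          # assumed ASA <-> L3-switch transit network
LAN_NETWORKS = ["172.20.1.0/24", "172.20.2.0/25"]


def ace(action, src, dst):
    """One access-control entry: action, source network, destination network."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def evaluate(acl, src_ip, dst_ip):
    """Return 'permit' or 'deny' for a packet from the VPN client (src) to a local host (dst).
    A group policy with no vpn-filter (acl is None) does not filter at all."""
    if acl is None:
        return "permit"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"  # implicit deny at the end of every ACL


# Constructed version of the RA_VPN filter described in the thread: it only
# mentions the pool and the transit link, never the real LAN networks.
RA_VPN = [ace("permit", VPN_POOL, LINK_NET)]

# Alternative to dropping the filter entirely: keep a filter but list the LAN
# subnets the clients actually need (assumption: both LANs should be reachable).
RA_VPN_LAN = [ace("permit", VPN_POOL, n) for n in LAN_NETWORKS]


def server_reachable(acl, client_ip="172.20.6.35", server_ip="172.20.2.10"):
    """Is the VLAN 202 server reachable from a VPN client under this filter?"""
    return evaluate(acl, client_ip, server_ip) == "permit"


if __name__ == "__main__":
    for label, acl in (("RA_VPN (as in thread)", RA_VPN),
                       ("no vpn-filter", None),
                       ("filter listing LAN subnets", RA_VPN_LAN)):
        print(f"{label}: client -> link {evaluate(acl, '172.20.6.35', '172.20.6.66')}, "
              f"client -> server {evaluate(acl, '172.20.6.35', '172.20.2.10')}")
```

With the thread's filter, the client can reach the transit link but the server lookup returns "deny", which matches the symptom; removing the filter permits everything, and the third variant shows that a filter can stay in place if it is written against the LAN subnets rather than the link network.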
01-10-2014 06:25 AM
hello Jouni...
everything works fine now
thank you for your precious help.
01-10-2014 06:26 AM
Hi,
Great to hear it's working.
Please do remember to mark a reply as the correct answer if it has answered your question.
- Jouni