DHCP pool not communicating with internal network

mvalcourt
Level 1

Good morning folks,

I have recently added an ASA 5525-X as an edge on my network, and everything works fine. But when I try to set up an IPsec remote VPN, things get complicated.

Here is my topology.

I have the ASA on top, followed by a Cisco 3750 L3 switch doing the routing for my LAN (two VLANs are defined on it).

Let's say:

VLAN 202 for servers

VLAN 201 for users

NATing is already done for internet access.

On the ASA, a profile is defined for RA and a pool is assigned to it.

The VPN client can get a correct IP address from my inside DHCP server but cannot communicate with the LAN.

I'm new to Cisco security.

Some help would be appreciated.

Here is my config on the ASA.


Jouni Forss
VIP Alumni

Hi,

I am not sure why this "route" is configured:

route inside 172.20.6.32 255.255.255.240 172.20.6.66 1

It essentially tells the ASA that your VPN pool is supposedly located behind the "inside" interface, which it's not. It's located behind the "outside" interface of the ASA when a client is connected.

So you should probably remove the above "route":

no route inside 172.20.6.32 255.255.255.240 172.20.6.66 1

Next, you seem to have the NAT configurations ordered so that the traffic can't flow between the LAN networks and the VPN users.

Try these changes:

object-group network LAN-NETWORKS
 network-object 172.20.1.0 255.255.255.0
 network-object 172.20.2.0 255.255.255.0
object network VPN-POOL
 subnet 172.20.6.32 255.255.255.240
nat (inside,outside) 1 source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
no nat (any,any) source static RA_VPN_Hosts RA_VPN_Hosts destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1

The above configuration creates a NAT0 configuration for traffic between your LAN networks and the VPN pool. It also removes the current NAT0 rule that is not in use.

I would probably also remove this dynamic PAT rule, as I am not sure if there is a reason to PAT traffic from the VPN users to the LANs:

no nat (outside,inside) source dynamic NETWORK_OBJ_172.20.6.32_28 interface

If you want to move your dynamic PAT rule to a better position so that it doesn't override other NAT configurations in the future, then you can do the following:

object-group network PAT-SOURCE
 network-object 172.20.1.0 255.255.255.0
 network-object 172.20.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE interface
no nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface

This might cause a short outage for the LAN users, since we add a new dynamic PAT and remove the old one (which will probably tear down the existing translations active on the firewall). I will leave it to you to decide whether to do the change now.

Hope this helps.

- Jouni

Hello Jouni,

Thank you for your quick reply.

I modified my config according to what you mentioned, and yes, you were right about the default route.

But I am still not able to access the network behind the L3 switch.

Question: actually the VPN pool is on the ASA itself. Sorry if I misunderstand; I do need a gateway for that network, but the ASA didn't allow me to create the gateway. Where do I define that?

As info: the VPN user needs to access a particular server on VLAN 202.

The VLANs were defined as follows:

172.20.2.0/25

172.20.1.0/24

In the network objects you sent me, both are defined as /24.

I assume that I can modify them according to my subnetting schema.

Please advise.

Hi,

Yes, I had the wrong network mask in the configurations. You can modify those to the correct ones.

The ASA will handle the routing for the VPN pool without adding any separate "route" command. The only thing you need to confirm is that the traffic from the internal network has a route for the VPN pool. But 99% of the time this is handled by the default route on the internal router. If you had a separate firewall and a separate VPN device, then it would be likely that you would need some additional routing configuration.

I noticed one thing now that I forgot to mention in my original reply.

You have a VPN filter ACL configured that should be removed:

group-policy ONA-RA_VPN attributes
 no vpn-filter value RA_VPN

If you look at the ACL RA_VPN, you will notice it only allows traffic from the VPN pool to the link network between the ASA and the internal router. It has no mention of the actual LAN networks.

So please remove it from the "group-policy" as shown above, then test again.

- Jouni
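
The two points Jouni raises in this thread, the identity (NAT0) rule that must win over the dynamic PAT, and the vpn-filter ACL that must name the real LAN subnets rather than only the link network, can be checked from the ASA CLI once the change is made. The block below is an added example, not configuration from the thread or from Cisco; it pulls the thread's objects together with the corrected masks the poster gave (172.20.2.0/25, 172.20.1.0/24) and adds the verification commands. Everything else is assumed and labelled: the ASA inside address 172.20.6.65, the 3750 link address 172.20.6.66, a server at 172.20.2.10, and a connected client holding 172.20.6.34 from the pool. Rather than deleting the vpn-filter outright, it shows the narrower alternative of keeping a filter that only permits the pool to reach the LAN.

```cisco
! Added example. Assumed values: ASA inside 172.20.6.65, 3750 link SVI
! 172.20.6.66, target server 172.20.2.10, connected client 172.20.6.34.

! --- ASA: objects with the corrected masks from the thread ----------------
object-group network LAN-NETWORKS
 network-object 172.20.1.0 255.255.255.0
 network-object 172.20.2.0 255.255.255.128
object network VPN-POOL
 subnet 172.20.6.32 255.255.255.240

! Identity (NAT0) rule for LAN <-> pool at line 1 of section 1, so it is
! evaluated before any dynamic PAT. route-lookup makes the ASA use the
! routing table, not the rule's interface pair, to pick the egress interface.
nat (inside,outside) 1 source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Internet PAT in section 3 (after-auto) so it can never shadow the rule above.
nat (inside,outside) after-auto source dynamic LAN-NETWORKS interface

! --- ASA: least-privilege alternative to deleting the vpn-filter ----------
! A vpn-filter ACL is written with the VPN client address as the source; the
! ASA applies the same ACE to the reverse direction for the return traffic.
! Limiting the pool to the one server on VLAN 202 keeps a filter in place
! while still letting the required traffic through.
access-list RA_VPN_FILTER extended permit tcp object VPN-POOL host 172.20.2.10 eq 443
access-list RA_VPN_FILTER extended permit icmp object VPN-POOL object-group LAN-NETWORKS
group-policy ONA-RA_VPN attributes
 vpn-filter value RA_VPN_FILTER

! --- 3750: return route for the pool --------------------------------------
! Only needed if the switch has no default route pointing at the ASA inside
! address (assumed 172.20.6.65); with a default route this is redundant.
ip route 172.20.6.32 255.255.255.240 172.20.6.65

! --- Verification from the ASA CLI ---------------------------------------
! Walk a simulated client packet through NAT, ACL and route lookup. With the
! identity rule and filter correct, the output ends in "Action: allow" with
! an egress interface of inside and no translation of either address.
packet-tracer input outside tcp 172.20.6.34 40000 172.20.2.10 443 detailed
! Confirm the identity rule is listed above the PAT rule and its hit count
! increases after the packet-tracer run.
show nat detail
! A connected client appears as a host route towards the outside interface.
show route | include 172.20.6
! Session details, including the assigned address and the active filter.
show vpn-sessiondb detail ra-ikev1-ipsec
```

If packet-tracer instead stops at the NAT phase with the PAT rule selected, the identity rule is below it or its masks do not cover the addresses tested; if it stops at a VPN or ACL phase with a drop, the filter ACL is the one to revisit.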

Hello Jouni,

Everything works fine now.

Thank you for your precious help.

Hi,

Great to hear it's working.

Please do remember to mark a reply as the correct answer if it has answered your question.

- Jouni
