Clientless vpn acces route to another vpn ASA5505

chnicolas, Level 1

Hello,

I have very little knowledge of how to set up an ASA5505.

I am working on one that is already set up, but one configuration is not fully working and I can't figure out how to fix it.


network A (10.5.10.0)  <-ASA5505---VPN-- STORMSHIELD-> network B (10.10.0.0)

This is the main setting and it is working: I can access a computer on 10.10.0.0 from a computer on 10.5.10.0.

clientless VPN (176.16.10.0) <---VPN ASA 5505---> network A (10.5.10.0)

This is working: I can access a computer on network 10.5.10.0 from a computer connected through the clientless VPN; the clientless VPN gives an address in the range 176.16.10.0.

My problem is that I can't access a computer on 10.10.0.0 from the computer connected via the clientless VPN.

I think it is a NAT configuration issue, but I can't figure it out.

I am using the graphical interface, version 8.4(4)1, and the device manager version is 7.1(2).


Thank you for your help


As I have very little knowledge of how to set it up, I need some help here.

8 Replies

Cristian Matei, VIP Alumni

Hi,

1. If you get an IP address when you connect to the VPN, it means you're not using clientless SSL VPN, but AnyConnect.

2. Configure on the ASA "same-security-traffic permit intra-interface".

3. Configure a twice NAT rule to exclude traffic from users (172.16.10.0) towards the remote site protected network (10.10.0.0) from being NAT'ed, like for example:

object network vpn_clients
 subnet 172.16.10.0 255.255.255.0
object network vpn_remote_network
 subnet 10.10.0.0 255.255.0.0
nat (NAMEIF_OF_OUTSIDE_INT NAMEIF_OF_OUTSIDE_INT) 1 source static vpn_clients vpn_clients destination static vpn_remote_network vpn_remote_network no-proxy-arp

Regards,

Cristian Matei.


Hi,

I tried it in the command line interface, but it always says invalid input (see picture); the names of the networks are correct.

Did I miss something?


Hi,


   There is a comma missing:


nat (NAMEIF_OF_OUTSIDE_INT, NAMEIF_OF_OUTSIDE_INT) 1 source static vpn_clients vpn_clients destination static vpn_remote_network vpn_remote_network no-proxy-arp


Regards,

Cristian Matei.

Hello,

The command worked; it creates the NAT (I think it is the same as I was trying yesterday), but there is still no ping from a computer on 176.... to 10.10...

Is there something else I should look at ?

Hi,


   Can you post the full current ASA configuration? You can PM me, if you don't want to share it here. Also, connect with the VPN client, generate some traffic towards the remote network and post the output of "show crypto ipsec sa detail" and "show vpn-sessiondb detail".


Regards,

Cristian Matei.

Included are the 3 files.

I changed the IPs; let me know if there is a problem with this.

Hope you can help me with this, I am really not familiar with this.

Thank you

Hi,


   You didn't add the VPN pool to the encryption domain, everything else looks good. Do these changes on the ASA side and try again (you would also need to configure the remote VPN endpoint and add traffic from 10.10.0.0/16 to 172.16.10.0/24 to the encryption domain with the ASA tunnel):

object-group network DM_INLINE_NETWORK_2
  network-object object obj-172.16.10.0

Regards,

Cristian Matei.
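To make the three points raised in this thread checkable (the intra-interface permit, the twice NAT exemption, and the VPN pool being present in the crypto ACL that defines the encryption domain), here is a small Python checker over an ASA-style configuration. It is an added example, not code from the thread or from Cisco; the config fragment, the ACL name outside_cryptomap and the interface name outside are constructed assumptions, and only object/object-group forms of ACL and NAT entries are parsed.

```python
import ipaddress
import re

# Constructed ASA-style config fragment (not the thread's real configuration). It has the
# intra-interface permit and the twice NAT exemption, but the AnyConnect pool is missing
# from the crypto ACL (the encryption domain), which is the gap diagnosed in the thread.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network vpn_clients
 subnet 172.16.10.0 255.255.255.0
object network vpn_remote_network
 subnet 10.10.0.0 255.255.0.0
object network obj-10.5.10.0
 subnet 10.5.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object obj-10.5.10.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object vpn_remote_network
nat (outside,outside) 1 source static vpn_clients vpn_clients destination static vpn_remote_network vpn_remote_network no-proxy-arp
"""

def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to the subnets it holds."""
    objs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            current = objs.setdefault(m.group(1), set())
        elif current is not None and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            current.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif current is not None and (m := re.match(r"\s+network-object object (\S+)", line)):
            current |= objs.get(m.group(1), set())  # ASA lists member objects before the group
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the object block
    return objs

def check_hairpin(config, crypto_acl, pool, remote):
    """The three checks from the thread, for traffic from the VPN pool to the remote site."""
    objs = parse_objects(config)
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    def covers(name, net):  # does object/group `name` contain the whole network `net`?
        return any(net.subnet_of(n) for n in objs.get(name, ()))
    # Crypto ACL entry whose source holds the pool and whose destination holds the remote LAN.
    acl_re = (rf"access-list {re.escape(crypto_acl)} extended permit ip "
              r"(?:object-group|object) (\S+) (?:object-group|object) (\S+)")
    in_domain = any(covers(m[1], pool) and covers(m[2], remote) for m in re.finditer(acl_re, config))
    # Twice NAT identity rule (real and mapped names equal) so the pool is not translated.
    nat_re = r"nat \(\S+,\S+\) \d+ source static (\S+) \1 destination static (\S+) \2"
    nat_exempt = any(covers(m[1], pool) and covers(m[2], remote) for m in re.finditer(nat_re, config))
    return {"intra_interface": "same-security-traffic permit intra-interface" in config,
            "nat_exempt": nat_exempt, "pool_in_encryption_domain": in_domain}
```

Running check_hairpin on SAMPLE_CONFIG reports the first two checks as present and the encryption-domain check as missing; adding vpn_clients to DM_INLINE_NETWORK_2 turns the last one green.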

I am actually working from home and I don't want to make the change from here, in case I will be disconnected.

I am really not a pro on this.

I will try on Monday and let you know


Thank you for your help.


Christophe
