ASA 5505 -- Multiple Subnet VPN

mtehonica
Level 5

I am trying to configure a VPN for use with the Cisco VPN Client.  I currently have the VPN operational but I am having trouble allowing access to multiple subnets that are connected to the ASA.  My current VPN DHCP pool is 10.0.0.0/24.  I want VPN users to be able to talk to one of my other vlans (172.16.20.0/24).  This is what I can't figure out.  If I change my VPN DHCP pool to something like 172.16.20.100-110 then I can talk to everything on that subnet fine.  But as soon as I change the DHCP pool back to the other subnet then I can't.  Any suggestions??

Here is my config:

nysyr-sbo-asa(config)# sh run
: Saved
:
ASA Version 8.4(1)
!
<REMOVED>
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description Connection to Primary ISP (FiOS)
 nameif primaryisp
 security-level 0
 ip address <removed>
!
interface Vlan3
 description Connection to Secondary ISP (Time Warner)
 nameif backupisp
 security-level 0
 ip address <removed>
!
interface Vlan5
 description Connection to internal internet access subnet (192.168.5.0/24)
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan20
 description Connection to internal management network (172.16.20.0/24)
 nameif insidemgmt
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network inside-network
 subnet 192.168.5.0 255.255.255.0
object network asp-wss-1-tw
 host 192.168.5.11
object network asp-wss-1-vz
 host 192.168.5.11
object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
access-list outside_access_in_1 remark Access list to allow outside traffic in
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq https
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq https
access-list SBOnet_VPN_Tunnel_splitTunnelAcl standard permit 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu primaryisp 1500
mtu backupisp 1500
mtu inside 1500
mtu insidemgmt 1500
ip local pool vpn-ip-pool 10.0.0.10-10.0.0.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface
!
object network asp-wss-1-tw
 nat (inside,backupisp) static <removed>
object network asp-wss-1-vz
 nat (inside,primaryisp) static <removed>
access-group outside_access_in_1 in interface primaryisp
access-group outside_access_in_1 in interface backupisp
route primaryisp 0.0.0.0 0.0.0.0 <removed> 1 track 1
route backupisp 0.0.0.0 0.0.0.0 <removed> 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 primaryisp
http 0.0.0.0 0.0.0.0 backupisp
http 0.0.0.0 0.0.0.0 insidemgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp
 threshold 3000
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
crypto map backupisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backupisp_map interface backupisp
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=<removed>
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable primaryisp
crypto ikev2 enable backupisp
crypto ikev1 enable primaryisp
crypto ikev1 enable backupisp
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 primaryisp
ssh 0.0.0.0 0.0.0.0 backupisp
ssh 0.0.0.0 0.0.0.0 insidemgmt
ssh timeout 20
console timeout 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SBOnet_VPN_Tunnel internal
group-policy SBOnet_VPN_Tunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool (primaryisp) vpn-ip-pool
 address-pool vpn-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group SBOnet_VPN_Tunnel type remote-access
tunnel-group SBOnet_VPN_Tunnel general-attributes
 address-pool vpn-ip-pool
 default-group-policy SBOnet_VPN_Tunnel
tunnel-group SBOnet_VPN_Tunnel ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7a817a8679e586dc829c06582c60811d
: end
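Two details in the configuration above are worth a reviewer's attention, independent of the routing question. First, "split-tunnel-policy tunnelall" makes the ASA ignore the "split-tunnel-network-list", so the SBOnet_VPN_Tunnel_splitTunnelAcl named there has no effect until the policy is "tunnelspecified". Second, "http 0.0.0.0 0.0.0.0" and "ssh 0.0.0.0 0.0.0.0" on the two security-level 0 interfaces permit ASDM and SSH management sessions from any source address on the Internet. The script below is an added check, not code from the original post or from Cisco: it reads a show-run style text (the sample is an excerpt constructed from the posted configuration) and reports both conditions.

```python
import re

# Constructed excerpt of the configuration posted in the thread, trimmed to the
# lines these checks read: interfaces, http/ssh management lines, group-policy.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif primaryisp
 security-level 0
!
interface Vlan3
 nameif backupisp
 security-level 0
!
interface Vlan5
 nameif inside
 security-level 100
!
interface Vlan20
 nameif insidemgmt
 security-level 100
!
http server enable
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 primaryisp
http 0.0.0.0 0.0.0.0 backupisp
http 0.0.0.0 0.0.0.0 insidemgmt
ssh 0.0.0.0 0.0.0.0 primaryisp
ssh 0.0.0.0 0.0.0.0 backupisp
ssh 0.0.0.0 0.0.0.0 insidemgmt
ssh timeout 20
group-policy SBOnet_VPN_Tunnel internal
group-policy SBOnet_VPN_Tunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
"""


def parse_config(text):
    """Collect interface security levels, http/ssh management lines and the
    split-tunnel settings of each group-policy from a show-run style text."""
    levels = {}     # nameif -> security-level
    policies = {}   # group-policy name -> {"policy": ..., "list": ...}
    mgmt = []       # (proto, address, mask, nameif)
    cur_if = cur_gp = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_if = cur_gp = None
            continue
        if line.startswith("interface "):
            cur_if, cur_gp = {"nameif": None, "level": None}, None
            continue
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            cur_gp = policies.setdefault(m.group(1), {"policy": None, "list": None})
            cur_if = None
            continue
        m = re.match(r"(http|ssh) (\S+) (\S+) (\S+)$", line)
        if m:                      # "http server enable" / "ssh timeout 20" do not match
            mgmt.append(m.groups())
            continue
        if cur_if is not None:
            m = re.match(r"nameif (\S+)$", line)
            if m:
                cur_if["nameif"] = m.group(1)
            m = re.match(r"security-level (\d+)$", line)
            if m:
                cur_if["level"] = int(m.group(1))
            if cur_if["nameif"] is not None and cur_if["level"] is not None:
                levels[cur_if["nameif"]] = cur_if["level"]
        elif cur_gp is not None:
            m = re.match(r"split-tunnel-policy (\S+)$", line)
            if m:
                cur_gp["policy"] = m.group(1)
            m = re.match(r"split-tunnel-network-list value (\S+)$", line)
            if m:
                cur_gp["list"] = m.group(1)
    return levels, policies, mgmt


def lint(text):
    """Return one finding per ignored split-tunnel list and per any-source
    management line on a security-level 0 (outside) interface."""
    levels, policies, mgmt = parse_config(text)
    findings = []
    for name, gp in policies.items():
        if gp["policy"] == "tunnelall" and gp["list"]:
            findings.append(
                f"group-policy {name}: split-tunnel-network-list {gp['list']} "
                f"is ignored under tunnelall; tunnelspecified would honour it")
    for proto, addr, mask, nameif in mgmt:
        if (addr, mask) == ("0.0.0.0", "0.0.0.0") and levels.get(nameif) == 0:
            findings.append(
                f"{proto} management permitted from any source on "
                f"security-level 0 interface {nameif}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it prints five findings: the tunnelall policy, and http and ssh on each of primaryisp and backupisp. The management lines on inside and insidemgmt are not reported because those interfaces are security-level 100.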

1 Accepted Solution


15 Replies

rizwanr74
Level 7

Try this and let me know.

object network vpn-ip-pool
subnet 10.0.0.0 255.255.255.0

object network my-mgmt
subnet 172.16.20.0 255.255.255.0

nat (insidemgmt,primaryisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional

If you have L3 switch on my-mgmt network please make sure, you have a static-route in place on that switch as well, like shown below.

ip route 10.0.0.0 255.255.255.0 172.16.20.1

Please let me know, if this helps.

thanks

Rizwan Rafeek

Thanks for the quick response.  I tried those commands and it didn't appear to help.  My 172.16.20.x network is connected to an unmanaged switch so there is no config to do there.  I still can't ping anything on the 172.16.20.x subnet nor can I RDP to any of those machines.

Here is what I added:

object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
object network my-mgmt
 subnet 172.16.20.0 255.255.255.0
nat (insidemgmt,backupisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional

I changed primaryisp to backupisp because that is currently the outside interface that I'm VPNing into.  I do see the following log entry when I try to RDP to 172.16.20.10 from 10.0.0.10:

6 Apr 30 2012 15:16:49 10.0.0.10 49880 172.16.20.10 3389 Built inbound TCP connection 2405 for backupisp:10.0.0.10/49880 (10.0.0.10/49880) to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389) (matt)

Here is an output from show route:

nysyr-sbo-asa(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 208.125.237.113 to network 0.0.0.0

C    172.16.20.0 255.255.255.0 is directly connected, insidemgmt
S    10.0.0.10 255.255.255.255 [1/0] via 208.125.237.113, backupisp
C    208.125.237.112 255.255.255.248 is directly connected, backupisp
S*   0.0.0.0 0.0.0.0 [10/0] via 208.125.237.113, backupisp

And here is a show nat:

nysyr-sbo-asa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (primaryisp) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (backupisp) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
3 (insidemgmt) to (primaryisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (insidemgmt) to (backupisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (backupisp) source static asp-wss-1-tw 208.125.237.114
    translate_hits = 0, untranslate_hits = 23
2 (inside) to (primaryisp) source static asp-wss-1-vz 24.97.182.141
    translate_hits = 0, untranslate_hits = 0

Anything else I should try?

Please add this highlighted line below as well, the one shown below.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

when done, please try it and let me know.

What is the default gateway address on the hosts connected to your unmanaged L2 switch?

Please post the output from below command.

packet-tracer input backupisp icmp 10.0.0.2 8 0 172.16.20.10

thanks

Looking forward to hearing from you.

I tried to add that command and got an error....

nysyr-sbo-asa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set $

ERROR: Crypto map associated with multiple interfaces. Cannot enable rri

The default gateway for the 172.16.20.0/24 network is 172.16.20.1.

Here is the packet trace....

nysyr-sbo-asa(config)# packet-tracer input backupisp icmp 10.0.0.2 8 0 172.16.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.20.0     255.255.255.0   insidemgmt

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: backupisp
input-status: up
input-line-status: up
output-interface: insidemgmt
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So I might be on to something here.... I tried to use the packet trace command with port 3389 (RDP) and the log shows:

4 May 01 2012 11:02:18 10.0.0.10 3389 172.16.20.10 3389 Deny tcp src backupisp:10.0.0.10/3389 dst insidemgmt:172.16.20.10/3389 by access-group "outside_access_in_1" [0x0, 0x0]

So it looks like my access-list on that interface is denying it?  So I add a rule to allow 3389 from tcp any to object my-mgmt eq 3389 and I see this:

6 May 01 2012 11:04:45 10.0.0.12 3389 172.16.20.10 3389 Teardown TCP connection 3663 for backupisp:10.0.0.12/3389 to insidemgmt:172.16.20.10/3389 duration 0:00:00 bytes 0 Free the flow created as result of packet injection

6 May 01 2012 11:04:45 10.0.0.12 3389 172.16.20.10 3389 Built inbound TCP connection 3663 for backupisp:10.0.0.12/3389 (10.0.0.12/3389) to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389)

Looks like it allows it now but I still can't get RDP to connect.  It times out...
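The log messages quoted in this thread carry the fields a detection would key on. The first Built message (connection 2405) ends with "(matt)", the VPN username the ASA attaches to a flow that arrived through the tunnel, and it was logged before any 3389 permit existed on outside_access_in_1: decrypted tunnel traffic bypasses the interface ACL when "sysopt connection permit-vpn" is in effect (the sh run all sysopt output later in the thread shows it is). The Deny and the second Built/Teardown pair (connection 3663) come from packet-tracer, whose injected packets do not take that path, which is why the teardown reason reads "packet injection". The parser below is an added example, not code from the original post or from Cisco; it assumes the interface names of the posted configuration, uses the message texts as quoted (without the %ASA-n-ID prefix that syslog would add), and appends one constructed line with a TEST-NET-3 source to show the case a defender wants to catch: a management-network connection from an outside interface that carries no VPN user.

```python
import re

# Interface names as in the posted configuration: both ISP-facing interfaces are
# security-level 0, the management VLAN is insidemgmt.
OUTSIDE_IFS = {"primaryisp", "backupisp"}
MGMT_IF = "insidemgmt"

# Message texts as quoted in the thread (connections 2405 and 3663) plus one
# constructed line (connection 4100, source 203.0.113.7) with no VPN user.
SAMPLE_LOG = [
    "Built inbound TCP connection 2405 for backupisp:10.0.0.10/49880 (10.0.0.10/49880) "
    "to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389) (matt)",
    'Deny tcp src backupisp:10.0.0.10/3389 dst insidemgmt:172.16.20.10/3389 '
    'by access-group "outside_access_in_1" [0x0, 0x0]',
    "Built inbound TCP connection 3663 for backupisp:10.0.0.12/3389 (10.0.0.12/3389) "
    "to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389)",
    "Teardown TCP connection 3663 for backupisp:10.0.0.12/3389 to insidemgmt:172.16.20.10/3389 "
    "duration 0:00:00 bytes 0 Free the flow created as result of packet injection",
    "Built inbound TCP connection 4100 for backupisp:203.0.113.7/51515 (203.0.113.7/51515) "
    "to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389)",   # constructed
]

BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<in_if>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<out_if>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
    r"(?: \((?P<user>[^)]+)\))?$")          # trailing "(user)" is the VPN username
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<in_if>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<out_if>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for (?P<in_if>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<duration>\S+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$")


def parse_line(msg):
    """Return a dict of named fields plus "kind", or None for other messages."""
    for kind, rx in (("built", BUILT_RE), ("deny", DENY_RE), ("teardown", TEARDOWN_RE)):
        m = rx.search(msg)
        if m:
            fields = m.groupdict()
            fields["kind"] = kind
            return fields
    return None


def review(lines):
    """Flag management-network connections built from an outside interface
    without a VPN user, and mark packet-tracer injections so they are not
    mistaken for real traffic."""
    alerts = []
    for msg in lines:
        ev = parse_line(msg)
        if ev is None:
            continue
        if (ev["kind"] == "built" and ev["in_if"] in OUTSIDE_IFS
                and ev["out_if"] == MGMT_IF and not ev.get("user")):
            alerts.append(f"conn {ev['cid']}: {ev['src']} -> {ev['dst']}:{ev['dport']} "
                          f"reached {MGMT_IF} from {ev['in_if']} without a VPN user")
        elif ev["kind"] == "teardown" and "packet injection" in (ev.get("reason") or ""):
            alerts.append(f"conn {ev['cid']}: packet-tracer injection, not real traffic")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample this yields three alerts: connection 3663 twice (no user, then the injection marker that explains it) and the constructed connection 4100; the real user session 2405 is not reported. The same "no VPN user" test is what makes the "permit tcp any object my-mgmt eq 3389" entry added to the outside ACL worth watching, since that entry is what would let a non-tunnel flow to the management network be built at all.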

mtehonica
Level 5

Anyone else have any ideas??

Sent from Cisco Technical Support iPad App

Hello Matt,

The correct NAT statement should be:

nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool

Give it a try and let me know.

Also provide sh run all sysopt.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
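The difference between the rule first suggested above and this corrected one is the orientation of the objects against the interface pair. In twice NAT, "nat (real_ifc,mapped_ifc) source static A A destination static B B" matches packets entering real_ifc with a source in A and a destination in B, and, unless "unidirectional" is given, the reverse flow entering mapped_ifc. The first rule placed the VPN pool as the source on insidemgmt and was unidirectional, so packets from the pool arriving on backupisp never matched it (the sh nat output earlier in the thread shows translate_hits = 0 for it); the corrected rule places the management subnet on insidemgmt and the pool on backupisp, and being bidirectional covers both directions. The script below is an added example, not code from either poster or from Cisco: it parses the two object definitions and each rule as posted (embedded as constructed samples) and reports which directions of pool-to-subnet traffic the rule exempts from translation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the object definitions from the thread, followed by the
# first rule tried (pool as source on the inside interface, unidirectional) and
# the corrected rule (inside subnet as source, pool as destination, bidirectional).
OBJECTS = """\
object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
object network my-mgmt
 subnet 172.16.20.0 255.255.255.0
"""
FIRST_ATTEMPT = OBJECTS + (
    "nat (insidemgmt,backupisp) source static vpn-ip-pool vpn-ip-pool "
    "destination static my-mgmt my-mgmt unidirectional\n")
CORRECTED = OBJECTS + (
    "nat (insidemgmt,backupisp) source static my-mgmt my-mgmt "
    "destination static vpn-ip-pool vpn-ip-pool\n")

# Twice NAT with static source; "source dynamic" and object (auto) NAT do not match.
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(.*)$")


@dataclass
class TwiceNat:
    real_if: str
    mapped_if: str
    src: tuple                 # (real object, mapped object)
    dst: Optional[tuple]       # (mapped object, real object), as typed on the CLI
    unidirectional: bool


def parse(text):
    """Collect object network definitions and twice-NAT rules from config text."""
    objects, rules, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            cur = m.group(1)
            objects.setdefault(cur, None)
            continue
        if cur and line.startswith(("subnet ", "host ")):
            objects[cur] = line
            continue
        m = NAT_RE.match(line)
        if m:
            real_if, mapped_if, s1, s2, d1, d2, rest = m.groups()
            rules.append(TwiceNat(real_if, mapped_if, (s1, s2),
                                  (d1, d2) if d1 else None,
                                  "unidirectional" in rest))
    return objects, rules


def covered_directions(rule, inside_if, outside_if, lan_obj, pool_obj):
    """Which directions of pool<->LAN traffic this rule matches as identity NAT."""
    if rule.dst is None or rule.src[0] != rule.src[1] or rule.dst[0] != rule.dst[1]:
        return set()        # not an identity rule for both source and destination
    key = (rule.real_if, rule.mapped_if, rule.src[0], rule.dst[0])
    if key == (inside_if, outside_if, lan_obj, pool_obj):
        fwd, rev = "lan->vpn", "vpn->lan"   # real->mapped flow is LAN toward the pool
    elif key == (outside_if, inside_if, pool_obj, lan_obj):
        fwd, rev = "vpn->lan", "lan->vpn"   # same rule written from the outside
    else:
        return set()        # objects sit on the wrong side of the interface pair
    return {fwd} if rule.unidirectional else {fwd, rev}


def check_exemption(text, inside_if, outside_if, lan_obj, pool_obj):
    """Sorted list of directions that some rule in the config exempts."""
    objects, rules = parse(text)
    for name in (lan_obj, pool_obj):
        if objects.get(name) is None:
            raise ValueError(f"object network {name} has no subnet/host line")
    covered = set()
    for rule in rules:
        covered |= covered_directions(rule, inside_if, outside_if, lan_obj, pool_obj)
    return sorted(covered)


if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(label, check_exemption(cfg, "insidemgmt", "backupisp", "my-mgmt", "vpn-ip-pool"))
```

For the first attempt the result is an empty list, for the corrected rule both directions. The same check run with "primaryisp" as the outside interface returns nothing for either sample, which is the case the thread ran into when the VPN terminated on backupisp while the rule named primaryisp: a separate identity rule is needed per outside interface the tunnel can land on.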

Thanks for the response!  I tried that NAT rule but it's still not working.  I'm not able to RDP from a VPN connection (10.0.0.x/24) to the management network (172.16.20.x/24).

Here is my sh run all sysopt:

nysyr-sbo-asa(config)# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp primaryisp
no sysopt noproxyarp backupisp
no sysopt noproxyarp inside
no sysopt noproxyarp insidemgmt

Here are my NAT rules:

nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface

Here is a packet trace...

nysyr-sbo-asa(config)# packet-tracer input backupisp tcp 10.0.0.2 3389 172.16.$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
Additional Information:
NAT divert to egress interface insidemgmt
Untranslate 172.16.20.10/3389 to 172.16.20.10/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface backupisp
access-list outside_access_in_1 extended permit tcp any object my-mgmt eq 3389
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4451, packet dispatched to next module

Result:
input-interface: backupisp
input-status: up
input-line-status: up
output-interface: insidemgmt
output-status: up
output-line-status: up
Action: allow

Any other suggestions for me??  If I read the packet trace correctly, it looks like it's working fine....

Hi Matt,

Can you please remove these lines below and try it.

group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool (primaryisp) vpn-ip-pool
 address-pool vpn-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****

Let me know how this is coming along.

thanks

I removed those lines and I'm getting the same results as above. 

Keep those lines removed; you do not need those lines for your Remote Access VPN.

Please tell me, what is the default-gateway assigned on those hosts sitting on mgmt network segment?

The default gateway was the issue.  The servers I'm connecting to are dual IP'd and were configured incorrectly.  I changed the gateway to 172.16.20.1 and I can connect fine now.  Thanks for all the help!

Now whenever I want to access a new subnet, I just need to add the following, correct?

nat (,backupisp) source static
destination static vpn-ip-pool vpn-ip-pool

"nat (,backupisp) source static
destination static vpn-ip-pool vpn-ip-pool"

You got it.

So I may have jumped the gun a bit.... I forgot that I also changed the split tunnel policy before I changed the default gateway.  I changed "split-tunnel-policy tunnelspecified" to "split-tunnel-policy tunnelall".  Obviously that isn't what I want because then I can get to anything else on the internet or other local networks.  So there still appears to be an issue, more specifically an issue with split tunnel.  Any ideas on anything I can check?
