ASA5520 two VPN Group Clients to use two VLAN

eagle_mk4
Level 1

Hello! I have a VPN network (on an ASA 5520) with two VLANs (999 and 997) and two remote clients (User1 and User2). The VPN connection for both users comes up correctly, but while connected to the VPN I can't ping another computer on the same VPN network. For example: when User1 is connected it has the IP 172.16.1.230, but it can't ping another connected PC (IP 172.16.1.236).

Do I need some more commands? The running configuration is:

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.31.252 255.255.255.248
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.997
 vlan 997
 nameif vlan997
 security-level 100
 ip address 172.16.126.237 255.255.255.240
!
interface GigabitEthernet0/1.999
 vlan 999
 nameif vlan999
 security-level 100
 ip address 172.16.1.237 255.255.255.240
!
access-list ACLnonat_VLAN999 extended permit ip 172.16.1.224 255.255.255.240 172.16.1.224 255.255.255.240
access-list ACLnonat_VLAN997 extended permit ip 172.16.126.224 255.255.255.240 172.16.126.224 255.255.255.240
access-list Split_tunnel_VLAN999 standard permit 172.16.1.224 255.255.255.240
access-list Split_tunnel_VLAN997 standard permit 172.16.126.224 255.255.255.240
ip local pool user1 172.16.1.230-172.16.1.232 mask 255.255.255.240
ip local pool user2 172.16.126.230-172.16.126.232 mask 255.255.255.240
no failover
route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
crypto ipsec transform-set VPN_trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 1 set transform-set VPN_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
group-policy VLAN997 internal
group-policy VLAN997 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_VLAN997
group-policy VLAN999 internal
group-policy VLAN999 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_VLAN999
username User1 password .PQ9SoxHVoZYGh3K encrypted privilege 0
username User2 password CgX0iETg8gi5QdzU encrypted privilege 0
tunnel-group VLAN999 type remote-access
tunnel-group VLAN999 general-attributes
 address-pool user1
 default-group-policy VLAN999
tunnel-group VLAN999 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 30 retry 5
tunnel-group VLAN997 type remote-access
tunnel-group VLAN997 general-attributes
 address-pool user2
 default-group-policy VLAN997
tunnel-group VLAN997 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 30 retry 5

Thanks in Advance!

rizwanr74
Level 7

Hi Eagle,

You do not need to have a sub-interface created for each VPN group. The ASA is smart enough to know which interface those VPN clients are coming off.

What you need is no-nat between your internal networks and remote vpn-pools you have created.

Please follow the example below.

Let's say you have internal network(s) connected to an L3 switch, this switch is connected to your ASA's inside interface, and your internal networks are 10.10.10.0/24 and 10.255.255.0/24.

And so you create the ACL:

access-list inside_nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.126.128 255.255.255.240
access-list inside_nonat extended permit ip 10.255.255.0 255.255.255.0 172.16.126.128 255.255.255.240
access-list inside_nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.128 255.255.255.240
access-list inside_nonat extended permit ip 10.255.255.0 255.255.255.0 172.16.1.128 255.255.255.240
nat (inside) 0 access-list inside_nonat

This will allow your remote VPN client to access these respective networks while connected on the VPN client.

Hope that answers your question.

Thanks
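The reply above describes the NAT-exemption approach in general terms. Below is an added example, not posted by anyone in this thread, that applies the same "nat 0 access-list" pattern (ASA 8.2-style syntax, as used in the reply) to the interface names, subnets and address pools that appear in the original poster's configuration. The ACL names vlan999_nonat and vlan997_nonat are assumed, and the assumption that the two VLAN subnets are the only internal networks comes from the posted config, not from the thread.

```cisco
! Added example (not from the thread). Uses the original post's values:
!   vlan999 interface subnet 172.16.1.224/28, pool user1 172.16.1.230-232
!   vlan997 interface subnet 172.16.126.224/28, pool user2 172.16.126.230-232
! ACL names vlan999_nonat / vlan997_nonat are assumed.

! Exempt traffic between each VLAN subnet and both VPN pools from NAT.
! Both pools sit inside their VLAN subnets, so the /28 covers pool and LAN.
access-list vlan999_nonat extended permit ip 172.16.1.224 255.255.255.240 172.16.1.224 255.255.255.240
access-list vlan999_nonat extended permit ip 172.16.1.224 255.255.255.240 172.16.126.224 255.255.255.240
access-list vlan997_nonat extended permit ip 172.16.126.224 255.255.255.240 172.16.126.224 255.255.255.240
access-list vlan997_nonat extended permit ip 172.16.126.224 255.255.255.240 172.16.1.224 255.255.255.240

! The posted config defines ACLnonat_VLAN999 / ACLnonat_VLAN997 but never
! binds them; an exemption ACL only takes effect once applied with "nat 0".
nat (vlan999) 0 access-list vlan999_nonat
nat (vlan997) 0 access-list vlan997_nonat

! Client-to-client traffic (the ping in the original question) enters and
! leaves the ASA on the same interface (outside); the ASA drops that unless
! hairpinning on one interface is explicitly permitted.
same-security-traffic permit intra-interface
```

After applying, `show running-config nat` confirms the exemption is bound to the right interface, and `show crypto ipsec sa` on the ASA shows whether the encrypted packet counters for a connected client increase when it pings a peer; if the tunnel counters stay at zero while the client reports timeouts, the problem is upstream of the ASA (as turned out to be the case in this thread).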

Hi rizwanr74,

I have two sub-interfaces because I have two different VLANs connected to the same port. Can I do this, or must I connect each VLAN to a different port?

Hi rizwanr74,

The network is now working correctly. The problem was the L3 switch, which didn't have the port in trunk mode. I will take your solution for future configurations that I make.

Thank you for everything!
