05-10-2012 04:10 AM
Hello! I have a VPN network (on an ASA 5520) with two VLANs (999 and 997) and two remote clients (User1 and User2). The VPN connection with both users connects correctly, but I can't ping another computer in the same VPN network when the VPN is connected. For example: when User1 is connected, it has the IP 172.16.1.230 but can't ping another connected PC (IP: 172.16.1.236).
Do I need some more commands? The running configuration is:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.31.252 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.997
vlan 997
nameif vlan997
security-level 100
ip address 172.16.126.237 255.255.255.240
!
interface GigabitEthernet0/1.999
vlan 999
nameif vlan999
security-level 100
ip address 172.16.1.237 255.255.255.240
!
access-list ACLnonat_VLAN999 extended permit ip 172.16.1.224 255.255.255.240 172.16.1.224 255.255.255.240
access-list ACLnonat_VLAN997 extended permit ip 172.16.126.224 255.255.255.240 172.16.126.224 255.255.255.240
access-list Split_tunnel_VLAN999 standard permit 172.16.1.224 255.255.255.240
access-list Split_tunnel_VLAN997 standard permit 172.16.126.224 255.255.255.240
ip local pool user1 172.16.1.230-172.16.1.232 mask 255.255.255.240
ip local pool user2 172.16.126.230-172.16.126.232 mask 255.255.255.240
no failover
route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
crypto ipsec transform-set VPN_trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 1 set transform-set VPN_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
group-policy VLAN997 internal
group-policy VLAN997 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_VLAN997
group-policy VLAN999 internal
group-policy VLAN999 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_VLAN999
username User1 password .PQ9SoxHVoZYGh3K encrypted privilege 0
username User2 password CgX0iETg8gi5QdzU encrypted privilege 0
tunnel-group VLAN999 type remote-access
tunnel-group VLAN999 general-attributes
address-pool user1
default-group-policy VLAN999
tunnel-group VLAN999 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 5
tunnel-group VLAN997 type remote-access
tunnel-group VLAN997 general-attributes
address-pool user2
default-group-policy VLAN997
tunnel-group VLAN997 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 5
Thanks in Advance!
05-10-2012 07:20 AM
Hi Eagle,
You do not need to have a sub-interface created for each VPN group. The ASA is smart enough to know which interface those VPN clients are coming off.
What you need is no-nat between your internal networks and remote vpn-pools you have created.
Please follow the example below.
Let's say you have an internal network(s) connected on L3 switches, this switch's inside interface is connected to your ASA, and your internal networks are 10.10.10.0/24 and 10.255.255.0/24.
And so you create an ACL:
access-list inside_nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.126.128 255.255.255.240
access-list inside_nonat extended permit ip 10.255.255.0 255.255.255.0 172.16.126.128 255.255.255.240
access-list inside_nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.128 255.255.255.240
access-list inside_nonat extended permit ip 10.255.255.0 255.255.255.0 172.16.1.128 255.255.255.240
nat (inside) 0 access-list inside_nonat
This will give your remote vpn-client access to these respective networks while connected on the vpn-client.
Hope that answers your question.
thanks
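A small checker, added here as an example and not part of the thread, that parses ASA-style no-NAT ACL lines and reports whether a given flow is exempted and which pool addresses an exemption misses. The ACL lines are the reply's sample plus the VLAN999 line from the posted configuration; the inside networks and pool addresses are the ones the thread uses. Note that the pool ranges in the reply (172.16.126.128/28 and 172.16.1.128/28) are sample values that do not contain the pools in the posted configuration (172.16.126.230-232 and 172.16.1.230-232), so the ACL must be written against the pools actually in use.

```python
import ipaddress

# Constructed sample input: the no-NAT ACL from the reply above plus the
# VLAN999 exemption line from the original running configuration.
SAMPLE_ACL = """
access-list inside_nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.126.128 255.255.255.240
access-list inside_nonat extended permit ip 10.255.255.0 255.255.255.0 172.16.126.128 255.255.255.240
access-list inside_nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.128 255.255.255.240
access-list inside_nonat extended permit ip 10.255.255.0 255.255.255.0 172.16.1.128 255.255.255.240
access-list ACLnonat_VLAN999 extended permit ip 172.16.1.224 255.255.255.240 172.16.1.224 255.255.255.240
"""

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny ip NET MASK NET MASK' lines
    into (name, action, src_net, dst_net); lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 9 or p[0] != "access-list" or p[2] != "extended" or p[4] != "ip":
            continue
        src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
        dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
        entries.append((p[1], p[3], src, dst))
    return entries

def nat_exempt(entries, acl_name, src_ip, dst_ip):
    """True if the first ACE of acl_name matching src->dst is a permit.
    The ASA evaluates ACEs top down, first match wins; no match means NAT applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, action, src, dst in entries:
        if name == acl_name and s in src and d in dst:
            return action == "permit"
    return False

def uncovered_pool_addresses(entries, acl_name, inside_net, pool_first, pool_last):
    """Pool addresses that no permit ACE exempts for traffic from inside_net.
    Clients landing on these addresses get NAT-ed and are not reachable by pool IP."""
    net = ipaddress.ip_network(inside_net)
    first, last = int(ipaddress.ip_address(pool_first)), int(ipaddress.ip_address(pool_last))
    covered = [dst for name, action, src, dst in entries
               if name == acl_name and action == "permit" and net.subnet_of(src)]
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)
            if not any(ipaddress.ip_address(i) in dst for dst in covered)]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(nat_exempt(acl, "inside_nonat", "10.10.10.5", "172.16.126.130"))  # True
    # The pool from the posted config (user2) lies outside the reply's sample range:
    print(uncovered_pool_addresses(acl, "inside_nonat", "10.10.10.0/24",
                                   "172.16.126.230", "172.16.126.232"))
```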
05-14-2012 01:48 AM
Hi rizwanr74,
I have two sub-interfaces because I have two different VLANs connected to the same port. Can I do this, or must I connect each VLAN to a different port?
05-15-2012 05:41 AM
Hi rizwanr74,
The network is now working correctly; the problem was that the L3 switch didn't have the port in trunk mode. I'll take your solution for future configurations that I make.
Thank you for all!