10-25-2012 09:19 AM
Hi, I have an ASA 5520 8.2(3) and need some help with allowing my remote client-to-site VPN clients to access resources directly connected to my ASA on separate lower-security interfaces (not the outside), besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick', however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower-security interfaces as well, and if so what would a mock config that accomplishes that look like (ACLs, NAT, etc.)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any NAT statements necessary (such as no-natting them) or are the VPN clients just seen as internal clients from the rest of the internal network's standpoint by default?
Thank you,
Jared Dufrene
10-25-2012 09:48 AM
Hi Jared,
This is a quick example:
interface f0/0
 ip address 192.168.1.1 255.255.255.0
 nameif inside
 security-level 100
 no shutdown
!
interface f0/1
 ip address 192.168.2.1 255.255.255.0
 nameif dmz
 security-level 50
 no shutdown
!
interface f0/2
 ip address 192.168.3.1 255.255.255.0
 nameif wireless
 security-level 30
 no shutdown
!
! NAT exemption: traffic between each local subnet and the VPN pool is not translated
access-list nat_inside_0 extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat_dmz_0 extended permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat_wireless_0 extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list nat_inside_0
nat (dmz) 0 access-list nat_dmz_0
nat (wireless) 0 access-list nat_wireless_0
!
! Split-tunnel list: only these networks are sent through the tunnel
access-list VPN_CLIENT_SPLIT standard permit 192.168.1.0 255.255.255.0
access-list VPN_CLIENT_SPLIT standard permit 192.168.2.0 255.255.255.0
access-list VPN_CLIENT_SPLIT standard permit 192.168.3.0 255.255.255.0
!
ip local pool VPN_CLIENT_POOL 192.168.254.1-192.168.254.254
!
group-policy VPN_RA internal
group-policy VPN_RA attributes
 split-tunnel-network-list value VPN_CLIENT_SPLIT
 split-tunnel-policy tunnelspecified
!
tunnel-group VPN_RA type remote-access
tunnel-group VPN_RA general-attributes
 default-group-policy VPN_RA
 address-pool VPN_CLIENT_POOL
This is a simple example of what you need in order to access other interfaces:
1- Add the specific network to the split ACL.
2- Add the NAT rules.
The complete configuration is here:
Configuring Remote Access VPNs
HTH.
Portu.
Please rate any helpful posts.
Message was edited by: Javier Portuguez. Jared and Eric found an error in the group-policy settings, I just added the correct entry "split-tunnel-network-list VPN_CLIENT_SPLIT".
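The two steps in the answer above (add the network to the split ACL, add the nat 0 exemption on the interface that owns it) are easy to get out of sync when more interfaces are added later, and the same nat 0 exemption is what lets inside hosts reach VPN clients untranslated, so it is worth checking both directions at once before pasting. The following is an added example, not part of the original post or a Cisco tool: a small Python checker that parses the 8.2-era syntax forms used above (interface/nameif, standard and extended access-lists, nat 0 access-list bindings, ip local pool, split-tunnel-network-list) and reports any split network without a matching exemption to the pool. The configs inside it are constructed copies of the corrected config from the post, trimmed to the lines the parser understands; the finding codes are my own names.

```python
"""Added example for this thread (not the poster's code): cross-check an ASA
8.2-style config for the two steps listed above, i.e. every network in the
split-tunnel ACL must also have a nat 0 exemption to the VPN pool on the
interface that owns it. Only the syntax forms used in the post are parsed."""
import ipaddress
import re
from collections import defaultdict

RE_IFACE = re.compile(r"^interface\s+\S+")
RE_IP = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
RE_NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")
RE_STD = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)")
RE_EXT = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
RE_NAT0 = re.compile(r"^nat\s+\((\S+)\)\s+0\s+(.*)$")
RE_POOL = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)")
RE_SPLIT = re.compile(r"^\s*split-tunnel-network-list\s+value\s+(\S+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(config):
    """Collect interfaces, ACLs, nat 0 bindings, pools and split-tunnel references."""
    cfg = {"ifaces": {}, "std": defaultdict(list), "ext": defaultdict(list),
           "nat0": {}, "bad_nat0": [], "pools": {}, "split": []}
    cur = {}  # interface block currently being read
    for line in config.splitlines():
        if RE_IFACE.match(line):
            cur = {}
        elif m := RE_IP.match(line):
            cur["net"] = net(m[1], m[2])
        elif m := RE_NAMEIF.match(line):
            cur["name"] = m[1]
        elif m := RE_STD.match(line):
            cfg["std"][m[1]].append(net(m[2], m[3]))
        elif m := RE_EXT.match(line):
            cfg["ext"][m[1]].append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := RE_NAT0.match(line):
            words = m[2].split()
            if len(words) == 2 and words[0] == "access-list":
                cfg["nat0"][m[1]] = words[1]
            else:  # e.g. "nat (x) 0 name" without the access-list keyword
                cfg["bad_nat0"].append(line.strip())
        elif m := RE_POOL.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RE_SPLIT.match(line):
            cfg["split"].append(m[1])
        if "net" in cur and "name" in cur:
            cfg["ifaces"][cur["name"]] = cur["net"]
    return cfg

def check(config):
    """Return (code, detail) findings; an empty list means the config is consistent."""
    cfg = parse_asa(config)
    findings = [("NAT0_SYNTAX", line) for line in cfg["bad_nat0"]]
    pools = list(cfg["pools"].values())
    for name in cfg["split"]:
        nets = cfg["std"].get(name) or [src for src, _ in cfg["ext"].get(name, [])]
        if not nets:  # the typo caught later in this thread lands here
            findings.append(("SPLIT_ACL_MISSING", name))
            continue
        for n in nets:
            owner = next((i for i, inet in cfg["ifaces"].items() if n.overlaps(inet)), None)
            if owner is None:
                findings.append(("NO_INTERFACE", str(n)))
                continue
            # exempt if the owning interface's nat 0 ACL covers net -> whole pool range
            exempt = any(n.subnet_of(src) and all(lo in dst and hi in dst for lo, hi in pools)
                         for src, dst in cfg["ext"].get(cfg["nat0"].get(owner), []))
            if not exempt:
                findings.append(("NO_NAT_EXEMPT", f"{n} on {owner}"))
    return findings

# Constructed sample: the corrected config from the post above, trimmed to two
# interfaces and to the lines the checker understands.
GOOD_CONFIG = """\
interface f0/0
 ip address 192.168.1.1 255.255.255.0
 nameif inside
interface f0/2
 ip address 192.168.3.1 255.255.255.0
 nameif wireless
access-list nat_inside_0 extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat_wireless_0 extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list nat_inside_0
nat (wireless) 0 access-list nat_wireless_0
access-list VPN_CLIENT_SPLIT standard permit 192.168.1.0 255.255.255.0
access-list VPN_CLIENT_SPLIT standard permit 192.168.3.0 255.255.255.0
ip local pool VPN_CLIENT_POOL 192.168.254.1-192.168.254.254
group-policy VPN_RA attributes
 split-tunnel-network-list value VPN_CLIENT_SPLIT
 split-tunnel-policy tunnelspecified
"""

# The same config with the two slips from the original post: the split list
# pointed at the pool name and one nat 0 line lacked the access-list keyword.
BAD_CONFIG = (GOOD_CONFIG
              .replace("value VPN_CLIENT_SPLIT", "value VPN_CLIENT_POOL")
              .replace("nat (wireless) 0 access-list nat_wireless_0",
                       "nat (wireless) 0 nat_wireless_0"))
```

`check(GOOD_CONFIG)` returns an empty list, while `check(BAD_CONFIG)` reports the malformed nat 0 line and the split list that names the pool instead of an ACL; deleting one `nat (x) 0` line from a good config produces a `NO_NAT_EXEMPT` finding for that interface's subnet. The check is deliberately narrow: it does not evaluate interface ACLs or `sysopt connection permit-vpn`, so a clean result means the NAT and split-tunnel halves agree, not that the policy is what you want.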
10-25-2012 10:23 AM
Looks great! Thx (looks like the split-tunnel commands were the biggest thing I had missing).
... I'll give it a shot
10-25-2012 10:36 AM
Thanks Eric!
I am sorry, I am not sure where the "Jared" name came from.
Keep me posted.
Portu.
10-25-2012 11:36 AM
No prob Portu.
...actually my name is Jared, I'm just helping Eric out with this issue. Eric looked at the response as well and was wondering about the following statements:
group-policy VPN_RA attributes
split-tunnel-network-list VPN_CLIENT_POOL
split-tunnel-policy tunnelspecified
!
Is the referenced VPN_CLIENT_POOL supposed to be VPN_CLIENT_SPLIT here? I told him I believe it is.
thx!
10-25-2012 12:22 PM
Thanks for letting me know about my error! You are correct, 5 stars!!
Please check the post again, I just updated it.
Let me know if you have any other questions.
Portu.
Please rate any helpful posts