cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
985
Views
10
Helpful
5
Replies

allow remote vpn clients to access other networks

gretnapd
Level 1
Level 1

Hi, I have an ASA 5520 8.2(3) and need some help with allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on seperate lower security interfaces (not the outside) besides just clients on my internal networks.  Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that).  Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)?  Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?

Thank you,

Jared Dufrene

5 Replies 5

Hi Jared,

This is a quick example:

interface f0/0

     ip address 192.168.1.0 255.255.255.0

     nameif inside

     security-level 100

!

interface f0/1

     ip address 192.168.2.0 255.255.255.0

     nameif dmz

     security-level 50

!

interface f0/2

     ip address 192.168.3.0 255.255.255.0

     nameif wireless

     security-level 30

!


access-list nat_inside_0 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list nat_dmz_0 permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list nat_wireless_0 permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0


nat (inside) 0 access-list nat_inside_0

nat (dmz) 0 access-list nat_dmz_0

nat (wireless) 0 nat_wireless_0


access-list VPN_CLIENT_SPLIT permit 192.168.1.0 255.255.255.0

access-list VPN_CLIENT_SPLIT permit 192.168.2.0 255.255.255.0

access-list VPN_CLIENT_SPLIT permit 192.168.3.0 255.255.255.0


ip local pool VPN_CLIENT_POOL 192.168.254.1-192.168.254.254


group-policy VPN_RA internal

group-policy VPN_RA attributes

     split-tunnel-network-list VPN_CLIENT_SPLIT

     split-tunnel-policy tunnelspecified

!

tunnel-group VPN_RA type remote-access

tunnel-group VPN_RA general-attributes

     default-group-policy VPN_RA

This is a simple example of what you need in order to access other interfaces:

1- Add the specific network to the split ACL.

2- Add the NAT rules.

The complete configuration is here:

Configuring Remote Access VPNs

HTH.

Portu.

Please rate any helpful posts.

Message was edited by: Javier Portuguez Jared and Eric found an error in the group-policy settings, I just added the correct entry "split-tunnel-network-list VPN_CLIENT_SPLIT "

looks great! thx (looks like the split-tunnel commands were the biggest thing i had missing). 

... I'll give it a shot

Thanks Eric!

I am sorry, am not sure where the "Jared" name came from

Keep me posted.

Portu.

No prob Portu.

...actually my name is Jared, i'm just helping Eric out with this issue.  Eric looked at the response as well and was wondering about the following statements:

group-policy VPN_RA attributes

     split-tunnel-network-list VPN_CLIENT_POOL

     split-tunnel-policy tunnelspecified

!

Is the referenced VPN_CLIENT_POOL suppose to be VPN_CLIENT_SPLIT  here?  I told him I believe it is.

thx!

Thanks for letting me know about my error! You are correct, 5 stars!!

Please check the post again, I just updated it.

Let me know if you have any other questions.

Portu.

Please rate any helpful posts