Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4959
Views
5
Helpful
17
Replies

Allow VPN users to access a different VLAN

Go to solution
yllw98stng
Level 1
Level 1

‎01-18-2012 10:14 AM

I have an ASA 5505.  I have configured Remote Access VPN so that users can connect to VPN and access my main VLAN (Inside).  I would like to secure it so that when a user VPN's in, they are only allowed access to the HVAC vlan (Vlan 2) as seen in my configuration.  Please note there is also a LAN-2-LAN VPN which has been configured as well.

What am I missing?

!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.0.0
!
interface Vlan2
no forward interface Vlan1
nameif HVAC
security-level 100
ip address 172.16.128.1 255.255.255.0
!
interface Vlan4
nameif outside
security-level 0
ip address 12.x.x.x 255.255.255.0
!
ftp mode passive
access-list CDEO extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255
.255.0
access-list NoNAT extended permit ip 10.102.229.0 255.255.255.0 172.16.129.0 255
.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 10.102.229.0 255
.255.255.0
access-list NoNAT extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255
.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 172.16.128.0 255
.255.255.0
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list outbound extended permit ip any any
access-list vpn standard permit 10.240.0.0 255.255.0.0
access-list vpn standard permit 10.102.229.0 255.255.255.0
access-list vpn standard permit 172.16.128.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu HVAC 1500
ip local pool shhfvpnpool 172.16.129.1-172.16.129.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outbound out interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Main esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 64.x.x.x
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN 100 ipsec-isakmp dynamic dynmap
crypto map CDEOVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy shhf internal
group-policy shhf attributes
vpn-idle-timeout 30
vpn-session-timeout 1440
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn

tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group shhf type remote-access
tunnel-group shhf general-attributes
address-pool shhfvpnpool
default-group-policy shhf
tunnel-group shhf ipsec-attributes
pre-shared-key *****
tunnel-group vpnclient type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1cbd55e987f9b41cd2ebcb320fa2e3b2
: end

Labels:
0 Helpful
17 Replies 17

Go to solution
rizwanr74
Level 7
Level 7
In response to yllw98stng

‎01-18-2012 02:05 PM

at last, please be sure to rate the helpful post.

thanks

Rizwan Rafeek

Go to solution
rizwanr74
Level 7
Level 7
In response to rizwanr74

‎01-18-2012 12:49 PM

This route to be applied on the switch, if your eth0/7 port on ASA is connected to a later3 switch.

"ip route 172.16.129.0 255.255.255.0 172.16.128.1"

So, do not worry about this route, if you cannot applied on the ASA.

So you say that, a PC is directly connected to eth0/7 on the ASA.

what is the IP address, mask and gateway address on the PC connected on eth0/7?

The packet-trace looks good to me.

0 Helpful

Go to solution
yllw98stng
Level 1
Level 1
In response to rizwanr74

‎01-18-2012 12:36 PM

I disconnected and reconnected to VPN with each change that I made.  Yes, I'm able to ping the inside interface on VLAN1 while VPN'd in.  Here is the output:

SHHF-ASA# packet-tracer input HVAC icmp 172.16.129.1 8 0 172.16.128.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.128.1    255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 448177, packet dispatched to next module

Result:
input-interface: HVAC
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

0 Helpful
Customers Also Viewed These Support Documents