Anyconnect Vlan access

Todd Willoughby
Level 1

I have an ASA 5505 that we set up a VPN connection on recently. Everything on our internal VLAN (120) works fine when using the VPN, although VPN clients cannot access the Voice VLAN (200). I have added the voice network to the ACL list and mapped it to the AnyConnect connection profile. Still a no go. Any ideas? Config below:

!
interface Vlan2
 nameif outside
 security-level 0
 ip address  255.255.255.252
!
banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
banner motd Don't access this router without proper authorization.
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
 domain-name valleyview.local
object network obj-10.193.5.248
 subnet 10.193.5.248 255.255.255.248
object network obj-10.193.5.0
 subnet 10.193.5.0 255.255.255.0
object network obj-10.193.5.230
 host 10.193.5.230
object network obj-10.193.5.230-02
 host 10.193.5.230
object network obj-10.193.5.230-03
 host 10.193.5.230
object network obj-10.193.5.77
 host 10.193.5.77
object network obj-10.193.5.77-01
 host 10.193.5.77
object network obj-10.193.5.230-04
 host 10.193.5.230
object network obj-10.193.5.230-05
 host 10.193.5.230
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Exchange
 host 10.193.5.230
object network VPN_NETWORK
 subnet 192.168.22.0 255.255.255.248
object network Voice_Network
 subnet 10.200.1.0 255.255.255.0
 description Voice Network
object network VPN_CLIENTS
 subnet 192.168.22.0 255.255.255.248
object network NETWORK_OBJ_192.168.22.0_29
 subnet 192.168.22.0 255.255.255.248
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object object Voice_Network
access-list inside_out extended permit ip host 10.193.5.230 any4
access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
access-list inside_out extended permit ip object Voice_Network any
access-list inside_out extended permit ip object VPN_CLIENTS any inactive
access-list extended extended permit gre any4 host 173.163.35.105
access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
access-list DefaultRAGroup_splitTunnelAcl standard permit any4
access-list VPN_splitTunnelAcl standard permit any4
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive

 

11 Replies

nate fitzgerald
Level 1

You need the route inside command, so whatever is doing your routing, let's say you have a router or layer 3 switch on the same subnet as the ASA (10.193.5.0), and let's say the IP address of that switch/router is 10.193.5.2, then you would need to add the command "route inside 10.200.1.0 255.255.255.0 10.193.5.2". Also, for security purposes you should never post the outside IP of your firewall on these threads or anywhere in general; either make them x.x.x.x or something made up like 1.1.2.2.

Also, in your split tunnel config under your group-policy for VPN you should have an ACL that matches the split-tunnel; that ACL should look something like access-list VPN_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248.

I am not sure if that is the correct ACL as you have 2 referenced for VPN. Also, you will want to make sure you do not NAT traffic from the voice subnet 10.200.1.0 to the VPN subnet 192.168.22.0.

Let me know if that makes sense.

Thanks

Fitz, thanks for the reply.

I do have a few questions though. The route inside command, are you saying that needs to be placed on my layer 3 switch attached to the ASA? From the switches you can ping across VLANs as they are routed interfaces on the layer 3 switch. The traffic just gets dropped when trying to ping the 10.200.X.X VLAN from the VPN client.

No, you want to place the route inside command on the ASA, because the ASA has no knowledge of that subnet, so you need to tell it how to get to that subnet with the route inside command. Whatever switch is the gateway for the 10.200.1.0 network should be the IP you point the route inside command to, so it should look something like "route inside 10.200.1.0 255.255.255.0 10.193.5.2" <--- 10.193.5.2 is just an example; you would use whatever IP address is on the switch that does the routing for the network.

That should allow access from the VPN pool to the 10.200.1.0 network.

I went ahead and issued the route inside 10.200.1.0 255.255.255.0 10.193.5.1 command on the ASA and I am still unable to ping that VLAN from the VPN.

EDIT

From the ASA I am able to ping the 10.200.1.0 subnet, just not from the VPN.

Ok, get a show running-config of the ASA and send it to me or post it here; you can leave out the IP address of the outside interface and any passwords for security purposes. I can review it; you might need to modify your access-list for split-tunnel traffic.

Thanks

As requested

Result of the command: "sh run"

: Saved
:
ASA Version 9.1(4) 
!
hostname vvnrt0
domain-name valleyview.local
enable password  encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd Hex3HvOKW72M49oO encrypted
names
ip local pool VPNIPPool 10.193.5.251-10.193.5.254 mask 255.255.255.0
ip local pool VPN_IP_Pool 192.168.22.1-192.168.22.6 mask 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.193.5.193 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address  255.255.255.252 
!
banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
banner motd Don't access this router without proper authorization.
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
 domain-name valleyview.local
object network obj-10.193.5.248
 subnet 10.193.5.248 255.255.255.248
object network obj-10.193.5.0
 subnet 10.193.5.0 255.255.255.0
object network obj-10.193.5.230
 host 10.193.5.230
object network obj-10.193.5.230-02
 host 10.193.5.230
object network obj-10.193.5.230-03
 host 10.193.5.230
object network obj-10.193.5.77
 host 10.193.5.77
object network obj-10.193.5.77-01
 host 10.193.5.77
object network obj-10.193.5.230-04
 host 10.193.5.230
object network obj-10.193.5.230-05
 host 10.193.5.230
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Exchange
 host 10.193.5.230
object network VPN_NETWORK
 subnet 192.168.22.0 255.255.255.248
object network Voice_Network
 subnet 10.200.1.0 255.255.255.0
 description Voice Network
object network VPN_CLIENTS
 subnet 192.168.22.0 255.255.255.248
object network NETWORK_OBJ_192.168.22.0_29
 subnet 192.168.22.0 255.255.255.248
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object object Voice_Network
access-list inside_out extended permit ip host 10.193.5.230 any4 
access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging 
access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4 
access-list inside_out extended permit ip object Voice_Network any 
access-list inside_out extended permit ip object VPN_CLIENTS any inactive 
access-list extended extended permit gre any4 host 173.163.35.105 
access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive 
access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248 
access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248 
access-list DefaultRAGroup_splitTunnelAcl standard permit any4 
access-list VPN_splitTunnelAcl standard permit any4 
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0 
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive 
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq https inactive 
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 987 inactive 
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 4125 inactive 
access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 8081 inactive 
access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 1099 inactive 
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq smtp inactive 
access-list outside_in extended permit ip any object Voice_Network 
access-list outside_in extended permit ip object VPN_CLIENTS 10.200.1.0 255.255.255.0 inactive 
access-list All_VPN_Access extended permit ip object NETWORK_OBJ_192.168.22.0_29 object Voice_Network 
access-list All_VPN_Access extended permit ip any object Voice_Network 
access-list All_VPN_Access extended permit ip any any 
access-list global_access extended permit ip object Voice_Network any 
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static any any destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.193.5.0 obj-10.193.5.0 destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
!
object network obj-10.193.5.230-02
 nat (inside,outside) static interface service tcp 4125 4125 
object network obj-10.193.5.230-03
 nat (inside,outside) static interface service tcp 987 987 
object network obj-10.193.5.77
 nat (inside,outside) static interface service tcp 1099 1099 
object network obj-10.193.5.77-01
 nat (inside,outside) static interface service tcp 8081 8081 
object network obj-10.193.5.230-04
 nat (inside,outside) static interface service tcp smtp smtp 
object network obj-10.193.5.230-05
 nat (inside,outside) static interface service tcp pptp pptp 
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 173.163.35.106 1 
route inside 10.200.1.0 255.255.255.0 10.193.5.1 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNUGRP protocol ldap
aaa-server VPNUGRP (outside) host 10.193.5.230
 timeout 5
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 10.193.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.193.5.0 255.255.255.0 inside
telnet timeout 30
ssh 10.193.5.0 255.255.255.0 inside
ssh  255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 75.75.75.75 75.75.76.76
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.193.5.230
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vvn-vpn_splitTunnelAcl
 default-domain value valleyview.local
 address-pools value VPN_IP_Pool
group-policy DfltGrpPolicy attributes
 dns-server value 10.193.5.230
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vvn-vpn_splitTunnelAcl
 address-pools value VPN_IP_Pool
group-policy GroupPolicy_Valley_View_VPN internal
group-policy GroupPolicy_Valley_View_VPN attributes
 wins-server none
 dns-server value 10.193.5.230 75.75.75.75
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value valleyview.local
 split-dns value valleyview.local
 address-pools value VPN_IP_Pool
username bcleary password  encrypted privilege 15
username bcleary attributes
 vpn-group-policy DfltGrpPolicy
username test password  encrypted
username morefieldcomm password encrypted
username Vendor password  encrypted privilege 0
username Vendor attributes
 vpn-group-policy DfltGrpPolicy
username swthomas password  encrypted
username compugen password  encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNIPPool
 default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group Valley_View_VPN type remote-access
tunnel-group Valley_View_VPN general-attributes
 address-pool VPN_IP_Pool
 default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group Valley_View_VPN webvpn-attributes
 group-alias Valley_View_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
smtp-server 10.193.5.230
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:
: end

Try adding the following 2 commands to the ASA, disconnect from the VPN and try again:

nat (inside,outside) source static Voice_Network Voice_Network destination static  VPN_NETWORK  VPN_NETWORK
!
!
!
access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248

Didn't work, looks like a syntax issue maybe:

vvnrt0(config)# nat (inside,outside) source Voice_Network Voice_Network destin$

nat (inside,outside) source Voice_Network Voice_Network destination static VPN_N
                            ^ETWORK VPN_NETWORK

ERROR: % Invalid input detected at '^' marker.
vvnrt0(config)# nat (inside,outside) source 10.200.1.0 255.255.255.0 10.200.1.$

nat (inside,outside) source 10.200.1.0 255.255.255.0 10.200.1.0 255.255.255.0 de
                            ^stination static VPN_NETWORK VPN_NETWORK

ERROR: % Invalid input detected at '^' marker.
vvnrt0(config)# access
vvnrt0(config)# access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1$
ERROR: Cannot mix different types of access lists
ERROR: <vvn-vpn_splitTunnelAcl> cannot be created

Ok, for the vvn-vpn_splitTunnelAcl access-list you need to remove the standard access-list you are already using and add the entries back in as an extended access-list.

no access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
!
access-list vvn-vpn_splitTunnelAcl extended permit ip 10.193.5.0 255.255.255.0 192.168.22.0 255.255.255.248
!
access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248
!

The command I posted above has the word static at the beginning; it does not look like you copied the complete command into yours.

nat (inside,outside) source static Voice_Network Voice_Network destination static VPN_NETWORK VPN_NETWORK

Try that again and let me know.

Thanks
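The three things raised in this thread (a route inside for the voice subnet, a NAT exemption between the voice and VPN networks, and a split-tunnel ACL entry that actually covers the voice subnet) can be checked mechanically against a running config before anyone starts pinging. The Python below is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt modelled on the config posted above, and the function names are its own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running config posted in this thread,
# trimmed to the lines that decide whether VPN clients can reach the voice VLAN.
SAMPLE_CONFIG = """\
object network Voice_Network
 subnet 10.200.1.0 255.255.255.0
object network VPN_NETWORK
 subnet 192.168.22.0 255.255.255.248
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
nat (inside,outside) source static Voice_Network Voice_Network destination static VPN_NETWORK VPN_NETWORK
route inside 10.200.1.0 255.255.255.0 10.193.5.1 1
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vvn-vpn_splitTunnelAcl
"""

# The extended entry from the accepted answer, appended to the excerpt for the "after" check.
FIX_LINE = ("access-list vvn-vpn_splitTunnelAcl extended permit ip "
            "10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248\n")

def parse_objects(cfg):
    """Map each 'object network NAME' to its subnet or host as an ip_network."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current] = ipaddress.ip_network(m.group(1))
    return objects

def split_tunnel_networks(cfg, acl):
    """Networks the split-tunnel ACL sends into the tunnel: a standard entry names one
    network, and an extended entry's source network is the one pushed to the client."""
    pat = rf"access-list {re.escape(acl)} (?:standard permit|extended permit ip) (\S+) (\S+)"
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in re.findall(pat, cfg)]

def check_vpn_reachability(cfg, target_obj):
    """Run the three checks raised in the thread against one internal network object."""
    target = parse_objects(cfg)[target_obj]
    acls = re.findall(r"split-tunnel-network-list value (\S+)", cfg)
    tunneled = [n for acl in acls for n in split_tunnel_networks(cfg, acl)]
    routes = [ipaddress.ip_network(f"{a}/{m}")
              for a, m in re.findall(r"route \S+ (\S+) (\S+) \S+", cfg)]
    obj = re.escape(target_obj)
    # Identity (twice) NAT: target stays target, VPN pool stays VPN pool, so nothing is translated.
    nat_exempt = re.search(rf"nat \(\S+,\S+\) source static {obj} {obj} "
                           r"destination static (\S+) \1", cfg) is not None
    return {"in_split_tunnel": any(target.subnet_of(n) for n in tunneled),
            "has_route": any(target.subnet_of(n) for n in routes),
            "nat_exempt": nat_exempt}

if __name__ == "__main__":
    print("before:", check_vpn_reachability(SAMPLE_CONFIG, "Voice_Network"))
    print("after: ", check_vpn_reachability(SAMPLE_CONFIG + FIX_LINE, "Voice_Network"))
```

On the excerpt the "before" run reports the route and NAT exemption present but in_split_tunnel False, which is exactly the state the thread was stuck in until the extended ACL entry was added.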

 

 


Fitz, you the man!!! Adding the 10.200.1.0/24 network to the vvn-vpn_splitTunnelAcl ACL seemed to fix the issue!!

Thanks for all your help.

Ok great! Glad it's working, take care!
