ASA 5505 -- Multiple Subnet VPN

mtehonica
Level 5

I am trying to configure a VPN for use with the Cisco VPN Client. I currently have the VPN operational but I am having trouble allowing access to multiple subnets that are connected to the ASA. My current VPN DHCP pool is 10.0.0.0/24. I want VPN users to be able to talk to one of my other VLANs (172.16.20.0/24). This is what I can't figure out. If I change my VPN DHCP pool to something like 172.16.20.100-110 then I can talk to everything on that subnet fine. But as soon as I change the DHCP pool back to the other subnet then I can't. Any suggestions?

Here is my config:

nysyr-sbo-asa(config)# sh run
: Saved
:
ASA Version 8.4(1)
!
<REMOVED>
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description Connection to Primary ISP (FiOS)
 nameif primaryisp
 security-level 0
 ip address <removed>
!
interface Vlan3
 description Connection to Secondary ISP (Time Warner)
 nameif backupisp
 security-level 0
 ip address <removed>
!
interface Vlan5
 description Connection to internal internet access subnet (192.168.5.0/24)
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan20
 description Connection to internal management network (172.16.20.0/24)
 nameif insidemgmt
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network inside-network
 subnet 192.168.5.0 255.255.255.0
object network asp-wss-1-tw
 host 192.168.5.11
object network asp-wss-1-vz
 host 192.168.5.11
object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
access-list outside_access_in_1 remark Access list to allow outside traffic in
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq https
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq https
access-list SBOnet_VPN_Tunnel_splitTunnelAcl standard permit 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu primaryisp 1500
mtu backupisp 1500
mtu inside 1500
mtu insidemgmt 1500
ip local pool vpn-ip-pool 10.0.0.10-10.0.0.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface
!
object network asp-wss-1-tw
 nat (inside,backupisp) static <removed>
object network asp-wss-1-vz
 nat (inside,primaryisp) static <removed>
access-group outside_access_in_1 in interface primaryisp
access-group outside_access_in_1 in interface backupisp
route primaryisp 0.0.0.0 0.0.0.0 <removed> 1 track 1
route backupisp 0.0.0.0 0.0.0.0 <removed> 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 primaryisp
http 0.0.0.0 0.0.0.0 backupisp
http 0.0.0.0 0.0.0.0 insidemgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp
 threshold 3000
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
crypto map backupisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backupisp_map interface backupisp
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=<removed>
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable primaryisp
crypto ikev2 enable backupisp
crypto ikev1 enable primaryisp
crypto ikev1 enable backupisp
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 primaryisp
ssh 0.0.0.0 0.0.0.0 backupisp
ssh 0.0.0.0 0.0.0.0 insidemgmt
ssh timeout 20
console timeout 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SBOnet_VPN_Tunnel internal
group-policy SBOnet_VPN_Tunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool (primaryisp) vpn-ip-pool
 address-pool vpn-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group SBOnet_VPN_Tunnel type remote-access
tunnel-group SBOnet_VPN_Tunnel general-attributes
 address-pool vpn-ip-pool
 default-group-policy SBOnet_VPN_Tunnel
tunnel-group SBOnet_VPN_Tunnel ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7a817a8679e586dc829c06582c60811d
: end

15 Replies

If you chose to split the tunnel, please change the split-tunnel-policy line below to split-tunnel-policy "tunnelspecified".

This is your current config:

group-policy SBOnet_VPN_Tunnel internal
group-policy SBOnet_VPN_Tunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl

Otherwise, if you chose to tunnel everything from the remote users, i.e. including the remote users' web-browsing traffic, into the tunnel, then you could dynamically NAT that traffic to your outside interface (backupisp), as shown below.

object network vpn-pool-nat
 subnet 10.0.0.0 255.255.255.0
 nat (backupisp,backupisp) dynamic interface

Hope that helps
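As an added example (not part of the original post or of the reply above, and not a Cisco tool), the Python script below runs the checks this thread turns on against `show run` text: where the address pool sits relative to the ASA's directly connected subnets, whether a group policy with `split-tunnel-policy tunnelall` still names a network list it will never consult, whether a tunnelall group has `same-security-traffic permit intra-interface` and a hairpin NAT rule so client traffic can leave by the interface it arrived on, and whether `http`/`ssh` management is open to `0.0.0.0 0.0.0.0` on a security-level 0 interface. The three configs it audits are constructed excerpts: `POSTED` is the relevant lines from the config above, `SPLIT` applies the reply's tunnelspecified change, and `HAIRPIN` applies the reply's NAT alternative (its `backupisp` rule, as posted) plus the intra-interface permit, which is my assumption about what hairpinning additionally requires.

```python
# Audit a Cisco ASA "show run" for the remote-access VPN pitfalls in this thread.
# Added example, not from the post or any Cisco tool. The config strings are
# constructed excerpts: POSTED mirrors the posted config; SPLIT and HAIRPIN apply
# the two alternatives from the reply (assumptions marked in comments).
import ipaddress
import re

POSTED = """\
interface Vlan2
 nameif primaryisp
 security-level 0
interface Vlan20
 nameif insidemgmt
 ip address 172.16.20.1 255.255.255.0
access-list SBOnet_VPN_Tunnel_splitTunnelAcl standard permit 172.16.20.0 255.255.255.0
ip local pool vpn-ip-pool 10.0.0.10-10.0.0.250 mask 255.255.255.0
nat (inside,primaryisp) source dynamic any interface
http 0.0.0.0 0.0.0.0 primaryisp
ssh 0.0.0.0 0.0.0.0 primaryisp
group-policy SBOnet_VPN_Tunnel attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
"""
# Reply's first option: only the listed network is tunnelled.
SPLIT = POSTED.replace("split-tunnel-policy tunnelall", "split-tunnel-policy tunnelspecified")
# Reply's second option (its backupisp rule, as posted) plus the intra-interface permit that
# hairpinned traffic needs (assumed here); the network list, unused under tunnelall, is dropped.
HAIRPIN = POSTED.replace(" split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl\n", "") + """\
same-security-traffic permit intra-interface
object network vpn-pool-nat
 subnet 10.0.0.0 255.255.255.0
 nat (backupisp,backupisp) dynamic interface
"""

def parse(text):
    """Collect what the audit needs; sub-mode lines start with a space, as show run prints them."""
    cfg = {"ifaces": {}, "pools": {}, "gp": {}, "nat": [], "mgmt": [], "intra": False}
    block = None  # (kind, name) of the sub-mode we are inside, if any
    for line in text.splitlines():
        if not line.strip() or line[0] in "!:":
            continue
        w = line.split()
        if line[0] != " ":  # a top-level command ends any sub-mode
            block = None
            if w[0] == "interface":
                block, cfg["ifaces"][w[1]] = ("iface", w[1]), {}
            elif w[0] == "group-policy" and w[-1] == "attributes":
                block, cfg["gp"][w[1]] = ("gp", w[1]), cfg["gp"].get(w[1], {})
            elif w[:2] == ["object", "network"]:
                block = ("obj", w[2])
            elif w[:3] == ["ip", "local", "pool"]:  # ip local pool NAME FIRST-LAST mask MASK
                cfg["pools"][w[3]] = ipaddress.ip_network(f"{w[4].split('-')[0]}/{w[6]}", strict=False)
            elif w[0] == "nat":
                cfg["nat"].append(line)
            elif w[0] in ("http", "ssh") and len(w) == 4:  # http|ssh ADDR MASK IFC
                cfg["mgmt"].append(tuple(w))
            elif line.startswith("same-security-traffic permit intra-interface"):
                cfg["intra"] = True
        elif block and block[0] == "iface":
            d = cfg["ifaces"][block[1]]
            if w[0] in ("nameif", "security-level"):
                d[w[0]] = w[1]
            elif w[:2] == ["ip", "address"] and len(w) >= 4 and w[2][:1].isdigit():
                d["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif block and block[0] == "gp":
            key = {"split-tunnel-policy": "policy", "split-tunnel-network-list": "list"}.get(w[0])
            if key:
                cfg["gp"][block[1]][key] = w[-1]
        elif block and block[0] == "obj" and w[0] == "nat":  # object NAT, e.g. nat (x,x) dynamic interface
            cfg["nat"].append(line.strip())
    return cfg

def audit(text):
    """Return finding tags for the pitfalls checked; an empty list means none was found."""
    cfg, out = parse(text), []
    outside = {d["nameif"] for d in cfg["ifaces"].values() if d.get("security-level") == "0" and "nameif" in d}
    connected = [(d["nameif"], d["net"]) for d in cfg["ifaces"].values() if "net" in d and "nameif" in d]
    for name, net in cfg["pools"].items():
        on = [ifc for ifc, cn in connected if cn.overlaps(net)]
        # Off-subnet pool: internal hosts must route the pool back to the ASA.
        # On-subnet pool: the ASA answers ARP for the clients but spends LAN addresses.
        out.append(f"POOL_INSIDE_CONNECTED_SUBNET:{name}:{','.join(on)}" if on
                   else f"POOL_OFF_SUBNET_NEEDS_RETURN_ROUTE:{name}:{net}")
    # Hairpin NAT names the same interface on both sides, e.g. nat (backupisp,backupisp) ...
    hairpin = any(re.match(r"nat \((\S+),\1\)", n) for n in cfg["nat"])
    for gp, d in cfg["gp"].items():
        if d.get("policy") != "tunnelall":
            continue
        if "list" in d:  # the list is only consulted for tunnelspecified/excludespecified
            out.append(f"TUNNELALL_IGNORES_LIST:{gp}:{d['list']}")
        if not cfg["intra"]:
            out.append(f"TUNNELALL_NO_INTRA_INTERFACE:{gp}")
        if not hairpin:
            out.append(f"TUNNELALL_NO_HAIRPIN_NAT:{gp}")
    for proto, addr, mask, ifc in cfg["mgmt"]:
        if (addr, mask) == ("0.0.0.0", "0.0.0.0") and ifc in outside:
            out.append(f"MGMT_OPEN_TO_INTERNET:{proto}:{ifc}")
    return out

if __name__ == "__main__":
    for label, cfg_text in [("posted", POSTED), ("tunnelspecified", SPLIT), ("tunnelall+hairpin", HAIRPIN)]:
        print(label, *audit(cfg_text), sep="\n  ")
```

On `POSTED` it reports that the pool 10.0.0.0/24 is not on any connected subnet, so the hosts on 172.16.20.0/24 need a route back to 10.0.0.0/24 via 172.16.20.1 (consistent with the pool working only when it was carved out of 172.16.20.0/24, where the ASA can answer ARP for the clients); that the split-tunnel list is dead config under tunnelall; that hairpinning is not set up; and that HTTP and SSH management are reachable from any source on primaryisp. The two corrected variants clear the tunnelall findings; the return-route and management findings are outside the VPN settings and stay. Note that a hairpin rule only matches clients that terminate on the interface it names, so with crypto maps on both ISP interfaces each would need one.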