ASA 5505 - Remote access VPN to access different internal networks

joelgooding (Level 1)

Hello all,

A customer has an ASA 5505 with a remote access VPN. They are moving their internal network to a new scheme and would like users who come in on the VPN to access both the existing and new networks. Currently they can only access the existing one. When users connect to the remote access VPN, the ASA gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x.

Below is the config:

:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 200.190.1.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx 255.255.255.0
!
banner exec UNAUTHORIZED ACCESS IS STRICLY PROHIBITED
banner login UNAUTHORIZED ACCESS IS STRICLY PROHIBITED
banner asdm UNAUTHORIZED ACCESS IS STRICLY PROHIBITED
ftp mode passive
access-list inside_access_in extended permit ip 200.190.1.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit ip 192.168.199.0 255.255.255.192 host 10.120.110.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_IPSEC_VPN_Pool 192.168.199.10-192.168.199.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 200.190.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.213.43.1 1
route inside 10.120.110.0 255.255.255.0 200.190.1.50 1
route inside 192.168.50.0 255.255.255.0 200.190.1.56 1
route inside 192.168.60.0 255.255.255.0 200.190.1.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 10443
http server idle-timeout 5
http server session-timeout 30
http 200.190.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    (omitted)
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 200.190.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy MD_SSL_Gp_Pol internal
group-policy MD_SSL_Gp_Pol attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
  port-forward disable
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy MD_IPSEC_Tun_Gp internal
group-policy MD_IPSEC_Tun_Gp attributes
 banner value Welcome to Remote VPN
 vpn-simultaneous-logins 1
 vpn-idle-timeout 5
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MD_IPSEC_Tun_Gp_splitTunnelAcl
 address-pools value Remote_IPSEC_VPN_Pool
 webvpn
  url-list value RDP
username (omitted) attributes
 vpn-group-policy MD_IPSEC_Tun_Gp
 service-type remote-access
tunnel-group MD_SSL_Profile type remote-access
tunnel-group MD_SSL_Profile general-attributes
 default-group-policy MD_SSL_Gp_Pol
tunnel-group MD_IPSEC_Tun_Gp type remote-access
tunnel-group MD_IPSEC_Tun_Gp general-attributes
 address-pool Remote_IPSEC_VPN_Pool
 default-group-policy MD_IPSEC_Tun_Gp
tunnel-group MD_IPSEC_Tun_Gp ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
: end

Joel _______________________________ Please rate helpful posts and answered questions!
Accepted Solution

Jennifer Halim (Cisco Employee)

The following split tunnel ACL and NAT exemption ACL are incorrect:

access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0

access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192

It should have been:

access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192

Then "clear xlate" and reconnect with the VPN Client.

Hope that helps.

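The reason the fix works is a matter of ACL semantics: in an ASA access-list, `host 10.120.110.0` matches exactly one address, 10.120.110.0, while `10.120.110.0 255.255.255.0` matches the whole /24. Because the same entry feeds both the split-tunnel list (which tells the VPN client which destinations to send into the tunnel) and the nat0 exemption (which keeps the server-to-client reply untranslated), every host in 10.120.110.x except .0 failed both checks. The script below is an added example, not code from the thread or from Cisco; it is a simplified Python model of ASA standard/extended ACL matching (first match wins, implicit deny, `ip` protocol only) that parses the original and corrected ACL lines quoted above, both embedded as constructed sample text, and reports whether a given VPN-client-to-server flow would be tunnelled and NAT-exempted. The address values are the ones from the posted config; the client address 192.168.199.10 is the first address of the posted pool. (The same `host 10.120.110.0` form also appears in `outside_access_in`, but on this config that line is not what blocks the traffic: the ASA default `sysopt connection permit-vpn` lets decrypted VPN traffic bypass the outside interface ACL.)

```python
import ipaddress

# Constructed sample: the two ACL pairs exactly as quoted in the accepted answer.
ORIGINAL_ACLS = """
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
"""

CORRECTED_ACLS = """
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_address(tokens, i):
    """Consume one ASA address spec at tokens[i] and return (network, next_index).
    Handles the three forms used in the thread: 'any', 'host A', and 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        # 'host' is a single /32: this is the crux of the original misconfiguration.
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A MASK' uses a dotted subnet mask, which ip_network accepts after a slash.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Parse 'access-list NAME standard|extended permit|deny ...' lines into
    {name: [(action, src_net, dst_net), ...]}. Simplified model (assumption):
    only standard entries and extended 'ip' entries are handled."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, kind, action = tokens[1], tokens[2], tokens[3]
        if kind == "standard":
            net, _ = _take_address(tokens, 4)
            entry = (action, net, ANY)
        elif kind == "extended" and tokens[4] == "ip":
            src, i = _take_address(tokens, 5)
            dst, _ = _take_address(tokens, i)
            entry = (action, src, dst)
        else:
            continue
        acls.setdefault(name, []).append(entry)
    return acls


def matches(acl, src, dst=None):
    """ASA first-match semantics with an implicit deny at the end."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst) if dst else None
    for action, src_net, dst_net in acl:
        if src in src_net and (dst is None or dst in dst_net):
            return action == "permit"
    return False


def vpn_flow_covered(acls, client_ip, server_ip):
    """Evaluate the two checks that decide whether a VPN client can reach an
    internal server: the split-tunnel list is matched on the server network
    (the destination the client should tunnel), and the nat0 list is matched
    on the inside->outside reply (server as source, client as destination)."""
    split = matches(acls["MD_IPSEC_Tun_Gp_splitTunnelAcl"], server_ip)
    nat0 = matches(acls["inside_nat0_outbound"], server_ip, client_ip)
    return {"split_tunnel": split, "nat_exempt": nat0}


if __name__ == "__main__":
    client = "192.168.199.10"  # first address of Remote_IPSEC_VPN_Pool
    for label, text in (("original", ORIGINAL_ACLS), ("corrected", CORRECTED_ACLS)):
        acls = parse_acls(text)
        for server in ("200.190.1.50", "10.120.110.0", "10.120.110.25"):
            print(label, server, vpn_flow_covered(acls, client, server))
```

Running it shows the asymmetry the answer describes: with the original lines only 10.120.110.0 itself passes both checks, while any other host in the new network (10.120.110.25 here) fails both; with the corrected /24 entries every host in the network passes, and the old 200.190.1.x network is unaffected either way. The "clear xlate" step in the answer matters because existing translation entries built under the old nat0 list would otherwise keep matching until they age out.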

2 Replies

That did it! Thank you.

Joel _______________________________ Please rate helpful posts and answered questions!