05-23-2011 09:08 AM
Hi,
I created a VPN connection through my ASA5505. The idea is to have some remote clients connected to a VPN server (10.1.70.100) and be able to access some workstations on the inside network.
My IP pool is 10.1.70.150 - 10.1.70.200.
I have a laptop connected to the outside network. When the VPN connection is established an IP address is assigned to it (for example 10.1.70.156).
The laptop is able to get remote access to the workstations that are on the 10.1.70.X network, but I have workstations that are sitting on different networks, and in order to talk to them I need the laptop to get assigned 10.1.70.1 as a gateway address. I can't find a way to do that in the ASA5505.
Any ideas for how to configure that?
Thank You
05-26-2011 11:04 AM
Hi,
Please post the network diagram. Did you mean you have other networks behind the firewall?
Toshi
05-27-2011 05:44 PM
Here is the scenario per the attached diagram:
1) VPN client connects to the VPN server on 10.1.70.0 network (vlan7) by grabbing an IP address on the same network.
2) VPN client is able to remote to any workstation that is on 10.1.70.0 network. In this diagram it's workstation #1
3) VPN client is not able to remote to any workstation that is on 10.1.20.0 network (vlan 2) and that is because the VPN client is not getting the 10.1.70.1 gateway address.
4) Currently the VPN client is not getting assigned the gateway address mentioned above. Is there a way to do that in ASA?
05-27-2011 09:59 PM
Hi,
Please confirm that you are using a Windows VPN server for your VPN clients. Right? It's not the ASA.
If your clients are connecting to the ASA from outside networks, you should use a different subnet to assign to clients. Let's say 10.1.100.0/24, and then add routes on the ASA to send 10.1.70.0/24, 10.1.20.0/24, etc. back to the layer 3 switch.
HTH,
Toshi
05-31-2011 03:46 PM
Well first I'm using a Cisco VPN Client.
I understand your setup and I believe it should work, but here is my challenge: I'm not supposed to touch or reprovision the network (layer 3 switches). All layer 3 switches are divided among different system VLANs.
All I'm trying to do is find a way to assign my remote client a gateway address (10.1.70.1) while it's picking the IP address from the VPN pool. If I can do that within the ASA config I'm all set. Is this possible?
06-06-2011 09:53 AM
Please provide the config of your ASA.
It sounds like you have split tunnel enabled; you will need to add all internal networks to an access list that is then associated with the VPN group policy.
06-14-2011 05:42 PM
Here is my config file:
-------------------------------
ASA Version 8.2(1)
!
hostname ASAVPN
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.70.245 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.70.0 255.255.255.0 10.1.70.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.1.70.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 10.1.20.224 255.255.255.224
access-list mia_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool miami 10.1.70.200-10.1.70.244 mask 255.255.255.0
ip local pool miami_pa 10.1.20.230-10.1.20.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.1.70.100
 dns-server value 10.1.70.100
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy miami_pa internal
group-policy miami_pa attributes
 dns-server value 10.1.20.100
 vpn-tunnel-protocol svc
group-policy miami internal
group-policy miami attributes
 dns-server value 10.1.70.100 10.1.70.102
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value miami_splitTunnelAcl
group-policy ma internal
group-policy ma attributes
 dns-server value 10.1.70.102
 vpn-tunnel-protocol svc
group-policy pa internal
group-policy pa attributes
 dns-server value 10.1.20.100
 vpn-tunnel-protocol IPSec
username brian_s password SBO4Bm5LoaHQ0Tv6 encrypted privilege 0
username brian_s attributes
 vpn-group-policy miami
username ferdag_e password Zlh1yEXwHGZyYtYr encrypted privilege 0
username ferdag_e attributes
 vpn-group-policy miami
username public password mBBVqiPwFUD1.bR5 encrypted privilege 0
username public attributes
 vpn-group-policy miami
username joe_p password UaFMOOCgJGKm1vtA encrypted privilege 0
username joe_p attributes
 vpn-group-policy miami
username joe_b password UaFMOOCgJGKm1vtA encrypted privilege 0
username joe_b attributes
 vpn-group-policy miami
username walid_a password 8ohmXIroBQ0Nc.CR encrypted privilege 0
username walid_a attributes
 vpn-group-policy miami
tunnel-group DefaultRAGroup general-attributes
 address-pool miami
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group miami type remote-access
tunnel-group miami general-attributes
 address-pool miami
 default-group-policy miami
tunnel-group miami ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:071732cd22ac1da861179b3ad61f6e6a
: end
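Putting the two earlier replies together (the split-tunnel ACL has to permit every internal network, and the client pool should not be carved out of the inside subnet), here is an added Python check against the config posted above. It is not from the thread or from Cisco: it parses the posted lines, reports both problems for the "miami" tunnel-group, and prints the ASA commands it would propose. The 10.1.100.0/24 pool is the example subnet Toshi suggested, 10.1.70.1 is the gateway the poster named, and the parser, its TOPLEVEL keyword list and the "<tunnel-group>_pool" name are this example's own assumptions.

```python
"""Lint the ASA 8.2(1) config posted above for a split-tunnel ACL without
10.1.20.0/24 and a client pool inside the inside interface's own subnet."""
import ipaddress
import re
# Trimmed copy of the config posted in this thread (only the lines the checks use).
CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.1.70.245 255.255.255.0
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
ip local pool miami 10.1.70.200-10.1.70.244 mask 255.255.255.0
group-policy miami attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value miami_splitTunnelAcl
tunnel-group miami general-attributes
 address-pool miami
 default-group-policy miami
"""
# Networks the original poster wants reachable through the tunnel.
INTERNAL_NETWORKS = [ipaddress.IPv4Network("10.1.70.0/24"), ipaddress.IPv4Network("10.1.20.0/24")]

# Blocks whose sub-commands matter; any other top-level command closes the open block,
# so the parser also copes with the thread's copy, which lost ASA's one-space indent.
SECTION = re.compile(r"^(interface \S+|group-policy \S+ attributes|tunnel-group \S+ general-attributes)$")
TOPLEVEL = ("!", "access-list ", "ip local pool ", "group-policy ", "tunnel-group ", "interface ",
            "username ", "crypto ", "nat ", "global ", "route ", "http ", "telnet ", "ssh ", "timeout ",
            "logging ", "mtu ", "webvpn", "dhcp", "threat-detection ", "prompt ", "Cryptochecksum", ": end")


def parse_config(text):
    """Collect named interfaces, standard ACLs, pools, group-policy and tunnel-group attributes."""
    cfg = {"interfaces": {}, "acls": {}, "pools": {}, "policies": {}, "tunnel_groups": {}}
    section, iface = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            section = line
            continue
        if line.startswith(TOPLEVEL):
            section = None
            if m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
                cfg["acls"].setdefault(m[1], []).append(ipaddress.IPv4Network(f"{m[2]}/{m[3]}"))
            elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
                cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]), m[4])
            continue
        words = line.split()
        if section is None or len(words) < 2:
            continue
        kind, name = section.split()[:2]
        if kind == "interface":
            if words[0] == "nameif":
                iface.setdefault(name, {})["nameif"] = words[1]
            elif words[:2] == ["ip", "address"] and words[2] != "dhcp":  # DHCP-addressed interfaces are skipped
                iface.setdefault(name, {})["addr"] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
        elif kind == "group-policy":
            cfg["policies"].setdefault(name, {})[words[0]] = words[-1]  # e.g. split-tunnel-network-list -> ACL name
        else:
            cfg["tunnel_groups"].setdefault(name, {})[words[0]] = words[1]
    for entry in iface.values():
        if "nameif" in entry and "addr" in entry:
            cfg["interfaces"][entry["nameif"]] = entry["addr"]
    return cfg


def lint(cfg, tunnel_group, internal_networks):
    """Internal networks the split-tunnel ACL omits (their traffic never enters the
    tunnel) and a pool that overlaps a directly connected interface subnet."""
    findings = []
    tg = cfg["tunnel_groups"][tunnel_group]
    pol = cfg["policies"].get(tg["default-group-policy"], {})
    acl = pol.get("split-tunnel-network-list")
    if pol.get("split-tunnel-policy") == "tunnelspecified":
        permitted = cfg["acls"].get(acl, [])
        for net in internal_networks:
            if not any(net.subnet_of(p) for p in permitted):
                findings.append(f"split-tunnel ACL {acl} omits {net}")
    start, end, _ = cfg["pools"][tg["address-pool"]]
    for nameif, addr in cfg["interfaces"].items():
        if start in addr.network or end in addr.network:
            findings.append(f"pool {tg['address-pool']} overlaps {nameif} subnet {addr.network}")
    return findings


def suggested_fix(cfg, tunnel_group, internal_networks, new_pool="10.1.100.0/24", inside_gateway="10.1.70.1"):
    """ASA commands this example proposes; new_pool (Toshi's example subnet) and
    inside_gateway (the layer 3 switch the poster named) are assumptions."""
    tg = cfg["tunnel_groups"][tunnel_group]
    acl = cfg["policies"][tg["default-group-policy"]]["split-tunnel-network-list"]
    permitted, inside = cfg["acls"].get(acl, []), cfg["interfaces"]["inside"].network
    pool = ipaddress.IPv4Network(new_pool)
    cmds = [f"access-list {acl} standard permit {n.network_address} {n.netmask}"
            for n in internal_networks if not any(n.subnet_of(p) for p in permitted)]
    cmds += [f"route inside {n.network_address} {n.netmask} {inside_gateway} 1"
             for n in internal_networks if not n.subnet_of(inside)]
    cmds += [f"ip local pool {tunnel_group}_pool {pool[1]}-{pool[-2]} mask {pool.netmask}",
             f"tunnel-group {tunnel_group} general-attributes", f" address-pool {tunnel_group}_pool"]
    return cmds


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("\n".join("FINDING: " + f for f in lint(cfg, "miami", INTERNAL_NETWORKS)))
    print("\n".join(suggested_fix(cfg, "miami", INTERNAL_NETWORKS)))
```

One thing the proposed commands cannot do from the ASA side: once clients get addresses from 10.1.100.0/24, the layer 3 switch at 10.1.70.1 also needs a route for that subnet pointing back at the ASA inside address 10.1.70.245, which is exactly the switch change the poster says he is not allowed to make.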
06-11-2011 09:29 AM
Where does your VPN terminate? ASA or VPN server? If it is the ASA, check for routes to 10.1.20.0.
06-14-2011 05:42 PM
It does terminate at the VPN Server (10.1.70.100).
06-15-2011 01:15 AM
Make sure your VPN server has routes to other networks.
06-16-2011 04:24 PM
My VPN server definitely has routes to other networks. The server (10.1.70.100) has a gateway address of 10.1.70.1, and all I want to do is assign the same gateway address to my VPN clients; otherwise the clients can't route to other networks. They are just stuck within the VPN server network.
Am I missing something here? If the VPN client is not getting assigned a gateway address, how can it access other networks?
06-17-2011 08:11 AM
Well, usually VPN clients receive the VPN server's IP address as a default gateway. The VPN server, on the other hand, has routes for the entire organization. What VPN server are you using?
06-20-2011 04:40 AM
Well, it's a Windows server used for other purposes, but since I don't have an available server dedicated to the VPN connections, I'm using this Windows unit.