valides007
Beginner

ASA5505 VPN Client Gateway IP Address

Hi,

I created a VPN connection through my ASA5505. The idea is to have some remote clients connected to a VPN server (10.1.70.100) and be able to access some workstations on the inside network.

My IP pool is 10.1.70.150 - 10.1.70.200.

I have a laptop connected to the outside network. When the VPN connection is established an IP address is assigned to it (For example 10.1.70.156).

The laptop is able to get remote access to the workstations that are on the 10.1.70.X network, but I have workstations that are sitting on different networks, and in order to talk to them I need the laptop to get assigned 10.1.70.1 as a gateway address. I can't find a way to do that in the ASA5505.

Any ideas for how to configure that?

Thank You

12 REPLIES

Hi,

Please post the network diagram. Did you mean you have other networks behind the firewall?

Toshi

Here is the scenario per the attached diagram:

1) VPN client connects to the VPN server on 10.1.70.0 network (vlan7) by grabbing an IP address on the same network.

2) VPN client is able to remote to any workstation that is on 10.1.70.0 network. In this diagram it's workstation #1

3) VPN client is not able to remote to any workstation that is on 10.1.20.0 network (vlan 2) and that is because the VPN client is not getting the 10.1.70.1 gateway address.

4) Currently the VPN client is not getting assigned the gateway address mentioned above. Is there a way to do that in ASA?

Hi,

Please confirm that you are using a Windows VPN server for your VPN clients. Right? It's not the ASA.

If your clients are connecting to the ASA from outside networks, you should use a different subnet to assign to clients. Let's say 10.1.100.0/24, and then add routes on the ASA to send 10.1.70.0/24, 10.1.20.0/24 etc. back to the layer 3 switch.

HTH,

Toshi

Well first I'm using a Cisco VPN Client.

I understand your setup and I believe it should work, but here is my challenge: I'm not supposed to touch or reprovision the network (layer 3 switches). All layer 3 switches are divided among different system VLANs.

All I'm trying to do is find a way to assign my remote client a gateway address (10.1.70.1) while it's picking the IP address from the VPN pool. If I can do that within the ASA config I'm all set. Is this possible?

Please provide the config of your ASA.

It sounds like you have split tunnel enabled, you will need to add all internal networks to an access list that is then associated with the vpn group policy.

Here is my config file:

-------------------------------

ASA Version 8.2(1)
!
hostname ASAVPN
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.70.245 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.70.0 255.255.255.0 10.1.70.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.1.70.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 10.1.20.224 255.255.255.224
access-list mia_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool miami 10.1.70.200-10.1.70.244 mask 255.255.255.0
ip local pool miami_pa 10.1.20.230-10.1.20.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.1.70.100
 dns-server value 10.1.70.100
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy miami_pa internal
group-policy miami_pa attributes
 dns-server value 10.1.20.100
 vpn-tunnel-protocol svc
group-policy miami internal
group-policy miami attributes
 dns-server value 10.1.70.100 10.1.70.102
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value miami_splitTunnelAcl
group-policy ma internal
group-policy ma attributes
 dns-server value 10.1.70.102
 vpn-tunnel-protocol svc
group-policy pa internal
group-policy pa attributes
 dns-server value 10.1.20.100
 vpn-tunnel-protocol IPSec
username brian_s password SBO4Bm5LoaHQ0Tv6 encrypted privilege 0
username brian_s attributes
 vpn-group-policy miami
username ferdag_e password Zlh1yEXwHGZyYtYr encrypted privilege 0
username ferdag_e attributes
 vpn-group-policy miami
username public password mBBVqiPwFUD1.bR5 encrypted privilege 0
username public attributes
 vpn-group-policy miami
username joe_p password UaFMOOCgJGKm1vtA encrypted privilege 0
username joe_p attributes
 vpn-group-policy miami
username joe_b password UaFMOOCgJGKm1vtA encrypted privilege 0
username joe_b attributes
 vpn-group-policy miami
username walid_a password 8ohmXIroBQ0Nc.CR encrypted privilege 0
username walid_a attributes
 vpn-group-policy miami
tunnel-group DefaultRAGroup general-attributes
 address-pool miami
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group miami type remote-access
tunnel-group miami general-attributes
 address-pool miami
 default-group-policy miami
tunnel-group miami ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:071732cd22ac1da861179b3ad61f6e6a
: end
no asdm history enable
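The two configuration points raised in the replies (Toshi's: give the clients a subnet that is separate from the inside network and route it back; the later reply: every internal network has to be in the split-tunnel ACL bound to the group policy) can be checked mechanically against a pasted running-config. The Python below is an added example, not code from this thread or from Cisco. It assumes the ASA 8.2 syntax exactly as posted (indentation stripped), reads only the `interface`, `access-list ... standard`, `ip local pool`, `group-policy ... attributes` and `tunnel-group ... general-attributes` statements, and takes 10.1.70.0/24 and 10.1.20.0/24 from the thread as the subnets the clients must reach. `REMEDIATED_CONFIG` is constructed here by applying the replies' advice to the posted excerpt; nobody in the thread posted it.

```python
import ipaddress

# Constructed excerpt of the ASA 8.2(1) running-config posted in this thread:
# only the lines the checks read, with the thread's own names and addresses.
POSTED_CONFIG = """
interface Vlan1
nameif inside
security-level 100
ip address 10.1.70.245 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
ip local pool miami 10.1.70.200-10.1.70.244 mask 255.255.255.0
group-policy miami internal
group-policy miami attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value miami_splitTunnelAcl
tunnel-group miami type remote-access
tunnel-group miami general-attributes
address-pool miami
default-group-policy miami
"""

# Same excerpt with the replies' advice applied (constructed, not from the
# thread): a dedicated client subnet (Toshi's 10.1.100.0/24) and vlan 2's
# subnet added to the split-tunnel ACL.
REMEDIATED_CONFIG = (
    POSTED_CONFIG.replace(
        "ip local pool miami 10.1.70.200-10.1.70.244 mask 255.255.255.0",
        "ip local pool miami 10.1.100.1-10.1.100.254 mask 255.255.255.0")
    + "access-list miami_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0\n"
)

# Internal subnets the clients must reach (vlan7 and vlan 2 in the thread).
REQUIRED_NETS = [ipaddress.IPv4Network("10.1.70.0/24"),
                 ipaddress.IPv4Network("10.1.20.0/24")]

# Keywords that begin a new top-level statement and therefore close whatever
# interface / group-policy / tunnel-group block we were inside. Needed only
# because the pasted config lost the one-space indentation the ASA prints.
TOP_LEVEL = {"interface", "access-list", "group-policy", "tunnel-group",
             "username", "crypto", "hostname", "nat", "global", "timeout",
             "webvpn", "http", "telnet", "ssh", "logging", "mtu", "pager"}


def parse_asa(config):
    """Extract interfaces, standard ACLs, pools, group-policies, tunnel-groups."""
    cfg = {"ifaces": {}, "acls": {}, "pools": {}, "policies": {}, "groups": {}}
    ctx = None  # dict of the block the current line belongs to, if any
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0] == "!":
            continue
        kw = tokens[0]
        if kw in TOP_LEVEL:
            ctx = None
        if kw == "access-list" and tokens[2:4] == ["standard", "permit"]:
            net = ipaddress.IPv4Network(f"{tokens[4]}/{tokens[5]}", strict=False)
            cfg["acls"].setdefault(tokens[1], []).append(net)
        elif tokens[:3] == ["ip", "local", "pool"]:
            ctx = None
            first, last = tokens[4].split("-")
            cfg["pools"][tokens[3]] = (ipaddress.IPv4Address(first),
                                      ipaddress.IPv4Address(last))
        elif kw == "interface":
            ctx = cfg["ifaces"].setdefault(tokens[1], {})
        elif kw == "group-policy" and tokens[-1] == "attributes":
            ctx = cfg["policies"].setdefault(tokens[1], {})
        elif kw == "tunnel-group" and tokens[-1] == "general-attributes":
            ctx = cfg["groups"].setdefault(tokens[1], {})
        elif ctx is not None:
            if tokens[:2] == ["ip", "address"] and tokens[2] != "dhcp":
                ctx["ip"] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[3]}")
            elif kw == "split-tunnel-network-list":
                ctx["split-acl"] = tokens[-1]
            elif kw in ("nameif", "split-tunnel-policy", "address-pool",
                        "default-group-policy"):
                ctx[kw] = tokens[1]
    return cfg


def check_remote_access(config, required_nets=REQUIRED_NETS):
    """Return {tunnel_group: [findings]} for every remote-access tunnel-group.

    ("pool-overlap", pool, nameif, subnet): the address pool lies inside a
        firewall interface subnet (the posted pool is carved out of 'inside').
    ("split-tunnel-missing", acl, subnet): a required internal subnet is not
        covered by the split-tunnel ACL the group policy references.
    """
    cfg = parse_asa(config)
    report = {}
    for name, grp in cfg["groups"].items():
        findings = []
        pool = cfg["pools"].get(grp.get("address-pool"))
        if pool:
            for iface in cfg["ifaces"].values():
                net = iface["ip"].network if "ip" in iface else None
                if net is not None and (pool[0] in net or pool[1] in net):
                    findings.append(("pool-overlap", grp["address-pool"],
                                     iface.get("nameif"), str(net)))
        policy = cfg["policies"].get(grp.get("default-group-policy"), {})
        if policy.get("split-tunnel-policy") == "tunnelspecified":
            acl = policy.get("split-acl")
            covered = cfg["acls"].get(acl, [])
            for req in required_nets:
                if not any(req.subnet_of(c) for c in covered):
                    findings.append(("split-tunnel-missing", acl, str(req)))
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG),
                        ("remediated", REMEDIATED_CONFIG)):
        print(label, check_remote_access(text))
```

Run against the posted excerpt it reports, for tunnel-group `miami`, that pool `miami` sits inside the `inside` interface's 10.1.70.0/24 and that 10.1.20.0/24 is absent from `miami_splitTunnelAcl`; against the remediated excerpt it reports nothing. The block context heuristic (`TOP_LEVEL`) is only there to cope with the lost indentation; on a config taken straight from `show running-config` the leading space already marks sub-commands.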

Where does your VPN terminate? ASA or VPN server? If it is the ASA, check for routes to 10.1.20.0.

It does terminate at the VPN Server (10.1.70.100).

Make sure your VPN server has routes to other networks

My VPN server definitely has routes to other networks. The server (10.1.70.100) has a gateway address of 10.1.70.1, and all I want to do is assign the same gateway address to my VPN clients; otherwise the clients can't route to other networks. They are just stuck within the VPN server network.

Am I missing something here? If the VPN client is not getting assigned a gateway address, how can it access other networks?

Well, usually VPN clients receive the VPN server's IP address as a default gateway. The VPN server, on the other hand, has routes for the entire organization. What VPN server are you using?

Well, it's a Windows server used for other purposes, but since I don't have an available server dedicated just to the VPN connections, I'm using this Windows unit.