I created a VPN connection through my ASA5505. The idea is to have some remote clients connected to a VPN server (10.1.70.100) and be able to access some workstations on the inside network.
My IP pool is 10.1.70.150 - 10.1.70.200.
I have a laptop connected to the outside network. When the VPN connection is established an IP address is assigned to it (For example 10.1.70.156).
The laptop is able to get remote access to the workstations that are on the 10.1.70.X network, but I have workstations that are sitting on different networks, and in order to talk to them I need the laptop to get assigned 10.1.70.1 as a gateway address. I can't find a way to do that in the ASA5505.
Any ideas for how to configure that?
Here is the scenario per the attached diagram:
1) VPN client connects to the VPN server on 10.1.70.0 network (vlan7) by grabbing an IP address on the same network.
2) VPN client is able to remote to any workstation that is on the 10.1.70.0 network. In this diagram it's workstation #1.
3) VPN client is not able to remote to any workstation that is on the 10.1.20.0 network (vlan 2), and that is because the VPN client is not getting the 10.1.70.1 gateway address.
4) Currently the VPN client is not getting assigned the gateway address mentioned above. Is there a way to do that in ASA?
Please confirm that you are using a Windows VPN server for your VPN clients. Right? It's not the ASA.
If your clients are connecting to the ASA from outside networks, you should use a different subnet to assign to clients. Let's say 10.1.100.0/24, and then add routes on the ASA to send 10.1.70.0/24, 10.1.20.0/24 etc. back to the layer 3 switch.
Well, first, I'm using a Cisco VPN Client.
I understand your setup and I believe it should work, but here is my challenge: I'm not supposed to touch or reprovision the network (layer 3 switches). All layer 3 switches are divided among different system VLANs.
All I'm trying to do is find a way to assign my remote client a gateway address (10.1.70.1) while it's picking the IP address from the VPN pool. If I can do that within the ASA config I'm all set. Is this possible?
Please provide the config of your ASA.
It sounds like you have split tunneling enabled; you will need to add all internal networks to an access list that is then associated with the VPN group policy.
Here is my config file:
ASA Version 8.2(1)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address 10.1.70.245 255.255.255.0
ip address dhcp setroute
switchport access vlan 2
ftp mode passive
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.70.0 255.255.255.0 10.1.70.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.1.70.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 10.1.20.224 255.255.255.224
access-list mia_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool miami 10.1.70.200-10.1.70.244 mask 255.255.255.0
ip local pool miami_pa 10.1.20.230-10.1.20.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.1.70.100
 dns-server value 10.1.70.100
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy miami_pa internal
group-policy miami_pa attributes
 dns-server value 10.1.20.100
group-policy miami internal
group-policy miami attributes
 dns-server value 10.1.70.100 10.1.70.102
 split-tunnel-network-list value miami_splitTunnelAcl
group-policy ma internal
group-policy ma attributes
 dns-server value 10.1.70.102
group-policy pa internal
group-policy pa attributes
 dns-server value 10.1.20.100
username brian_s password SBO4Bm5LoaHQ0Tv6 encrypted privilege 0
username brian_s attributes
username ferdag_e password Zlh1yEXwHGZyYtYr encrypted privilege 0
username ferdag_e attributes
username public password mBBVqiPwFUD1.bR5 encrypted privilege 0
username public attributes
username joe_p password UaFMOOCgJGKm1vtA encrypted privilege 0
username joe_p attributes
username joe_b password UaFMOOCgJGKm1vtA encrypted privilege 0
username joe_b attributes
username walid_a password 8ohmXIroBQ0Nc.CR encrypted privilege 0
username walid_a attributes
tunnel-group DefaultRAGroup general-attributes
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group miami type remote-access
tunnel-group miami general-attributes
tunnel-group miami ipsec-attributes
prompt hostname context
no asdm history enable
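Applying the split-tunnel advice from the earlier reply to this posted config, as an added example that is not from the thread: with split tunneling, the Cisco VPN Client only sends traffic into the tunnel for the networks listed in the split-tunnel ACL, so there is no gateway to assign; the posted miami_splitTunnelAcl only lists 10.1.70.0/24, which is why 10.1.20.0/24 (vlan 2) is unreachable. The address-pool and default-group-policy lines under the tunnel group are assumed, because those sub-commands are not visible in the post.

```cisco
! --- As posted: only vlan 7 is tunnelled, so 10.1.20.0/24 goes out the
! --- client's local interface and never reaches the ASA.
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0

! --- Corrected: list every internal network the clients must reach.
! --- Keep this to specific internal networks; a blanket permit would pull
! --- the client's Internet traffic into the tunnel as well.
access-list miami_splitTunnelAcl standard permit 10.1.70.0 255.255.255.0
access-list miami_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0

! The NAT exemption already covers the pool (inside_nat0_outbound permits
! ip any any), so no NAT change is needed for the added network.

! Bind the ACL to the group policy that the miami tunnel group hands out.
group-policy miami attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value miami_splitTunnelAcl

! Assumed binding (sub-commands not shown in the post): the pool stays
! inside 10.1.70.0/24, so the layer-3 switch needs no new routes and the
! client keeps getting an address from the existing miami pool.
tunnel-group miami general-attributes
 address-pool miami
 default-group-policy miami

! Verify after a client reconnects: the split list and the assigned policy.
show running-config access-list miami_splitTunnelAcl
show vpn-sessiondb remote
```

On the client side, the Cisco VPN Client's Statistics > Route Details window should now list both 10.1.70.0/24 and 10.1.20.0/24 as secured routes.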
My VPN server definitely has routes to other networks. The server (10.1.70.100) has a gateway address of 10.1.70.1, and all I want to do is assign the same gateway address to my VPN clients; otherwise the clients can't route to other networks. They are just stuck within the VPN server network.
Am I missing something here? If the VPN client is not getting assigned a gateway address, how can it access other networks?
Well, usually VPN clients receive the VPN server's IP address as a default gateway. The VPN server, on the other hand, has routes for the entire organization. What VPN server are you using?
Well, it's a Windows server used for other purposes, but since I don't have an available server dedicated just to the VPN connections, I'm using this Windows unit.