EasyVPN software client should connect to Client ASA 5505

laserbrain
Level 1

Hi Guys,

I have a question about tunneling a software EasyVPN client to a client ASA network.

It looks like this:

EasyVPN Server 192.168.202.0/24 Network extension mode to Client EasyVPN ASA 192.168.1.0/24

This works fine in both directions. But now I want to connect to the client ASA network via the EasyVPN software client from outside.

The users are already able to connect to the ASA server on its static outside IP, obtaining an IP from a 192.168.21.0/24 pool. This works fine. But how am I able to connect to the 192.168.1.0/24 network from this client?

5 Replies

Hi,

If you have the ASA tunnel established, then to be able to reach it from the software client, you should include the 192.168.1.0/24 as part of the ACL that defines the VPN traffic for this client (if using split-tunneling), and make sure it bypasses NAT (if using NAT).

So, basically including the 192.168.1.0/24 as a network you want to reach from the Software client and also, include the software client pool VPN addresses in the network that should talk to the ASA client.

Hope it helps.

Federico.

Thanks for this hint.

I've tried the following:

access-list no-nat extended permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list vpn_tunnel extended permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list vpn_tunnel extended permit ip 192.168.21.0 255.255.255.0 192.168.202.0 255.255.255.0

But I still can't connect to the client network.

The same rule that applies for the current VPN networks should apply to the client network.

You can check if the IPsec SA is being built by issuing "sh cry ipsec sa". It should show the new network.

EzVPN Server --- ASA Client (192.168.1.0/24)
      |
Software Client (192.168.21.0/24)

Your previous configuration was doing the following:

From the ASA perspective:

Encrypting traffic from 192.168.1.0/24 to the 192.168.202.0/24

From the Software client perspective:

Encrypting traffic from 192.168.21.0/24 to the 192.168.202.0/24

Now....

You should add additional rules so that:

From the ASA perspective:

It also encrypts traffic from 192.168.1.0/24 to the 192.168.21.0/24

From the Software client perspective:

It also encrypts traffic from 192.168.21.0/24 to the 192.168.1.0/24

The above is accomplished including the statements in the VPN ACL, bypassing NAT and making sure there are no routing problems.

Federico.
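A way to check an exported ASA configuration for the two-direction entries Federico describes, as an added example that is not part of this thread and not Cisco's own tooling. It parses extended "permit ip" ACL lines and reports, for the VPN ACL and the NAT-exemption ACL, which entries between the software-client pool and the 192.168.1.0/24 network are still absent; the function names and the sample config text are assumptions constructed for the example.

```python
import re

# Constructed sample in the shape of the lines posted above (not the poster's real config).
SAMPLE_CONFIG = """\
access-list no-nat extended permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_tunnel extended permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_tunnel extended permit ip 192.168.21.0 255.255.255.0 192.168.202.0 255.255.255.0
"""

# Matches only extended "permit ip <net> <mask> <net> <mask>" entries; other lines are ignored.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_acls(config):
    """Return {acl_name: {(src, src_mask, dst, dst_mask), ...}} from ASA config text."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add((src, smask, dst, dmask))
    return acls

def missing_pairs(acls, acl_name, net_a, net_b):
    """Entries the ACL still needs so net_a <-> net_b is covered in both directions.

    net_a and net_b are (network, mask) tuples; the result lists the absent
    (src, src_mask, dst, dst_mask) entries and is empty when the ACL is complete.
    """
    have = acls.get(acl_name, set())
    wanted = [net_a + net_b, net_b + net_a]
    return [entry for entry in wanted if entry not in have]

def report(config, acl_names, net_a, net_b):
    """Map each ACL name to the entries it is missing for the net_a/net_b pair."""
    acls = parse_acls(config)
    return {name: missing_pairs(acls, name, net_a, net_b) for name in acl_names}

if __name__ == "__main__":
    pool = ("192.168.21.0", "255.255.255.0")   # software-client address pool
    spoke = ("192.168.1.0", "255.255.255.0")   # network behind the EzVPN ASA client
    # Prints the reverse-direction entries the sample config lacks, in ASA syntax.
    for name, missing in report(SAMPLE_CONFIG, ["no-nat", "vpn_tunnel"], pool, spoke).items():
        for src, smask, dst, dmask in missing:
            print(f"access-list {name} extended permit ip {src} {smask} {dst} {dmask}")
```

Run against the sample it prints the 192.168.1.0 -> 192.168.21.0 entry for both ACLs, which is exactly the "ASA perspective" rule above that the posted lines do not contain.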

Thanks a lot for this explanation. But I still don't get it.

What is missing in this config? I have NAT excluded between the networks, but I still can't access the network.

May I post the config file?

Hi again,

thanks a lot for these lines again:

Now....

You should add additional rules so that:

From the ASA perspective:

It also encrypts traffic from 192.168.1.0/24 to the 192.168.21.0/24

From the Software client perspective:

It also encrypts traffic from 192.168.21.0/24 to the 192.168.1.0/24

But I'm not sure how to handle this, because these seem to be the lines I wrote above.

So what do I need to do? I don't get this problem solved... What do you mean by encrypting the traffic?