Exchange of routing table between ASA and VPN client

fabricekash
Level 1

I am configuring a VPN client and I would like an exchange of the routing table between the ASA 5505 (8.2) and the VPN clients. VPN clients can communicate with devices in one subnet (the inside interface of the ASA) but they cannot communicate with other subnets. Can this be achieved using the crypto map command?

9 Replies

Marvin Rhoads
Hall of Fame

We do this under the group-policy attributes by referencing an access-list:

access-list <access-list name> standard permit <network 1> <netmask>
access-list <access-list name> standard permit <network 2> <netmask>
<etc.>
group-policy <GroupPolicy_name> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <access-list name>

Thank you Marvin for your quick response.

I have these commands under my group-policy attributes.

It works with VPN connections initiated with Cisco AnyConnect (SSL), but it doesn't seem to work for L2TP/IPsec.

We use the group-policy attribute for both SSL VPN and IPsec VPN. See this Cisco doc confirming the latter.

It may be that your IPsec VPN clients are using a different group-policy.

I might be missing something: the VPN connection is being established (Microsoft VPN client) but the computer receives only the VPN subnet in its routing table. Other routes are not being exchanged. I am not running into the same issue with the Cisco AnyConnect client. Once I establish the VPN connection with Cisco AnyConnect, I receive all the routes of the remote site (specified in the split-tunnel ACL) on my computer (route print).

Below are a few lines of config; I might be missing something (please have a look and let me know).

access-list l2tp_to_Inside standard permit 192.168.4.0 255.255.255.0 
access-list l2tp_to_Inside standard permit 10.1.240.0 255.255.240.0 
access-list l2tp_to_Inside standard permit 192.168.5.0 255.255.255.0 
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac 
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 1 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy MS_policy internal
group-policy MS_policy attributes
 dns-server value 67.69.184.199 67.69.184.7
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value l2tp_to_Inside
 default-domain none
 address-pools value IPSecpool
!
username test password uPlsq/lmc/dzTf9gX9S8kA== nt-encrypted
username test  attributes
 vpn-group-policy MS_policy
 vpn-tunnel-protocol l2tp-ipsec 
!
tunnel-group DefaultRAGroup general-attributes
 address-pool IPSecpool
 default-group-policy MS_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
!

Any thoughts?

Thanks

Fabrice
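As an added example (not code from the thread, from Cisco, or from any poster), a small Python script that reads the split-tunnel part of the config above and reports which networks from the ACL a client's routing table is missing, i.e. the comparison Fabrice does by hand with route print. The VPN pool 10.1.250.0/24 and both client route tables are constructed placeholders, not values from the thread.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread, trimmed to the
# lines that decide which routes a split-tunnel client should receive.
ASA_CONFIG = """\
access-list l2tp_to_Inside standard permit 192.168.4.0 255.255.255.0
access-list l2tp_to_Inside standard permit 10.1.240.0 255.255.240.0
access-list l2tp_to_Inside standard permit 192.168.5.0 255.255.255.0
group-policy MS_policy internal
group-policy MS_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value l2tp_to_Inside
"""

def split_tunnel_networks(config, policy):
    """Networks a client of group-policy `policy` should receive as routes;
    [] unless the policy is 'tunnelspecified' with a network list."""
    lines = config.splitlines()
    acl_name, tunnel_policy, in_block = None, None, False
    for line in lines:
        if not line.startswith(" "):  # top-level line: entering the block?
            parts = line.split()
            in_block = parts[:1] == ["group-policy"] and parts[1:] == [policy, "attributes"]
            continue
        if not in_block:
            continue
        m = re.match(r"\s+split-tunnel-policy (\S+)", line)
        if m:
            tunnel_policy = m.group(1)
        m = re.match(r"\s+split-tunnel-network-list value (\S+)", line)
        if m:
            acl_name = m.group(1)
    if tunnel_policy != "tunnelspecified" or acl_name is None:
        return []
    ace = re.compile(rf"access-list {re.escape(acl_name)} standard permit (\S+) (\S+)$")
    # ASA writes a dotted netmask; ip_network() accepts "addr/dotted-mask".
    return [ipaddress.ip_network(f"{m[1]}/{m[2]}")
            for m in map(ace.match, lines) if m]

def missing_routes(expected, client_routes):
    """Expected networks with no covering route in the client's table; a route
    covering only part of a network (a /24 inside the ACL's /20) does not count."""
    have = [ipaddress.ip_network(r) for r in client_routes]
    return [n for n in expected if not any(n.subnet_of(h) for h in have)]

# Constructed 'route print' results matching the thread: the native Windows L2TP
# client learned only the pool (placeholder 10.1.250.0/24); AnyConnect got all.
WINDOWS_L2TP_ROUTES = ["10.1.250.0/24"]
ANYCONNECT_ROUTES = ["10.1.250.0/24", "192.168.4.0/24", "10.1.240.0/20", "192.168.5.0/24"]
```

Running `missing_routes(split_tunnel_networks(ASA_CONFIG, "MS_policy"), WINDOWS_L2TP_ROUTES)` lists all three ACL networks, which is the symptom described above; with the AnyConnect table it returns an empty list.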

Hi Marvin.

Based on what I have read on other forums, it seems like "push internal routes using" split tunnel is not supported over L2TP/IPsec. Many people have run into the same issue and I couldn't find anyone who has sorted it out.

Any thoughts?

Thanks,

Fabrice

It's supported for IPsec with the Cisco IPsec VPN client. I've configured and used it that way many times.

The native Windows client may not support that though.

Thanks this made my day...

rizwanr74
Level 7

When you say VPN client, do you mean they are remote-access VPN clients?

If it is a site-to-site tunnel, yes: you include those needed subnets in the crypto-map ACL (local subnet and remote subnet), you include them for NAT exemption and, last but not least, be sure to put in place a static route on the ASA to push the traffic (i.e. remote subnets) towards the ASA's default-gateway address.

If your VPN client is a remote-access client (people remoting in), then you would need to create a NAT exemption for those needed inside subnets that the VPN client wants to access.

 

You have split tunnel configured?


Hi.

With an SSL VPN connection (Cisco AnyConnect) I have no issue: the VPN client receives the internal routes of the remote site with the split-tunnel configuration. The issue is with VPN connections established by L2TP/IPsec. Based on what I have read on other forums, it seems like "push internal routes using" split tunnel is not supported over L2TP/IPsec. Many people have run into the same issue and I couldn't find anyone who has sorted it out.

Any thoughts?

Thanks,

Fabrice