01-25-2010 10:08 AM
I've got an ASA 5505 firewall with the security add-on for VPN support. Up until recently VPN has been working, but we made some changes to the subnet masks on the network and now we have lost some VPN functionality. All the devices used to be on individual networks with masks set to 255.255.255.0, and each network had a connection to the firewall, which required all internal traffic to route through the firewall. To fix this we changed the subnet masks to 255.255.0.0 and removed all but one connection to the firewall.
Here’s the setup: we have a DSL line that connects to a DSL modem which then connects to the external interface of the ASA. We then have an internal connection which connects to a Netgear switch. The Internal connection is configured as 192.168.65.1/255.255.0.0 and all the devices on the switch are on the 192.168.65.0 subnet. This switch has a trunk connection that runs to another Netgear switch. The second Netgear switch supports devices on the 192.168.66.0 network. Internal PCs on the first switch with a .65.x address can talk to devices on the second switch with no problem.
When a user VPNs in he receives a 192.168.69.0/255.255.0.0 address which is issued via an ASA address pool. Once connected the user can see and communicate with any device on the 65.x network but cannot talk to anything on the 66.x network. I have tried everything I can think of including setting up split tunneling but nothing works.
Does anyone have an idea of what the problem might be and how I can fix it?
Thanks in advance,
Greg
01-25-2010 12:36 PM
Do you have a NAT exempt statement for the 192.168.66.0/24 subnet to your VPN subnet?
01-25-2010 12:43 PM
Make sure that the traffic is included in the nonat and crypto traffic access lists; also try configuring split tunnel if possible.
Below is a sample config for it.
Step 1 - Create a standard access list allowing the LAN network which you want to access.
access-list Split_Tunnel_List standard permit <lan_network> <mask>
Step 2 - Specify the split tunnel in the group policy.
group-policy <policy_name> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
Step 3 - Define the pool and exclude the VPN traffic from NAT.
ip local pool <pool_name> <start_ip>-<end_ip> mask <mask>
nat (inside) 0 access-list nonat_access_list_name
access-list nonat_access_list_name extended permit ip <lan_network> <mask> <vpn_network> <mask>
01-25-2010 01:47 PM
Thanks for the replies.
Kenny - No I haven't tried NAT exemption. I'm not too familiar with it but will give it a shot tomorrow.
Aarti - Yes, I have tried Split Tunneling with every combination of addresses I can think of from 192.168.0.0/16 to each individual subnet followed by /16 to 192.168.64.0/21 and nothing has made any difference.
One thing I did forget to mention is that the second switch is connected to a PIX firewall, which the 66 subnet uses to send outgoing traffic. The way it works is that the PIX is 192.168.66.1 and the default gateway for all traffic leaving the 66 subnet, but the connected switches are being used to allow internal communications between the two subnets without having the traffic pass through the firewall. I hope I'm not confusing anyone, but this is kind of how it looks:
   DSL Modem              DSL Modem
       |                      |
 ASA 5505 (65.1)          PIX (66.1)
       |                      |
 Netgear Switch <----> Netgear Switch
The ASA is the default gateway for the 65 subnet and the PIX is the default gateway for the 66 subnet but since they have a /16 mask the 65 and 66 subnets can communicate internally via the switches. This setup works great on the inside, it's just when we VPN that it doesn't. The funny thing is if I VPN in and then remote desktop to a machine on the 65 subnet I can then communicate with devices on the 66 subnet with no problem.
01-26-2010 06:17 AM
If you are using ASDM 6.2(3):
Configuration -> Firewall -> NAT Rules -> on the inside interface, "Add NAT Exempt Rule". Interface = inside, source = internal network (192.168.0.0/16), destination = VPN subnet (192.168.69.0/24).
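The two answers above boil down to the same check: for every inside subnet the VPN clients must reach, the subnet-to-pool traffic has to be matched by the `nat (inside) 0` access list (so the ASA does not translate it) and the subnet has to be in the split-tunnel list (so the client sends it into the tunnel). The script below is an added example, not code from the thread or from Cisco: it parses a constructed, pre-8.3-style ASA config modelled on the setup described here (the names `VPN_POOL`, `nonat`, `VPN_GP` and the pool range are assumptions) and reports which inside subnets are covered before and after the NAT-exempt rule from the ASDM answer is added. It understands only the `ip local pool`, standard `permit`, extended `permit ip`, `nat ... 0 access-list` and `split-tunnel-network-list value` lines used in this thread.

```python
"""Check NAT-exempt and split-tunnel coverage in a small ASA 8.2-style config.

Added example for the thread, not a Cisco tool. Only the line forms used in the
thread are parsed; 'any', 'host' and object-groups are deliberately not handled.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed config mirroring the state before the fix: split tunnel already
# pushes 192.168.0.0/16, but the nonat ACL only covers the 65.x subnet.
CONFIG_BEFORE = """\
ip local pool VPN_POOL 192.168.69.10-192.168.69.50 mask 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.65.0 255.255.255.0 192.168.69.0 255.255.255.0
nat (inside) 0 access-list nonat
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

# Same config plus the NAT-exempt rule from the accepted answer
# (inside 192.168.0.0/16 -> VPN subnet 192.168.69.0/24).
CONFIG_AFTER = CONFIG_BEFORE + (
    "access-list nonat extended permit ip 192.168.0.0 255.255.0.0 "
    "192.168.69.0 255.255.255.0\n"
)


def _net(addr: str, mask: str) -> Net:
    """Build a network from ASA 'address netmask' notation (host bits tolerated)."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text: str) -> dict:
    """Extract pools, ACLs, the nat-0 ACL name and the split-tunnel ACL name."""
    cfg = {"pools": [], "std_acls": {}, "ext_acls": {}, "nonat_acl": None, "split_acl": None}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            # The pool is a range; summarize it into CIDR blocks for subnet checks.
            first, last = t[4].split("-")
            cfg["pools"].extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
        elif t[0] == "access-list" and len(t) >= 6 and t[2:4] == ["standard", "permit"]:
            cfg["std_acls"].setdefault(t[1], []).append(_net(t[4], t[5]))
        elif t[0] == "access-list" and len(t) >= 9 and t[2:5] == ["extended", "permit", "ip"]:
            src, dst = _net(t[5], t[6]), _net(t[7], t[8])
            cfg["ext_acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nonat_acl"] = t[4]
        elif t[0] == "split-tunnel-network-list" and len(t) >= 3 and t[1] == "value":
            cfg["split_acl"] = t[2]
    return cfg


def check_coverage(cfg: dict, inside_subnets: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each inside subnet: is subnet->pool traffic NAT-exempt, and is the
    subnet in the split-tunnel list pushed to clients?"""
    nonat: List[Tuple[Net, Net]] = cfg["ext_acls"].get(cfg["nonat_acl"], [])
    split: List[Net] = cfg["std_acls"].get(cfg["split_acl"], [])
    result = {}
    for s in inside_subnets:
        inside = ipaddress.IPv4Network(s)
        # Every block of the pool must be matched by some ACE whose source
        # covers the inside subnet; an empty pool can never be covered.
        exempt = bool(cfg["pools"]) and all(
            any(inside.subnet_of(src) and block.subnet_of(dst) for src, dst in nonat)
            for block in cfg["pools"]
        )
        tunneled = any(inside.subnet_of(n) for n in split)
        result[s] = {"nat_exempt": exempt, "split_tunnel": tunneled}
    return result


if __name__ == "__main__":
    subnets = ["192.168.65.0/24", "192.168.66.0/24"]
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for subnet, flags in check_coverage(parse_config(text), subnets).items():
            print(f"{label:6} {subnet:18} {flags}")
```

Run against the "before" config the 66.x subnet shows `nat_exempt: False` while split tunnel is already fine, which matches the symptom in the thread (split-tunnel changes made no difference; the exempt rule did). The same check is worth repeating whenever a new inside subnet is added behind the ASA.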
01-26-2010 01:00 PM
Thanks a million!
I just implemented the NAT exempt rule and it fixed the problem.
01-26-2010 01:12 PM
Glad that helped. Be sure to rate the answer and mark the thread as answered.
01-27-2010 02:12 PM
I hope someone can help. I have the following setup:
       DSL
      /   \
 ASA 5510   Router
    |         |
   pc1       pc2
Computers that have the ASA as their gateway can easily be reached by remote computers connecting through the VPN client, while those that go out through the other router cannot be reached.
I added a static route on the router sending all the traffic destined for the remote computers out via the ASA, but it has not worked.
All the machines are on the same network segment.
Thank you