Help with ASA5505 AnyConnect behind UBNT EdgeRouter

miketranosky
Level 1

I am looking for some help getting my AnyConnect VPN (namely split-tunneling) working correctly behind my Ubiquiti EdgeRouter. Currently, my (cable) Internet connection is coming into eth0/0 of my UBNT EdgeRouter. I have some VLANs configured on my EdgeRouter being passed from there (eth0/3 on the EdgeRouter) to my HP ProCurve (eth0/1) as a trunk (PVID on eth0/1 of the ProCurve is 1). My ASA5505 is connected to ports eth0/2 and eth0/3 on the ProCurve. Port eth0/2 of the ProCurve is configured as an access port only passing my DMZ VLAN (where I plan to terminate the AnyConnect VPN connections; I call it the DMZ, but there are currently no ACLs in place to restrict access from that VLAN to others). This is connected to eth0/0 of the ASA. Then, I connect eth0/3 of the ProCurve to eth0/1 of the ASA for my "inside" interface. That port on the ProCurve is configured as a trunk passing all of the VLANs I want my VPN users to have access to, with the PVID just being my "LAN" VLAN of 10. I am port forwarding on my EdgeRouter through to my "outside" interface IP on the ASA and can get to it remotely without an issue.

I am even able to connect to my AnyConnect VPN remotely, and I see the non-secured route of 0.0.0.0 and secured routes including the DNS servers I am using for the VPN as well as the networks I am allowing through the VPN. So split-tunneling appears to be working, but I am unable to access any of the inside networks. I can, however, ping from the ASA to any of the inside hosts/networks.

I am certain I am missing something simple, but wanted to ask the experts here for a little help.  

EDIT: I have attached my sanitized config: 

To add some context to my VLANs:

5 - "DMZ"
10 - LAN for wired connections
11 - network I am using to manage the ASA
25 - lab network
125 - extension of my lab network

The only network not accounted for is the 172.20.50.0/28 network, which only resides on the ASA for the VPN users. This doesn't exist anywhere but the ASA.

Thanks everyone!

Accepted Solution

miketranosky
Level 1

Just a quick update on this: I was able to resolve this by adding a route within my Ubiquiti EdgeRouter for the IP range of my VPN pool that is local to the ASA (in this case it is 172.20.50.0/28). So within the EdgeRouter, I added a static route for 172.20.50.0/28 with next hop 172.20.5.10, which is the IP address of the DMZ interface of the ASA. Everything seems to now be working.

Thanks everyone for your help. 
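Why the static route is what fixes this, as an added example that is not part of the original thread: the EdgeRouter, not the ASA, is the gateway for the inside VLANs, so an inside host's reply to a VPN client is handed to the EdgeRouter rather than back to the ASA. Until the EdgeRouter has a route for 172.20.50.0/28 it matches only its default route and sends those replies toward the Internet. That is consistent with the symptoms above: the tunnel comes up (the forward path works), the ASA can ping inside hosts (those pings are sourced from its own connected inside interface, so the hosts answer directly), but client traffic never gets an answer. The Python below simulates the EdgeRouter's longest-prefix-match decision before and after the route is installed, and refuses a next hop that is not on a directly connected subnet, which is the first thing to check if adding the route appears to change nothing. Only the VPN pool (172.20.50.0/28) and the ASA DMZ address (172.20.5.10) come from the post; the VLAN subnets (172.20.<vlan>.0/24), the EdgeOS interface names (eth0, eth3.<vlan>) and the ISP gateway (203.0.113.1) are assumed values for illustration.

```python
"""Return-path routing for an AnyConnect pool that lives only on the ASA.

Added example for this thread, not the poster's configuration. Only the
VPN pool (172.20.50.0/28) and the ASA DMZ address (172.20.5.10) come from
the post; every other subnet, interface name and next hop is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str                        # outgoing interface
    next_hop: Optional[str] = None  # None means directly connected


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)

    def connected(self, prefix: str, via: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), via))

    def add_static(self, prefix: str, next_hop: str) -> Route:
        """Install a static route. Like a real router, refuse a next hop that
        is not on a directly connected subnet: such a route never reaches the
        forwarding table, and the symptom would look unchanged."""
        nh = ipaddress.ip_address(next_hop)
        for r in self.routes:
            if r.next_hop is None and nh in r.prefix:
                route = Route(ipaddress.ip_network(prefix), r.via, next_hop)
                self.routes.append(route)
                return route
        raise ValueError(f"next hop {next_hop} is not on a connected subnet")

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, the decision the EdgeRouter makes for every
        packet an inside host sends it as default gateway."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def edgerouter_table() -> RoutingTable:
    """The EdgeRouter as described in the thread, before the fix.
    WAN subnet, ISP gateway, VLAN subnets and interface names are assumed."""
    rt = RoutingTable()
    rt.connected("203.0.113.0/24", "eth0")                   # assumed WAN subnet
    rt.add_static("0.0.0.0/0", "203.0.113.1")                # assumed ISP gateway
    for vlan in (5, 10, 11, 25, 125):                        # VLAN IDs from the post
        rt.connected(f"172.20.{vlan}.0/24", f"eth3.{vlan}")  # assumed addressing
    return rt


def return_path(rt: RoutingTable, vpn_client: str) -> str:
    """Where the EdgeRouter forwards an inside host's reply to a VPN client."""
    r = rt.lookup(vpn_client)
    if r is None:
        return "no route"
    return f"{r.via} via {r.next_hop}" if r.next_hop else f"{r.via} (connected)"


def edgeos_commands(prefix: str, next_hop: str) -> List[str]:
    """EdgeOS CLI lines that install the same route on a real EdgeRouter."""
    return [
        "configure",
        f"set protocols static route {prefix} next-hop {next_hop}",
        "commit",
        "save",
        "exit",
    ]


if __name__ == "__main__":
    rt = edgerouter_table()
    client = "172.20.50.5"  # an address from the AnyConnect pool
    # Before: the reply matches only the default route and leaves via the WAN.
    print("before:", return_path(rt, client))
    rt.add_static("172.20.50.0/28", "172.20.5.10")
    # After: the reply goes to the ASA's DMZ-side address on VLAN 5.
    print("after: ", return_path(rt, client))
    print("\n".join(edgeos_commands("172.20.50.0/28", "172.20.5.10")))
```

Note that the route opens the return path for every VLAN the EdgeRouter serves; since the post says no ACLs yet restrict the DMZ VLAN, any filtering of what VPN users may reach has to be done on the ASA (VPN filter or interface ACL) or on the EdgeRouter itself.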
