12-13-2017 08:50 AM - edited 03-12-2019 04:49 AM
I am looking for some help getting my AnyConnect VPN (namely split-tunneling) working correctly behind my Ubiquiti EdgeRouter. Currently, my (cable) Internet connection is coming into eth0/0 of my UBNT EdgeRouter. I have some VLANs configured on my EdgeRouter being passed from there (eth0/3 on the EdgeRouter) to my HP ProCurve (eth0/1) as a trunk (pvid on eth0/1 of the ProCurve is 1). My ASA5505 is connected to ports eth0/2 and eth0/3 on the ProCurve. Port eth0/2 of the ProCurve is configured as an access port only passing my DMZ VLAN (where I plan to terminate the AnyConnect VPN connections; I call it the DMZ, but there are currently no ACLs in place to restrict access from that VLAN to others). This is connected to eth0/0 of the ASA. Then, I connect eth0/3 of the ProCurve to eth0/1 of the ASA for my "inside" interface. That port on the ProCurve is configured as a trunk passing all of the VLANs I want my VPN users to have access to, with the pvid just being my "LAN" VLAN of 10. I am port forwarding through my EdgeRouter to my "outside" interface IP on the ASA and can get to it remotely without an issue.
I am even able to connect to my AnyConnect VPN remotely, and I see the non-secured route of 0.0.0.0 and secured routes including the DNS servers I am using for the VPN as well as the networks I am allowing through the VPN. So split-tunneling appears to be working, but I am unable to access any of the inside networks. I can, however, ping from the ASA to any of the inside hosts/networks.
I am certain I am missing something simple, but wanted to ask the experts here for a little help.
EDIT: I have attached my sanitized config:
To add some context to my VLANs:
5 - "DMZ"
10 - lan for wired connections
11 - network I am using to manage the ASA
25 - lab network
125 - extension of my lab network
The only network not accounted for is the 172.20.50.0/28 network, which only resides on the ASA for the VPN users. This doesn't exist anywhere but the ASA.
Thanks everyone!
12-15-2017 05:30 AM
Just a quick update on this; I was able to resolve this by adding a route within my Ubiquiti EdgeRouter for the IP range of my VPN pool that is local to the ASA (in this case 172.20.50.0/28). So within the EdgeRouter, I did a static route from 172.20.50.0/28 > next hop: 172.20.5.10, which is the IP address of the DMZ interface of the ASA. Everything seems to now be working.
Thanks everyone for your help.
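To show why the missing return route broke split-tunnel access, here is an added example (not from the thread or from Ubiquiti/Cisco): a longest-prefix-match lookup over a constructed EdgeRouter routing table, before and after the static route for the VPN pool. Only 172.20.50.0/28 and the ASA DMZ address 172.20.5.10 come from the thread; the VLAN subnets, the ISP gateway and the interface names are assumptions.

```python
import ipaddress

# Constructed EdgeRouter table BEFORE the fix. The VPN pool exists only on the
# ASA, so an inside host's reply to a VPN client (forwarded to its default
# gateway, the EdgeRouter) matches nothing but the default route and leaves
# toward the ISP instead of going back to the ASA. Subnets, the ISP gateway
# and interface names are assumptions, not values from the thread.
ROUTES_BEFORE = [
    ("0.0.0.0/0",      "203.0.113.1", "eth0"),     # default route to ISP (assumed)
    ("172.20.5.0/24",  "connected",   "eth3.5"),   # DMZ VLAN 5 (assumed subnet)
    ("172.20.10.0/24", "connected",   "eth3.10"),  # LAN VLAN 10 (assumed subnet)
]

# The static route the poster added. In EdgeOS this is roughly:
#   set protocols static route 172.20.50.0/28 next-hop 172.20.5.10
#   commit ; save
ROUTES_AFTER = ROUTES_BEFORE + [("172.20.50.0/28", "172.20.5.10", "eth3.5")]


def lookup(table, dst):
    """Return (next_hop, interface) of the most specific prefix covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return (best[1], best[2]) if best else None


def reply_path(table, vpn_client):
    """Classify where the router sends a reply destined for a VPN client.

    'asa' means the packet re-enters the ASA via the DMZ VLAN and can be
    delivered over the tunnel; 'isp' means it is lost toward the Internet.
    """
    hop = lookup(table, vpn_client)
    if hop is None:
        return "unroutable"
    return "isp" if hop[1] == "eth0" else "asa"


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, lookup(table, "172.20.50.5"), reply_path(table, "172.20.50.5"))
```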