How to enable routing to a subnet in ASA 5510

Dear,

 

We are using a Cisco ASA 5510 and we provide VPN access to external users through Cisco AnyConnect. When users get connected they can access only one subnet. How can we enable a route to another subnet in the CLI or ASDM?

 

Thanks & Regards,

 


Jouni Forss

Hi,

 

This might have nothing to do with actual routing but your VPN configurations.

 

At the moment you have not provided enough information for us to give you a specific answer. It would be best if you could describe what kind of network you have between the LAN subnets and the VPN device. Do, for example, all the LAN subnets have a route towards the VPN device for the VPN Pool used?

 

There are 2 main things to look at when you have a VPN Client connection and connections to some subnets are not working.

  • Are you using Full Tunnel or Split Tunnel? You can check this from the "group-policy" configuration used for the VPN connection. You can use the command "show run group-policy" to check this on the CLI, or you can use the ASDM to find the Group Policy used and check what its Split Tunnel settings are. If you are using Split Tunnel VPN then you will have to configure all the internal subnets in the Split Tunnel ACL for the VPN Client to tunnel traffic to them. If you are using Full Tunnel VPN then you won't have to add subnets to any ACL.
  • Have you configured NAT0 for all the internal subnets you want to access through the VPN Client connection? Even if the above-mentioned Split Tunnel configuration includes all the required subnets (or you are using Full Tunnel) you might be missing a NAT0 configuration for some of the internal subnets, which blocks connectivity. Make sure you have the correct NAT configurations.

 

Then there are some more uncommon settings that might cause problems. If you for example are using a VPN Filter ACL you need to allow the traffic in that ACL. Or if you are using the global setting "no sysopt connection permit-vpn" it will mean that you have to allow required traffic in the ACL of the interface to which the user connects with the VPN Client.

 

So as I said, we need more information to help you or perhaps the above points might help you find the problem in the configurations.

 

Hope this helps :)

 

- Jouni

 

Hi Jouni,

Our LAN subnets: 172.16.0.0/23 & 10.1.12.0/24

Please find the attached config.

Let me know the changes to be made to reach the network 10.1.12.0/24 through Cisco AnyConnect.

Right now only 172.16.0.0/23 subnet is reachable from outside.

Thanks & Regards,

 

 

Hi,

 

Seems to me that you at least don't have a NAT0 configuration for the traffic between this LAN subnet and the VPN Pool.

 

This is your current NAT0 configuration ACL:

access-list nonat extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 host 10.212.61.32 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.192 255.255.255.192 
access-list nonat extended permit ip 172.16.0.0 255.255.254.0 10.1.12.0 255.255.255.0 
access-list nonat extended permit ip 10.1.12.0 255.255.255.0 10.1.12.0 255.255.255.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.12.0 255.255.255.0 

 

Your VPN Pool seems to be 172.16.240.0/24, so you would need to add the following ACL line:

access-list nonat extended permit ip 10.1.12.0 255.255.255.0 172.16.240.0 255.255.255.0 

 

Hope this helps :)

 

- Jouni

 
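As an added example (not from the thread, and not Cisco tooling), the check Jouni did by hand, written as a small script: it parses the "nonat" ACL quoted above and reports which LAN subnets lack a NAT0 entry towards the VPN pool. It assumes only the "permit ip SRC DST" form of the ASA ACE, with addresses given as "NET MASK", "host A.B.C.D" or "any"; the pool 172.16.240.0/24 is taken from Jouni's reading of the posted config.

```python
import ipaddress

# Constructed sample: the NAT0 ACL exactly as posted in the thread.
NONAT_ACL = """
access-list nonat extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 host 10.212.61.32
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.192 255.255.255.192
access-list nonat extended permit ip 172.16.0.0 255.255.254.0 10.1.12.0 255.255.255.0
access-list nonat extended permit ip 10.1.12.0 255.255.255.0 10.1.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.12.0 255.255.255.0
"""

# The line Jouni suggested adding (also from the thread).
FIX_LINE = "access-list nonat extended permit ip 10.1.12.0 255.255.255.0 172.16.240.0 255.255.255.0\n"


def _parse_addr(tokens):
    """Consume one ASA address spec ('any', 'host A.B.C.D' or 'NET MASK');
    return (network, remaining tokens). Only these three forms are handled (assumption)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_nonat(text, name="nonat"):
    """Return (src_net, dst_net) pairs from 'access-list <name> extended permit ip ...' lines."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue  # blank lines and ACEs of other ACLs are ignored
        src, rest = _parse_addr(tokens[5:])
        dst, _ = _parse_addr(rest)
        pairs.append((src, dst))
    return pairs


def nat0_covers(pairs, lan, pool):
    """True if some ACE exempts traffic from the whole LAN subnet to the whole VPN pool."""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    return any(lan.subnet_of(src) and pool.subnet_of(dst) for src, dst in pairs)


def missing_exemptions(pairs, lan_subnets, pool):
    """LAN subnets with no NAT0 entry towards the pool: VPN clients will not reach them."""
    return [lan for lan in lan_subnets if not nat0_covers(pairs, lan, pool)]


if __name__ == "__main__":
    lans, pool = ["172.16.0.0/23", "10.1.12.0/24"], "172.16.240.0/24"
    print("missing before fix:", missing_exemptions(parse_nonat(NONAT_ACL), lans, pool))
    print("missing after fix: ", missing_exemptions(parse_nonat(NONAT_ACL + FIX_LINE), lans, pool))
```

The 172.16.0.0/16-to-172.16.0.0/16 entry is why 172.16.0.0/23 already works: the pool falls inside that destination, while nothing exempts 10.1.12.0/24 towards it until the suggested line is added.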

Thanks Jouni, it works...
