cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
691
Views
0
Helpful
5
Replies

multiple networks access through remote vpn

M09041985
Level 1
Level 1

Hi guys!

I have remote vpn configured on my ASA 8.6.1 and it works fine but i want to access to multiple networks which are situated behind inside interface of ASA.

Vlan 3(192.168.3.0/24) <=Cat 3750=>  Inside int ASA (192.168.10.0/24) == Outside interface <== remote vpn access==> VPN CLient (network 192.168.100.0/24)

I tried to add new nat rule, but it doesnt works.

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 192.168.10.252 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 93.174.55.182 255.255.255.252

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.40 255.255.255.0

management-only

!

ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

object network LAN

subnet 192.168.10.0 255.255.255.0

object network VPN-POOL

subnet 192.168.100.0 255.255.255.0

object network MGMT

subnet 192.168.2.0 255.255.255.0

access-list split_tunnel remark LAN_VLAN_10

access-list split_tunnel standard permit 192.168.10.0 255.255.255.0

access-list split_tunnel remark MGMT_LAN

access-list split_tunnel standard permit 192.168.2.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (inside,outside) source static MGMT MGMT destination static VPN-POOL VPN-POOL

5 Replies 5

The new network has to be included also in your Split-Tiunnel-ACL:

access-list split_tunnel remark VLAN3

access-list split_tunnel standard permit 192.168.3.0 255.255.255.0

And NAT-Excemption has to be extended for this network:

object network VLAN3

  subnet 192.168.3.0 255.255.255.0

nat (inside,outside) source static VLAN3 VLAN3 destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup description NAT-Excempt for VPN

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

It doesnt work

"It doesn't work" is not really a problem-description ... ;-)

What's your actual config and how did you test it?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

asa-msk-azlk-01# show configuration

: Saved

: Written by admin at 04:35:45.119 UTC Tue Nov 5 2013

!

ASA Version 8.6(1)2

!

hostname

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 192.168.10.252 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface GigabitEthernet0/2

description DMZ

nameif dmz

security-level 50

ip address 192.168.20.252 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

description FAILOVER

shutdown

nameif failover

security-level 100

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.40 255.255.255.0

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network inside-subnet

subnet 192.168.10.0 255.255.255.0

object network dmz-subnet

subnet 192.168.20.0 255.255.255.0

object network LAN

subnet 192.168.10.0 255.255.255.0

object network VPN-POOL

subnet 192.168.100.0 255.255.255.0

object network MGMT

subnet 192.168.2.0 255.255.255.0

access-list split_tunnel remark LAN_VLAN_10

access-list split_tunnel standard permit 192.168.10.0 255.255.255.0

access-list split_tunnel remark MGMT_LAN

access-list split_tunnel standard permit 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu management 1500

mtu failover 1500

ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (inside,outside) source static MGMT MGMT destination static VPN-POOL VPN-POOL no-proxy-arp rout

e-lookup

!

object network inside-subnet

nat (inside,outside) dynamic interface

object network dmz-subnet

nat (dmz,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 93.174.55.181 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 management

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set firstset esp-des esp-md5-hmac

crypto dynamic-map dyn1 1 set ikev1 transform-set firstset

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption des

hash md5

group 2

lifetime 43200

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 management

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl server-version sslv3

ssl encryption aes128-sha1 3des-sha1

webvpn

group-policy testgroup internal

group-policy testgroup attributes

vpn-filter value split_tunnel

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

username admin password 7HrPnJeDyLD75Q8h encrypted privilege 15

username sdanilov password IJfT2i56/.i5F.RA encrypted

username netapp password uQsNBfoIPDy6CwWY encrypted

username mbychkov password fvosA8L1anfyxTw3 encrypted

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool VPN-POOL

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8dd0a30eff147b8a7d114f31d21b5c7c

This is the whole config. I made a mistake in first scheme when i said about vlan 3. I tried to have routing into vlan MGMT but now i dont have it.

Also i have route on my cat3750: ip route 192.168.100.0 255.255.255.0 192.168.10.252

The mentioned config is still missing (split-tunnel and NAT-excemption for the additional network). And your ASA needs a static route for the network behind the 3750.


Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: