
Remote Access VPN NAT assignment

heather.burke
Level 1

We have currently set up our remote access VPN clients to use the AnyConnect client (eventually we would rather use IPSec, but that's for another post, most likely). Most documentation shows setting up the VPN NAT pool on a different subnet, so we currently have it set to the 192.168.3.0 network. We are able to access the network resources then only if we remote desktop in from there to an internal location. How can we allow this subnet access to our internal resources without using this workaround? I've tried assigning ACLs allowing that subnet in to the internal subnet, but it doesn't seem to make a difference.

Thanks!

6 Replies

Hi,

You're using the AnyConnect to connect to a router or ASA?

The VPN client will access the subnets that you permit/include in the split-tunneling ACL.

The range of addresses for the VPN client (either IPsec or AnyConnect) should be from a different subnet.

You can check on the client itself when it connects, under secured routes, which subnets are accessible from the client.

Please provide more details to your problem.

Federico.
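As an added illustration of the split-tunnel ACL and group-policy settings mentioned above (example configuration, not the poster's or the ASA's own config), the fragment below shows a typical AnyConnect setup on an ASA. It assumes ASA 8.3+ NAT syntax, an interface named "inside", a placeholder internal subnet 10.0.0.0/24, and the 192.168.3.0/24 pool from the thread; the identity NAT rule is the usual check when a VPN pool can reach nothing internal even though ACLs permit it.

```cisco
! Constructed example; names and the 10.0.0.0/24 subnet are placeholders.
! Assumes ASA 8.3+ NAT syntax and an interface named "inside".

! Address pool handed to AnyConnect clients (pool from the thread)
ip local pool VPN_POOL 192.168.3.10-192.168.3.250 mask 255.255.255.0

! Objects for the internal subnet and the VPN pool
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network VPN_NET
 subnet 192.168.3.0 255.255.255.0

! Split-tunnel ACL: only traffic to INSIDE_NET is sent through the tunnel.
! This is the list the client shows under "Secured Routes".
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0

! Identity NAT (NAT exemption): keep inside <-> VPN-pool traffic out of any
! dynamic NAT rule, otherwise replies to the pool are translated and lost
! even though the interface ACLs permit the traffic.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_NET VPN_NET

! Group policy with explicit split-tunnel settings instead of "inherit"
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Tunnel group ties the pool and the group policy together
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RA_VPN_GP

! Checks: confirm the NAT rule is hit and that interface ACLs are bypassed
! for VPN traffic (sysopt connection permit-vpn is the default).
! packet-tracer input inside tcp 10.0.0.5 3389 192.168.3.10 3389
! show running-config all sysopt
```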

It connects to the ASA.

When you say it will access subnets that we provide in the split tunneling ACL, what do you mean?  I notice that split tunneling is an option under group policy, but right now all the boxes are checked for "inherit"

As I indicated before, the VPN is on a different subnet from the internal subnet.  It just cannot see internal resources without using remote desktop to access those resources.

(I did not do the initial setup for this VPN, I was just asked to help troubleshoot why network resources cannot be accessed.)

Heather,

You're saying that access to the internal resources works if using RD.

This means that you open a Remote Desktop connection from the VPN client and access the internal device?

If so... what type of access is not working that it should?

Federico.

Yes, apparently internal server access is one of the things mentioned that is not working. Along with that, certain client programs will not start. Obviously the ideal that we are shooting for is for our users to be able to log in and have it be just like they are at their desks. While the RD element is not the end of the world, we would like to see if we could achieve access without it.

Heather,

When you connect with the AnyConnect or IPsec client, the access that you have is full access.

It should be exactly as if the user is sitting locally to the internal resources.

It sounds like what you're describing is that the VPN users are connecting using an SSL client-less connection.

This is a web portal that redirects TCP traffic (it is a limited access).

If the AnyConnect client is being downloaded in the client machine when connecting to the ASA, the client should have full access to the internal network.

Can you confirm that the client is indeed using the AnyConnect client and not a client-less SSL connection?

Federico.

Yes, let me confirm personally how this connection is taking place and make sure that it is as it is being described to me. I'll get back to you after having done so. Thanks!