06-23-2012 11:33 AM - edited 02-21-2020 06:09 PM
I am able to authenticate on the VPN network with my username and password, and am also able to get an IP address from the VPN pool.
But I am not able to access anything on my inside network (i.e. LAN) or remote desktop to the servers 172.17.100.10, 172.17.100.20.
ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.30 eq 22 any
group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NetworkTest_splitTunnelAcl
default-domain value Q8.com
tunnel-group NetworkTest-VPN type remote-access
tunnel-group NetworkTest-VPN general-attributes
address-pool (inside) Q8-VPN-Pool
address-pool Q8-VPN-Pool
authentication-server-group ACS
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy NetworkTest-VPN
tunnel-group NetworkTest-VPN ipsec-attributes
pre-shared-key ******
The NAT below didn't work, so I created a new NAT for 8.4:
access-list inside_nat0_outbound extended permit ip any 172.16.37.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
New NAT for 8.4:
object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST
06-23-2012 02:36 PM
On the ASA the split-tunnel ACL should be a standard ACL listing only the networks you want to communicate with (when you specify "split-tunnel-policy tunnelspecified"). The filtering you want to achieve should go into the "vpn-filter", which can also be configured in the group-policy.
regards, Karsten
06-24-2012 01:45 AM
Dear Karsten
If I work with a standard ACL I can't define ports.
But for the sake of argument I tried your solution, but it didn't work.
Do you feel my NAT statement is correct?
object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST
I would be obliged if you could provide me some other alternative solution.
06-24-2012 02:33 AM
Split tunneling controls the routing into the tunnel, and this is done without L4 information (knowing that there are cases where this is done, but I can't see that in your scenario). And as said before, filtering is done with the vpn-filter.
For the NAT to work you have to use the right order of NAT statements (top-down). So this NAT exemption has to be above the general NAT for internet access. You can check that with "show nat".
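The ordering point in the answer above, as an added example that is not part of the thread: ASA evaluates manual NAT rules top-down and the first match wins, so the identity rule that exempts traffic toward the VPN pool only takes effect if it sits above the general PAT for internet access. The internet PAT statement and the outside interface address 203.0.113.1 are assumptions for the demo (the thread shows neither); the model also assumes the internet PAT is a manual NAT rule, since an object (auto) NAT rule lives in a later section and would be ordered after any manual rule anyway.

```python
"""First-match ordering of ASA manual NAT rules for the VPN NAT exemption.

Added example, not from the thread.  Models two manual NAT rules evaluated
top-down: the identity exemption toward the VPN pool (from the thread) and an
assumed dynamic PAT for internet access.  Only the source translation is
modelled, which is what breaks VPN traffic when the order is wrong.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    cli: str                         # the ASA statement this rule models
    src: ipaddress.IPv4Network       # real source addresses the rule matches
    dst: ipaddress.IPv4Network       # real destination addresses the rule matches
    mapped_src: str | None           # None = identity (source left untouched)


ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_POOL = ipaddress.ip_network("172.16.37.0/24")   # object RA-VPN-HOST in the thread

# Identity NAT from the thread: any inside host talking to the pool keeps its address.
EXEMPT = NatRule(
    "nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST",
    ANY, VPN_POOL, None)
# Assumed general internet PAT; 203.0.113.1 stands in for the outside interface IP.
INTERNET_PAT = NatRule(
    "nat (inside,outside) source dynamic any interface   (assumed, not in the thread)",
    ANY, ANY, "203.0.113.1")


def first_match(rules: list[NatRule], src: str, dst: str) -> NatRule | None:
    """Top-down evaluation: the first rule whose real src/dst both match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule
    return None


def translated_source(rules: list[NatRule], src: str, dst: str) -> str:
    """Source address the packet leaves the ASA with under the given rule order."""
    rule = first_match(rules, src, dst)
    if rule is None or rule.mapped_src is None:
        return src          # untranslated: what tunnelled traffic needs
    return rule.mapped_src  # PATed: the VPN client never sees the real server address


WRONG_ORDER = [INTERNET_PAT, EXEMPT]   # "show nat" would list the PAT first
RIGHT_ORDER = [EXEMPT, INTERNET_PAT]   # exemption above the internet PAT

# Constructed sample endpoints: inside server, VPN client, an internet host.
SERVER, CLIENT, INTERNET_HOST = "172.17.100.10", "172.16.37.50", "198.51.100.7"

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(f"{label}: server->vpn client leaves as "
              f"{translated_source(rules, SERVER, CLIENT)}, "
              f"server->internet leaves as {translated_source(rules, SERVER, INTERNET_HOST)}")
```

With the PAT first, the server's reply toward the VPN client is translated to the outside address and never returns through the tunnel untouched; with the exemption first, pool-bound traffic stays untranslated while internet-bound traffic is still PATed.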
07-11-2012 04:55 AM
The issue I am facing is that I am able to get an IP address from the VPN pool but not able to get a default gateway.
In the VPN status statistics I am able to send packets but not able to receive packets.
I am able to authenticate on the VPN network with my username and password,
but I am not able to access anything on my inside network (i.e. LAN) or remote desktop to the servers 172.17.100.10, 172.17.100.20.
Below is the configuration:
ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.30 eq 22 any
group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-filter value Network-Admin_splitTunnelAcl
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NetworkTest_splitTunnelAcl
default-domain value Q8.com
tunnel-group NetworkTest-VPN type remote-access
tunnel-group NetworkTest-VPN general-attributes
address-pool (inside) Q8-VPN-Pool
address-pool Q8-VPN-Pool
authentication-server-group ACS
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy NetworkTest-VPN
tunnel-group NetworkTest-VPN ipsec-attributes
pre-shared-key ******
object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST
I have static routes, but I have read in one document to apply a default route pointing toward the ASA with "tunneled".
But the query is, what about the other tunnels which are working from outside to the DMZ?
If I apply the default route, will all tunneled traffic flow towards the inside interface of the ASA, or only the split-tunnel traffic?
07-11-2012 06:34 AM
Your split tunneling and vpn-filter are still wrong. The way to configure it is the following:
For split tunneling a standard ACL is typically used to specify which networks should be reached through the tunnel:
access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0
!
group-policy NetworkTest-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-ACL
A different ACL is used to filter the traffic that can be sent inside the tunnel. In that ACL the meaning of the fields is different from a normal ACL: the vpn-filter works with Remote and Local instead of Source and Destination.
Your vpn-filter has to look like this:
access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.10 eq 3389
access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.20 eq 3389
access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.30 eq 22
!
group-policy NetworkTest-VPN attributes
vpn-filter value VPN-FILTER-TEST
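A small lint for the wiring described in the answer above, as an added example that is not part of the thread: the ACL named by split-tunnel-network-list must be a standard ACL (it only steers routing into the tunnel; L4 fields are ignored), and the ACL named by vpn-filter must be an extended ACL that is actually defined. The two sample configs are constructed from the posted config of 07-11-2012 (whose vpn-filter names an ACL that does not appear in the snippet) and from the corrected shape given above; the regexes only cover the `access-list` and group-policy lines shown in the thread.

```python
"""Lint an ASA remote-access VPN config for split-tunnel / vpn-filter wiring.

Added example, not from the thread.  Checks the two points made in the
answer above: split-tunnel-network-list must name a *standard* ACL and
vpn-filter must name an *extended* ACL, and both ACLs must exist.
"""
from __future__ import annotations

import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended|webtype|ethertype)\b")
REF_RE = re.compile(r"^\s*(split-tunnel-network-list|vpn-filter)\s+value\s+(\S+)")

# Which ACL type each group-policy attribute must reference.
EXPECTED = {"split-tunnel-network-list": "standard", "vpn-filter": "extended"}

# Constructed from the config posted above: the split list is an extended ACL
# and the vpn-filter names an ACL that is not defined in the snippet.
POSTED_CONFIG = """\
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any
group-policy NetworkTest-VPN attributes
 vpn-filter value Network-Admin_splitTunnelAcl
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NetworkTest_splitTunnelAcl
"""

# The corrected shape from the answer above.
CORRECTED_CONFIG = """\
access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0
access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.10 eq 3389
group-policy NetworkTest-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 vpn-filter value VPN-FILTER-TEST
"""


def acl_types(config: str) -> dict[str, set[str]]:
    """Map each ACL name to the set of ACL types its entries declare."""
    types: dict[str, set[str]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            types.setdefault(m.group(1), set()).add(m.group(2))
    return types


def lint_vpn_config(config: str) -> list[str]:
    """Return one finding per mis-wired group-policy reference; empty means clean."""
    findings: list[str] = []
    types = acl_types(config)
    for line in config.splitlines():
        m = REF_RE.match(line)
        if not m:
            continue
        attr, name = m.groups()
        want = EXPECTED[attr]
        kinds = types.get(name)
        if kinds is None:
            findings.append(f"{attr} references ACL '{name}', which is not defined in this config")
        elif kinds != {want}:
            got = "/".join(sorted(kinds))
            findings.append(f"{attr} references ACL '{name}' of type {got}; a {want} ACL is required")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, lint_vpn_config(cfg) or ["OK"])
```

Feed it the output of `show running-config` and it reports the two mistakes the thread went through: an extended ACL in the split-tunnel list, and a vpn-filter pointing at an ACL that was never created.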
07-15-2012 05:01 AM
Dear Karsten
Thanks for the reply.
So to make it simpler I created an ACL as below to avoid routing issues:
access-list 20 standard permit any
I applied this ACL in my split tunnel:
group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-tunnel-protocol IPSec
vpn-filter value Network-Admin_splitTunnelAcl
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 20
default-domain value Q8.com
Dear Karsten
My query now is the vpn-filter which will provide access for VPN group users to the inside servers.
The VPN pool is 172.16.37.x/24.
The server's inside IP address is 172.16.100.9 on 3389.
Behind my ASA my Juniper is installed, so all traffic comes to the ASA with the IP address 172.16.14.1.
The server which needs to be accessed from the VPN in my inside network has IP address 172.16.100.9 on 3389.
So how do I create the ACL for the vpn-filter?
Please do reply.
07-15-2012 05:37 AM
If your internal network is hidden behind one IP on the Juniper firewall, then your vpn-filter will look like this:
access-list VPN-FILTER extended permit tcp 172.16.37.0 255.255.255.0 host 172.16.14.1 eq 3389
On the Juniper you have to configure the port forwarding to the desired host.
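How the vpn-filter above is actually evaluated, as an added example that is not part of the thread: the first address field is the Remote (VPN client) side and the second the Local (inside) side, as the earlier answer says, and the one ACL is applied to traffic in both directions. That second point is the caveat worth knowing: `permit tcp 172.16.37.0 255.255.255.0 host 172.16.14.1 eq 3389` lets clients reach 172.16.14.1 on 3389, and also lets 172.16.14.1 initiate connections from source port 3389 toward a client's any port. The parser only handles `any`, `host A.B.C.D`, `A.B.C.D MASK` and `eq PORT`, and the sample flows are constructed; `PORT_NAMES` covers just the few ASA port names used in this thread.

```python
"""Evaluate an ASA vpn-filter ACL against sample flows, including the reverse
direction the ASA applies automatically.  Added example, not from the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ssh": 22, "domain": 53, "www": 80, "https": 443}  # subset of ASA names


@dataclass
class Ace:
    action: str                      # permit | deny
    proto: str                       # tcp | udp | ip
    remote: ipaddress.IPv4Network    # first address field: VPN-client side
    remote_port: int | None          # 'eq N' right after the remote address
    local: ipaddress.IPv4Network     # second address field: inside side
    local_port: int | None           # 'eq N' right after the local address


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _take_addr(tokens: list[str]) -> ipaddress.IPv4Network:
    """Pop one ASA address spec (any | host A | A MASK) off the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_port(tokens: list[str]) -> int | None:
    """Pop an optional 'eq PORT' and return the port number."""
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    p = tokens.pop(0)
    return int(p) if p.isdigit() else PORT_NAMES[p]


def parse_ace(line: str) -> Ace:
    """access-list NAME extended ACTION PROTO REMOTE [eq P] LOCAL [eq P]"""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    remote, rport = _take_addr(rest), _take_port(rest)
    local, lport = _take_addr(rest), _take_port(rest)
    return Ace(action, proto, remote, rport, local, lport)


def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto not in ("ip", f.proto):
        return False
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    # Client -> inside: ports line up with the ACE as written.
    if src in ace.remote and dst in ace.local:
        return ace.remote_port in (None, f.sport) and ace.local_port in (None, f.dport)
    # Inside -> client: the reverse rule the ASA compiles, so the ACE's *local*
    # port is compared against the flow's *source* port.
    if src in ace.local and dst in ace.remote:
        return ace.local_port in (None, f.sport) and ace.remote_port in (None, f.dport)
    return False


def vpn_filter_allows(acl: list[Ace], f: Flow) -> bool:
    """First matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, f):
            return ace.action == "permit"
    return False


# The filter from the answer above; the flows are constructed for the demo.
VPN_FILTER = [parse_ace(
    "access-list VPN-FILTER extended permit tcp 172.16.37.0 255.255.255.0 host 172.16.14.1 eq 3389")]

CLIENT_RDP = Flow("172.16.37.50", "172.16.14.1", "tcp", 50123, 3389)   # intended use
CLIENT_SSH = Flow("172.16.37.50", "172.16.14.1", "tcp", 50124, 22)     # blocked
REVERSE_3389 = Flow("172.16.14.1", "172.16.37.50", "tcp", 3389, 4444)  # inside host initiates
REVERSE_22 = Flow("172.16.14.1", "172.16.37.50", "tcp", 22, 4444)      # blocked

if __name__ == "__main__":
    for name, flow in (("client rdp", CLIENT_RDP), ("client ssh", CLIENT_SSH),
                       ("reverse sport 3389", REVERSE_3389), ("reverse sport 22", REVERSE_22)):
        print(f"{name:20} {'permit' if vpn_filter_allows(VPN_FILTER, flow) else 'deny'}")
```

The `REVERSE_3389` result is the one to keep in mind when writing vpn-filters: keep the Local side pinned to specific hosts and ports, because every permit also opens a return path from that port.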
07-16-2012 11:34 PM
Dear Karsten
Thanks, much appreciated.
My VPN is working fine and I am able to access the required server with specific ports.
I created the access-list below and called it in my vpn-filter value:
access-list Network-Admin_splitTunnelAcl extended permit tcp any host 172.17.100.10 eq domain
My VPN and everything is working fine.
One more request for help with the query below:
For a standard ACL we used to create it as access-list ABC webtype permit url http://Q8.bombay.com
I want to know how to create a WEBTYPE access-list in my extended ACL as above
(i.e. access-list Network-Admin_splitTunnelAcl extended)
Please do reply.
07-16-2012 11:42 PM
I'm not really sure what you mean, but the simplified rule for ACLs is:
- extended ACLs for Access-Control on L3/L4
- standard ACLs for controlling routing
- webtype ACLs for clientless VPNs
- ethertype ACLs for controlling L2-traffic in transparent firewall setups.
07-17-2012 12:04 AM
Dear Karsten
q8.bombay.com is an internal website which resolves to the IP address 172.16.3.210.
I have created the ACL below and called this ACL in my web filter as below:
access-list Network-Admin_splitTunnelAcl extended permit tcp any host 172.16.3.210 eq https
access-list Network-Admin_splitTunnelAcl extended permit tcp any host 192.168.0.122 eq 53
access-list Network-Admin_splitTunnelAcl extended permit tcp any host 192.168.0.123 eq 53
access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0
access-list SPLIT-ACL standard permit 172.16.0.0 255.255.0.0
group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-filter value Network-Admin_splitTunnelAcl
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-ACL
default-domain value Q8.com
QUERY
If I do telnet 172.16.3.210 443 (I am able to see in cmd that the port is open).
But if I write the IP address 172.16.3.210 in the browser, IE or Firefox, the website does not open.
If I write the URL https://Q8.bombay.com it also does not open.
Where can the mistake be? What needs to be added to my ACL?