01-15-2016 08:16 AM
Hi all,
I have a simple topology where clients are connected to the core switch and the core switch to the ASA.
Right now the ASA is connected to an access port (VLAN 152, subnet 172.10.101.0/24) and I created a remote VPN, and the remote clients can access the PCs in the same VLAN.
Now I added a link from the core switch to the ASA as a trunk link (subinterface on the ASA) and want the remote clients to be able to access the PCs in VLAN 1001, subnet 192.168.11.0/24 (will add more later). The thing is, I have not been able to access the clients on VLAN 1001, not even the ASA's subinterface IP, while I can do so in the other tunnel to VLAN 152. The VPN profile I created is exactly the same as the working tunnel; I only changed the subnet IP and ACL, but it won't connect to anything in the network.
I really hope someone could help me solve this, as it is frustrating not being able to get a simple VPN connection working. Below is the config:
: Saved
:
ASA Version 8.4(6)5
!
hostname FW1
!
interface Ethernet0/0
description to Internet
nameif outside
security-level 0
ip address 220.x.x.x 255.255.255.252
!
interface Ethernet0/1
description to Core Switch
nameif inside
security-level 100
ip address 172.10.101.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.152
vlan 152
nameif VLAN152
security-level 100
ip address 172.10.102.3 255.255.255.0
!
interface Ethernet0/3.1001
vlan 1001
nameif VLAN1001
security-level 100
ip address 192.168.11.3 255.255.255.0
!
interface Ethernet0/3.2002
vlan 2002
nameif VLAN2002
security-level 100
ip address 192.168.12.3 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa846-5-k8.bin
ftp mode passive
clock timezone JAVT 7
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Net_VLAN1001
subnet 192.168.11.0 255.255.255.0
object network Net_VLAN2002
subnet 192.168.12.0 255.255.255.0
object network Net_VLAN152
subnet 172.10.102.0 255.255.255.0
object network NETWORK_OBJ_172.16.10.0_27
subnet 172.16.10.0 255.255.255.224
object network NETWORK_OBJ_192.170.11.0_27
subnet 192.170.11.0 255.255.255.224
object network NETWORK_OBJ_192.168.11.0_24
subnet 192.168.11.0 255.255.255.0
object-group network NETWORK_OBJ_172.10.101.0_24
object-group network NETWORK_OBJ_172.16.10.0_28
object-group network LAN-101
access-list ACL-VL1001 standard permit 192.168.11.0 255.255.255.0
access-list Inside-Split-Tunnel standard permit 172.10.101.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu VLAN152 1500
mtu VLAN1001 1500
mtu VLAN2002 1500
ip local pool VPN-Pool 172.16.10.2-172.16.10.20 mask 255.255.255.0
ip local pool Cust_Pool 192.170.11.10-192.170.11.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_27 NETWORK_OBJ_172.16.10.0_27 no-proxy-arp route-lookup
nat (VLAN1001,outside) source static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 destination static NETWORK_OBJ_192.170.11.0_27 NETWORK_OBJ_192.170.11.0_27 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
nat (VLAN152,outside) after-auto source dynamic any interface
nat (VLAN1001,outside) after-auto source dynamic any interface
nat (VLAN2002,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 220.x.x.13 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.10.101.0 255.255.255.0 inside
http 172.16.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 172.10.101.0 255.255.255.0 inside
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
anyconnect profiles BHp_client_profile disk0:/BHp_client_profile.xml
anyconnect profiles Customer_client_profile disk0:/Customer_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Customer internal
group-policy GroupPolicy_Customer attributes
wins-server none
dns-server none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-VL1001
default-domain none
group-policy GroupPolicy_BHp internal
group-policy GroupPolicy_BHp attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Inside-Split-Tunnel
default-domain none
username cust1 password 4jja6fD/vovAGkVT encrypted
username vpn1 password Qr9Uo2I.DinqQ9V/ encrypted
username cisco password sJpEhD8Vr/bMrdWa encrypted
tunnel-group BHp type remote-access
tunnel-group BHp general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_BHp
tunnel-group BHp webvpn-attributes
group-alias BHp enable
tunnel-group Customer type remote-access
tunnel-group Customer general-attributes
address-pool Cust_Pool
default-group-policy GroupPolicy_Customer
tunnel-group Customer webvpn-attributes
group-alias Customer enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f42fcac17177d0058c2811a80bd7c2ae
: end
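Added example, not part of the original post or of any Cisco tool: a small Python checker that parses the object, pool and twice-NAT lines of an ASA 8.4 config and reports which LAN interfaces carry a NAT exemption (identity twice-NAT, the 8.3+ form of "nat 0") covering every address of a given VPN pool. The excerpt it parses is copied from the posted config; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: only the object, pool and twice-NAT lines.
ASA_CONFIG = """\
object network NETWORK_OBJ_172.16.10.0_27
 subnet 172.16.10.0 255.255.255.224
object network NETWORK_OBJ_192.170.11.0_27
 subnet 192.170.11.0 255.255.255.224
object network NETWORK_OBJ_192.168.11.0_24
 subnet 192.168.11.0 255.255.255.0
ip local pool VPN-Pool 172.16.10.2-172.16.10.20 mask 255.255.255.0
ip local pool Cust_Pool 192.170.11.10-192.170.11.20 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_27 NETWORK_OBJ_172.16.10.0_27 no-proxy-arp route-lookup
nat (VLAN1001,outside) source static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 destination static NETWORK_OBJ_192.170.11.0_27 NETWORK_OBJ_192.170.11.0_27 no-proxy-arp route-lookup
"""

# Twice-NAT from a LAN interface to outside: source/mapped, destination/mapped.
NAT_RE = re.compile(r"nat \((\S+),outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_config(config):
    """Return (objects, pools, exemptions) from ASA 8.4 object, pool and twice-NAT lines."""
    objects, pools, exemptions, current = {}, {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) ", line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT_RE.match(line):
            iface, src, src_mapped, dst, dst_mapped = m.groups()
            # Identity mapping on both sides means "do not translate": a NAT exemption.
            if src == src_mapped and dst == dst_mapped:
                exemptions.append((iface, src, objects[dst]))
    return objects, pools, exemptions


def covering_interfaces(config, pool_name):
    """LAN interfaces whose exemption destination object contains the whole pool range."""
    _, pools, exemptions = parse_config(config)
    first, last = pools[pool_name]
    return sorted(iface for iface, _, net in exemptions if first in net and last in net)


def missing_exemptions(config, pool_name, lan_interfaces):
    """Interfaces (e.g. the one the LAN is really reached through) with no covering exemption."""
    covered = set(covering_interfaces(config, pool_name))
    return [iface for iface in lan_interfaces if iface not in covered]
```

Run `missing_exemptions(ASA_CONFIG, "Cust_Pool", ["inside", "VLAN1001"])` to see that the Customer pool is exempted only towards VLAN1001; if that subnet's hosts actually return traffic via the inside interface, that interface has no exemption for the pool.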
01-16-2016 01:14 AM
What is the default gateway for VLAN1001? If it is not the ASA then you should not be creating a sub-interface on the ASA, but simply adding a route to whatever is the default gateway for that VLAN for the subnet used in that VLAN.