11-28-2013 08:54 AM
Hi
Scenario:
Cisco ASA 5505
We have Remote VPN working and we can access our office network from a remote VPN client, and the other way around also.
We would now like to extend this config, so that when accessing a set of IPs on the internet (our website), any remote VPN clients must route their traffic over the VPN (so the website sees our office IP, not the remote client's internet IP)
So,
officenetwork: 192.168.2.0/24
VPN Pool: 192.168.4.0/24
External IP of website is within the group 'rackspace-public-ips'
We can successfully ping from 192.168.2.0 <> 192.168.4.0
We can successfully access public internet addresses. However, when we enable a split tunnel, we cannot access the 'rackspace-public-ips' address any more.
Config:
access-list vpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x 255.255.255.252
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x 255.255.255.248
(where x.x.x.x are the individual IPs defined within the rackspace-public-ips group)
access-list officenetwork_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.4.0 255.255.255.0
object-group network officenetwork-network
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
 group-object rackspace-public-ips
global (publicinternet) 1 interface
nat (officenetwork) 0 access-list officenetwork_nat0_outbound
nat (officenetwork) 1 0.0.0.0 0.0.0.0
route publicinternet 0.0.0.0 0.0.0.0 192.168.3.1 1
group-policy vpn attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl_1
 default-domain value office.internal
 split-dns value office.internal
What am I missing guys?
11-28-2013 09:12 AM
Hi,
Would really need more information.
From what I gather you have a /30 mask subnet and /29 mask subnet of public IP addresses? Are these located behind the ASA? I mean behind the "officenetwork" interface?
If these are actually public IP addresses on the "publicinternet" interface (or routed towards that interface, since you have 2 subnets) used in Static NAT configurations for the servers, then you are most likely running into a problem with the NAT configurations.
This would be because you are doing NAT0 for the internal IP addresses while you are actually trying to reach the public IP address.
If both of these public subnets are used as NAT IP address on the edge of the firewall and not behind it in the internal network (directly on the servers) then I was thinking that trying "deny" statements on the NAT0 configuration might do the trick. (If it was supported, I do remember that it should be supported but I am not 100% sure)
access-list officenetwork_nat0_outbound line 1 remark Avoid NAT0 for Server to VPN Client
access-list officenetwork_nat0_outbound line 2 deny ip host
access-list officenetwork_nat0_outbound line 3 deny ip host
and so on.
So whether any of the above makes sense depends on whether the public IP addresses are located behind the ASA on the internal network, or whether they are actually the public NAT IP addresses of hosts on the network 192.168.2.0/24.
- Jouni
11-28-2013 09:19 AM
Hi
I managed to fix this, by adding the following:
nat (publicinternet) 1 192.168.4.0 255.255.255.0
Many thanks
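The following is an added example, not configuration or code posted by anyone in this thread. It models the classic (pre-8.3) ASA NAT selection order that the commands above use (nat 0 exemption first, then dynamic nat paired with a global of the same id) and shows why the extra `nat (publicinternet) 1 192.168.4.0 255.255.255.0` line changes the source address the website sees. The addresses standing in for the masked x.x.x.x rackspace ranges and for the ASA's outside interface are constructed TEST-NET values, and the interface names are taken from the thread. The model does not cover the separate requirement that the ASA permit traffic to enter and leave the same interface (hairpinning), which is a distinct setting from NAT.

```python
"""Model of classic (pre-8.3) ASA NAT selection for hairpinned VPN-client traffic.

Added example, not configuration from the thread. It encodes the NAT/global
statements posted above with constructed stand-in addresses, and shows which
source address the website sees with and without the poster's fix.
"""
import ipaddress
from dataclasses import dataclass, field

IPNet = ipaddress.IPv4Network


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr, strict=False)


# Values from the thread, plus constructed stand-ins (TEST-NET) for what it masks or omits.
OFFICE = net("192.168.2.0/24")            # officenetwork
VPN_POOL = net("192.168.4.0/24")          # VPN pool
RACKSPACE_PUBLIC_IPS = [net("203.0.113.0/30"), net("203.0.113.8/29")]  # stand-ins for x.x.x.x /30 and /29
PUBLICINTERNET_ADDR = "198.51.100.2"      # assumed ASA outside address (constructed)
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]


@dataclass
class AsaNatConfig:
    # nat (iface) 0 access-list <acl>: (src_net, dst_net) permit entries, keyed by interface
    exempt_acl: dict = field(default_factory=dict)
    # nat (iface) <id> <src_net>: dynamic NAT rules, keyed by ingress interface
    dynamic: dict = field(default_factory=dict)
    # global (iface) <id> interface: PAT behind the egress interface address
    globals_: dict = field(default_factory=dict)
    iface_addr: dict = field(default_factory=dict)


def translated_source(cfg: AsaNatConfig, ingress: str, egress: str, src: str, dst: str) -> str:
    """Return the source address a packet carries after leaving `egress`."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) on the ingress interface takes precedence.
    for src_net, dst_net in cfg.exempt_acl.get(ingress, []):
        if src_ip in src_net and dst_ip in dst_net:
            return src
    # 2. Dynamic nat on the ingress interface, paired with the same id's global on egress.
    for nat_id, src_net in cfg.dynamic.get(ingress, []):
        if src_ip in src_net:
            pool = cfg.globals_.get((egress, nat_id))
            if pool == "interface":
                return cfg.iface_addr[egress]
            if pool is not None:
                return pool
    # 3. Nothing matched: the packet leaves with its original (here private) source address.
    return src


def thread_config(with_fix: bool) -> AsaNatConfig:
    """Reconstruct the thread's NAT statements; `with_fix` adds the poster's extra nat line."""
    cfg = AsaNatConfig(iface_addr={"publicinternet": PUBLICINTERNET_ADDR, "officenetwork": "192.168.2.1"})
    # access-list officenetwork_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.4.0/24
    cfg.exempt_acl["officenetwork"] = [(n, VPN_POOL) for n in [OFFICE, *RACKSPACE_PUBLIC_IPS]]
    cfg.dynamic["officenetwork"] = [(1, net("0.0.0.0/0"))]   # nat (officenetwork) 1 0.0.0.0 0.0.0.0
    cfg.globals_[("publicinternet", 1)] = "interface"        # global (publicinternet) 1 interface
    if with_fix:
        cfg.dynamic["publicinternet"] = [(1, VPN_POOL)]      # nat (publicinternet) 1 192.168.4.0/24
    return cfg


def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)


def website_sees(with_fix: bool, client: str = "192.168.4.10", website: str = "203.0.113.2") -> str:
    """Source the web server sees for a split-tunneled VPN client reaching rackspace-public-ips.

    Decrypted VPN traffic enters on the interface that terminates the tunnel
    (publicinternet) and, for an internet destination, leaves by that same
    interface, so both ingress and egress are publicinternet.
    """
    return translated_source(thread_config(with_fix), "publicinternet", "publicinternet", client, website)


if __name__ == "__main__":
    for fix in (False, True):
        seen = website_sees(fix)
        verdict = "unroutable RFC1918 source, replies never return" if is_rfc1918(seen) else "office public IP"
        print(f"with_fix={fix}: website sees {seen} ({verdict})")
```

Without the fix there is no nat rule for traffic entering on publicinternet, so the client's 192.168.4.x source is sent to the website untranslated and the reply cannot be routed back; with it, the pool is PATed behind the outside interface address, which is the office IP the original poster wanted the website to see. Office-to-VPN-client traffic is still exempted by the nat 0 ACL in both cases.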
11-28-2013 09:46 AM
Hi,
That would seem to point to a situation where these servers are actually outside your network?
You are just tunneling the traffic towards some public servers through the VPN and out the ASA?
But again I have no idea what the actual setup is.
Main thing is, though, that it's working.
- Jouni