
Routing VPN clients

0rsnaric
Level 1

I have an ASA 5510 with IPSec VPN setup. The VPN clients are given 172.17.0.0 addresses and given access to 172.16.0.0 network (ASA's inside interface is 172.16.1.1). I need these clients to be able to reach 172.20.0.0 via an internal router (172.16.3.7).

How do I set this up? Currently the client just sends the 172.20.0.0 traffic out its normal internet connection, as split-tunneling is enabled. I tried using a static route on the client, but that didn't work.

Any insight would be greatly appreciated.

Rick

2 Accepted Solutions

JORGE RODRIGUEZ
Level 10

From the ASA, do you have a route to each 172.20.0.0 network via the 172.16.3.7 gateway?

I would check that.

1- From the ASA, a route to reach the 172.20.0.0 net.

2- If the ASA does have a route, does the 172.16.3.7 router know how to get to your VPN pool network?

3- Access list on the ASA to allow/permit the VPN pool network to access the 172.20.0.0 network.

Jorge Rodriguez


michael.leblanc
Level 4

I can only cite an IOS example that you might be able to translate to your needs.

On the IOS Easy VPN Server we configure a client configuration group (i.e.: policies pushed to the client during mode config).

crypto isakmp client configuration group psk-grp
 acl 108

The ACL specified in the configuration group defines the scope of the crypto protection (i.e.: what traffic is to receive crypto treatment).

I believe this ACL determines the routes that will be installed on the VPN Client. If this ACL includes an Access Control Entry (ACE) for the 172.20.0.0 network, I think you will succeed.

e.g.: for a pool of client addresses 172.17.0.16 - 172.17.0.31

access-list 108 permit ip 172.16.0.0 0.0.255.255 172.17.0.16 0.0.0.15

access-list 108 permit ip 172.20.0.0 0.0.255.255 172.17.0.16 0.0.0.15

Maybe that will help.

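An added example (my own Python, not from the thread or from Cisco) that parses the split-tunnel ACL form shown above, treating the single 172.16.0.0 ACE as the "before" state and both ACEs as the "after", and reports which routes a client in the 172.17.0.16/28 pool would be pushed and whether its traffic to 172.20.0.0 enters the tunnel. The source/destination roles and the wildcard-to-prefix conversion follow the reply; the sample ACL text is constructed here.

```python
import ipaddress
import re

# Constructed sample based on the ACL in the reply above: ACL_BEFORE has only
# the 172.16.0.0 ACE; ACL_AFTER adds the 172.20.0.0 ACE that fixed the problem.
ACL_BEFORE = """
access-list 108 permit ip 172.16.0.0 0.0.255.255 172.17.0.16 0.0.0.15
"""
ACL_AFTER = ACL_BEFORE + """
access-list 108 permit ip 172.20.0.0 0.0.255.255 172.17.0.16 0.0.0.15
"""

# Matches the IOS extended ACE form used in the reply: permit ip SRC WC DST WC.
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$"
)

def wildcard_to_network(addr, wildcard):
    """An IOS wildcard is an inverted subnet mask: 0.0.255.255 is a /16."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_acl(text):
    """Return (protected_net, client_pool) pairs from the permit-ip ACEs.
    In an Easy VPN split-tunnel ACL the source is the protected network
    and the destination is the client pool (written from the server's view)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            _, src, src_wc, dst, dst_wc = m.groups()
            aces.append((wildcard_to_network(src, src_wc),
                         wildcard_to_network(dst, dst_wc)))
    return aces

def pushed_routes(acl_text, client_ip):
    """Networks a client at client_ip would receive as secured routes."""
    client = ipaddress.IPv4Address(client_ip)
    return sorted({str(net) for net, pool in parse_acl(acl_text) if client in pool})

def is_tunneled(acl_text, client_ip, dest_ip):
    """True if client->dest traffic matches an ACE and so enters the tunnel;
    otherwise, with split tunneling on, it leaves via the client's own Internet link."""
    client = ipaddress.IPv4Address(client_ip)
    dest = ipaddress.IPv4Address(dest_ip)
    return any(dest in net and client in pool for net, pool in parse_acl(acl_text))
```

With ACL_BEFORE, a pool client's traffic to 172.20.x.x matches no ACE, which is exactly the symptom in the question; with ACL_AFTER the same client is pushed both 172.16.0.0/16 and 172.20.0.0/16.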

3 Replies


Thanks guys, it was the access-list.

Rick