12-21-2006 01:53 PM
Hi - I have an ASA5520 with IPSEC and SSL VPN setup. All works fine if I am content with accessing the inside network, but I also want to access the network in the subnet called "store". The security level is set to 90 on this interface but I cannot reach any resources there from any VPN connection. I thought the VPN client was dumped into the inside security level of 100, so therefore security should flow downhill. I guess I was wrong and was wondering if anyone could set me on the right path. The config is listed below. THANKS!!!!!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.x.x.8 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.31.1.8 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.2.66 255.255.255.0
!
interface GigabitEthernet0/3
nameif store
security-level 90
ip address 10.2.195.28 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
dns server-group DefaultDNS
domain-name lab.net
object-group network Inside-all
description Private Lab Networks
network-object 172.2.0.0 255.255.0.0
network-object 172.31.1.0 255.255.255.0
access-list outside_access_in extended permit ip any host xxx.xxx.83.7 log debugging
access-list inside_access_in extended permit ip any any
access-list store_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap_1 extended permit ip any 192.168.100.0 255.255.255.240
access-list store-internal remark store internal network
access-list store-internal standard permit 10.0.0.0 255.0.0.0
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
global (outside) 1 interface
global (store) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.0.0.0 255.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (dmz,outside) 65.x.x.7 192.168.2.67 netmask 255.255.255.255
static (inside,store) 10.2.195.27 172.31.1.60 netmask 255.255.255.255
static (dmz,inside) 192.168.2.67 192.168.2.67 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group store_access_in in interface store
route outside 0.0.0.0 0.0.0.0 xxx.xxx.83.1 1
route inside 172.0.0.0 255.0.0.0 172.31.1.254 1
route store 10.0.0.0 255.0.0.0 10.2.195.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpnpool
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
address-pool vpnpool
default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
pre-shared-key *
!
webvpn
port 444
enable outside
enable store
svc image disk0:/sslclient-win-1.1.2.169.pkg 1
svc enable
: end
12-26-2006 10:04 AM
I think you would need another ACL (VPN to store) and NAT 0 for store:
access-list store_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
nat (store) 0 access-list store_nat0_outbound
If I am not wrong, those statements should help getting the VPN clients to the store interface.
06-09-2008 05:17 AM
I have the same problem of communication to the LAN, although the nat0 setup is already there (details attached here):
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
SSL VPN details:
- LAN: 192.168.0.0/24
- SSL VPN pool: 10.0.11.0/24
- Tunnel Group: Test-WebVPNGroup
My environment:
- Cisco ASA 5520 v. 7.2(2)19
- ASDM v. 5.2(2)
- SVC client: sslclient-win-1.1.4.179.pkg
- Desktop: Win XP
Please assist.
06-12-2008 10:41 PM
Problem resolved by adding the reverse nat0 ACL (IP pool -> LAN):
access-list 101 extended permit ip 10.0.11.0 255.255.255.0 192.168.0.0 255.255.255.0
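Both fixes in this thread (the store-interface NAT 0 exemption from the first reply, and the mirrored ACE the last poster added to ACL 101) can be checked mechanically against a saved config. The script below is an added example written for this page; it is not code from any poster or from Cisco. It parses only the statement types the thread relies on (nameif, ip local pool, nat (iface) 0 access-list, and extended permit ip ACEs), then reports per interface whether the whole VPN pool is exempted from NAT, and lists ACEs in a nat 0 ACL that have no mirror. The sample configs are constructed from the lines posted above; the STORE_FIX text is the first reply's suggestion with the `extended permit` keywords filled in.

```python
"""Audit ASA 7.x-style NAT exemption (nat 0) for a remote-access VPN pool.

Added example for this thread, not code from any poster or from Cisco. It
parses only the statement types the thread relies on: nameif, ip local pool,
'nat (iface) 0 access-list NAME', and 'access-list NAME extended permit ip'.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: NAT/ACL-relevant lines from the original poster's config.
OP_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/2
 nameif dmz
interface GigabitEthernet0/3
 nameif store
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.0.0.0 255.0.0.0
"""

# The first reply's fix, with the 'extended permit' keywords the reply omitted.
STORE_FIX = """
access-list store_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
nat (store) 0 access-list store_nat0_outbound
"""

# Constructed sample from the later posts: one-directional ACE, then its mirror.
LAN_CONFIG = """
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
"""
LAN_REVERSE_FIX = (
    "access-list 101 extended permit ip 10.0.11.0 255.255.255.0 192.168.0.0 255.255.255.0\n"
)


def _take_addr(tokens):
    """Pop one ASA address spec (any | host A | A MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_asa(config_text):
    """Collect interface names, address pools, nat 0 bindings and ip ACEs."""
    cfg = {"interfaces": set(), "pools": {}, "nat0": {}, "acls": defaultdict(list)}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nameif (\S+)", line):
            cfg["interfaces"].add(m.group(1))
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?", line):
            cfg["pools"][m.group(1)] = (
                ipaddress.ip_address(m.group(2)),
                ipaddress.ip_address(m.group(3)),
            )
        elif m := re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            tokens = m.group(2).split()
            try:
                src = _take_addr(tokens)
                dst = _take_addr(tokens)
            except (IndexError, ValueError):
                continue  # masked or malformed addresses (e.g. xxx.xxx.83.7) are skipped
            cfg["acls"][m.group(1)].append((src, dst))
    return cfg


def audit_vpn_exemption(config_text, pool_name):
    """Per interface: the bound nat 0 ACL and whether the whole pool is exempted
    as a destination, i.e. traffic from that interface's networks back to the
    VPN clients is not translated."""
    cfg = parse_asa(config_text)
    first, last = cfg["pools"][pool_name]
    report = {}
    for iface in sorted(cfg["interfaces"]):
        acl = cfg["nat0"].get(iface)
        aces = cfg["acls"].get(acl, []) if acl else []
        report[iface] = {
            "nat0_acl": acl,
            "pool_exempt": any(first in dst and last in dst for _, dst in aces),
        }
    return report


def missing_reverse_aces(config_text, acl_name):
    """ACEs in a nat 0 ACL whose mirror (dst -> src) is absent."""
    aces = parse_asa(config_text)["acls"].get(acl_name, [])
    return [(s, d) for s, d in aces if (d, s) not in aces]


if __name__ == "__main__":
    for label, text in (("original", OP_CONFIG), ("with store fix", OP_CONFIG + STORE_FIX)):
        print(label)
        for iface, r in audit_vpn_exemption(text, "vpnpool").items():
            state = "exempt" if r["pool_exempt"] else "NOT exempt"
            print(f"  {iface:<10} nat0 acl={r['nat0_acl']!s:<24} {state}")
    print("ACL 101 without mirror:", missing_reverse_aces(LAN_CONFIG, "101"))
    print("ACL 101 with mirror:   ", missing_reverse_aces(LAN_CONFIG + LAN_REVERSE_FIX, "101"))
```

Run against the original config it flags store (and dmz) as not exempt while inside is covered by inside_nat0_outbound; appending STORE_FIX turns store green. The pool check uses the first and last pool addresses, so a pool that spills past the ACE's mask (here /28 for .1-.10) is caught as a partial exemption rather than passed.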