VPN IP Pool routing

dprakken1
Level 1

Hi - I have an ASA5520 with IPSEC and SSL VPN setup. All works fine if I am content with accessing the inside network, but I also want to access the network in the subnet called "store". The security level is set to 90 on this interface but I cannot reach any resources there from any VPN connection. I thought the VPN client was dumped into the inside security level of 100, so therefore security should flow downhill. I guess I was wrong and was wondering if anyone could set me on the right path. The config is listed below. THANKS!!!!!

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.8 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.31.1.8 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.66 255.255.255.0
!
interface GigabitEthernet0/3
 nameif store
 security-level 90
 ip address 10.2.195.28 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
dns server-group DefaultDNS
 domain-name lab.net
object-group network Inside-all
 description Private Lab Networks
 network-object 172.2.0.0 255.255.0.0
 network-object 172.31.1.0 255.255.255.0
access-list outside_access_in extended permit ip any host xxx.xxx.83.7 log debugging
access-list inside_access_in extended permit ip any any
access-list store_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap_1 extended permit ip any 192.168.100.0 255.255.255.240
access-list store-internal remark store internal network
access-list store-internal standard permit 10.0.0.0 255.0.0.0
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
global (outside) 1 interface
global (store) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.0.0.0 255.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (dmz,outside) 65.x.x.7 192.168.2.67 netmask 255.255.255.255
static (inside,store) 10.2.195.27 172.31.1.60 netmask 255.255.255.255
static (dmz,inside) 192.168.2.67 192.168.2.67 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group store_access_in in interface store
route outside 0.0.0.0 0.0.0.0 xxx.xxx.83.1 1
route inside 172.0.0.0 255.0.0.0 172.31.1.254 1
route store 10.0.0.0 255.0.0.0 10.2.195.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key *
!
webvpn
 port 444
 enable outside
 enable store
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
: end

3 Replies

namradi15
Level 1

I think you would need another ACL (VPN to store) and NAT 0 for store:

access-list store_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
nat (store) 0 access-list store_nat0_outbound

If I am not wrong, those statements should help get the VPN clients to the store interface.

I have the same problem of communication to the LAN, although the nat0 setup is already there (details attached here):

access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101

SSL VPN details:
- LAN: 192.168.0.0/24
- SSL VPN pool: 10.0.11.0/24
- Tunnel Group: Test-WebVPNGroup

My environment:
- Cisco ASA 5520 v. 7.2(2)19
- ASDM v. 5.2(2)
- SVC client: sslclient-win-1.1.4.179.pkg
- Desktop: Win XP

Please assist.

Problem resolved by adding the reverse nat0 ACL (IP pool -> LAN):

access-list 101 extended permit ip 10.0.11.0 255.255.255.0 192.168.0.0 255.255.255.0
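The fix the thread converges on is a nat 0 exemption covering the VPN pool on every interface the clients need to reach (the first reply's store ACL, and the last reply's reverse ACE). The following audit script is an added example, not from the thread or from Cisco: it parses the pre-8.3 `access-list ... extended permit ip` and `nat (iface) 0 access-list` lines of a saved config and lists the interfaces whose nat 0 ACL does not cover the pool. The sample config lines are constructed from the original post plus the suggested store ACL; all function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample: the poster's NAT-exemption lines as posted (only inside has a
# nat 0 ACL bound) plus namradi15's suggested store ACL, without its nat (store) 0 binding.
ORIGINAL_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
access-list store_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
"""
FIXED_CONFIG = ORIGINAL_CONFIG + "nat (store) 0 access-list store_nat0_outbound\n"

# Pre-8.3 syntax only; SRC/DST are 'any' or 'ADDR MASK'. Other lines are ignored.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def _network(token):
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()  # ipaddress accepts dotted netmasks
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return (ACEs per ACL name, nat 0 ACL bound to each interface)."""
    aces, nat0 = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append((_network(m.group(2)), _network(m.group(3))))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return aces, nat0

def pool_exempt_on(config, iface, pool_first, pool_last):
    """True if the nat 0 ACL bound to iface has an ACE whose src or dst covers the whole pool."""
    aces, nat0 = parse(config)
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    for src, dst in aces.get(nat0.get(iface, ""), []):
        # Either direction counts: the thread's last reply needed the reverse (pool -> LAN) ACE.
        if any(first in net and last in net for net in (src, dst)):
            return True
    return False

def missing_exemptions(config, interfaces, pool_first, pool_last):
    """Interfaces VPN clients should reach that have no nat 0 exemption covering the pool."""
    return [i for i in interfaces if not pool_exempt_on(config, i, pool_first, pool_last)]

if __name__ == "__main__":
    print(missing_exemptions(ORIGINAL_CONFIG, ["inside", "store"], "192.168.100.1", "192.168.100.10"))
```

Run against the original lines it reports `['store']`; with the `nat (store) 0` binding added it reports nothing, which is the state the thread's replies describe as working.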