ASA 5505 issues, routing I guess..

Posted on 2007-11-29
Last Modified: 2013-11-16
I have these really annoying issues with an ASA5505.
When I connect using the Cisco VPN client I can access the internal network and Lan2Lan networks but not the internet.
When I connect to WebVPN I can not access any sites.
I found that the problems must be routing related, and that theory is somewhat proven: if I add a default tunneling route, WebVPN access will work, but the route will break the VPN clients' Lan2Lan network access. Sure, this could be solved by using another box as a router, but why would I buy a firewall/gateway/VPN thing if it can't route?
So is there a magic setting somewhere in ASDM that says don't route packets going to either local or Lan2Lan networks (I do have exempt rules for these networks)?
If I try to ping one of the Lan2Lan networks from the ASDM ping util it will fail and a route error is logged (cannot find next hop), but the hosts on the LAN have no problem accessing the remote network, so it does work; the ASA box just doesn't know how to reach it.
Apart from the route error, the debug logs show nothing except build and teardown connections.
Question by:maho01
4 Comments
 
LVL 28

Accepted Solution

by: batry_boy earned 2000 total points
ID: 20374969
>>When I connect using the cisco VP client I can access internal network and Lan2Lan networks but not the internet.

You will need to either:

1) Implement split tunneling so that you specifically define the traffic you want sent down the tunnel and then everything else goes straight out your local network connection.  In other words, if your internal network behind the ASA is 192.168.10.0/24, for example, then you would set up your VPN configuration to send only traffic destined for 192.168.10.x down the tunnel.  Here is a URL on how to do that for PIX/ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

2) Implement hairpin traffic flows such that you are allowed to send traffic down the tunnel and then when the ASA realizes that the destination exists on the Internet, it will perform a hairpin turn on that traffic and send it back out to the Internet on the ASA's outside interface.  Here is how to allow "intra interface" traffic on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnsysop.html#wp1042114

You don't necessarily need a tunnel default gateway to get the WebVPN to work, but you will need to put in some static routes so that the ASA knows how to get to all the internal subnets that you have on your corporate network.  Basically, you will need a route for any host that you have configured for access from the WebVPN page.  For example, if you reference 5 hosts in your WebVPN page such as:

192.168.2.16
192.168.3.5
192.168.14.5
192.168.12.33
192.168.10.123

You will need route statements for all of these subnets that point to the next hop gateway (router) on your internal network.  So if you have a core router at 192.168.1.254 (your ASA's inside interface needs to be on the same subnet as the interface you use for your route statements), then you might have something like this for your static routes:

route inside 192.168.0.0 255.255.0.0 192.168.1.254

This would cover all of the 192.168.x.x networks.  The traffic for any host on the 192.168.1.x segment in this example would be handled via ARP since the ASA's inside interface is directly connected to this network...
0
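As an added illustration (not batry_boy's own configuration, and not taken from the asker's ASA), here is what the two options and the static-route advice above look like in pre-8.3 ASA syntax. The addressing (192.168.10.0/24 inside, 192.168.20.0/24 behind the Lan2Lan peer, 192.168.100.0/24 for the VPN client pool, a core router at 192.168.10.254) and the object names are assumptions made for the example.

```text
! --- Assumed addressing (constructed for this example) ---
! inside LAN:             192.168.10.0/24 (ASA inside interface 192.168.10.1)
! remote Lan2Lan site:    192.168.20.0/24 (reached through the L2L tunnel)
! remote-access VPN pool: 192.168.100.0/24
ip local pool VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! NAT exemption so inside <-> VPN client and inside <-> L2L traffic is not
! translated on the way into a tunnel (the "exempt rules" from the question).
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Option 1: split tunneling. Only the inside and L2L subnets go down the
! tunnel; everything else (the Internet) leaves the client's own connection.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group RA_USERS type ipsec-ra
tunnel-group RA_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! Option 2: full tunnel with a hairpin (U-turn) on the outside interface.
! Client traffic that is not bound for an inside or L2L subnet is allowed
! back out the interface it arrived on and is PAT'd to the outside address;
! without the nat/global pair for the pool the hairpinned packets are dropped.
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.100.0 255.255.255.0

! Static route for an extra internal subnet behind the core router. Hosts on
! 192.168.10.0/24 itself are directly connected and reached by ARP. Do not
! let such a route cover the L2L subnet: 192.168.20.0/24 must keep following
! the default route toward outside so the crypto map can pick it up.
route inside 192.168.11.0 255.255.255.0 192.168.10.254
```

Only one of the two options is needed; with split tunneling in place the hairpin lines are unnecessary for Internet access.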
 
LVL 1

Author Comment

by:maho01
ID: 20401902
The internet access for connecting VPN clients had a quite embarrassing solution, it works better if you enable NAT for the IP range used by connecting clients..

I just reset the configuration so I have not tried WebVPN yet, however I don't really understand how to set the routes, my ASA is the only local router and the WebVPN targets are located at another site. The ASA does not have any routes to these sites since it by some magic knows that traffic to hosts in other sites should be tunneled, however no one seems to tell WebVPN to tunnel that traffic. So how do I make WebVPN understand that it should send traffic through the tunnels?
0
 
LVL 1

Author Comment

by:maho01
ID: 20426221
Just to let anyone that might care know, there is an enhancement request for this called CSCsc51918, with the title "Allow Clientless WebVPN to U-turn for service access through a L2L".

So WebVPN currently does not allow connections to web sites hosted on another site connected through lan2lan.
0
 
LVL 1

Author Comment

by:maho01
ID: 20426229
And what I forgot in my last post: to make WebVPN access a web site in a remote location, add a router on the LAN where the WebVPN lives and just set routes to that router, which has the ASA as its default route, and WebVPN should be able to access the website.
0
