Solved

I need to add for our VPN clients a secure route to one of our networks

Posted on 2008-10-08
2,151 Views
Last Modified: 2010-04-21
Dear experts:

I need to enter routes for our VPN client sessions.

We have a p2p connection with a remote office. We can connect with no problems between offices.

See, when I connect from, let's say, office A via VPN client, I can connect to office B with no problems.
I need to do the same now from office B via Cisco VPN Client connecting to office A.

I see that I need to add secure routes on my VPN client for sessions office B.

When I am connected via VPN client to office A, I can see in my tunnel statistics all the routes to all the networks I need to connect to.

When I am connected via VPN client to office B, I only see the routes for network B. I need to add the routes to network A.

The difference between the two offices is that office A has a VPN concentrator and office B has an ASA 5505.

I am going to paste some of the configuration of the ASA 5505.

The A network is 172.16.0.0 and the B network is 10.2.0.0

Thanks! M

hostname Network B
domain-name blah blah
enable password uxjOBquo8dFnKLVb encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.99.10 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
 ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network Phones
 network-object 10.2.101.0 255.255.255.0
object-group network Wireless
 network-object 10.2.2.0 255.255.255.0
object-group network Wireless2
 network-object 10.2.102.0 255.255.255.0
object-group service rdp tcp
 port-object range 3388 3389
object-group network NYoffice
 description Connection for the VPN client to New york office
 network-object 172.16.0.0 255.255.0.0
access-list inside_nat_outbound extended permit ip 10.2.0.0 255.255.0.0 interface inside
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.1.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.2.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.99.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any 172.16.0.0 255.255.0.0
access-list TPGVPN2_splitTunnelAcl standard permit 10.2.99.0 255.255.255.0
access-list LIVPN_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list inside_access_out extended permit ip any 172.16.0.0 255.255.0.0
access-list inside_access_out extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
logging host inside 172.16.5.29
mtu inside 1500
mtu outside 1500
mtu Public-Wireless 1500
ip local pool VPN-Pool 10.2.250.50-10.2.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any echo inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route inside 10.2.0.0 255.255.0.0 10.2.99.1 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.2.250.0 255.255.255.0 outside
http x.x.x.x.x 255.255.255.255 outside
http 172.16.0.0 255.255.0.0 inside
sinkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet x.x.x.x.x x.x.x.x outside
telnet timeout 5
ssh 10.2.0.0 255.255.0.0 inside
ssh 172.16.11.0 255.255.255.0 inside
ssh 172.16.5.0 255.255.255.0 inside
ssh x.x.x.x.x. 255.255.255.255 outside
ssh 10.2.250.0 255.255.255.0 outside
ssh 68.173.0.233 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config inside vpnclient-wins-override
!
dhcpd dns 10.2.99.x x.x.x.x.x interface inside
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy LIVPN internal
group-policy LIVPN attributes
 dns-server value 10.2.99.x 207.172.3.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
username admin password ei0NpACRsMnfQvBF encrypted privilege 15
username marcelo attributes xxxxxx 15
 vpn-framed-ip-address 10.2.99.50 255.255.255.0
tunnel-group LIVPN type ipsec-ra
tunnel-group LIVPN general-attributes
 address-pool VPN-Pool
 authorization-server-group LOCAL
 default-group-policy LIVPN
 authorization-required
tunnel-group LIVPN ipsec-attributes
 pre-shared-key *

Question by: marceloNYC

Accepted Solution by: Jay_Gridley (LVL 8, earned 250 total points)
To add the extra network to the list of protected networks for the VPN client you need to add the network to your split tunnel access-list:
access-list LIVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

You might need to also add the network to your NAT0 access-list.
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.250.0 255.255.255.128

That should do the trick.
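An added check, not from the thread, that audits the two conditions the accepted answer names against a constructed excerpt modelled on the posted config: the group policy's split-tunnel ACL must push a route for the target network, and the NAT-exemption ACL must cover traffic between that network and the client pool. The excerpt, the function names and the `FIX` lines appended to it are assumptions made for the example.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA config in the question (not the full paste).
ASA_BEFORE = """\
access-list LIVPN_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.250.0 255.255.255.128
ip local pool VPN-Pool 10.2.250.50-10.2.250.100 mask 255.255.255.0
group-policy LIVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
"""
# The two lines from the accepted answer, appended to the excerpt above.
FIX = ("access-list LIVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0\n"
       "access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 "
       "10.2.250.0 255.255.255.128\n")
ASA_AFTER = ASA_BEFORE + FIX

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def split_tunnel_networks(cfg, policy):
    """Networks the ASA pushes as secure routes to clients of group-policy `policy`."""
    acl, in_policy = None, False
    for line in cfg.splitlines():
        if line.startswith(f"group-policy {policy} attributes"):
            in_policy = True
        elif in_policy and line.startswith(" split-tunnel-network-list value "):
            acl = line.split()[-1]
        elif not line.startswith(" "):
            in_policy = False
    return [_net(m[1], m[2]) for line in cfg.splitlines()
            if (m := re.match(rf"access-list {acl} standard permit (\S+) (\S+)$", line))]

def vpn_pool(cfg, name):
    """The client address pool `name` as a list of CIDR blocks."""
    for line in cfg.splitlines():
        if m := re.match(rf"ip local pool {name} (\S+)-(\S+) ", line):
            return list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
    return []

def nat0_exempt(cfg, acl, src, dst):
    """True if one entry of NAT-exemption ACL `acl` covers all of src -> dst."""
    pat = rf"access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    return any(src.subnet_of(_net(m[1], m[2])) and dst.subnet_of(_net(m[3], m[4]))
               for line in cfg.splitlines() if (m := re.match(pat, line)))

def client_can_reach(cfg, policy, nat0_acl, pool, target):
    """Both conditions from the answer: a route is pushed AND the inside->pool path is NAT-exempt."""
    target = ipaddress.ip_network(target)
    routed = any(target.subnet_of(n) for n in split_tunnel_networks(cfg, policy))
    pool_nets = vpn_pool(cfg, pool)
    exempt = bool(pool_nets) and all(nat0_exempt(cfg, nat0_acl, target, p) for p in pool_nets)
    return routed and exempt
```

Run against the excerpt before and after the fix, 172.16.5.0/24 only becomes reachable once both lines are present; 10.2.99.0/24 stays unreachable in this excerpt because it is routed but not NAT-exempt, which is the second half of the answer.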
Author Closing Comment by: marceloNYC

Just excellent!!!! Thanks so much!
