Solved

I need to add for our VPN clients a secure route to one of our networks

Posted on 2008-10-08
Last Modified: 2010-04-21
Dear experts:

I need to enter routes for our VPN client sessions.

We have a p2p connection with a remote office. We can connect with no problems between offices.

See, when I connect from, let's say, office A via VPN client, I can connect to office B with no problems.
I need to do the same now from office B via Cisco VPN Client connecting to office A.

I see that I need to add secure routes on my VPN client for office B sessions.

When I am connected via VPN client to office A, I can see in my tunnel statistics all the routes to all the networks I need to connect to.

When I am connected via VPN client to office B, I only see the routes for network B. I need to add the routes to network A.

The difference between the two offices is that office A has a VPN concentrator and office B has an ASA 5505.

I am going to paste some of the configuration of the ASA 5505.

The A network is 172.16.0.0 and the B network is 10.2.0.0.

Thanks! M

hostname Network B
domain-name blah blah
enable password uxjOBquo8dFnKLVb encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.99.10 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
 ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network Phones
 network-object 10.2.101.0 255.255.255.0
object-group network Wireless
 network-object 10.2.2.0 255.255.255.0
object-group network Wireless2
 network-object 10.2.102.0 255.255.255.0
object-group service rdp tcp
 port-object range 3388 3389
object-group network NYoffice
 description Connection for the VPN client to New york office
 network-object 172.16.0.0 255.255.0.0
access-list inside_nat_outbound extended permit ip 10.2.0.0 255.255.0.0 interface inside
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.1.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.2.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.99.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any 172.16.0.0 255.255.0.0
access-list TPGVPN2_splitTunnelAcl standard permit 10.2.99.0 255.255.255.0
access-list LIVPN_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list inside_access_out extended permit ip any 172.16.0.0 255.255.0.0
access-list inside_access_out extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
logging host inside 172.16.5.29
mtu inside 1500
mtu outside 1500
mtu Public-Wireless 1500
ip local pool VPN-Pool 10.2.250.50-10.2.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any echo inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route inside 10.2.0.0 255.255.0.0 10.2.99.1 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.2.250.0 255.255.255.0 outside
http x.x.x.x.x 255.255.255.255 outside
http 172.16.0.0 255.255.0.0 inside
sinkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet x.x.x.x.x x.x.x.x outside
telnet timeout 5
ssh 10.2.0.0 255.255.0.0 inside
ssh 172.16.11.0 255.255.255.0 inside
ssh 172.16.5.0 255.255.255.0 inside
ssh x.x.x.x.x. 255.255.255.255 outside
ssh 10.2.250.0 255.255.255.0 outside
ssh 68.173.0.233 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config inside vpnclient-wins-override
!
dhcpd dns 10.2.99.x x.x.x.x.x interface inside
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy LIVPN internal
group-policy LIVPN attributes
 dns-server value 10.2.99.x 207.172.3.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
username admin password ei0NpACRsMnfQvBF encrypted privilege 15
username marcelo attributes xxxxxx 15
 vpn-framed-ip-address 10.2.99.50 255.255.255.0
tunnel-group LIVPN type ipsec-ra
tunnel-group LIVPN general-attributes
 address-pool VPN-Pool
 authorization-server-group LOCAL
 default-group-policy LIVPN
 authorization-required
tunnel-group LIVPN ipsec-attributes
 pre-shared-key *

Question by:marceloNYC

Accepted Solution by: Jay_Gridley (earned 250 total points), ID: 22676514
To add the extra network to the list of protected networks for the VPN client you need to add the network to your split tunnel access-list:
access-list LIVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

You might also need to add the network to your NAT0 access-list.
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.250.0 255.255.255.128

That should do the trick.
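As an added example (not part of the question or the accepted answer), a small Python checker that follows the tunnel-group → default-group-policy → split-tunnel ACL chain of an ASA config the same way the ASA does when it builds a client's secure-route list, and then flags any pushed route that has no matching nat0 exemption towards the VPN address pool. The config excerpt is constructed from the one posted above; the ACL and pool names (inside_nat0_outbound, LIVPN_splitTunnelAcl, VPN-Pool) are taken from it, and the two fix lines are the ones the answer proposes.

```python
import re
import ipaddress

# Constructed excerpt modelled on the ASA 5505 config in the question (not the full config).
BASE = """\
access-list inside_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list LIVPN_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
ip local pool VPN-Pool 10.2.250.50-10.2.250.100 mask 255.255.255.0
group-policy LIVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
tunnel-group LIVPN general-attributes
 address-pool VPN-Pool
 default-group-policy LIVPN
"""
# The two lines the accepted answer proposes, kept separate so each can be checked on its own.
SPLIT_FIX = "access-list LIVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0\n"
NAT0_FIX = ("access-list inside_nat0_outbound extended permit ip "
            "172.16.0.0 255.255.0.0 10.2.250.0 255.255.255.128\n")

def _attrs(config, header):
    """Map first word -> last word for the indented lines that follow a section header."""
    lines, out = config.splitlines(), {}
    for line in (lines[lines.index(header) + 1:] if header in lines else []):
        if not line.startswith(" "):
            break  # next top-level command ends the section
        out[line.split()[0]] = line.split()[-1]
    return out

def secure_routes(config, tunnel_group):
    """Networks the ASA pushes to tunnel_group clients as secure routes (None = tunnelall)."""
    tg = _attrs(config, f"tunnel-group {tunnel_group} general-attributes")
    gp = _attrs(config, f"group-policy {tg['default-group-policy']} attributes")
    if gp.get("split-tunnel-policy") != "tunnelspecified":
        return None  # client sends everything through the tunnel; no per-network routes
    pat = rf"^access-list {re.escape(gp['split-tunnel-network-list'])} standard permit (\S+) (\S+)$"
    return [ipaddress.ip_network(f"{n}/{m}") for n, m in re.findall(pat, config, re.M)]

def missing_nat0(config, tunnel_group):
    """Secure routes that have no nat0 (NAT-exempt) entry from that network to the VPN pool."""
    tg = _attrs(config, f"tunnel-group {tunnel_group} general-attributes")
    lo, hi = re.search(rf"^ip local pool {re.escape(tg['address-pool'])} (\S+)-(\S+) ", config, re.M).groups()
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    nat0 = r"^access-list inside_nat0_outbound extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    exempt = [ipaddress.ip_network(f"{s}/{sm}") for s, sm, d, dm in re.findall(nat0, config, re.M)
              if lo in ipaddress.ip_network(f"{d}/{dm}") and hi in ipaddress.ip_network(f"{d}/{dm}")]
    return [r for r in (secure_routes(config, tunnel_group) or []) if not any(r.overlaps(e) for e in exempt)]
```

Running `missing_nat0(BASE + SPLIT_FIX, "LIVPN")` shows why the answer's second line matters: the route to 172.16.0.0/16 is pushed to the client, but without the nat0 entry the return traffic would be translated.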
 

Author Closing Comment

by:marceloNYC
ID: 31504355
Just excellent!!!! Thanks so much!
