Solved

I need to add for our VPN clients a secure route to one of our networks

Posted on 2008-10-08
2,312 Views
Last Modified: 2010-04-21
Dear experts:

I need to enter routes for our VPN client sessions.

We have a p2p connection with a remote office. We can connect with no problems between offices.

See, when I connect from, let's say, office A via VPN client, I can connect to office B with no problems.
I need to do the same now from office B via Cisco VPN Client connecting to office A.

I see that I need to add secure routes on my VPN client for sessions office B.

When I am connected via VPN client to office A, I can see in my tunnel statistics all the routes to all the networks I need to connect to.

When I am connected via VPN client to office B, I only see the routes for network B. I need to add the routes to network A.

The difference between the two offices is that office A has a VPN concentrator and office B has an ASA 5505.

I am going to paste some of the configuration of the ASA 5505.

The A network is 172.16.0.0 and the B network is 10.2.0.0.

Thanks! M

hostname Network B
domain-name blah blah
enable password uxjOBquo8dFnKLVb encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.99.10 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
 ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network Phones
 network-object 10.2.101.0 255.255.255.0
object-group network Wireless
 network-object 10.2.2.0 255.255.255.0
object-group network Wireless2
 network-object 10.2.102.0 255.255.255.0
object-group service rdp tcp
 port-object range 3388 3389
object-group network NYoffice
 description Connection for the VPN client to New york office
 network-object 172.16.0.0 255.255.0.0
access-list inside_nat_outbound extended permit ip 10.2.0.0 255.255.0.0 interface inside
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.1.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.2.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.99.0 255.255.255.0
access-list TPG-VPN_splitTunnelAcl standard permit 10.2.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any 172.16.0.0 255.255.0.0
access-list TPGVPN2_splitTunnelAcl standard permit 10.2.99.0 255.255.255.0
access-list LIVPN_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list inside_access_out extended permit ip any 172.16.0.0 255.255.0.0
access-list inside_access_out extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
logging host inside 172.16.5.29
mtu inside 1500
mtu outside 1500
mtu Public-Wireless 1500
ip local pool VPN-Pool 10.2.250.50-10.2.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any echo inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route inside 10.2.0.0 255.255.0.0 10.2.99.1 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.2.250.0 255.255.255.0 outside
http x.x.x.x 255.255.255.255 outside
http 172.16.0.0 255.255.0.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet x.x.x.x x.x.x.x outside
telnet timeout 5
ssh 10.2.0.0 255.255.0.0 inside
ssh 172.16.11.0 255.255.255.0 inside
ssh 172.16.5.0 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh 10.2.250.0 255.255.255.0 outside
ssh 68.173.0.233 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config inside vpnclient-wins-override
!
dhcpd dns 10.2.99.x x.x.x.x interface inside
!
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy LIVPN internal
group-policy LIVPN attributes
 dns-server value 10.2.99.x 207.172.3.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
username admin password ei0NpACRsMnfQvBF encrypted privilege 15
username marcelo attributes xxxxxx 15
 vpn-framed-ip-address 10.2.99.50 255.255.255.0
tunnel-group LIVPN type ipsec-ra
tunnel-group LIVPN general-attributes
 address-pool VPN-Pool
 authorization-server-group LOCAL
 default-group-policy LIVPN
 authorization-required
tunnel-group LIVPN ipsec-attributes
 pre-shared-key *

Question by: marceloNYC
2 Comments
 
Accepted Solution by: Jay_Gridley (LVL 8, earned 250 total points), ID: 22676514
To add the extra network to the list of protected networks for the VPN client you need to add the network to your split tunnel access-list:
access-list LIVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

You might need to also add the network to your NAT0 access-list.
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.250.0 255.255.255.128

That should do the trick.
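The accepted answer's two lines are the whole fix, but it is easy to get one half of it right and forget the other: a network in the split-tunnel ACL becomes a secure route on the VPN client, yet traffic between that network and the client pool is still translated unless a nat 0 entry covers it. The script below is an added example, not code from the original post or from Cisco. It parses a trimmed, constructed copy of the LIVPN-related lines from the posted config (before and after the answer's two lines), lists the secure routes the ASA would push for tunnel-group LIVPN, and reports for each one whether a nat 0 entry exempts it toward the VPN-Pool range. The function and variable names are this example's own.

```python
"""Audit the secure routes an ASA pushes to IPsec remote-access clients.

Added example, not code from the original post or from Cisco.  The ASA turns
every network in the group-policy's split-tunnel ACL into a secure route on the
VPN client, and traffic between those networks and the client pool must also be
exempt from NAT (nat 0 access-list), which is the second line the accepted
answer adds.  This script parses a trimmed ASA 7.x/8.0-style running-config and
reports, per tunnel-group, which networks the client will receive and whether
each one has a matching nat 0 entry toward the address pool.
"""
import ipaddress
import re

# Constructed sample: only the LIVPN-related lines from the post.
ASA_BEFORE = """\
access-list LIVPN_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.2.250.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.250.0 255.255.255.128
ip local pool VPN-Pool 10.2.250.50-10.2.250.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy LIVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
tunnel-group LIVPN general-attributes
 address-pool VPN-Pool
 default-group-policy LIVPN
"""

# The same config plus the two lines from the accepted answer.
ASA_AFTER = ASA_BEFORE + """\
access-list LIVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.250.0 255.255.255.128
"""

Q = r"(\d+(?:\.\d+){3})"  # one dotted-quad token


def net(addr, mask):
    """'10.2.0.0', '255.255.0.0' -> IPv4Network('10.2.0.0/16')."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Pull out just the objects this audit needs; everything else is ignored."""
    cfg = {"std_acl": {}, "ext_acl": {}, "nat0": set(), "pool": {},
           "policy": {}, "group": {}}
    ctx = None  # attributes of the group-policy / tunnel-group block being read
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            ctx = None  # only indented lines belong to the last block header
        if m := re.match(rf"access-list (\S+) standard permit {Q} {Q}$", line):
            cfg["std_acl"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.match(rf"access-list (\S+) extended permit ip {Q} {Q} {Q} {Q}$", line):
            cfg["ext_acl"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(rf"ip local pool (\S+) {Q}-{Q} mask", line):
            cfg["pool"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"].add(m[2])
        elif m := re.match(r"(group-policy|tunnel-group) (\S+) (attributes|general-attributes)$", line):
            kind = "policy" if m[1] == "group-policy" else "group"
            ctx = cfg[kind].setdefault(m[2], {})
        elif ctx is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            ctx[key] = value.replace("value ", "", 1)
    return cfg


def client_routes(cfg, group):
    """Networks the ASA pushes to a client of this tunnel-group as secure routes."""
    policy = cfg["policy"][cfg["group"][group]["default-group-policy"]]
    # Assumption: an unset policy inherits tunnelall, as DfltGrpPolicy does in the post.
    mode = policy.get("split-tunnel-policy", "tunnelall")
    if mode == "tunnelall":
        return [ipaddress.IPv4Network("0.0.0.0/0")]  # everything goes through the tunnel
    if mode != "tunnelspecified":
        raise ValueError(f"split-tunnel-policy {mode} is not modelled here")
    return list(cfg["std_acl"].get(policy["split-tunnel-network-list"], []))


def nat0_status(cfg, group):
    """Per pushed network: 'full', 'partial' or 'none' NAT exemption toward the pool."""
    first, last = cfg["pool"][cfg["group"][group]["address-pool"]]
    # Only nat 0 entries whose destination holds the whole pool count.
    sources = [src for acl in cfg["nat0"] for src, dst in cfg["ext_acl"].get(acl, [])
               if first in dst and last in dst]
    status = {}
    for n in client_routes(cfg, group):
        hits = [s for s in sources if s.overlaps(n)]
        status[str(n)] = ("full" if any(n.subnet_of(s) for s in hits)
                          else "partial" if hits else "none")
    return status


if __name__ == "__main__":
    for label, text in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        cfg = parse_asa(text)
        print(label, [str(n) for n in client_routes(cfg, "LIVPN")], nat0_status(cfg, "LIVPN"))
```

Before the fix the client receives only 10.2.0.0/16; after it the script lists 172.16.0.0/16 as a second secure route with a full nat 0 exemption toward the pool. The "partial" verdict on 10.2.0.0/16 just records that only 10.2.1.0/24 and 10.2.2.0/24 are exempted; whether the remaining subnets need an entry depends on whether the dynamic rule (nat (inside) 1 with inside_nat_outbound) would otherwise translate them, so compare against that ACL rather than adding exemptions blindly. On the ASA itself, show running-config access-list LIVPN_splitTunnelAcl confirms the pushed list, the client's tunnel statistics show the resulting secure routes after a reconnect, and connections that existed before a nat 0 change may need clear xlate before they pick up the exemption.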
Author Closing Comment by: marceloNYC, ID: 31504355
Just excellent!!!! Thanks so much!