I need to add for our VPN clients a secure route to one of our networks

Posted on 2008-10-08
Medium Priority
Last Modified: 2010-04-21
Dear experts:

I need to enter routes for our VPN client sessions.

We have a p2p connection with a remote office. We can connect with no problems between offices.

See, when I connect from, let's say, office A via VPN client, I can connect to office B with no problems.
I need to do the same now from office B via Cisco VPN Client connecting to office A.

I see that I need to add secure routes on my VPN client for sessions office B.

When I am connected VPN client to office A, I can see in my tunnel statistic all the routes to all the networks I need to connect to.

When I am connected by VPN client to office B, I only see the routes for network B. I need to add the routes to network A.

The difference between the two offices is that office A has a VPN concentrator and office B has an ASA 5505.

I am going to paste some of the configuration of the ASA 5505.

The A network is and the B network is

Thanks! M

hostname Network B
domain-name blah blah
enable password uxjOBquo8dFnKLVb encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x
 ospf cost 10
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network Phones
object-group network Wireless
object-group network Wireless2
object-group service rdp tcp
 port-object range 3388 3389
object-group network NYoffice
 description Connection for the VPN client to New york office
access-list inside_nat_outbound extended permit ip interface inside
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list TPG-VPN_splitTunnelAcl standard permit
access-list TPG-VPN_splitTunnelAcl standard permit
access-list TPG-VPN_splitTunnelAcl standard permit
access-list TPG-VPN_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip
access-list inside_access_in extended permit icmp any
access-list TPGVPN2_splitTunnelAcl standard permit
access-list LIVPN_splitTunnelAcl standard permit
access-list inside_access_out extended permit ip any
access-list inside_access_out extended permit ip
pager lines 24
logging enable
logging asdm informational
logging host inside
mtu inside 1500
mtu outside 1500
mtu Public-Wireless 1500
ip local pool VPN-Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any echo inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route inside 1
route outside x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http outside
http x.x.x.x.x outside
http inside
sinkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet x.x.x.x.x x.x.x.x outside
telnet timeout 5
ssh inside
ssh inside
ssh inside
ssh x.x.x.x.x. outside
ssh outside
ssh outside
ssh outside
ssh timeout 30
console timeout 0
dhcpd auto_config inside vpnclient-wins-override
dhcpd dns 10.2.99.x x.x.x.x.x interface inside
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
 customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy LIVPN internal
group-policy LIVPN attributes
 dns-server value 10.2.99.x
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
username admin password ei0NpACRsMnfQvBF encrypted privilege 15
username marcelo attributes xxxxxx 15
tunnel-group LIVPN type ipsec-ra
tunnel-group LIVPN general-attributes
 address-pool VPN-Pool
 authorization-server-group LOCAL
 default-group-policy LIVPN
tunnel-group LIVPN ipsec-attributes
 pre-shared-key *

Question by:marceloNYC
Accepted Solution

Jay_Gridley earned 1000 total points
ID: 22676514
To add the extra network to the list of protected networks for the VPN client you need to add the network to your split tunnel access-list:
access-list LIVPN_splitTunnelAcl standard permit

You might need to also add the network to your NAT0 access-list.
access-list inside_nat0_outbound extended permit ip

That should do the trick.
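The two lines above are the whole fix, but it is easy to add the network to the split-tunnel list and forget the matching NAT-exempt entry, which leaves the client with a secured route whose return traffic still gets translated. The following script is an added example, not part of Jay_Gridley's answer or the asker's configuration: it parses the relevant ASA 7.x/8.0 lines (address pool, standard split-tunnel ACL, the ACL bound by "nat (inside) 0", and the group policy), reports every split-tunnel network that has no nat0 entry towards the VPN pool, and generates the missing "access-list ... extended permit ip" lines. The embedded config is constructed with placeholder networks (10.20.0.0/16 standing in for network B, 10.10.0.0/16 for network A, 192.0.2.0/24 for the VPN pool); the asker's real addresses are not on the page.

```python
import ipaddress
import re

# Constructed sample of the relevant ASA lines (placeholder networks, not the
# asker's real addresses): the VPN address pool, the split-tunnel ACL the Cisco
# VPN Client receives as its list of secured routes, the NAT-exempt ACL bound
# by "nat (inside) 0", and the group policy that ties them together.
# Network A (10.10.0.0/16) is deliberately missing from the nat0 ACL.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 192.0.2.10-192.0.2.50 mask 255.255.255.0
access-list LIVPN_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list LIVPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy LIVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIVPN_splitTunnelAcl
"""

ACL_STD = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
ACL_EXT = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_LIST = re.compile(r"^\s*split-tunnel-network-list value (\S+)$")


def to_net(addr, mask):
    """'10.10.0.0', '255.255.0.0' -> IPv4Network('10.10.0.0/16')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect only the objects the check needs; every other line is ignored."""
    cfg = {"std": {}, "ext": {}, "pools": {}, "nat0": {}, "split_lists": []}
    for line in text.splitlines():
        if m := ACL_STD.match(line):
            cfg["std"].setdefault(m[1], []).append(to_net(m[2], m[3]))
        elif m := ACL_EXT.match(line):
            cfg["ext"].setdefault(m[1], []).append((to_net(m[2], m[3]), to_net(m[4], m[5])))
        elif m := POOL.match(line):
            # The pool's subnet is what the nat0 ACL must name as destination.
            cfg["pools"][m[1]] = to_net(m[2], m[4])
        elif m := NAT0.match(line):
            cfg["nat0"][m[1]] = m[2]  # interface name -> ACL name
        elif m := SPLIT_LIST.match(line):
            cfg["split_lists"].append(m[1])
    return cfg


def find_gaps(text, interface="inside"):
    """Return split-tunnel networks with no nat0 entry towards any VPN pool.

    Clients get a secured route for each of these, but traffic between the
    inside network and the pool would fall through to the regular NAT rule on
    that interface and be translated, so the session breaks.
    Returns CIDR strings in configuration order.
    """
    cfg = parse_config(text)
    exempt = cfg["ext"].get(cfg["nat0"].get(interface, ""), [])
    gaps = []
    for acl in cfg["split_lists"]:
        for net in cfg["std"].get(acl, []):
            covered = any(
                net.subnet_of(src) and pool.subnet_of(dst)
                for src, dst in exempt
                for pool in cfg["pools"].values()
            )
            if not covered:
                gaps.append(str(net))
    return gaps


def nat_exempt_lines(text, interface="inside", acl="inside_nat0_outbound"):
    """Build the missing 'access-list ... extended permit ip' lines for the gaps."""
    cfg = parse_config(text)
    lines = []
    for gap in find_gaps(text, interface):
        src = ipaddress.ip_network(gap).with_netmask.replace("/", " ")
        for pool in cfg["pools"].values():
            dst = pool.with_netmask.replace("/", " ")
            lines.append(f"access-list {acl} extended permit ip {src} {dst}")
    return lines


if __name__ == "__main__":
    print("split-tunnel networks without NAT exemption:", find_gaps(SAMPLE_CONFIG))
    for line in nat_exempt_lines(SAMPLE_CONFIG):
        print(line)
```

Run it against a "show running-config" saved to a file by replacing SAMPLE_CONFIG with the file contents; the generated line is exactly the second command in the answer, with the network and pool filled in. Note that this only checks NAT exemption: the ASA still needs a route to the far network (the "route inside" statement in the posted config) and any interface ACL must permit the traffic.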

Author Closing Comment

ID: 31504355
Just excellent!!!! Thanks so much!
