Solved

Routing Subnets While Using Cisco AnyConnect VPN

Posted on 2009-02-16
5,081 Views
Last Modified: 2012-08-14
I have recently set up VPN on our network with a 5520 ASA using AnyConnect version 2.3.0254.  I am using split tunnelling.  The inside interface of the ASA is on 192.168.8.6.  Using AnyConnect to VPN from outside the network, I can get to anything on 192.168.8.x, but I can't get to anything on any of our other subnets - for the purposes of this question I'll use 192.168.10.x as an example.  We have a Cisco Catalyst L3 switch (192.168.8.29) which acts as a gateway to route traffic between the subnets.  I have static routes on the ASA put in for each of our subnets pointing to 192.168.8.29, and I have included 192.168.10.0 in the networks to be routed through the VPN tunnel, but I can't seem to access anything on 10.x when connected to the VPN.  I can successfully ping 192.168.10.0 addresses from the ASA directly.  Here's an example of the message I receive in the log when I try to connect to a 10.x address from VPN:  'No translation group found for udp src outside: 192.168.8.251/62888 dst inside: 192.168.10.31/389'.  My VPN IP pool is from 8.251-254.  I can't seem to figure out what I am missing to get this to work.  I have posted the config of the 5520 ASA.  Thanks!
ASA Version 8.0(4) 
!
hostname ptcasa
domain-name xxx.com
enable password encrypted
passwd encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240 
!
interface GigabitEthernet0/0.1
 no vlan
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.8.6 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit inter-interface
object-group icmp-type Good-ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group Good-ICMP 
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.8.248 255.255.255.248 
access-list WWVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.254.0 
access-list WWVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0 
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNTest 192.168.8.251-192.168.8.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.9.0 255.255.255.0 192.168.8.29 1
route inside 192.168.10.0 255.255.254.0 192.168.8.29 1
route inside 192.168.12.0 255.255.254.0 192.168.8.29 1
route inside 192.168.14.0 255.255.254.0 192.168.8.29 1
route inside 192.168.16.0 255.255.254.0 192.168.8.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server WWDC4 protocol radius
aaa-server WWDC4 (inside) host 192.168.8.33
 timeout 5
 key xxxxxxxxxxxxxxxxxxxxx
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 192.168.8.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.8.33 source inside prefer
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy WWVPN internal
group-policy WWVPN attributes
 wins-server value 192.168.8.33 192.168.8.22
 dns-server value 192.168.8.33 192.168.8.22
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WWVPN_splitTunnelAcl
 default-domain value xxx.com
 webvpn
  url-list value WW
  svc ask none default svc
group-policy DfltGrpPolicy attributes
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Test disable
tunnel-group WWVPN type remote-access
tunnel-group WWVPN general-attributes
 address-pool VPNTest
 authentication-server-group WWDC4
 default-group-policy WWVPN
tunnel-group WWVPN webvpn-attributes
 group-alias WWVPN enable
tunnel-group WWVPN ipsec-attributes
 pre-shared-key *
tunnel-group WWVPN2 type remote-access
tunnel-group WWVPN2 general-attributes
 address-pool VPNTest
 authentication-server-group WWDC4
 default-group-policy WWVPN
tunnel-group WWVPN2 webvpn-attributes
 group-alias WWVPN2 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:c315a3869e070d2c50fa28ce32bea064
: end
asdm image disk0:/asdm-613.bin
asdm location 192.168.8.248 255.255.255.248 inside
no asdm history enable

Question by: hachemp
Accepted Solution

by: lrmoore earned 2000 total points
ID: 23659431
Add:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.8.248 255.255.255.248
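As an added illustration (not code from the thread, from Cisco, or from either poster), the following Python model walks the flows from the question through the two access lists that govern them: the NAT-exemption list `inside_nat0_outbound` and the split-tunnel list `WWVPN_splitTunnelAcl`. It uses only addresses from the posted config plus constructed sample destinations, and it assumes the ASA's documented behaviour that a `nat (inside) 0 access-list` exemption also applies to outside-initiated flows, which is the direction in the logged message. It compares the original exemption list, the accepted /16 entry, and the narrower 10.0/23 entry the author asks about in the next comment.

```python
"""
Model of the two ASA access lists that decide whether an AnyConnect client
in this thread can reach an inside host:

  * inside_nat0_outbound  - NAT exemption (nat (inside) 0 access-list ...).
    With nat-control enabled, a flow between the VPN pool and an inside host
    must match an exemption (or a NAT rule), or the ASA logs
    "No translation group found" and drops it.
  * WWVPN_splitTunnelAcl  - split-tunnel network list; decides which
    destinations the AnyConnect client routes into the tunnel at all.

All sample destinations below are constructed from the question's addresses.
"""
from ipaddress import ip_address, ip_network

# Address block the exemption ACL uses for the VPN clients; the actual pool
# (ip local pool VPNTest) hands out .251-.254 inside it.
VPN_POOL = ip_network("192.168.8.248/29")

# Original exemption ACL from the posted config: only the inside /24.
NAT0_ORIGINAL = [(ip_network("192.168.8.0/24"), VPN_POOL)]

# Accepted answer: exempt every 192.168.x.x inside network to the pool.
NAT0_ACCEPTED = NAT0_ORIGINAL + [(ip_network("192.168.0.0/16"), VPN_POOL)]

# Author's narrower variant: add only the 192.168.10.0/23 block.
NAT0_NARROW = NAT0_ORIGINAL + [(ip_network("192.168.10.0/23"), VPN_POOL)]

# Split-tunnel list (standard ACL: networks the client reaches via the tunnel).
SPLIT_TUNNEL = [ip_network("192.168.10.0/23"), ip_network("192.168.8.0/24")]


def nat0_exempt(acl, src, dst):
    """True if the src->dst flow matches a NAT-exemption entry.

    The ACL is written as inside-source / VPN-client-destination, and the
    ASA honours it for the reverse, outside-initiated direction too, which
    is the VPN-client -> inside case in the log message.
    """
    src, dst = ip_address(src), ip_address(dst)
    for inside_net, remote_net in acl:
        if src in inside_net and dst in remote_net:   # inside -> VPN client
            return True
        if src in remote_net and dst in inside_net:   # VPN client -> inside
            return True
    return False


def tunneled(dst):
    """True if the AnyConnect client sends dst into the tunnel at all."""
    return any(ip_address(dst) in net for net in SPLIT_TUNNEL)


def classify(acl, client_ip, dst):
    """Outcome for one client flow: 'local' (never enters the tunnel),
    'ok' (tunneled and exempt), or the ASA's no-translation log text."""
    if not tunneled(dst):
        return "local"
    if nat0_exempt(acl, client_ip, dst):
        return "ok"
    return f"No translation group found for src outside:{client_ip} dst inside:{dst}"


if __name__ == "__main__":
    client = "192.168.8.251"   # first address of the VPNTest pool
    variants = [("original", NAT0_ORIGINAL),
                ("accepted", NAT0_ACCEPTED),
                ("narrow", NAT0_NARROW)]
    for name, acl in variants:
        for dst in ("192.168.8.33", "192.168.10.31", "192.168.12.10", "192.168.1.5"):
            print(f"{name:9} {dst:15} -> {classify(acl, client, dst)}")
```

Running it shows the original list only exempting 192.168.8.x, so 192.168.10.31 produces the no-translation message from the question, while both the /16 and the /23 entries make it pass. Two further outcomes are worth noting: a client's own LAN address such as 192.168.1.5 comes back as "local" under every variant, because the split-tunnel list, not the exemption list, decides what the client sends through the tunnel, and 192.168.12.10 is also "local" even though the ASA has a static route for it, since 192.168.12.0/23 is absent from `WWVPN_splitTunnelAcl`. Any subnet added to the split-tunnel list later also needs a matching exemption entry, which is the practical argument for the /16 entry over the /23 one.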
Author Comment

by: hachemp
ID: 23660327
Could I modify this to read like this...

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 192.168.8.248 255.255.255.248

...to only include 10.0?  I'm just worried that if an end user has their local network on say, 192.168.1.0, the original ACL you posted will attempt to send that data through the tunnel.  Or am I way off base?  Thanks.
Author Comment

by: hachemp
ID: 23661582
Checked myself, this did what I needed it to.  Thanks.