Routing Subnets While Using Cisco AnyConnect VPN

Asked by hachemp (Medium Priority, 5,468 views). Last modified: 2012-08-14
I have recently set up VPN on our network with a 5520 ASA using AnyConnect version 2.3.0254. I am using split tunnelling. The inside interface of the ASA is on 192.168.8.6. Using AnyConnect to VPN from outside the network, I can get to anything on 192.168.8.x, but I can't get to anything on any of our other subnets - for the purposes of this question I'll use 192.168.10.x as an example. We have a Cisco Catalyst L3 switch (192.168.8.29) which acts as a gateway to route traffic between the subnets. I have static routes on the ASA put in for each of our subnets pointing to 192.168.8.29, and I have included 192.168.10.0 in the networks to be routed through the VPN tunnel, but I can't seem to access anything on 10.x when connected to the VPN. I can successfully ping 192.168.10.0 addresses from the ASA directly. Here's an example of the message I receive in the log when I try to connect to a 10.x address from VPN: 'No translation group found for udp src outside: 192.168.8.251/62888 dst inside: 192.168.10.31/389'. My VPN IP pool is from 8.251-254. I can't seem to figure out what I am missing to get this to work. I have posted the config of the 5520 ASA. Thanks!
ASA Version 8.0(4) 
!
hostname ptcasa
domain-name xxx.com
enable password encrypted
passwd encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240 
!
interface GigabitEthernet0/0.1
 no vlan
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.8.6 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit inter-interface
object-group icmp-type Good-ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group Good-ICMP 
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.8.248 255.255.255.248 
access-list WWVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.254.0 
access-list WWVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0 
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNTest 192.168.8.251-192.168.8.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.9.0 255.255.255.0 192.168.8.29 1
route inside 192.168.10.0 255.255.254.0 192.168.8.29 1
route inside 192.168.12.0 255.255.254.0 192.168.8.29 1
route inside 192.168.14.0 255.255.254.0 192.168.8.29 1
route inside 192.168.16.0 255.255.254.0 192.168.8.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server WWDC4 protocol radius
aaa-server WWDC4 (inside) host 192.168.8.33
 timeout 5
 key xxxxxxxxxxxxxxxxxxxxx
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 192.168.8.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.8.33 source inside prefer
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy WWVPN internal
group-policy WWVPN attributes
 wins-server value 192.168.8.33 192.168.8.22
 dns-server value 192.168.8.33 192.168.8.22
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WWVPN_splitTunnelAcl
 default-domain value xxx.com
 webvpn
  url-list value WW
  svc ask none default svc
group-policy DfltGrpPolicy attributes
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Test disable
tunnel-group WWVPN type remote-access
tunnel-group WWVPN general-attributes
 address-pool VPNTest
 authentication-server-group WWDC4
 default-group-policy WWVPN
tunnel-group WWVPN webvpn-attributes
 group-alias WWVPN enable
tunnel-group WWVPN ipsec-attributes
 pre-shared-key *
tunnel-group WWVPN2 type remote-access
tunnel-group WWVPN2 general-attributes
 address-pool VPNTest
 authentication-server-group WWDC4
 default-group-policy WWVPN
tunnel-group WWVPN2 webvpn-attributes
 group-alias WWVPN2 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:c315a3869e070d2c50fa28ce32bea064
: end
asdm image disk0:/asdm-613.bin
asdm location 192.168.8.248 255.255.255.248 inside
no asdm history enable

Sr. Systems Engineer (Certified Expert, Top Expert 2008) commented:
Add:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.8.248 255.255.255.248

Author commented:
Could I modify this to read like this...

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 192.168.8.248 255.255.255.248

...to only include 10.0?  I'm just worried that if an end user has their local network on say, 192.168.1.0, the original ACL you posted will attempt to send that data through the tunnel.  Or am I way off base?  Thanks.

Author commented:
Checked myself, this did what I needed it to.  Thanks.
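The thread turns on two separate things: the ASA must have a route to each split-tunnel network (it did), and, because `nat-control` is on, traffic between the VPN pool and each of those networks must match the `nat 0` exemption ACL or the ASA drops it with exactly the 'No translation group found' message quoted in the question. The script below is an added example (not from the thread or from Cisco) that reads the relevant lines of the posted config, recomputes both checks for every split-tunnel network, and then shows how the expert's 192.168.0.0/16 exemption and the author's narrowed 192.168.10.0/23 exemption differ in scope. It assumes Python 3.8+ and only parses the network/mask forms of the `access-list`, `route`, `ip address` and `ip local pool` lines; `host`, `any` and object-group forms are not handled.

```python
"""Audit an ASA 8.0-style config for VPN-pool reachability of split-tunnel networks.

Added example, not from the thread. For every network in the split-tunnel list
it checks (a) NAT exemption: a 'nat 0 access-list' entry with that network as
source and the VPN pool as destination, which nat-control requires or the ASA
logs 'No translation group found'; and (b) routing: a route or a connected
interface on the ASA covering the network.
Assumption: only the network/mask forms of the ACL, route, interface and pool
lines are parsed; 'host', 'any' and object-group forms are not handled.
"""
import ipaddress
import re

# Constructed sample: the lines relevant to the problem, taken from the config
# posted in the question; the rest of the config is omitted.
ORIGINAL_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.8.6 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.8.248 255.255.255.248
access-list WWVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.254.0
access-list WWVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
ip local pool VPNTest 192.168.8.251-192.168.8.254 mask 255.255.255.0
nat-control
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.168.9.0 255.255.255.0 192.168.8.29 1
route inside 192.168.10.0 255.255.254.0 192.168.8.29 1
group-policy WWVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WWVPN_splitTunnelAcl
"""

# The exemption lines proposed in the thread: the expert's broad /16 and the
# author's narrowed /23. Either is appended to the original config below.
EXPERT_FIX = ("access-list inside_nat0_outbound extended permit ip "
              "192.168.0.0 255.255.0.0 192.168.8.248 255.255.255.248\n")
AUTHOR_FIX = ("access-list inside_nat0_outbound extended permit ip "
              "192.168.10.0 255.255.254.0 192.168.8.248 255.255.255.248\n")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def _net(addr, mask):
    """Dotted address + dotted mask -> IPv4Network (host bits masked off)."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract pool ranges, split-tunnel nets, nat0 (src, dst) pairs, routed/connected nets."""
    cfg = {"pool": [], "split": [], "nat0": [], "routed": [],
           "nat_control": bool(re.search(r"^nat-control", text, re.M))}
    m = re.search(r"^\s*split-tunnel-network-list value (\S+)", text, re.M)
    split_acl = re.escape(m[1]) if m else None
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", text, re.M)
    nat0_acl = re.escape(m[1]) if m else None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(rf"ip local pool \S+ {IPV4}-{IPV4}", line):
            first, last = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
            cfg["pool"] += list(ipaddress.summarize_address_range(first, last))
        elif split_acl and (m := re.match(rf"access-list {split_acl} standard permit {IPV4} {IPV4}", line)):
            cfg["split"].append(_net(m[1], m[2]))
        elif nat0_acl and (m := re.match(rf"access-list {nat0_acl} extended permit ip {IPV4} {IPV4} {IPV4} {IPV4}", line)):
            cfg["nat0"].append((_net(m[1], m[2]), _net(m[3], m[4])))
        elif m := re.match(rf"(?:route \S+|ip address) {IPV4} {IPV4}", line):
            cfg["routed"].append(_net(m[1], m[2]))
    return cfg


def nat_exempt(cfg, network):
    """True if every pool address is NAT-exempt towards `network` (nat 0 ACLs match both directions)."""
    return all(any(network.subnet_of(src) and pool.subnet_of(dst) for src, dst in cfg["nat0"])
               for pool in cfg["pool"])


def routed(cfg, network):
    """True if a route or a connected interface on the ASA covers `network`."""
    return any(network.subnet_of(r) for r in cfg["routed"])


def audit(text):
    """Map each split-tunnel network to (nat_exempt, routed)."""
    cfg = parse_config(text)
    return {str(n): (nat_exempt(cfg, n), routed(cfg, n)) for n in cfg["split"]}


def missing_nat_exemption(text):
    """Split-tunnel networks nat-control will drop with 'No translation group found'.

    Without nat-control the ASA forwards unmatched traffic untranslated, so nothing is dropped.
    """
    if not parse_config(text)["nat_control"]:
        return []
    return sorted(n for n, (exempt, _) in audit(text).items() if not exempt)


def exempt_network(text, cidr):
    """Is an arbitrary inside network (not necessarily in the split list) NAT-exempt for the pool?"""
    return nat_exempt(parse_config(text), ipaddress.IPv4Network(cidr))


if __name__ == "__main__":
    for label, cfg_text in [("original", ORIGINAL_CONFIG),
                            ("expert /16", ORIGINAL_CONFIG + EXPERT_FIX),
                            ("author /23", ORIGINAL_CONFIG + AUTHOR_FIX)]:
        print(f"{label}: not exempt = {missing_nat_exemption(cfg_text)}; "
              f"192.168.9.0/24 exempt = {exempt_network(cfg_text, '192.168.9.0/24')}")
```

On the original config the audit reports 192.168.10.0/23 as routed but not NAT-exempt, which is the logged drop. Both proposed lines clear it; the difference is scope: the /16 also exempts 192.168.9.0/24 and every other routed 192.168.x subnet, the /23 exempts only the network actually in the split list. Two caveats worth keeping in mind with this config. First, the `nat 0` ACL only governs NAT exemption; which destinations the client sends into the tunnel is decided by the split-tunnel list pushed to the client, and that list is a routing instruction the client can ignore. With the ASA default `sysopt connection permit-vpn`, decrypted client traffic bypasses the outside interface ACL, so if the ASA itself should bound what VPN users may reach, attach an ACL with `vpn-filter value <acl>` under the group policy rather than relying on the narrower exemption. Second, the pool 192.168.8.251-254 sits inside the inside interface's own 192.168.8.0/24; the ASA makes this work by proxy-ARPing for the pool addresses on the inside, but a dedicated pool subnet is the usual recommendation and would keep the exemption ACL from overlapping the inside LAN.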