LimeRidge29
asked on
ASA 5505 VPN Client with 3560
I have three gateways on my corporate LAN, and have been using local ROUTE statements to allow access to the various connected subnets. To simplify my life, I have added a Cisco 3560 to take care of the routing to the gateways. All client computers will use the 3560 as their default gateway, and have no extra ROUTE statements. The 3560 will be connected to each gateway by a /30 subnet (I'm using a /29 for testing).
Here is my test setup:
(Cisco VPN Clients) <----> (Internet) <----> (ASA 5505 : inside-42.7.20.1) <----> (vlan2-42.7.20.2 : Cisco 3560 : vlan5-10.20.1.1) <----> Client Computers
There is a DNS server on 42.7.20.3, and a PC on 42.7.20.6.
The VPN Client profile assigns an address from Test-Pool (10.50.1.215-10.50.1.229).
I am PATting 10.50.1.1/24 to the inside interface.
I am allowing split-tunneling to 42.7.20.0/29 and 10.20.1.0/24
With this config, I can connect to everything on the 42.7.20.0 subnet. How do I now allow access to the 10.20.1.0 subnet?
: Saved
:
ASA Version 8.2(1)
!
hostname ma-asa5505-01
domain-name test.local
enable password xxx encrypted
passwd xxx encrypted
names
name 10.50.1.0 VPN-Client-Subnet description VPN Clients
name 10.20.1.0 A-10.20.1.0 description test LAN
name 42.7.20.0 A-42.7.20.0 description ASA 5505 to 3560
!
interface Vlan1
nameif inside
security-level 100
ip address 42.7.20.1 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address w.x.y.z 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 42.7.20.3
domain-name test.local
object-group network MA-VPN-Access-Subnets
network-object A-10.20.1.0 255.255.255.0
network-object A-42.7.20.0 255.255.255.248
access-list MA-Test_splitTunnelAcl standard permit A-42.7.20.0 255.255.255.248
access-list MA-Test_splitTunnelAcl standard permit A-10.20.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A-42.7.20.0 255.255.255.248 10.50.1.192 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Test-Pool 10.50.1.215-10.50.1.229 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 VPN-Client-Subnet 255.255.255.0 outside
route outside 0.0.0.0 0.0.0.0 24.89.168.89 1
route inside A-10.20.1.0 255.255.255.0 42.7.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WinNTAuth protocol nt
aaa-server WinNTAuth (inside) host 42.7.20.3
nt-auth-domain-controller 42.7.20.3
aaa-server Win2K8-RADIUS protocol radius
aaa-server Win2K8-RADIUS (inside) host 42.7.20.3
key xxx
radius-common-pw xxx
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa local authentication attempts max-fail 3
http server enable
http A-10.20.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet A-10.20.1.0 255.255.255.0 inside
telnet timeout 5
ssh A-10.20.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 42.7.20.4-42.7.20.5 inside
dhcpd dns 42.7.20.3 interface inside
dhcpd lease 86400 interface inside
dhcpd domain test.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
banner value Welcome to test.
banner value
banner value Access is permitted by authorized users only. All access is monitored and logged. Any unauthorized use of this connection will be prosecuted to the fullest extent of the law.
dns-server value 42.7.20.3
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec
default-domain value test.local
webvpn
url-list value MA-Internal
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
svc ask enable default webvpn timeout 7
customization value DfltCustomization
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
webvpn
svc keep-installer installed
group-policy MA-Test internal
group-policy MA-Test attributes
dns-server value 42.7.20.3
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value test.local
username bob password xxx encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Win2K8-RADIUS
password-management
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Win2K8-RADIUS
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias AnyConnect enable
tunnel-group MA-Test type remote-access
tunnel-group MA-Test general-attributes
address-pool Test-Pool
default-group-policy MA-Test
tunnel-group MA-Test ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-621.bin
asdm location VPN-Client-Subnet 255.255.255.0 inside
no asdm history enable
ASKER CERTIFIED SOLUTION (text only available to Experts Exchange members; not reproduced here)
You may need to enable nat traversal on the ASA.
crypto isakmp nat-traversal 120
ASKER
Simple answer -- only the few devices in my test setup are using 10.20.1.1 as their DG. All is well now.
ASKER
I can access the 10.20.1.0 subnet now, but only a few addresses. When I posted the question, I was testing the VPN Client from the office, via an AT&T broadband adapter. Now I am at home accessing a Windows box via RDC from a Mac, both behind a PIX 515. I'll have to test further tomorrow. I should be OK from here. Thanks again.
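Added example (not the asker's final configuration and not the hidden accepted solution): the pieces of ASA 8.2 and 3560 configuration that make the 10.20.1.0/24 path work end to end, plus the checks to run when only some hosts answer. It assumes the names, pool and interfaces from the posted config (A-10.20.1.0, A-42.7.20.0, Test-Pool, vlan2 = 42.7.20.2 on the 3560) and a hypothetical test host 10.20.1.10. Two things the posted config shows are worth noting: the group policy MA-Test says `split-tunnel-network-list none` even though MA-Test_splitTunnelAcl is defined, and NAT traversal is explicitly disabled while the asker tests from behind broadband and PIX NAT devices. The NAT-exempt route-based variant below is an alternative to the asker's outside PAT to 42.7.20.1; it keeps the real client address visible to LAN hosts, which is what you want for host logs and ACLs.

```cisco
! ===== ASA 5505, 8.2(1) syntax (added example) =====
! Option A (asker's approach): keep the outside PAT so LAN hosts see the VPN
! client as 42.7.20.1. Nothing extra is needed on the 3560 because 42.7.20.0/29
! is a connected network on vlan2; the hosts only need 10.20.1.1 as their DG.
!
! Option B (shown here): exempt VPN pool <-> 10.20.1.0/24 from NAT so the
! client keeps its 10.50.1.x address. The 3560 then needs a return route.
access-list inside_nat0_outbound extended permit ip A-10.20.1.0 255.255.255.0 10.50.1.192 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
!
! Forward path to the test LAN via the 3560 (already in the posted config).
route inside A-10.20.1.0 255.255.255.0 42.7.20.2 1
!
! Actually attach the split-tunnel ACL; the posted policy still says "none".
group-policy MA-Test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MA-Test_splitTunnelAcl
!
! Clients behind home/office NAT devices need NAT-T; the posted config disables it.
crypto isakmp nat-traversal 120

! ===== Cisco 3560 (added example) =====
ip routing
interface Vlan2
 ip address 42.7.20.2 255.255.255.248
interface Vlan5
 ip address 10.20.1.1 255.255.255.0
! Return path for un-NATed VPN client addresses (Option B only).
ip route 10.50.1.0 255.255.255.0 42.7.20.1

! ===== Checks (run from privileged EXEC) =====
! ASA: confirm the NAT-exempt and route phases for a pool address to a LAN host.
!   packet-tracer input outside icmp 10.50.1.215 8 0 10.20.1.10
! ASA: after a client connects, encaps and decaps must both increase.
!   show crypto ipsec sa
! 3560: the pool must resolve to 42.7.20.1, and the LAN to a connected vlan5.
!   show ip route 10.50.1.215
!   show ip route 10.20.1.10
```

The failure the asker hit is the asymmetric-routing case these checks are for: a host on 10.20.1.0/24 whose default gateway is still one of the three old gateways sends its replies to the wrong device, so the flow works only for hosts that point at 10.20.1.1. Confirm the gateway on the host itself (`route print` on Windows, `netstat -rn` on a Mac) before touching the ASA again.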