SneakyJones

asked on
Can this be done? - Remote Access VPN routing question

Have an ASA 5510 with three interfaces in use

Outside - public ip
Inside - 172.16.42.x /24
Third Interface - 172.16.52.x /24

Remote VPN Clients - 172.16.45.x /24

Both Inside and Third Interface have a security setting of 100 and routing between them works fine.

The problem is that when users connect to the ASA via the cisco vpn client, they are assigned an address from the 172.16.45.x /24 subnet. From this subnet they are able to communicate with the 172.16.42.x (Inside) subnet without any problem but can't connect to the 172.16.52.x (Third Interface) subnet.

I have these in the config -
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and access lists that explicitly allow traffic between 172.16.45.x and 172.16.52.x but traffic is being dropped.

Is it possible to have my Remote Access VPN users communicate with the Third Interface network?
EyeNoVoIP

Yes.  Make sure you include traffic to your Remote VPN subnet from your Third interface network in the NO NAT or NAT exempt statements.  Please post your CLI config if you need more assistance in configuring this.

I usually like to make the IP LOCAL POOL a different subnet. That way it can be easily referenced in the configs and is very recognizable. It's not a requirement, just a habit of mine. EyeNoVoip is correct that to get the IP LOCAL POOL (no matter what it is) to communicate with the interfaces, you need to have the IP ranges in a NONAT and have the destination range as part of the crypto map match or split tunnel ACL as well.
SneakyJones

ASKER

Hey guys, thanks for the response and sorry for the delay.
I rechecked my config to make sure that I had the NoNat statements as well as a separate IP Local Pool subnet, but it is still not working.

When users connect using Remote Access VPN they are assigned a 172.16.45.x address and can access the 172.16.42.x subnet but not the 172.16.52.x subnet.

This NoNat access list is applied to the inside interface:
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.172.0 255.255.255.0

This NoNat access list is applied to the ThirdInterface:
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0

I'm pretty certain my logic in applying these access lists is off.

Thanks for any help.
Oh, and here is my config. Thanks.

:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name company.office

names
dns-guard
!
interface Ethernet0/0
 description outside Internet Interface
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface Ethernet0/1
 description Company's Internal Network
 nameif inside
 security-level 100
 ip address 172.16.42.1 255.255.255.0
!
interface Ethernet0/2
 description Company's DMZ Network
 nameif dmz
 security-level 50
 ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/3
 description Company's ThirdInterface Network
 nameif ThirdInterface
 security-level 100
 ip address 172.16.52.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 management-only
!
banner motd $ ********** Unauthorized Access is Prohibited ********** $
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name company.office
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_Access_In extended permit tcp any host x.x.x.179 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.179 eq https
access-list Outside_Access_In extended permit tcp any host x.x.x.180 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.181 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.182 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.183 eq ftp
access-list Outside_Access_In extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.179 eq smtp
access-list Outside_Access_In extended permit gre any host x.x.x.184
access-list Outside_Access_In extended permit tcp any host x.x.x.184 eq pptp
access-list Outside_Access_In extended permit tcp any host x.x.x.184 eq 8080
access-list Outside_Access_In extended permit tcp any host x.x.x.185 eq ssh
access-list Outside_Access_In extended permit tcp any host x.x.x.185 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.186 eq www
access-list L2L-Colo extended permit ip 172.16.42.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list L2L-Colo extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list SplitTunnel standard permit 172.16.42.0 255.255.255.0
access-list Inside_Access_In extended permit tcp host 172.16.42.14 any eq smtp
access-list Inside_Access_In extended permit tcp host 172.16.42.12 any eq smtp
access-list Inside_Access_In extended permit tcp host 172.16.42.98 any eq smtp
access-list Inside_Access_In extended permit ip any any
access-list ThirdInterface_Access_In extended permit ip any any
access-list ThirdInterface_Access_In extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list ThirdInterface_Access_In extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
mtu ThirdInterface 1500
ip local pool RasVPNPool 172.16.45.101-172.16.45.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat-Colo-Tunnel
nat (inside) 1 172.16.42.0 255.255.255.0
nat (dmz) 1 172.31.1.0 255.255.255.0
nat (ThirdInterface) 0 access-list NoNat-ThirdInterface-Inside
nat (ThirdInterface) 1 172.16.52.0 255.255.255.0
static (inside,outside) tcp x.x.x.180 www 172.16.42.38 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.181 www 172.16.42.26 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.182 www 172.16.42.27 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.183 ftp 172.16.42.11 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.184 pptp 172.16.42.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.184 8080 172.16.42.38 8080 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.185 ssh 172.16.42.55 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.185 www 172.16.42.55 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.186 www 172.16.42.73 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.179 smtp 172.16.42.98 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.179 www 172.16.42.98 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.179 https 172.16.42.98 https netmask 255.255.255.255
access-group Outside_Access_In in interface outside
access-group Inside_Access_In in interface inside
access-group ThirdInterface_Access_In in interface ThirdInterface
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusVPN protocol radius
aaa-server RadiusVPN (inside) host 172.16.42.10
 key *****
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 management
http 172.16.42.0 255.255.255.0 inside
http 172.16.52.0 255.255.255.0 ThirdInterface
snmp-server host inside 172.16.42.48 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server listen-port 162
crypto ipsec transform-set TripleDesSha esp-3des esp-sha-hmac
crypto ipsec transform-set AesSha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynamicvpnmap 10 set transform-set AesSha
crypto dynamic-map dynamicvpnmap 10 set reverse-route
crypto map VPNTUNNELS 10 match address L2L-Colo
crypto map VPNTUNNELS 10 set peer x.x.x.215
crypto map VPNTUNNELS 10 set transform-set TripleDesSha
crypto map VPNTUNNELS 10 set security-association lifetime seconds 28800
crypto map VPNTUNNELS 999 ipsec-isakmp dynamic dynamicvpnmap
crypto map VPNTUNNELS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 ThirdInterface
ssh timeout 60
console timeout 0
dhcpd address 172.16.1.2-172.16.1.254 management
dhcpd enable management
!
dhcpd address 172.16.52.25-172.16.52.250 ThirdInterface
dhcpd dns 172.16.42.50 172.16.42.10 interface ThirdInterface
dhcpd domain company.office interface ThirdInterface
dhcpd option 3 ip 172.16.52.1 interface ThirdInterface
dhcpd enable ThirdInterface
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy RemoteAccessUsersPolicy internal
group-policy RemoteAccessUsersPolicy attributes
 dns-server value 172.16.42.50 172.16.42.10
 vpn-idle-timeout 240
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
 default-domain value company.office
tunnel-group x.x.x.40 type ipsec-l2l
tunnel-group x.x.x.40 ipsec-attributes
 pre-shared-key *****
tunnel-group insidevpnclients type remote-access
tunnel-group insidevpnclients general-attributes
 address-pool rasvpnpool
 authentication-server-group RadiusVPN
 default-group-policy RemoteAccessUsersPolicy
tunnel-group insidevpnclients ipsec-attributes
 pre-shared-key *****
tunnel-group localauthentication type remote-access
tunnel-group localauthentication general-attributes
 address-pool RasVPNPool
 default-group-policy RemoteAccessUsersPolicy
tunnel-group localauthentication ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.215 type ipsec-l2l
tunnel-group x.x.x.215 ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.145 ipsec-attributes
 pre-shared-key *****
!
class-map inspecton_default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
  inspect ils
  inspect snmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
ASKER CERTIFIED SOLUTION
EyeNoVoIP

This solution is only available to members.

SneakyJones

ASKER
Hey EyeNoVoIP,
I added the second entry that you wrote above and it didn't work, but figured why don't I add a third entry to the ACL - access-list SplitTunnel standard permit 172.16.52.0 255.255.255.0 and it now works!

So thanks for pointing me in the right direction!
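As an added illustration (not code from the thread), the following Python model walks the decision path for one remote-access client packet using the subnets, nat 0 ACLs and split-tunnel list from the posted config, and shows why 172.16.52.x only became reachable once it was added to the SplitTunnel ACL. The interface names, pool and ACL pairs are copied from the config above; the client address is a constructed sample.

```python
import ipaddress

# Constructed model of the pieces of the thread's ASA 8.2 config that decide
# whether a remote-access client (pool 172.16.45.x) can reach a LAN host.
VPN_POOL = ipaddress.ip_network("172.16.45.0/24")
INTERFACES = {
    "inside": ipaddress.ip_network("172.16.42.0/24"),
    "ThirdInterface": ipaddress.ip_network("172.16.52.0/24"),
}
# The nat 0 (NAT-exempt) ACL on each interface, as (src, dst) pairs taken from
# the posted config; only the pairs that involve the VPN pool matter here.
NAT_EXEMPT = {
    "inside": [("172.16.42.0/24", "172.16.45.0/24")],
    "ThirdInterface": [("172.16.52.0/24", "172.16.45.0/24")],
}
# Split-tunnel ACL as posted, and after the asker's fix.
SPLIT_BEFORE = ["172.16.42.0/24"]
SPLIT_AFTER = ["172.16.42.0/24", "172.16.52.0/24"]


def nat_exempt(iface, lan_ip, client_ip):
    """True if the interface's nat 0 ACL covers the LAN host <-> client pair.
    On 8.2 the exemption is written from the interface's own subnet towards
    the pool and applies to both directions of the flow."""
    for src, dst in NAT_EXEMPT[iface]:
        if lan_ip in ipaddress.ip_network(src) and client_ip in ipaddress.ip_network(dst):
            return True
    return False


def client_can_reach(dst, split_tunnel, client="172.16.45.101"):
    """Walk the decision path for one client packet; returns (ok, reason)."""
    dst_ip = ipaddress.ip_address(dst)
    client_ip = ipaddress.ip_address(client)
    # 1. The VPN client decides what to tunnel: a destination not in the
    #    split-tunnel list leaves via the client's local default route and
    #    never reaches the ASA, so no ACL or NAT rule on the ASA can help.
    if not any(dst_ip in ipaddress.ip_network(n) for n in split_tunnel):
        return False, "not in split-tunnel list: client sends it outside the tunnel"
    # 2. Which interface owns the destination network?
    iface = next((n for n, net in INTERFACES.items() if dst_ip in net), None)
    if iface is None:
        return False, "destination is not behind a known interface"
    # 3. Without NAT exemption the pool address would be translated and the
    #    reply would not come back through the tunnel.
    if not nat_exempt(iface, dst_ip, client_ip):
        return False, f"no nat 0 match on {iface}: traffic would be NATed"
    # 4. Both interface ACLs in the posted config are 'permit ip any any'.
    return True, f"tunnelled, NAT-exempt on {iface}, permitted by interface ACL"
```

Run `client_can_reach("172.16.52.10", SPLIT_BEFORE)` against `client_can_reach("172.16.52.10", SPLIT_AFTER)` to see the NAT and ACL configuration was already sufficient and only the split-tunnel entry was missing.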