agruber85 asked:
ASA 5505 VPN Routing

I have an ASA which is providing VPN connections to my external users. It was working perfectly until we decided to separate the network into Voice, Video, and Data (each has its own subnet). Now my users get their VPN connection but are not being routed to the router providing the inter-VLAN routing.

Question: How do I route the VPN traffic to the other 10.10.X.X networks?
VPN/Data is 10.10.1.X
Voice is 10.10.10.X
Video is 10.10.20.x

Also I am using EIGRP, and from the ASA itself I can ping each subnet on a separate router.
ASA (VPN): 10.10.1.1
Router with VLANs: 10.10.1.2

Configuration
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.1.10-10.10.1.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
router eigrp 100
 no auto-summary
 network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 65.X.X.66 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
John Meggers:
I suspect you need to expand your split tunneling ACL to list traffic to the other subnets. You also have a NAT0 access-list but no NAT 0 command entry, so you need to add:

nat (inside) 0 access-list inside_nat0_outbound
Ernie Beek:
Furthermore I see static and EIGRP routes. Are all the needed networks routed correctly?
Just to add: make sure devices on other networks have a route back to your VPN clients.
agruber85 (asker):
jmeggers,

You are right, I added the
 nat (inside) 0 access-list inside_nat0_outbound line.

I also made the change to the Split Tunnel...
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0

Still I am not able to access the 10.10.10.1 network from the VPN.



Does the ASA have a route to that network?
ASKER CERTIFIED SOLUTION by fgasimzade (members-only; text not shown on this page)
I have run this for all ports connected from the router to the switch

router eigrp 100
network 10.0.0.0 255.0.0.0
no auto-summary

That should cover the route back unless it has to be more specific.
Just to be sure, could you do a 'sh route' on the ASA?
I suspect your problem is related to routing, since you have configured split tunneling and no-NAT properly.
Gateway of last resort is 65.X.X..65 to network 0.0.0.0

C    65.2X.X.64 255.255.255.192 is directly connected, outside
C    10.10.1.0 255.255.255.0 is directly connected, inside
D    10.10.10.0 255.255.255.0 [90/30720] via 10.10.1.2, 0:10:28, inside
S    10.10.1.10 255.255.255.255 [1/0] via 65.210.111.65, outside
D    10.10.20.0 255.255.255.0 [90/30720] via 10.10.1.2, 0:10:28, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 65.210.111.65, outside
SOLUTION (members-only; text not shown on this page)
You don't need this route

10.10.1.10 255.255.255.255 [1/0] via 65.210.111.65
I did add

access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0

Still not able to access those networks through the VPN
Ok.

When you look at the (ASDM) logging, does something show up?
I am not sure how to do that through the command prompt and don't have access to the GUI.

I do have an issue on my 2911 router though. When I run a show ip route eigrp I get "Gateway of last resort is not set".
Perhaps it's an idea to first set all the routes statically to see if we can get this working and after that have a look at routing protocols (?).
I will get the static routes set up and let you know if it is working.
We'll be waiting :)
OK. So I have the static routes made on the ASA to the 10.10.10.0 and 10.10.20.0 subnets and can ping the interfaces from the ASA itself but not from the VPN connection.


interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.XX.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.1.10-10.10.1.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.65 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 1
route inside 10.10.20.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5

ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
What about the router? Have you configured static routes on it?
If I can ping it from the ASA then I should be able to do so from the VPN connection correct?
SOLUTION (members-only; text not shown on this page)
The VPN subnet is one and the same as my inside interface (Vlan1), and I was previously able to access the hardware hanging off the switch when it was on that schema.

Is that what you were referring to or do I need to setup a different route somehow?
 
 
Am I running into this issue because my VPN IP address range is within the same subnet my inside VLAN is configured for?
Try using a different subnet for the VPN.
The remote access VPN must use a different subnet.
also,
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0

Add in an IP address for the additional subnets in question:
 ip address 10.10.1.1 255.255.255.0
 ip address 10.10.10.1 255.255.255.0 secondary
 ip address 10.10.20.1 255.255.255.0 secondary

Looks like you're getting there.

As said, use a different subnet for the VPN range. Because there is a kind of routing between the subnets, you get in trouble when the same subnet is on the in- and outside (VPNs terminate on the outside interface).
naughton,

I can only assign 1 IP address to my Int Vlan1. Is there another place to add the additional subnets?
OK,
For a minute I was able to ping the following from the VPN connection but now it is lost.
10.X
20.X

Any ideas what I might have changed?


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.X 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.210.111.65 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 2
route inside 10.10.20.0 255.255.255.0 10.10.1.2 3
route inside 10.10.40.0 255.255.255.0 10.10.1.1 4
Also noticed I cannot ping the router's gateway from the VPN:
10.10.1.2
SOLUTION (members-only; text not shown on this page)
Assuming 10.10.40.0 is the VPN range, you only need:
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
for NAT exempt. Get rid of the others.
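Ernie Beek's point above (the VPN pool must not share the inside interface's subnet) and fgasimzade's point here (the nat0 ACL should exempt only the pool, and must actually be applied) can be checked mechanically against an ASA config. The script below is an added example, not code from this thread or from Cisco: it parses only the statements the remote-access path depends on and reports the mismatches; the two config snippets are constructed from the before and after states posted in this thread, and the LAN subnet list is taken from the question.

```python
import ipaddress
import re

# Constructed sample condensed from the first config in this thread: the VPN pool
# sits inside the "inside" interface subnet and the nat0 ACL is never applied.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.1.0 255.255.255.0
ip local pool vtcpool 10.10.1.10-10.10.1.30 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Constructed sample of the final working state: pool on its own 10.10.40.0/24.
AFTER = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
LAN_SUBNETS = ["10.10.1.0/24", "10.10.10.0/24", "10.10.20.0/24"]  # from the question

ACL_RE = r"access-list (\S+) (?:extended permit ip any|standard permit) (\S+) (\S+)"

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Extract only the statements the remote-access VPN path depends on."""
    c = {"inside": None, "pool": None, "acl": {}, "nat0": None}
    nameif = None
    for s in (line.strip() for line in config.splitlines()):
        if s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif == "inside":
            c["inside"] = net(*s.split()[2:4])
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+) mask", s):
            c["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(ACL_RE, s):
            c["acl"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", s):
            c["nat0"] = m[1]
    return c

def audit(config, lan_subnets, split_acl="Split_Tunnel_List"):
    """Return the problems that would stop VPN clients reaching the LAN."""
    c = parse(config)
    lo, hi = c["pool"]
    problems = []
    if lo in c["inside"] or hi in c["inside"]:   # pool shares the inside subnet
        problems.append("vpn pool overlaps the inside interface subnet")
    if c["nat0"] is None:                          # ACL defined but never used
        problems.append("missing 'nat (inside) 0 access-list' statement")
    elif not any(lo in n and hi in n for n in c["acl"].get(c["nat0"], [])):
        problems.append("nat0 ACL does not exempt the vpn pool")
    split = c["acl"].get(split_acl, [])
    for lan in map(ipaddress.ip_network, lan_subnets):
        if not any(lan.subnet_of(s) for s in split):
            problems.append(f"split tunnel list does not include {lan}")
    return problems
```

Running audit(BEFORE, LAN_SUBNETS) lists the four gaps the thread worked through one by one; audit(AFTER, LAN_SUBNETS) returns an empty list.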
I made the changes

no route inside 10.10.40.0 255.255.255.0 10.10.1.1 4
no access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0

For some reason I still cannot ping 10.10.1.2 from the VPN

Here is my ASA sh route
C    65.X.X.X 255.255.255.192 is directly connected, outside
C    10.10.1.0 255.255.255.0 is directly connected, inside
S    10.10.10.0 255.255.255.0 [2/0] via 10.10.1.2, inside
S    10.10.20.0 255.255.255.0 [3/0] via 10.10.1.2, inside
S    10.10.40.1 255.255.255.255 [1/0] via 65.X.X.65, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 65.X.X.65, outside

Here is the 2900 sh ip route
C 10.10.1.0/24 is directly connected
L 10.10.1.2/32 is directly connected
C 10.10.10.0/24 is directly connected
L 10.10.10.1/32 is directly connected
C 10.10.20.0/24 is directly connected
L 10.10.20.1/32 is directly connected
S 10.10.40.0/24 [1/0] via 10.10.1.1
SOLUTION (members-only; text not shown on this page)
fgasimzade:

10.10.40.1 255.255.255.255 [1/0] via 65.X.X.65, outside

That is my VPN connected client.
Oops, sorry, can you post your config again as well as your router's config?
Furthermore, anything showing in the log when trying to connect?
SOLUTION (members-only; text not shown on this page)
@fgasimzade: Did I just overlook that? :-~
SOLUTION (members-only; text not shown on this page)
ASA Config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.X 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.X 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 2
route inside 10.10.20.0 255.255.255.0 10.10.1.2 3


2900 Config - not easily cut and pasted as it's on a different network
0/0
10.10.1.2 255.255.255.0
Duplex Auto
speed auto
no mop enabled

0/1
10.10.10.1 255.255.255.0
Duplex Auto
speed auto

0/2
10.10.20.1 255.255.255.0
Duplex Auto
speed auto

ip route 10.10.1.0 255.255.255.0 10.10.1.1
ip route 10.10.20.0 255.255.255.0 10.10.1.1
ip route 10.10.40.0 255.255.255.0 10.10.1.1
Take a look at my previous post please :)
added:
access-list outside_access_in extended permit ip 10.10.40.0 255.255.255.0 any

Wouldn't take
access-group outside_access_in in outside
Sorry,

access-group outside_access_in in interface outside
I cannot ping my VPN client from the ASA (10.10.1.X Network)
I believe that is where my LARGE problem lies.
Have you assigned the access-list to the outside interface?
@fgasimzade:

This command took ,
access-group outside_access_in in interface outside

Still not able to ping the 10.10.40.1 client from the ASA or the Router.
I can ping the ASA from the VPN Client but not the 2900 Router (10.10.1.2)
I can't see a no-NAT statement

nat (inside) 0 access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
@ erniebeek:

I do not know the log commands to do what you asked. If you tell me what they are I will get the information.
fgasimzade:

nat (inside) 0 access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0

The extended posed a problem in the syntax
SOLUTION (members-only; text not shown on this page)
Here is what I have now - still not able to ping the inside from the VPN client or ping the VPN client from the ASA


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit ip 10.10.40.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65..X.X 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 2
route inside 10.10.20.0 255.255.255.0 10.10.1.2 3
Sorry, I CAN ping the interfaces from the VPN client now!!

Cannot ping the VPN client IP from the ASA though, is that normal?
Good! Do you have any firewall configured on your VPN client? It might be blocking ICMP pings.
The Windows Firewall is off and the antivirus was turned off as well.

Any other ideas? I am also having an issue pinging a pc that is on the 10.10.20.X network but can hit the 10.10.10.101 Unit I have up.

Possible 2911 routing issue?
What is your default gateway on the PC in 10.10.20.x?
It was 10.10.20.1.
Any firewall installed on this PC?
No firewall is installed on the PC.

I seem to be having trouble accessing any machine on the 10.10.20.x network other than being able to ping the 10.10.20.1 gateway/interface..
So you can ping 10.10.20.1 but not the PCs in this subnet?

What about PCs in other subnets?
I did some troubleshooting and during a tracert I get this. Routing or VLAN issue?

H:\>tracert 10.10.10.1
Tracing route to 10.10.10.1 over a maximum of 30 hops
  1     3 ms     2 ms     2 ms  10.10.10.1
Trace complete.

H:\>tracert 10.10.10.101
Tracing route to 10.10.10.101 over a maximum of 30 hops
  1     2 ms     1 ms     1 ms  10.10.1.2
  2     2 ms     2 ms     2 ms  10.10.10.101
Trace complete.

H:\>tracert 10.10.20.1
Tracing route to 10.10.20.1 over a maximum of 30 hops
  1     2 ms     2 ms     1 ms  10.10.20.1
Trace complete.

H:\>tracert 10.10.20.101
Tracing route to 10.10.20.101 over a maximum of 30 hops
  1     2 ms     1 ms     1 ms  10.10.1.2
  2     *     ^C
Hm, can you ping PCs in 10.10.20.0 from any other network?
Ok, I'm back.

Regarding logging, can you access the asdm? That would be the easiest way.
OK, I added the laptop to the 10.10.10.x subnet and can ping 10.10.20.1 and 10.10.20.101 successfully!

From the VPN side (10.10.40.x) I can ping 10.10.20.1 but not 10.10.20.101
Erniebeek and fgasimzade,

Thanks for all of the support! Since I am able to VPN into the network and reach 75% of my network I am calling this one complete and will open a new question to help my routing issues and switch over to EIGRP.

Thanks again, you guys make it possible for people like me to operate in areas where we are clueless!

-agruber85
Always glad if we can help :)

Thx for the points.