vvandeweyer

asked on

Cisco ASA 5505, VPN, Second Network and Static Route

Hi Experts,


I have an ASA 5505 installed on my network and I've configured remote VPN access on it.

I also have on my network a gateway allowing the internal users to access another network connected through a leased line. The route for this network is added on the client computers by the internal DHCP server.

What I want is to be able to see the internal network, but also the other network, when I'm connected through the VPN.

Actually, when connected to the VPN, I'm able to see the internal network, but not the other one.
When I try to add the route manually on the remote computer (the one connected to the VPN), I'm not able to reach the second network.

What can I do to be able to see both networks when connected through the VPN?
Do I have to change the configuration on the ASA or on the computer connecting remotely?

Here is some information about my network:
Internal Network IP Pool: 10.0.0.0/24
ASA 5505 IP: 10.0.0.1
Second Network IP Pool: 192.168.192.0/24
Second Network Gateway IP: 10.0.0.250
ASA 5505 VPN IP Pool: 172.16.0.0/24


Thank you for your help.


Vincent


fgasimzade

You need to change your ASA config, but before that we need to see what is already done on the ASA, so please post your config.
In the client VPN config of your ASA you need to add the 192.168.192.0/24 network you want to get to as local to the ASA.
vvandeweyer

ASKER

Hello,
Sorry for the late answer. I was out of the office till now.

Here is the configuration:




: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq www
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq https  
access-list outside_access_in extended permit gre any host 172.16.0.2
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq pptp
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.45.0 255.255.255.0  
access-list inside_access_in extended permit ip any any
access-list VPN-splitTunnelAcl standard permit any
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPN2 172.16.45.100-172.16.45.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 10.0.0.2 pptp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.192.2 255.255.255.255 10.0.0.250 1
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server LDAP protocol radius
aaa-server LDAP (inside) host 10.0.0.2
 timeout 5
 key mykey---
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy VPN internal
group-policy VPN attributes
 dns-server value 10.0.0.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-splitTunnelAcl
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN
 authentication-server-group LDAP
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2dec0b3bb0b53992d39b13aa790db490
: end
asdm image disk0:/asdm-524.bin
asdm location 10.0.0.2 255.255.255.255 inside
asdm location 172.16.0.2 255.255.255.255 inside
asdm location 10.0.0.5 255.255.255.255 inside
no asdm history enable




Thanks for your help!

Vincent
Small remarks, but nothing that is really wrong:
- You can't access the internet either when connected to the VPN?
- access-list inside_nat0_outbound extended permit ip 192.168.192.0 255.255.255.0 172.16.45.0 255.255.255.0
  instead of: access-list inside_nat0_outbound extended permit ip any 172.16.45.0 255.255.255.0
- Is this line just to specify the one IP? route inside 192.168.192.2 255.255.255.255 10.0.0.250 1

I think your config is actually OK on the ASA, but do you have a route back to the ASA from the other subnet? I see you're using OSPF?
Show the OSPF output on the ASA and the next router please.

The "show ospf" command doesn't return any results.
I also tried modifying the access list, but with no luck.

In fact, this line "route inside 192.168.192.2 255.255.255.255 10.0.0.250 1" is just for test purposes.
As soon as I'm able to ping this IP, I'll be able to ping any IP.

What I can tell you is that when I change the VPN IP pool to a range within the internal network (10.0.0.150-10.0.0.200) and I add the route manually on the remote computer, I can ping the other network. But it is not working on all OSes (working on Windows 7 but not on Windows XP)!

Maybe I'm missing something with XP.

Also, I'm not sure it is a good configuration to have the same IP range for the VPN as for my internal network.

thx
ASKER CERTIFIED SOLUTION
Joris VS
Sorry for the late answer again.

I don't have access to the configuration of the second router because it came with the leased line.
I'll ask my provider to change the configuration and let you know.

thx
Finally got a technician from my provider who managed to change the configuration of their router.
Everything is working fine now.
Thank you for your help.
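The return route that the thread circles around, put next to the ASA-side pieces from the posted config, as an added example. This is not the thread's own fix and not the provider's actual change: it assumes the leased-line gateway at 10.0.0.250 runs Cisco IOS (hypothetical) and uses the 172.16.45.0/24 pool that appears in the posted configuration.

```cisco
! ===== ASA 5505 (based on the posted 7.2(4) config) =====
! Route the whole second network, not only the /32 test host, via the leased-line gateway
no route inside 192.168.192.2 255.255.255.255 10.0.0.250 1
route inside 192.168.192.0 255.255.255.0 10.0.0.250 1
!
! NAT exemption for VPN pool <-> second network. The existing "permit ip any 172.16.45.0"
! line already covers it; the explicit entry documents which subnets are expected.
access-list inside_nat0_outbound extended permit ip 192.168.192.0 255.255.255.0 172.16.45.0 255.255.255.0
!
! If split tunnelling is ever narrowed from "permit any", both networks must be listed,
! otherwise the client never sends 192.168.192.0/24 traffic into the tunnel.
no access-list VPN-splitTunnelAcl standard permit any
access-list VPN-splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list VPN-splitTunnelAcl standard permit 192.168.192.0 255.255.255.0
!
! Check the routing table after the change (expect both 192.168.192.0/24 and the default route)
show route

! ===== Leased-line router at 10.0.0.250 (assumed Cisco IOS, hypothetical) =====
! Forward traffic reaches 192.168.192.0/24 via this router, but replies addressed to the
! VPN pool have no matching route here and follow the default route (or are dropped).
! This static route sends them back to the ASA inside interface, which puts them in the tunnel.
ip route 172.16.45.0 255.255.255.0 10.0.0.1
!
! The far end of the leased line (192.168.192.0/24 side) must likewise know that
! 172.16.45.0/24 lives behind this router; that side was not visible in the thread.
show ip route 172.16.45.100
```

The asymmetric path is the diagnostic to remember: a ping that leaves the ASA correctly can still fail because the reply is routed by a device that has never heard of the VPN pool.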