vvandeweyer asked:
Cisco ASA 5505, VPN, Second Network and Static Route

Hi Experts,


I have an ASA 5505 installed on my network and I've configured remote VPN access on it.

I also have on my network a gateway allowing the internal users to access another network connected through a leased line. The route for this network is added on the client computers by the internal DHCP server.

What I want is to be able to see the internal network, but also the other network, when I'm connected using the VPN.

At the moment, when connected to the VPN, I'm able to see the internal network, but not the other one.
When I try to add the route manually on the remote computer (the one connected to the VPN), I'm not able to reach the second network.

What can I do to be able to see both networks when connected through the VPN?
Do I have to change the configuration on the ASA or on the computer connecting remotely?

Here is some information about my network:
Internal Network IP Pool: 10.0.0.0/24
ASA 5505 IP : 10.0.0.1
Second Network IP Pool: 192.168.192.0/24
Second Network Gateway IP : 10.0.0.250
ASA 5505 VPN IP Pool : 172.16.0.0/24


Thank you for your help.


Vincent


fgasimzade

You need to change your ASA config, but before that we need to see what is already done on the ASA, so please post your config.
Joris VS

In the client VPN config of your ASA you need to add the 192.168.192.0/24
network you want to get to as local to the ASA.
vvandeweyer

ASKER
Hello,
Sorry for the late answer. I was out of the office until now.

Here is the configuration:

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq www
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq https  
access-list outside_access_in extended permit gre any host 172.16.0.2
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq pptp
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.45.0 255.255.255.0  
access-list inside_access_in extended permit ip any any
access-list VPN-splitTunnelAcl standard permit any
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPN2 172.16.45.100-172.16.45.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 10.0.0.2 pptp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.192.2 255.255.255.255 10.0.0.250 1
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server LDAP protocol radius
aaa-server LDAP (inside) host 10.0.0.2
 timeout 5
 key mykey---
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy VPN internal
group-policy VPN attributes
 dns-server value 10.0.0.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-splitTunnelAcl
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN
 authentication-server-group LDAP
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2dec0b3bb0b53992d39b13aa790db490
: end
asdm image disk0:/asdm-524.bin
asdm location 10.0.0.2 255.255.255.255 inside
asdm location 172.16.0.2 255.255.255.255 inside
asdm location 10.0.0.5 255.255.255.255 inside
no asdm history enable

Thanks for your help!

Vincent
Joris VS

Small remarks, but nothing that is really wrong:

- You can't access the internet either when connected to the VPN?
- access-list inside_nat0_outbound extended permit ip 192.168.192.0 255.255.255.0 172.16.45.0 255.255.255.0
  instead of: access-list inside_nat0_outbound extended permit ip any 172.16.45.0 255.255.255.0
- Is this line just to specify the one IP? route inside 192.168.192.2 255.255.255.255 10.0.0.250 1

I think your config is actually OK on the ASA, but do you have a route back to the ASA from the other subnet? I see you're using OSPF?
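To make the return-path question concrete, here is an added Python model (not from this thread or from Cisco) of the topology as posted: it does a longest-prefix lookup at every hop and shows that the reply from 192.168.192.2 follows the provider router's default route out of the site instead of coming back to the ASA, and what changes once that router has a route for 172.16.45.0/24 via 10.0.0.1. The provider router's table and its leased-line next hop 198.51.100.1 are assumptions.

```python
import ipaddress
# Constructed model of the topology in this thread. Addresses are the ones posted;
# the provider router's table and its leased-line next hop (198.51.100.1, a
# documentation placeholder) are assumptions.
def make_nodes(client_addr="172.16.45.100", provider_extra_routes=()):
    # Each node: its own addresses plus a (prefix, next_hop) table; None = directly connected.
    return {
        "client":   {"addrs": [client_addr],                     # split-tunnel 'permit any' = full tunnel
                     "routes": [("0.0.0.0/0", "10.0.0.1")]},
        "asa":      {"addrs": ["10.0.0.1", "172.16.0.2"],
                     "routes": [("10.0.0.0/24", None), ("172.16.0.0/24", None),
                                ("172.16.45.0/24", None),            # VPN pool: ASA's reverse route
                                ("192.168.192.2/32", "10.0.0.250"),  # the 'route inside' test route
                                ("0.0.0.0/0", "172.16.0.1")]},
        "provider": {"addrs": ["10.0.0.250", "192.168.192.1"],
                     "routes": [("10.0.0.0/24", None), ("192.168.192.0/24", None),
                                ("0.0.0.0/0", "198.51.100.1")] + list(provider_extra_routes)},
        "remote":   {"addrs": ["192.168.192.2"],
                     "routes": [("192.168.192.0/24", None), ("0.0.0.0/0", "192.168.192.1")]},
    }

def lookup(node, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def owner(nodes, addr):
    """Name of the node that holds `addr`, or None if nobody in the model does."""
    return next((n for n, v in nodes.items() if str(addr) in v["addrs"]), None)

def trace(nodes, start, dst, max_hops=8):
    """Nodes a packet visits from `start` towards `dst`, ending in DELIVERED or DROPPED."""
    dst, here, path = ipaddress.ip_address(dst), start, [start]
    for _ in range(max_hops):
        if str(dst) in nodes[here]["addrs"]:
            return path + ["DELIVERED"]
        match = lookup(nodes[here], dst)
        if match is None:
            return path + ["DROPPED"]
        # Connected route: hand to whoever holds dst; else go to the next hop. A next hop
        # nobody in the model owns means the packet left the site (leased line / internet).
        here = owner(nodes, dst if match[1] is None else match[1])
        if here is None:
            return path + ["DROPPED"]
        path.append(here)
    return path + ["DROPPED"]
```

With the in-LAN pool the asker experimented with (client_addr="10.0.0.150") the provider router matches its connected 10.0.0.0/24 and the reply is delivered, which is why that test appeared to work; it depends on the ASA answering for pool addresses on the inside segment rather than on a proper route and is not the fix.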
Joris VS

Show the OSPF output on the ASA and the next router, please.
vvandeweyer

ASKER

The "show ospf" command doesn't return me any results.
I also tried modifying the access list but with no luck.

In fact, this line "route inside 192.168.192.2 255.255.255.255 10.0.0.250 1" is just for test purposes.
As soon as I'm able to ping this IP, I'll be able to ping any IP.

What I can tell you is that when I change the VPN IP pool to a range in the same subnet as the internal network (10.0.0.150-10.0.0.200) and I add the route manually on the remote computer, I can ping the other network. But it is not working on all OSes (working on Windows 7 but not on Windows XP)!

Maybe I'm missing something with XP.

Also, I'm not sure it is a good configuration to have the same IP range for the VPN as the one for my internal network.

thx
ASKER CERTIFIED SOLUTION
Joris VS

vvandeweyer

ASKER
Sorry for the late answer again.

I don't have access to the configuration of the second router because it came with the leased line.
I'll ask my provider to change the configuration and let you know.

thx
vvandeweyer

ASKER
Finally got a technician from my provider who managed to change the configuration of their router.
Everything is working fine now.
Thank you for your help.