Solved

Cisco ASA5510 VPN Clients

Posted on 2011-09-21
Last Modified: 2012-05-12
Hi
I have users connecting to an ASA5510 with the Cisco VPN Client. They can connect to the internal LAN but not to the DMZ LAN or other internal LANs connected off the internal LAN.

How can I allow access to multiple internal LANs?
I guess I first need to tell the VPN client to pass the internal LAN information to the client. As I imagine it, the client only knows of 10.52.0.0/16 and routes all other traffic to the internet instead of passing it to the ASA.

Is this correct? If so, how do I get the client to know that 192.168.33.0/24 traffic should also get routed to the ASA?

Regards
Question by:Rbauckham69
12 Comments
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 400 total points
ID: 36574942
You would need to edit the access-list that you are using in your split tunnel config. You need to add another line to the ACL that will also encrypt the subnets for your DMZ.

 
LVL 18

Expert Comment

by:jmeggers
ID: 36575278
You may also have to advertise the VPN subnet to any other segments inside the LAN.  If they don't know where the VPN pool is located, they won't know how to route return traffic to it.
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 400 total points
ID: 36575478
You would also need to create access lists to access the DMZ and NAT0 statements as well. Can you post your configs?
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 1200 total points
ID: 36575712
In addition to MikeKane and fgasimzade,

Indeed, the access lists for matching the traffic going into the tunnel and being exempted from NAT. Also, the ASA needs to have a route to the remote (internal) networks, and machines on those networks need to have a route to the IP range of the VPN clients through the ASA.

The VPN client only knows the network(s) the ASA is telling it to recognize. If split tunneling is enabled, the rest will go out the internet connection (local to the client). So that's why the ASA has got to know (and be able to reach) all the other networks and allow traffic to and from those networks through the VPN.

 

Author Comment

by:Rbauckham69
ID: 36708729
Thanks to all for your assistance. But I'm still unsure where I should be editing / adding etc.
Is this possible thru the ASDM?

 

Author Comment

by:Rbauckham69
ID: 36708746
access-list Site_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0

Do I just add another line such as

access-list Bracknell_splitTunnelAcl standard permit 172.22.1.0 255.255.255.0

?


 
LVL 18

Expert Comment

by:fgasimzade
ID: 36708781
Yes, if this is your DMZ LAN
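Putting the accepted answer's three requirements (split-tunnel ACL, NAT exemption, routes) together with the extra ACL line discussed just above, as an added example that is not from the original thread. It uses pre-8.3 ASA syntax (matching the nat 0 wording in the thread); the interface names inside/dmz, the VPN pool 10.52.250.0/24, the internal gateway 10.52.0.254, the routed subnet 10.60.0.0/24 and the group-policy name Site_GP are all assumed.

```cisco
! Address pool handed to VPN clients (assumed range)
ip local pool VPN_POOL 10.52.250.1-10.52.250.254 mask 255.255.255.0
!
! 1. Split-tunnel ACL: one line per network the client must send through the tunnel.
!    Anything not listed here leaves the client's local internet connection unencrypted.
access-list Site_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0
access-list Site_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0
access-list Site_splitTunnelAcl standard permit 10.60.0.0 255.255.255.0
!
! 2. NAT exemption: traffic from each interface toward the VPN pool must not be translated.
!    The DMZ needs its own nat 0 on the dmz interface; the inside one does not cover it.
access-list inside_nat0_outbound extended permit ip 10.52.0.0 255.255.0.0 10.52.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.60.0.0 255.255.255.0 10.52.250.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.33.0 255.255.255.0 10.52.250.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
!
! 3. Routing: the ASA must know how to reach a LAN that sits behind an internal router
!    (the directly connected inside and dmz networks need no static route), and that
!    router in turn needs a route for 10.52.250.0/24 pointing back at the ASA.
route inside 10.60.0.0 255.255.255.0 10.52.0.254 1
!
! Tie the split-tunnel list to the group policy the VPN clients land in.
group-policy Site_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Site_splitTunnelAcl
```

On ASA 8.3 and later the `nat 0 access-list` form no longer exists and the exemption is written as twice NAT (`nat (inside,outside) source static ... destination static ...`), so only the ACL and route parts carry over unchanged. After applying, `show run access-list Site_splitTunnelAcl` on the ASA and the "Secured Routes" list on the client should both show all three networks.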
 

Author Comment

by:Rbauckham69
ID: 36709062
Bingo... easy when you know how.

I also have sites connected thru DMVPN. Should I be able to also allow access to them the same way? Or are there further complications due to the tunnels that connect them?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709208
When you know, everything is easy ;)

Split tunnels are for client VPN access. I assume we're talking site 2 site here?
In that case you need to make some other adjustments (also at the device at the other side of the tunnel). The tunnel settings define what networks are to be reached and exempted from NAT.
In that case I think it would be easier if you could post a sanitized copy of the config so we can point out what adjustments you would need.
 

Author Comment

by:Rbauckham69
ID: 36709375
Well, I want to connect to the other site-to-site networks thru the VPN clients...

I have the ASA / DMZ at one site where the VPN clients connect through, and another GW on my LAN which has 3 sites now connected with Cisco DMVPN.
Previously I understood that we couldn't connect to other sites when "VPN clienting" due to the fact that there was more than 1 IPsec tunnel to route over?

Should I be able to connect now?
Apologies..... Not very clearly explained, no doubt!
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709686
Well I think I understand ;)

I was thinking the tunnels were terminated on the ASA. If that was the case you could use 'hairpinning' to get traffic to go to the remote VPNs.
In this setup...... I don't know. I'm not too much of an expert with DMVPN, but I get the feeling that it isn't going to work this way.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709764
Thx for the points :)

Perhaps it's an idea (if you really need it) to post a related question to see if someone can get the DMVPN to remote VPN to work.