
Cisco ASA remote access vpn: connecting to multiple internal networks

Netrinc asked:
Last Modified: 2012-05-12
Recently I successfully set up remote access VPN (SSL VPN) on the ASA 5510. The remote user is assigned an IP address on an already existing (internal) subnet. The issue is that the user cannot access the other internal subnets that are usually accessible.

I did some reading and looked at some configuration examples for split tunneling. None seem to address the issue that I have; they were more based on providing internet access to the remote user (which I am not interested in). How would I go about giving the remote users access to the other internal networks?

Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)

Commented:
Hi,

I advise moving the SSL IP pool address to an individual subnet, and creating a nonat for reaching the internal subnets.

Best regards,
Istvan

Commented:
Split tunnel allows the remote VPN user to access their local subnet (like their home net) and any resources there, such as printers or local Internet access.

Split tunnel doesn't affect the VPN inside networks.

What is the router for the internal networks? Using the ASA as a router would require same-security interface traffic to be enabled:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Next I would look at the route table on the VPN client. What default gateway does it get?

Of course, this assumes you gave the VPN clients permission to access the other subnets. You can use an object group for all your inside networks or add multiple ACL entries. The default is that it only has access to the subnet it's on.

If you still need help, post a sanitized config.




Top Expert 2011

Commented:
I would suggest changing your SSL VPN pool to a new subnet and making sure your internal routing is set up correctly.

Author

Commented:
"Of course, this assumes you gave the VPN Clients permission to access the other subnets. You can use a object group for all your inside networks or add multiple ACL entries. The default is it only has access to the subnet it's on."

How do I give the VPN clients this permission? The internal networks communicate fine on their own.

The default gateway on the VPN client is the same as the internal network. It's as if it's on that local network, with the exception that it cannot access the other internal networks.

I don't think changing the SSL VPN pool is an option. But how would that be implemented? (I want to keep my options open.)

Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)

Commented:
Please show the whole config.

Commented:
You need to add all the internal subnets to the Networks Allowed for the VPN.

Are you using ASDM or the command line? You need to look to see what ACL is used by the VPN, then edit it to allow ANY inside network.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

Author

Commented:
I am using ASDM.

Here is the config:

sho run
: Saved
:
ASA Version 8.2(2)
!
hostname ROFW1
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif ROCS_SWA
 security-level 100
 no ip address
!
interface Ethernet0/1.51
 vlan 51
 nameif DMZ_A
 security-level 100
 ip address 172.17.1.254 255.255.255.0
!
interface Ethernet0/1.100
 vlan 100
 nameif ROCS_A
 security-level 100
 ip address 10.6.11.1 255.255.255.0
!
interface Ethernet0/2
 nameif PADS_A
 security-level 100
 ip address 10.6.13.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list PADS_A_nat0_outbound extended permit ip 10.6.13.0 255.255.255.0 10.6.11.0 255.255.255.0
access-list ROCS_LAN_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.13.0 255.255.255.0
access-list ROCS_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.11.0 255.255.255.0
access-list Split_Tunnel_ACL extended permit ip 10.6.11.0 255.255.255.0 10.6.13.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu ROCS_SWA 1500
mtu DMZ_A 1500
mtu ROCS_A 1500
mtu PADS_A 1500
mtu management 1500
ip local pool ROCS_VPN_POOL 10.6.11.201-10.6.11.210 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 144 interface
nat (DMZ_A) 144 172.17.1.0 255.255.255.0
nat (ROCS_A) 0 access-list ROCS_A_nat0_outbound outside
nat (ROCS_A) 144 10.6.11.0 255.255.255.0
nat (PADS_A) 0 access-list PADS_A_nat0_outbound
nat (PADS_A) 144 10.6.13.0 255.255.255.0
static (ROCS_A,DMZ_A) 10.6.11.0 10.6.11.0 netmask 255.255.255.0
static (DMZ_A,ROCS_A) 172.17.1.0 172.17.1.0 netmask 255.255.255.0
static (DMZ_A,PADS_A) 172.17.1.0 172.17.1.0 netmask 255.255.255.0
static (PADS_A,DMZ_A) 10.6.13.0 10.6.13.0 netmask 255.255.255.0
static (PADS_A,ROCS_A) 10.6.13.0 10.6.13.0 netmask 255.255.255.0
static (ROCS_A,PADS_A) 10.6.11.0 10.6.11.0 netmask 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RSA_GRP protocol radius
aaa-server RSA_GRP (ROCS_A) host 10.6.11.3
key *****
 radius-common-pw *****
 acl-netmask-convert auto-detect
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
 enrollment self
 fqdn rofw1.rocs.loc
 subject-name CN=rofw1.rocs.loc
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate 8230a84e
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 wins-server none
 dns-server value 10.6.11.11 10.6.11.111
 vpn-tunnel-protocol svc
 default-domain value rocs.loc
 address-pools value ROCS_VPN_POOL
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username testuser password qdcCjoOulhCLdBgM encrypted
username testuser attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 authentication-server-group RSA_GRP
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias ROCS_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65173f20f27047628d7d01f683825668
: end

Author

Commented:
bump
Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)
Commented:
Hi,

You need:

no ip local pool ROCS_VPN_POOL 10.6.11.201-10.6.11.210 mask 255.255.255.0
ip local pool ROCS_VPN_POOL 10.6.15.201-10.6.15.210 mask 255.255.255.0

access-list PADS_A_nat0_outbound extended permit ip 10.6.13.0 255.255.255.0 10.6.11.0 255.255.255.0
access-list PADS_A_nat0_outbound extended permit ip 10.6.13.0 255.255.255.0 10.6.15.0 255.255.255.0
access-list ROCS_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.15.0 255.255.255.0
access-list ROCS_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.13.0 255.255.255.0
nat (ROCS_A) 0 access-list ROCS_A_nat0_outbound outside
nat (PADS_A) 0 access-list PADS_A_nat0_outbound

access-list ROCS_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.11.0 255.255.255.0
access-list Split_Tunnel_ACL standard permit 10.6.11.0 255.255.255.0
access-list Split_Tunnel_ACL standard permit 10.6.13.0 255.255.255.0
clear xlate
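A small audit for the two pitfalls the experts raise in this thread (a VPN pool that overlaps an interface subnet, and inside interfaces whose nat0 ACL does not exempt traffic toward the pool), as an added example that is not code from the thread or from Cisco. SAMPLE_CONFIG is a constructed excerpt of the posted config, and parse and audit are hypothetical helper names.

```python
"""Audit an ASA 8.2-style config for a VPN pool overlapping an interface subnet and
for inside interfaces with no nat0 exemption toward the pool. Added example."""
import ipaddress
import re
# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/1.100
 nameif ROCS_A
 ip address 10.6.11.1 255.255.255.0
interface Ethernet0/2
 nameif PADS_A
 ip address 10.6.13.1 255.255.255.0
access-list PADS_A_nat0_outbound extended permit ip 10.6.13.0 255.255.255.0 10.6.11.0 255.255.255.0
access-list ROCS_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.11.0 255.255.255.0
ip local pool ROCS_VPN_POOL 10.6.11.201-10.6.11.210 mask 255.255.255.0
nat (ROCS_A) 0 access-list ROCS_A_nat0_outbound outside
nat (PADS_A) 0 access-list PADS_A_nat0_outbound
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse(config):
    """Collect interface subnets, extended ACL entries, nat0 bindings and pool range."""
    ifaces, acls, nat0, pool, cur = {}, {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            cur = m[1]
        elif m := re.match(rf"\s+ip address {IP} {IP}", line):
            ifaces[cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(rf"access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}", line):
            acls.setdefault(m[1], []).append((ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                              ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif m := re.match(rf"ip local pool \S+ {IP}-{IP}", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]
    return ifaces, acls, nat0, pool

def audit(config):
    """Return (interfaces whose subnet contains pool addresses,
               interfaces whose nat0 ACL does not exempt traffic to the pool)."""
    ifaces, acls, nat0, (first, last) = parse(config)
    overlapping, unexempted = [], []
    for name, net in ifaces.items():
        if first in net or last in net:
            overlapping.append(name)
        # An exemption counts only if it covers the whole interface subnet and the whole pool.
        if not any(net.subnet_of(src) and first in dst and last in dst
                   for src, dst in acls.get(nat0.get(name, ""), [])):
            unexempted.append(name)
    return overlapping, unexempted
```

Running audit on the posted excerpt reports ROCS_A as overlapping the pool; moving the pool to 10.6.15.x without adding the nat0 entries from the answer above then reports both inside interfaces as unexempted, and adding those entries clears both findings.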

Author

Commented:
What's wrong with using the ROCS_VPN_POOL as is? I'd like to avoid having to change that if possible.

Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)

Commented:
It is on the same subnet as:

interface Ethernet0/1.100
 vlan 100
 nameif ROCS_A

so you need to change it...

Author

Commented:
Well, I'm trying to understand why we can't make it work with the current one. The VPN client successfully authenticates and is put on the 10.6.11.x network. It should follow all the rules for everything on that subnet, right? Currently the client has access to everything else on that subnet. So why or how is it not following the other rules that allow access to the other subnets? That is what I am trying to understand.

Changing the pool would require a design change that is outside of my control.

Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)

Commented:
You need it, if you want to reach the other subnet...
Commented:
I've not used VLAN sub-interfaces on an ASA before. You may need:
 same-security-traffic permit intra-interface

Normally, you use a separate subnet for the VPN pool. I've not tried to use the same one and I don't see ANY documentation showing it in use. The ASA treats the VPN client as being on a virtual interface.

Have you looked at debug while a client is connected and trying to reach a resource?

What is the business driver for wanting to use the same subnet?

Author

Commented:
Well, the IP scheme was selected and approved by our client. We're eventually going to deploy the system at their facility, so we have to follow their IP designations. We could request a change to the design but it would take too long.

BTW, it turns out the configuration I posted works; sorry for not responding earlier. Unbeknownst to me, the lab computer being used had Symantec Endpoint Protection turned on and was blocking the ping commands.

I'm still going to reward you guys with some points for your effort. Thanks.

Author

Commented:
Solved the issue on my own but got good ideas and input from the experts.