Netrinc

Cisco ASA remote access vpn: connecting to multiple internal networks

Recently I successfully set up a remote access VPN (SSL VPN) on the ASA 5510. The remote user is assigned an IP address on an already existing (internal) subnet. The issue is that the user cannot access the other internal subnets that are usually accessible.

I did some reading and looked at some configuration examples for split tunneling. None seem to address the issue that I have; they were more about providing Internet access to the remote user (which I am not interested in). How would I go about giving the remote users access to the other internal networks?
Istvan Kalmar


I advise moving the SSL VPN IP pool to its own subnet, and creating a NAT exemption (nonat) for reaching the internal subnets.

Best regards,
Split tunnel allows the remote VPN user to access their local subnet (like their home network) and any resources there, such as printers or local Internet access.

Split tunnel doesn't affect the VPN inside networks

What is the router for the internal networks? Using the ASA as the router would require same-security traffic between interfaces to be enabled.

Next I would look at the route table on the VPN client. What default gateway does it get?

Of course, this assumes you gave the VPN clients permission to access the other subnets. You can use an object group for all your inside networks or add multiple ACL entries. The default is that it only has access to the subnet it's on.

If you still need help, post a sanitized config

I would suggest changing your SSL VPN pool to a new subnet and making sure your internal routing is set up correctly.
Netrinc

"Of course, this assumes you gave the VPN Clients permission to access the other subnets. You can use a object group for all your inside networks or add multiple ACL entries. The default is it only has access to the subnet it's on."

How do I give the VPN clients this permission? The internal networks communicate fine on their own.

The default gateway on the VPN client is the same as the internal network. It's as if it is on that local network, with the exception that it cannot access the other internal networks.

I don't think changing the SSL VPN pool is an option. But how would that be implemented? (I want to keep my options open.)
Please show the whole config.
You need to add all the internal subnets to the Networks Allowed for the vpn.

Are you using ASDM or the command line? You need to look to see what ACL is used by the VPN, then edit it to allow any inside network.
Netrinc

I am using ASDM.

Here is the config:

sho run
: Saved
ASA Version 8.2(2)
hostname ROFW1
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address dhcp setroute
interface Ethernet0/1
 nameif ROCS_SWA
 security-level 100
 no ip address
interface Ethernet0/1.51
 vlan 51
 nameif DMZ_A
 security-level 100
 ip address
interface Ethernet0/1.100
 vlan 100
 nameif ROCS_A
 security-level 100
 ip address
interface Ethernet0/2
 nameif PADS_A
 security-level 100
 ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list PADS_A_nat0_outbound extended permit ip
access-list ROCS_LAN_A_nat0_outbound extended permit ip
access-list ROCS_A_nat0_outbound extended permit ip
access-list Split_Tunnel_ACL extended permit ip
pager lines 24
logging asdm informational
mtu outside 1500
mtu ROCS_SWA 1500
mtu DMZ_A 1500
mtu ROCS_A 1500
mtu PADS_A 1500
mtu management 1500
ip local pool ROCS_VPN_POOL mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 144 interface
nat (DMZ_A) 144
nat (ROCS_A) 0 access-list ROCS_A_nat0_outbound outside
nat (ROCS_A) 144
nat (PADS_A) 0 access-list PADS_A_nat0_outbound
nat (PADS_A) 144
static (ROCS_A,DMZ_A) netmask
static (DMZ_A,ROCS_A) netmask
static (DMZ_A,PADS_A) netmask
static (PADS_A,DMZ_A) netmask
static (PADS_A,ROCS_A) netmask
static (ROCS_A,PADS_A) netmask
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RSA_GRP protocol radius
aaa-server RSA_GRP (ROCS_A) host
key *****
 radius-common-pw *****
 acl-netmask-convert auto-detect
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
 enrollment self
 fqdn rofw1.rocs.loc
 subject-name CN=rofw1.rocs.loc
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate 8230a84e
    308201e7 30820150 a0030201 02020482 30a84e30 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e72 6f667731 2e726f63 732e6c6f 63311d30
    1b06092a 864886f7 0d010902 160e726f 6677312e 726f6373 2e6c6f63 301e170d
    31313130 32363136 30383334 5a170d32 31313032 33313630 3833345a 30383117
    30150603 55040313 0e726f66 77312e72 6f63732e 6c6f6331 1d301b06 092a8648
    86f70d01 0902160e 726f6677 312e726f 63732e6c 6f633081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100b5 2d263f43 ae641363 3a42f079
    b4cc4521 a3ea7b93 48cf9330 d0381962 2f9c2859 27914d9c 16a32958 4ff19905
    45a07351 960d9396 288d84b1 0df18b5c bd1a959f 453d3612 e1b7a22b f5b62e39
    98a18146 6034ccc8 ed59039a 981d3f1c 00dfa777 668787a2 11eb0ffa 7b326edc
    3795d749 e1fafbd6 4fdc9ec7 219a08b1 6c03ed02 03010001 300d0609 2a864886
    f70d0101 05050003 8181004d 60493a92 efca8e46 67d27d28 254e366a 8a3ed16b
    fd784ce4 8445d561 af439a3d 6dfa7b1a 0f4ed3f7 4f7fda02 5d2bc3dd 49fb474f
    4a73ce1d c281ffc0 6301a349 ba80ec46 c6c53a8f 0ea62a72 8e39a806 90d98dfc
    489a73e7 8cd014f4 626f39ff 4234f2db f919d58b e32a3e2b 1125ce05 eaa75ab1
    60c637df a0541422 fbf546
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol svc
 default-domain value rocs.loc
 address-pools value ROCS_VPN_POOL
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username testuser password qdcCjoOulhCLdBgM encrypted
username testuser attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 authentication-server-group RSA_GRP
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias ROCS_VPN enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
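The expert replies above recommend three things: a VPN pool on its own subnet, a NAT exemption (nonat) on each inside interface for traffic to that pool, and an explicit list of the networks VPN users may reach. The fragment below is an added example of what that looks like in ASA 8.2 syntax; it is not from the original thread or from Cisco's documentation. Interface and policy names are taken from the posted config, but every address is an assumption: 10.6.11.0/24 for ROCS_A (the thread mentions 10.6.11.x), 10.6.12.0/24 and 10.6.51.0/24 for PADS_A and DMZ_A, and 10.6.250.0/24 for the new pool. One thing worth checking in the posted config regardless of the pool question: the outside interface is at security-level 100, same-security-traffic permit inter-interface is enabled, and no access-group is applied to outside, which permits unfiltered traffic from outside to the other level-100 interfaces. The example puts outside at 0.

```cisco
! Added example, not part of the original post. Interface names follow the
! posted config; all addresses below are assumptions (see lead-in).
!
! 1. Outside should not sit at security-level 100. With
!    "same-security-traffic permit inter-interface" and no access-group on
!    outside, a level-100 outside interface passes traffic to the other
!    level-100 interfaces without any ACL.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! 2. Give the remote-access clients their own subnet instead of carving
!    addresses out of the ROCS_A LAN.
ip local pool ROCS_VPN_POOL 10.6.250.10-10.6.250.100 mask 255.255.255.0
!
! 3. NAT exemption (nonat) on every inside interface for traffic to the pool.
!    Without it, "nat (PADS_A) 144" plus "global (outside) 144 interface" PATs
!    the return traffic from PADS_A and DMZ_A to the outside address and the
!    reply never makes it back into the tunnel. ROCS_A already has an
!    exemption list in the posted config; the other two need one as well.
access-list ROCS_A_nat0_outbound extended permit ip 10.6.11.0 255.255.255.0 10.6.250.0 255.255.255.0
access-list PADS_A_nat0_outbound extended permit ip 10.6.12.0 255.255.255.0 10.6.250.0 255.255.255.0
access-list DMZ_A_nat0_outbound extended permit ip 10.6.51.0 255.255.255.0 10.6.250.0 255.255.255.0
nat (ROCS_A) 0 access-list ROCS_A_nat0_outbound
nat (PADS_A) 0 access-list PADS_A_nat0_outbound
nat (DMZ_A) 0 access-list DMZ_A_nat0_outbound
!
! 4. Decide explicitly what VPN users may reach. "sysopt connection
!    permit-vpn" is on by default, so decrypted VPN traffic bypasses the
!    outside interface ACL; the group policy's vpn-filter is where the
!    "networks allowed" are actually enforced. The filter is written from the
!    client's side (source = pool, destination = internal network) and the ASA
!    evaluates it for both directions of the connection.
access-list VPN_ALLOWED extended permit ip 10.6.250.0 255.255.255.0 10.6.11.0 255.255.255.0
access-list VPN_ALLOWED extended permit ip 10.6.250.0 255.255.255.0 10.6.12.0 255.255.255.0
access-list VPN_ALLOWED extended permit ip 10.6.250.0 255.255.255.0 10.6.51.0 255.255.255.0
access-list VPN_ALLOWED extended deny ip any any log
!
! 5. Optional: tunnel only the internal networks (split tunneling) so the
!    client's Internet traffic is not hairpinned through the ASA. A standard
!    ACL lists the networks that go through the tunnel.
access-list SPLIT_INTERNAL standard permit 10.6.11.0 255.255.255.0
access-list SPLIT_INTERNAL standard permit 10.6.12.0 255.255.255.0
access-list SPLIT_INTERNAL standard permit 10.6.51.0 255.255.255.0
!
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value ROCS_VPN_POOL
 vpn-filter value VPN_ALLOWED
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INTERNAL
```

If the pool has to stay inside 10.6.11.0/24, as the asker says it must, steps 3 and 4 still apply with 10.6.11.0/24 written in place of the pool subnet. To check the result from the ASA side: `show vpn-sessiondb svc` confirms the client's assigned address and the filter in effect, `show access-list VPN_ALLOWED` shows hit counts as the client sends traffic, and `packet-tracer input outside tcp 10.6.250.10 12345 10.6.12.5 445` walks the NAT phase for a client-to-PADS_A flow and shows whether the exemption matches. Testing with ping from the client is only meaningful once host firewalls on the test machines are accounted for, which turned out to be the real cause in this thread.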
Istvan Kalmar

Netrinc

What's wrong with using the ROCS_VPN_POOL as is? I'd like to avoid having to change that if possible.
It is on the same subnet as:

interface Ethernet0/1.100
 vlan 100
 nameif ROCS_A

so you need to change it.
Netrinc

Well, I'm trying to understand why we can't make it work with the current one. The VPN client successfully authenticates and is put on the 10.6.11.x network. It should follow all the rules for everything on that subnet, right? Currently the client has access to everything else on that subnet. So why or how is it not following the other rules that allow access to the other subnets? That is what I am trying to understand.

Changing the pool would require a design change that is outside of my control.
You need it if you want to reach the other subnets.
Netrinc

Well, the IP scheme was selected and approved by our client. We're eventually going to deploy the system at their facility, so we have to follow their IP designations. We could request a change to the design, but it would take too long.

By the way, it turns out the configuration I posted works; sorry for not responding earlier. Unbeknownst to me, the lab computer being used had Symantec Endpoint Protection turned on and it was blocking the ping commands.

I'm still going to reward you guys with some points for your effort. Thanks.
Netrinc

Solved the issue on my own but got good ideas and input from the experts.