
Cisco ASA 5510 - Client VPN Subnet 1

Status
Not open for further replies.

NoWittyName

Technical User
Dec 28, 2001
82
GB
I am trying to set up the above system so that my clients are on a separate subnet .11.x to the rest of the network. Clients authenticate OK, but I cannot ping the main .3.x network. It works OK if they are on the same subnet; surely the system knows of the route and can deal with this (also tried adding a static route on the ASA box, but no luck).

CISCO VPN Client version is 4.6

Any ideas?





Master of Disaster.....Recovery
 
Is this a site to site, or is the ASA the VPN server, and all the networks you are talking about are behind it?

Burt
 
You can't configure the VPN users to use any ip addresses that reside behind the firewall. Such as if your internal subnets include 192.168.1.x, 192.168.2.x and so on you can not use any of them for your VPN pool. You should instead use a scope that is way outside of your other IP addresses.
 
Thanks for your help so far,

The ASA is the VPN Server and I want it to give out addresses from its own static address pool. The reason for this is I am transferring to this VPN server from an old one which is configured to give out addresses on the main network, and we are about to run out of spare addresses.

All the networks are behind the firewall

What do you mean by "way outside the other IP addresses"? No other machines use the .11, and the subnet is 255.255.255.0, so that would be outside the main network? Plus, it works if the addresses are on the main network.

Everywhere I read it says it can be done quite simply. Some suggest forwarding the .11 to another router that knows the route, but I can't get that to work either; others suggest using RIP, but RIP is pretty new to me. I want a simple solution for a fairly basic problem.

I think there is a newer client version that is only available if you have a support contract with Cisco. Perhaps this software is what I need?

Thanks in advance.

Master of Disaster.....Recovery
 
Okay, I understand what you are saying now. Please post a sanitized copy of your configuration.
 
OK, here it is. Thanks in advance.

: Saved
:
ASA Version 7.2(2)
!
hostname bsa-ciscoASA5510
domain-name companyname.org.uk
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
nameif companynameDM
security-level 100
ip address 192.168.3.248 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif JANETDM
security-level 0
ip address 100.100.21.254 255.255.255.224
ospf cost 10
!
interface Ethernet0/2
nameif ADSL
security-level 50
ip address 192.168.10.2 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name companyname.org.uk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list companynameDM_access_out extended permit ip any any
access-list JANETDM_access_out extended permit ip any any
access-list companynameDM_access_in extended permit ip any any
access-list companynameDM_access_in extended permit tcp any any
access-list JANETDM_access_in extended permit ip any any inactive
access-list JANETDM_access_in extended permit ip host 150.150.205.2 any
access-list companynameDM_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list companynameDM_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list companynameDM_nat0_outbound extended permit ip any 192.168.3.176 255.255.255.248
access-list JANETDM_20_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list JANETDM_cryptomap_1 extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list companyname-InternalAddresses remark Demonfort LAN
access-list companyname-InternalAddresses standard permit 192.168.3.0 255.255.255.0
access-list companyname-InternalAddresses remark RenHouse LAN
access-list companyname-InternalAddresses standard permit 192.168.6.0 255.255.255.0
access-list companyname-InternalAddresses remark Demonfort LAN
access-list companyname-InternalAddresses remark RenHouse LAN
pager lines 24
logging enable
logging asdm informational
logging permit-hostdown
mtu companynameDM 1500
mtu JANETDM 1500
mtu ADSL 1500
mtu management 1500
ip local pool VPNIPPool 192.168.3.179-192.168.3.180 mask 255.255.255.0
ip local pool VPN-Subnet 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
monitor-interface companynameDM
monitor-interface JANETDM
monitor-interface ADSL
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (companynameDM) 1 interface
global (JANETDM) 1 interface
global (ADSL) 1 interface
nat (companynameDM) 0 access-list companynameDM_nat0_outbound
nat (companynameDM) 1 192.168.3.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
access-group companynameDM_access_in in interface companynameDM
access-group companynameDM_access_out out interface companynameDM
access-group JANETDM_access_in in interface JANETDM
access-group JANETDM_access_out out interface JANETDM
route companynameDM 192.168.6.0 255.255.255.0 192.168.3.239 1
route companynameDM 192.168.5.0 255.255.255.0 192.168.3.239 1
route companynameDM 192.168.8.0 255.255.255.0 192.168.3.246 1
route companynameDM 192.168.9.0 255.255.255.0 192.168.3.251 1
route companynameDM 192.168.11.0 255.255.255.0 125.125.121.82 1
route JANETDM 192.168.0.0 255.255.255.0 125.125.121.82 1
route JANETDM 150.150.205.2 255.255.255.254 125.125.121.82 1
route JANETDM 0.0.0.0 0.0.0.0 125.125.121.82 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteUserVPN internal
group-policy RemoteUserVPN attributes
banner value WELCOME
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value companyname-InternalAddresses
default-domain value companyname.org.uk
client-firewall none
username xx password xxxxxxxxxxxx encrypted privilege 0
http server enable
http 192.168.3.0 255.255.255.0 companynameDM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map JANETDM_dyn_map 20 set pfs
crypto dynamic-map JANETDM_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map JANETDM_map 1 match address JANETDM_cryptomap_1
crypto map JANETDM_map 1 set peer 150.150.205.2
crypto map JANETDM_map 1 set transform-set ESP-AES-256-SHA
crypto map JANETDM_map 21 match address JANETDM_20_cryptomap
crypto map JANETDM_map 21 set peer 150.150.205.2
crypto map JANETDM_map 21 set transform-set ESP-AES-256-SHA
crypto map JANETDM_map 65535 ipsec-isakmp dynamic JANETDM_dyn_map
crypto map JANETDM_map interface JANETDM
crypto isakmp enable JANETDM
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 150.150.205.2 type ipsec-l2l
tunnel-group 150.150.205.2 ipsec-attributes
pre-shared-key *
tunnel-group RemoteUserVPN type ipsec-ra
tunnel-group RemoteUserVPN general-attributes
address-pool VPN-Subnet
default-group-policy RemoteUserVPN
tunnel-group RemoteUserVPN ipsec-attributes
pre-shared-key *
tunnel-group RemoteUserVPN ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:gggggggggggggggg
: end

Master of Disaster.....Recovery
 
You need:

access-list companynameDM_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.11.0 255.255.25

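Why the extra nat0 entry fixes it: on this ASA, a flow leaving companynameDM is first checked against the NAT exemption ACL (nat 0), and only if nothing matches does the dynamic rule `nat (companynameDM) 1 192.168.3.0 255.255.255.0` rewrite the source. The old pool (192.168.3.179-180) was already covered by the `permit ip any 192.168.3.176 255.255.255.248` exemption, while the new 192.168.11.0/24 pool was not, so LAN replies to VPN clients were being translated. The following is an added example (not from the thread or from Cisco) that models that lookup order over the ACL entries from the posted config; it assumes the truncated mask in the answer is 255.255.255.0 and simplifies the ASA's NAT engine to exemption-then-dynamic.

```python
import ipaddress

# Constructed from the posted config: nat0 exemption entries as (source, destination)
# networks, checked in order before any dynamic NAT rule is consulted.
NAT0_EXEMPT = [
    ("192.168.3.0/24", "192.168.0.0/24"),   # companynameDM_nat0_outbound line 1
    ("192.168.6.0/24", "192.168.0.0/24"),   # line 2
    ("0.0.0.0/0",      "192.168.3.176/29"), # line 3: covers the old in-subnet VPN pool
]

# The entry the answer adds (assumed /24 mask; the posted line is truncated).
FIX_ENTRY = ("192.168.3.0/24", "192.168.11.0/24")

# nat (companynameDM) 1 192.168.3.0 255.255.255.0 with "global ... 1 interface":
# any unexempted source in this range is PAT'd to the egress interface address.
DYNAMIC_NAT_SOURCES = ["192.168.3.0/24"]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def classify(src: str, dst: str, exempt: list) -> str:
    """Simplified ASA 7.x NAT decision for a flow leaving companynameDM.

    Returns "exempt" (identity, original address kept), "pat-to-interface"
    (source rewritten, so the VPN client sees a non-LAN address and replies
    fall outside the split-tunnel list), or "no-translation" (no rule hit;
    passes untranslated because nat-control is off by default on 7.x).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a, b in exempt:
        if s in _net(a) and d in _net(b):
            return "exempt"
    for a in DYNAMIC_NAT_SOURCES:
        if s in _net(a):
            return "pat-to-interface"
    return "no-translation"


if __name__ == "__main__":
    lan_host = "192.168.3.10"
    # Old pool address: already exempt via the 192.168.3.176/29 entry.
    print(classify(lan_host, "192.168.3.179", NAT0_EXEMPT))
    # New pool address before the fix: dynamic PAT rewrites the LAN source.
    print(classify(lan_host, "192.168.11.5", NAT0_EXEMPT))
    # After adding the answer's entry the flow is exempt, matching the old pool.
    print(classify(lan_host, "192.168.11.5", NAT0_EXEMPT + [FIX_ENTRY]))
```

Note that the RenHouse LAN (192.168.6.0/24) is in the split-tunnel list but is neither exempted for 192.168.11.0/24 nor covered by the dynamic rule, so it falls through untranslated in this model.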
 
Thank you very much, that worked!

Master of Disaster.....Recovery
 