VPN Config help

Unanswered Question
Jun 5th, 2007
I have an ASA5500 connected to an L2 switch, which is connected to a router that hosts all the gateways for clients.


I create a VPN on the ASA5500 as a backdoor into the network. The ASA5500 has 3 subinterfaces which are on the same network as each gateway.


Subinterfaces on the ASA are VLAN 100, 200, 300:


vlan 100 192.168.10.10

vlan 200 192.168.20.10

vlan 300 192.168.30.10


Router gateways:


192.168.10.1

192.168.20.1

192.168.30.1


From the ASA CLI I am able to ping all gateways and subinterfaces.


I set the ASA up as a VPN server. I create 3 different IP address pools that match the VLANs for each connecting VPN user.


I enable crypto isakmp nat-traversal.


I create each policy for split tunneling, allowing access only to the VLANs.


When connected through the VPN, I can access resources only on the VLAN that I got an IP from, but cannot ping or access any other VLANs, not even the gateway IP for that VLAN.


What are some of the things I need to do to make this work?

acomiskey Wed, 06/06/2007 - 05:16

It sounds like you need a route on your inside router for the VPN client address pool via your ASA, since the default gateway for the inside is not the ASA. At least that's what it seems like without seeing the actual config. Also, your VPN client pool should be completely unique.

cisconoobie Wed, 06/06/2007 - 06:36

OK, here is what I've done.


I have 3 subinterfaces with security level 100 on each.


I created an ICMP group that allows echo-reply, unreachable and time-exceeded to be allowed on each subinterface, for incoming traffic.


This fixed the ping problem, and now I can ping any IP on any VLAN.


I am able to connect to any host on the VLAN that my IP address pool dished out. For example, I get IP 192.168.10.190. I can connect to any 192.168.10.x host, but when I try to connect to a 192.168.20.x host, a SYN goes out but never receives an ACK. I check the logging buffer and the connection seems to time out.


Is there a security setting that prevents connectivity between subinterface VLANs on the ASA that will not show up in real-time logging in ASDM?


I tried enabling "connectivity between same security level interfaces" but still have the same problem.


I cannot post config due to security issues.


Do subinterface VLANs on the firewall have to have different security levels? I will try that next.

acomiskey Wed, 06/06/2007 - 07:10

"I set the ASA up as a VPN server. I create 3 different IP address pools that match the VLANs for each connecting VPN user."


- This is not right; your pools need to be different subnets than your inside networks.


"This fixed the ping problem, and now I can ping any IP on any VLAN."


- From where, the VPN or from somewhere inside?


"I am able to connect to any host on the VLAN that my IP address pool dished out. For example, I get IP 192.168.10.190. I can connect to any 192.168.10.x host, but when I try to connect to a 192.168.20.x host, a SYN goes out but never receives an ACK. I check the logging buffer and the connection seems to time out."


- From where, the VPN or from somewhere inside?


cisconoobie Wed, 06/06/2007 - 08:10

I didn't know that the IP pools have to be on a different network than the inside subinterface VLANs.


The ping works both from the VPN, using any of those pools, and from the firewall CLI.


I can connect to any host from within the VPN with the IP pool address, but not to another subnet.


I will try to create a new IP pool on a different subnet and see if it works.

acomiskey Wed, 06/06/2007 - 08:26

Still confused; these statements seem contradictory:


"The ping works both from the VPN, using any of those pools, and from the firewall CLI."


"I can connect to any host from within the VPN with the IP pool address, but not to another subnet."


Do you mean the ping works as long as the client is given an address from the pool in that particular VLAN?

cisconoobie Wed, 06/06/2007 - 08:45

BTW, thanks for the assistance. I will explain in full detail what is happening.


ASA5500 is set up as a VPN server.


Outside interface: public IP

Inside interface: Subinterface.100 = 192.168.10.10, sec level 100


Subinterface.200 = 192.168.20.10, sec level 100


Subinterface.300 = 192.168.30.10, sec level 100


The firewall is connected to the switch via an 802.1Q trunk. The switch is connected to the router. The router has gateways set up for VLANs 100, 200 and 300.


Gateways: 192.168.10.1, 192.168.20.1, 192.168.30.1


I created 3 IP pools, one for each VLAN. (I'm guessing this is wrong from your previous post.)


IP Pools:


192.168.10.190-200

192.168.20.190-200

192.168.30.190-200


I created a VPN profile with LOCAL authentication. The VPN profile uses the 192.168.10.190 pool. I enabled split tunneling on this profile to allow access to 192.168.10.x, 192.168.20.x, 192.168.30.x.


I created an incoming ICMP group for each VLAN to permit echo-reply, time-exceeded and unreachable messages for VLANs 100, 200 and 300. I set this permit in each VLAN ACL. I also set this on the outside incoming ACL.


From the ASA CLI, I ping the gateways and the VLAN interfaces. SUCCESS.


I connect via the VPN profile I created. I get a 192.168.10.190 address. I can ping all gateways, interfaces and all hosts on VLANs 100, 200 and 300.


From the VPN, I connect to a host on VLAN 100 and it works. I try to connect to a host on VLAN 200 and there is no ACK coming back; the connection times out.


Now, if I set up the VPN profile to use a VLAN 200 IP pool that I previously created, I can connect to any host on VLAN 200 but not on VLAN 100 or 300.


What do you think?

acomiskey Wed, 06/06/2007 - 09:14

Thanks for taking the time to do that, much better now. Although it still seems like you are contradicting yourself here; I'm sure I'm just reading it wrong....


"I connect via the VPN profile I created. I get a 192.168.10.190 address. I can ping all gateways, interfaces and all hosts on VLANs 100, 200 and 300."


"From the VPN, I connect to a host on VLAN 100 and it works. I try to connect to a host on VLAN 200 and there is no ACK coming back; the connection times out."


- You can ping all hosts on VLANs 100, 200 and 300 from the VPN but you cannot connect to a host on VLAN 200? Do you mean you actually are initiating traffic from VLAN 100 to VLAN 200?

cisconoobie Wed, 06/06/2007 - 09:49

Yes, I apologize.


When I connect through the VPN, I get a 192.168.10.190 address. I can SSH into any of my servers that reside on 192.168.10.0/24.


When I try to SSH into any server on 192.168.20.0/24, it will not connect, but pings go through.


Now, if I change the VPN profile to issue me an IP from the 192.168.20.x pool and I connect through it, I can SSH into any server on the 192.168.20.x VLAN but cannot SSH into 192.168.10.x or 30.x.
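Pulling acomiskey's two points together (a client pool that does not overlap any inside subnet, and a route on the inside router sending that pool back to the ASA), the configuration below is an added example written for this edit; it is not the poster's config and not something the thread shows. It assumes ASA 7.x syntax, a 5510-style Ethernet0/1 port trunked to the switch, a client pool of 192.168.99.0/24, placeholder outside addressing from 203.0.113.0/29, and the names VPNPOOL, SPLIT-TUNNEL, NONAT and RA-VPN, all invented here. It also makes one design change that is my reading of the symptom rather than something the thread establishes: pings and same-VLAN SSH succeeding while SSH to another VLAN sends a SYN that never gets its SYN-ACK fits a reply that reaches the ASA on a different inside interface from the one the SYN left (the VLAN 200 host answers via the router, which forwards the client address back on VLAN 100), which the ASA's stateful TCP connection check drops while the ACL-permitted echo-replies are stateless and get through. Three directly connected subinterfaces keep that asymmetry even with a unique pool, so the example uses a single inside interface on VLAN 100 and reaches VLANs 200 and 300 through the router, which makes every VPN flow enter and leave the inside network through the same ASA interface and the same router hop.

```text
! ===== ASA 5500, ASA 7.x syntax (added example; names and addresses are assumptions) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! One inside interface on VLAN 100 instead of three subinterfaces (see lead-in).
interface Ethernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.10.10 255.255.255.0
!
! Reach the other VLANs via the router (192.168.10.1), not via directly connected subinterfaces,
! so that requests and replies take the same path through the ASA.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
!
! VPN client pool on its own subnet; it must not overlap 192.168.10.0, 192.168.20.0 or 192.168.30.0.
ip local pool VPNPOOL 192.168.99.10-192.168.99.50 mask 255.255.255.0
!
! Split-tunnel list: only the three inside VLANs go down the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.30.0 255.255.255.0
!
! NAT exemption for inside <-> pool traffic; only needed if nat is configured on the inside interface.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Make ICMP stateful so echo-replies to VPN-originated pings are allowed by the connection
! table instead of by per-interface ACL entries for echo-reply/unreachable/time-exceeded.
policy-map global_policy
 class inspection_default
  inspect icmp
!
group-policy RA-VPN internal
group-policy RA-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value VPNPOOL
!
! LOCAL authentication, as in the thread.
username vpnuser password <user-password>
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 address-pool VPNPOOL
 default-group-policy RA-VPN
 authentication-server-group LOCAL
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <group-key>
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
sysopt connection permit-vpn
!
! ===== Inside router (IOS) =====
! Return path for the VPN pool: hand it to the ASA's inside address on VLAN 100.
ip route 192.168.99.0 255.255.255.0 192.168.10.10
```

To check it: "show route" on the ASA should list the connected inside network plus the two static routes; after a client connects, "show crypto ipsec sa" should show the tunnel, and "show conn" during an SSH session to a VLAN 200 host should show one outside-to-inside connection with no "Deny TCP (no connection)" entries in the log for the client address. If the three subinterfaces have to stay, the alternative is policy routing on the router so that replies to the pool from each VLAN are sent to the ASA address on that same VLAN; that is a larger change and is not shown here.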


