I have an ASA 5510 with IPSec VPN setup. The VPN clients are given 172.17.0.0 addresses and given access to 172.16.0.0 network (ASA's inside interface is 172.16.1.1). I need these clients to be able to reach 172.20.0.0 via an internal router (172.16.3.7).
How do I set this up? Currently the client just sends the 172.20.0.0 traffic out its normal internet connection as split-tunneling is enabled. I tried using a static route on the client, but that didn't work.
Any insight would be greatly appreciated.
I can only cite an IOS example that you might be able to translate to your needs.
On the IOS Easy VPN Server we configure a client configuration group (i.e.: policies pushed to the client during mode config).
crypto isakmp client configuration group psk-grp
The ACL specified in the configuration group defines the scope of the crypto protection (i.e.: what traffic is to receive crypto treatment).
I believe this ACL determines the routes that will be installed on the VPN Client. If this ACL includes an Access Control Entry (ACE) for the 172.20.0.0 network, I think you will succeed.
e.g.: for a pool of client addresses 172.17.0.16 - 172.17.0.31
access-list 108 permit ip 172.16.0.0 0.0.255.255 172.17.0.16 0.0.0.15
access-list 108 permit ip 172.20.0.0 0.0.255.255 172.17.0.16 0.0.0.15
Maybe that will help.
From the ASA, do you have a route to each 172.20.0.0 network via the 172.16.3.7 gateway?
I would check that.
1- From the ASA, a route to reach the 172.20.0.0 net.
2- If the ASA does have a route, does the 172.16.3.7 router know how to get to your VPN pool network?
3- Access list on the ASA to allow/permit the VPN pool network to access the 172.20.0.0 network.
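Putting the two answers together on the ASA side (the split-tunnel list from the IOS example, plus the route, return route and NAT exemption from the checklist above), here is an added configuration example. It is not from the original thread or from any poster; it assumes a pre-8.3 ASA release (hence the `nat (inside) 0` exemption form), a group policy named VPN_POLICY, a VPN pool of 172.17.0.0/16, and ACL names SPLIT_TUNNEL and NONAT, all of which are placeholders chosen for this illustration.

```cisco
! --- ASA (assumed pre-8.3 syntax; names are placeholders for this example) ---
!
! 1. Split-tunnel list: every destination the client should send through the
!    tunnel. Without the second entry the client routes 172.20.0.0 to the
!    internet, which is the behaviour described in the question.
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 172.20.0.0 255.255.0.0
!
group-policy VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 2. Route on the ASA so decrypted traffic for 172.20.0.0 is forwarded to the
!    internal router rather than dropped or sent to the default gateway.
route inside 172.20.0.0 255.255.0.0 172.16.3.7 1
!
! 3. NAT exemption so pool <-> 172.20.0.0 traffic is not translated when it
!    leaves the inside interface (172.16.0.0 would need the same treatment).
access-list NONAT extended permit ip 172.20.0.0 255.255.0.0 172.17.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! --- Internal router 172.16.3.7 (IOS) ---
! 4. Return route: without this the router has no path back to the VPN pool
!    and replies never reach the ASA.
ip route 172.17.0.0 255.255.0.0 172.16.1.1
```

To verify on the client, check that 172.20.0.0/16 appears in the secured routes after connecting; on the ASA, `show route` should list the 172.20.0.0 entry via 172.16.3.7, and `show xlate` should show no translation for pool-to-172.20.0.0 flows. If the interface ACLs are enforced on VPN traffic (that is, `sysopt connection permit-vpn` is disabled), an explicit permit from the pool to 172.20.0.0 is also required on the outside interface ACL.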