Routing VPN clients

Answered Question
Apr 30th, 2008

I have an ASA 5510 with IPSec VPN setup. The VPN clients are given 172.17.0.0 addresses and given access to 172.16.0.0 network (ASA's inside interface is 172.16.1.1). I need these clients to be able to reach 172.20.0.0 via an internal router (172.16.3.7).

How do I set this up? Currently the client just sends the 172.20.0.0 traffic out its normal internet connection, as split-tunneling is enabled. I tried using a static route on the client, but that didn't work.

Any insight would be greatly appreciated.

Rick

Correct Answer by michael.leblanc, Thu, 05/01/2008 - 20:17

I can only cite an IOS example that you might be able to translate to your needs.

On the IOS Easy VPN Server we configure a client configuration group (i.e.: policies pushed to the client during mode config).

crypto isakmp client configuration group psk-grp

acl 108

The ACL specified in the configuration group defines the scope of the crypto protection (i.e.: what traffic is to receive crypto treatment).

I believe this ACL determines the routes that will be installed on the VPN Client. If this ACL includes an Access Control Entry (ACE) for the 172.20.0.0 network, I think you will succeed.

e.g.: for a pool of client addresses 172.17.0.16 - 172.17.0.31

access-list 108 permit ip 172.16.0.0 0.0.255.255 172.17.0.16 0.0.0.15

access-list 108 permit ip 172.20.0.0 0.0.255.255 172.17.0.16 0.0.0.15

Maybe that will help.

Correct Answer by JORGE RODRIGUEZ, Wed, 04/30/2008 - 18:24

From the ASA, do you have a route to each 172.20.0.0 network via the 172.16.3.7 gateway?

I would check that.

1- From the ASA, a route to reach the 172.20.0.0 net.

2- If the ASA does have a route, does the 172.16.3.7 router know how to get to your VPN pool network?

3- An access list on the ASA to allow/permit the VPN pool network to access the 172.20.0.0 network.
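The two answers above describe four places a packet from a split-tunnel client can be dropped on its way to 172.20.0.0: the client's own split-tunnel list (the routes pushed at mode config, per michael.leblanc's answer), the ASA's route to the destination, the ASA's access list, and the internal router's return route to the VPN pool (Jorge's checklist). The following is an added example, not code from the thread and not ASA or IOS configuration: it models that path over constructed route and ACL tables using the addresses from the question (pool 172.17.0.0/16, inside 172.16.0.0/16 with the ASA at 172.16.1.1, 172.20.0.0/16 behind 172.16.3.7). The prefix lengths, the table layout and the names `BROKEN`, `FIXED` and `check` are assumptions made for the example.

```python
"""Hop-by-hop model of a split-tunnel VPN client reaching a network behind an
internal router. Constructed example; the tables are not ASA or router state."""
import ipaddress


def longest_match(routes, dst):
    """Longest-prefix lookup over (prefix, next_hop) tuples; next_hop None means
    directly connected. Returns (network, next_hop) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def acl_permits(acl, src, dst):
    """First-match ACL over (action, src_prefix, dst_prefix) entries, implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_prefix, dst_prefix in acl:
        if s in ipaddress.ip_network(src_prefix) and d in ipaddress.ip_network(dst_prefix):
            return action == "permit"
    return False


def check(cfg, client_ip, dst):
    """Walk the path client -> ASA -> internal router and report the first break."""
    # 1. The client only tunnels destinations in the pushed split-tunnel list;
    #    anything else leaves via its normal internet path (the symptom in the question).
    if not any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in cfg["split_tunnel"]):
        return False, "client: destination not in split-tunnel list, sent out the local internet path"
    # 2. The ASA needs a route for the destination (towards the internal router).
    fwd = longest_match(cfg["asa_routes"], dst)
    if fwd is None:
        return False, "asa: no route to destination"
    # 3. The ASA must permit pool -> destination if a filter applies to VPN traffic.
    if not acl_permits(cfg["vpn_acl"], client_ip, dst):
        return False, "asa: ACL denies pool -> destination"
    # 4. If the ASA hands off to an internal router, that router needs a return
    #    route for the pool that points back at the ASA's inside address.
    next_hop = fwd[1]
    if next_hop is not None:
        back = longest_match(cfg["router_routes"].get(next_hop, []), client_ip)
        if back is None:
            return False, f"router {next_hop}: no return route to the VPN pool"
        if back[1] != cfg["asa_inside"]:
            return False, f"router {next_hop}: return route points at {back[1]}, not the ASA"
    return True, f"asa -> {next_hop or 'connected'} -> {dst}, replies return via {cfg['asa_inside']}"


# Constructed state matching the question as posted: only 172.16.0.0/16 is tunnelled.
BROKEN = {
    "asa_inside": "172.16.1.1",
    "split_tunnel": ["172.16.0.0/16"],
    "asa_routes": [("172.16.0.0/16", None)],
    "vpn_acl": [("permit", "172.17.0.0/16", "172.16.0.0/16")],
    "router_routes": {"172.16.3.7": [("172.16.0.0/16", None), ("172.20.0.0/16", None)]},
}

# Constructed state with all four checks satisfied.
FIXED = {
    "asa_inside": "172.16.1.1",
    "split_tunnel": ["172.16.0.0/16", "172.20.0.0/16"],
    "asa_routes": [("172.16.0.0/16", None), ("172.20.0.0/16", "172.16.3.7")],
    "vpn_acl": [
        ("permit", "172.17.0.0/16", "172.16.0.0/16"),
        ("permit", "172.17.0.0/16", "172.20.0.0/16"),
    ],
    "router_routes": {
        "172.16.3.7": [
            ("172.16.0.0/16", None),
            ("172.20.0.0/16", None),
            ("172.17.0.0/16", "172.16.1.1"),  # return route for the VPN pool
        ]
    },
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check(cfg, "172.17.0.20", "172.20.5.9"))
```

Step 1 is the one the static route on the client cannot fix: the split-tunnel list, not the client's routing table, decides what enters the tunnel. On the ASA the `FIXED` table corresponds to adding 172.20.0.0/16 to the standard ACL named by the group policy's `split-tunnel-network-list`, a `route inside 172.20.0.0 255.255.0.0 172.16.3.7` entry, and, if VPN traffic is filtered, a permit for the pool; on the router, a static route for 172.17.0.0/16 via 172.16.1.1. Step 3 only matters when a vpn-filter or interface ACL is applied to the VPN traffic.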

