getting VPN client to other internal networks

Answered Question
Sep 2nd, 2008

I am currently using an ASA5520 and the ASDM app to configure VPN clients in split-tunnel mode. As of now remote clients can access the internal network of the ASA, their own local LAN and the Internet. I have static routes on the ASA so that it can get to other internal networks. I have also added these internal networks to the split-tunnel list thinking that this would allow my clients to get to those networks, but it isn't working. I can see the remote networks added to the clients' route table, but pings and traces die at the ASA and go no further. What am I missing here?


Thanks,

Diego



Marwan ALshawi Tue, 09/02/2008 - 18:28

Did you make the NAT exemption (NAT 0) for this network?

For example, if you have an internal network like 10.1.1.0/24, and you have a route to it in your ASA as you mentioned, and the VPN pool is for example 192.168.1.0/24, you need these lines:

access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

then

nat (inside) 0 access-list 100

Good luck.

If helpful, rate.
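The failure described in this thread (a network present in the split-tunnel list but absent from the NAT 0 exemption ACL, so client traffic dies at the ASA) is easy to audit from the running config. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA config excerpt, pairs the split-tunnel standard ACL with the `nat (inside) 0 access-list` ACL, and reports every split-tunnel network that has no exemption entry covering the VPN pool, generating the missing lines in the same form Marwan gives above. The pool name, ACL names and addresses are invented for the example.

```python
import ipaddress
import re

# Constructed ASA config excerpt (not a real device's config). The first internal
# network is exempted from NAT; the other two appear only in the split-tunnel list,
# which is exactly the symptom reported in the thread.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list split-tunnel standard permit 172.16.5.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
group-policy ra-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from ASA's 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text: str):
    """Extract the VPN pool, the split-tunnel networks and the NAT 0 exemption pairs."""
    pool = split_name = nat_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip local pool \S+ ([^-\s]+)-\S+ mask (\S+)$", line)
        if m:
            pool = _net(m.group(1), m.group(2))
            continue
        m = re.match(r"split-tunnel-network-list value (\S+)$", line)
        if m:
            split_name = m.group(1)
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)$", line)
        if m:
            nat_acl = m.group(1)

    split_nets, exempt = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if split_name:
            m = re.match(rf"access-list {re.escape(split_name)} standard permit (\S+) (\S+)$", line)
            if m:
                split_nets.append(_net(*m.groups()))
                continue
        if nat_acl:
            # Accept both 'permit ip' (as typed in the thread) and the stored 'extended permit ip'.
            m = re.match(rf"access-list {re.escape(nat_acl)} (?:extended )?permit ip "
                         r"(\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                src_a, src_m, dst_a, dst_m = m.groups()
                exempt.append((_net(src_a, src_m), _net(dst_a, dst_m)))
    return pool, split_nets, nat_acl, exempt


def audit_nat_exemption(text: str) -> dict:
    """Return the split-tunnel networks lacking a NAT 0 entry toward the pool, plus the fix."""
    pool, split_nets, nat_acl, exempt = parse_config(text)
    if pool is None or nat_acl is None:
        raise ValueError("config needs an 'ip local pool' and a 'nat (...) 0 access-list' line")
    # A split-tunnel network is covered when some exemption entry's source contains it
    # and that entry's destination contains the whole VPN pool.
    missing = [n for n in split_nets
               if not any(src.supernet_of(n) and dst.supernet_of(pool) for src, dst in exempt)]
    fix = [f"access-list {nat_acl} extended permit ip {n.network_address} {n.netmask} "
           f"{pool.network_address} {pool.netmask}" for n in missing]
    return {"pool": str(pool), "missing": [str(n) for n in missing], "fix": fix}


if __name__ == "__main__":
    result = audit_nat_exemption(SAMPLE_CONFIG)
    print("VPN pool:", result["pool"])
    for net in result["missing"]:
        print("no NAT exemption for split-tunnel network", net)
    print("\n".join(result["fix"]))
```

Run against a real `show running-config` dump (IPv4 only; `any` keywords in the exemption ACL are not handled). The check is directional on purpose: an entry is only counted if its destination covers the whole pool, so an exemption written for an old, narrower pool shows up as missing rather than silently passing.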

DIEGO ALONSO Wed, 09/03/2008 - 07:45

Yes, you are right. I assumed that the ASDM would add all the NAT 0 commands, but it only added the first line for the internal LAN. I can add the rest manually, but it would be nice if the ASDM did it. Do you think this is a bug or simply a shortcoming of ASDM?

Correct Answer
Marwan ALshawi Wed, 09/03/2008 - 18:31

No, it is not, because ASDM and the ASA have no idea what internal networks you have. You might have tens of internal networks through routers connected to the inside or DMZ, so I see it is better to do it manually, to have control over which networks the VPN client can communicate with and which not.

Hope this is helpful.

DIEGO ALONSO Thu, 09/04/2008 - 04:52

I see your point, but ASDM added the first network in the split-tunnel list to the NAT 0 ACL; why didn't it add the other networks that I added to the split-tunnel list? In any case, I guess ASDM did a good job getting me going and your info helped me close the deal. Thank you very much.


Rgds,

Diego
