VPN clients getting addresses assigned in different subnets

Unanswered Question
Sep 16th, 2008

I have some general questions about VPN groups getting addresses assigned in different subnets.

I have seen posts about having RA clients getting addresses assigned in different subnets than the ASA interface subnets are in, but I am not quite sure what needs to be done to accomplish this.

If my ASA inside address is 10.1.1.0, how do I get a client to have an address assigned in the 192.168.1.0 subnet?

When I have tried this, I can get an address, but I cannot ping anything; I am thinking this is because I have no default gateway assigned in my subnet of 192.168.1.0.

I have looked at the below link, is this what needs to be done?

I have no available interfaces on our ASA, but I do have some logical interfaces assigned.

Do I need to create logical interfaces in the subnets I want the clients assigned?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

felixjai Wed, 09/17/2008 - 10:52

There are several things you have to check.

1. First of all, are you converting your existing RA vpn to use a different subnet for the RA vpn clients? If so, was the RA vpn working before?

2. Did you configure split-tunnel as in the example from your link? If so, were you pinging the IP within the split-tunnel subnet?

3. Check your network topology, I am not sure what other subnets are in your network or behind your ASA inside interface. If you use a new subnet for the RA vpn, in this example, 192.168.1.x needs to be present in the routing table on your core switch/router via your ASA inside IP. If not, use static routes or a routing protocol such as OSPF, EIGRP, or RIP (depending on what is being used in the network) to advertise 192.168.1.x.

4. Make sure this command is present in your running-config "sysopt connection permit-vpn". This will permit all VPN traffic without specifying an ACL.

Lastly, if possible, post your ASA config here so that we can all look at it and let you know the suggested config for your need.

wilson_1234_2 Wed, 09/17/2008 - 15:05

To answer your questions:

1. Yes, we have RA working, but with address pools in the same subnet of the inside interface of the ASA.

2. I do not want to use Split Tunnel, but I do want to use a hairpin-type connection for users to access the Internet once connected.

3. We have OSPF configured on ASA and the subnet was in route table. Also both 6509 switches have an SVI interface of the desired subnet.

The ASA inside interface is its own subnet.

One thing I do not understand is, once the ASA has assigned me an address (in the dedicated subnet, different from the ASA interface's), how does my workstation communicate with anything in that subnet if the ASA does not have an interface in it?

4. I do not have this command, but I don't think an ACL blocking my connection was the problem.

felixjai Wed, 09/17/2008 - 18:01

The routing table makes the decision. Here is how:

- When your workstation is trying to communicate with the VPN subnet 192.168.1.x, it will most likely send the traffic to your default gateway and I assume that's your 6509.

- And your 6509 has a route to 192.168.1.x on its routing table because your ASA is advertising the route via OSPF. So the traffic is sent to ASA inside interface.

- When the ASA looks at the destination address of the traffic, it determines that 192.168.1.x needs to be sent to its outside interface according to its routing table. (When an RA VPN connection is established, a static route is created for the client IP; "show route" on your ASA will show you.)

- When the traffic gets to the outside interface, the vpn engine intercepts the traffic because it matches the vpn policies for de/encryption based on the source and destination address.

- It then encapsulates the traffic with an IPSec header (ESP and/or AH) and sends it out to the Internet to reach the remote client's IP.

So as you can see, the ASA doesn't need to have an interface for it because it's just routing the traffic. But the VPN engine will intercept it and apply the IPSec encryption or decryption. So you can think of a PC that is trying to get an Internet web page. The IP of the web page isn't present on your ASA, but it will just route the traffic from the inside to the outside interface and then to the Internet to the web server. But since the VPN policies didn't specify to encrypt the traffic, IPSec won't be applied.

Again, please apply "sysopt connection permit-vpn" to allow VPN traffic. If you have a reason not to do so, then you will need to specify an ACL on your outside interface to allow 192.168.1.x to get to your inside subnets.

Please post your ASA config so that I can explain better. You can remove all the private info before you post, such as the IP addresses, passwords, usernames, preshared keys, etc.

wilson_1234_2 Thu, 09/18/2008 - 11:06

I noticed the route that gets installed by the ASA is a static route.

I see the static route to the RA host pointing to the edge router as the next hop, but at the same time, I also have this subnet being advertised from my switch (SVI) that uplinks the ASA to the internal network.

I added the static route to my RA host via the firewall in the core switch.

This allows me to establish connectivity, but brings up a question:

The static route is a route to my RA host,

x.x.x.x 255.255.255.255

Do I have to have the ASA distribute static routes into my internal network, which will then advertise the RA hosts so my core switch picks it up?

Suppose I want to have the ASA assign a different dedicated IP address to each host that connects and each group has a different subnet?
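One way to put felixjai's checklist (a pool in a subnet the ASA has no interface in, "sysopt connection permit-vpn", hairpinning, advertising the pool via OSPF) and the static-route question from the last post into configuration. This is an added example, not configuration from the thread; the interface name, the inside address 10.1.1.1, the pool range, the group and pool names, and the OSPF process number are assumptions, and the syntax is ASA 8.0-era.

```cisco
! --- ASA (assumed names/addresses) ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Client pool in 192.168.1.0/24: the ASA owns no interface in this subnet,
! clients are reached purely by routing, as felixjai describes
ip local pool RA-POOL 192.168.1.10-192.168.1.100 mask 255.255.255.0
!
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
!
! Item 4: let decrypted VPN traffic in without an interface ACL
sysopt connection permit-vpn
! Hairpin: allow client traffic to re-enter and leave the same outside interface
same-security-traffic permit intra-interface
!
! Advertise the per-client /32 static routes the ASA installs
! (the ones "show route" displays) into OSPF toward the core
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 redistribute static subnets
!
! --- Core switch (IOS) alternative to redistribution ---
! One static for the whole pool via the ASA inside address,
! instead of a /32 per connected client
ip route 192.168.1.0 255.255.255.0 10.1.1.1
```

The ASA variant advertises a /32 per connected client; the core-switch static covers the whole pool at once. Either only works if no other device claims 192.168.1.0/24 as directly connected (for example an SVI in that subnet), since a connected /24 is preferred over the same prefix learned from the ASA.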
