11-17-2009 02:03 AM
Hi all,
I have a cisco ASA 5505 which has 2 different connection profiles configured. 1 of them is an old connection profile which used a local user database for authentication and a local DHCP IP pool for giving out IP addresses.
I have created a new profile which now authenticates remote access clients to our internal LDAP server and hands out DHCP addresses from our internal DHCP server.
The problem now is that there is no throughput, i.e. I cannot ping anything on the LAN. The only IP I can ping is the internal IP of the ASA.
A point to note is that I want to fade out the old connection profile once I have the new one working sweetly. At the moment, both are handing out IPs from the same subnet, would that confuse the firewall in any way? Or is it just a case of ACLs need to be configured to allow the traffic from the VPN clients to the rest of the network?
Mario
11-17-2009 05:34 AM
Check to see what IP address subnets are configured to be "protected"
HTH
11-17-2009 05:52 AM
Hi Andrew,
The old connection profile uses a local DHCP pool of 192.168.10.100 - 192.168.10.200. This profile is working absolutely fine.
Now, because the LAN on the inside interface is using the same subnet 192.168.10.0/24 I have to configure a second profile so that DHCP leases for remote access clients come from our internal DHCP server, also giving out addresses on the same subnet causing problems until I eliminate the old connection profile.
I have been reading a couple of guides that Heather posted in my post yesterday and they take me through setting up crypto maps and nat 0 policies which seems a bit beyond me.
Our internal LAN is 192.168.10.0/24
DMZ is 192.168.20.0/24
What do you mean by checking to see what IP subnets are protected?
Mario
11-17-2009 06:00 AM
Mario,
The fact that a device other than the PIX/ASA is allocating DHCP addresses is the issue. When the PIX/ASA issues the addresses - it then knows what needs to be encrypted etc.
When you have another device doing that job - you need to tell the PIX/ASA what needs to be encrypted and what does not.
Read the below config example - pay attention to "Split Tunneling"
HTH
11-17-2009 06:09 AM
thanks Andrew,
I do not think you posted the sample config.
Thanks for your help so far!!
11-17-2009 06:13 AM
11-17-2009 06:44 AM
Thanks Andrew,
I will try that. Will this work in conjunction with the existing local DHCP pool configured on the old connection profile?
The problem I have is that I cannot disable the old profile until I am sure the new one is working.
Thanks again!
11-17-2009 07:13 AM
Yes - you can have multiple profiles that will work seamlessly side by side.
11-17-2009 07:57 AM
Hi Andrew,
Given the security concerns in enabling split-tunneling, are there ways to achieve the same thing without compromising security?
Mario
11-17-2009 08:01 AM
Mario,
I posted "Read the below config example - pay attention to "Split Tunneling""
That does not read - you must configure split tunneling.
I said to use it as an example to what you need to check.
11-17-2009 08:19 AM
Hi Andrew, sorry about that.
I don't quite understand how the config code on that page relates to my original query, but I am going to read a couple of the referral documents listed on that page about restricting access to the local LAN only and the PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for IPSec.
I'll let you know how it goes!!
Mario
11-20-2009 04:55 AM
Hi Andrew,
thanks for your help so far.
I have followed the wizard to create a new remote access VPN which uses an internal DHCP pool and authenticates to our internal DCs like a treat.
Traffic flow is also working absolutely fine.
Now,
In order for me to use our internal DHCP server to hand out addresses instead of using a local pool on the ASA, do I simply specify our internal DHCP server in the connection profile?
Or is there underlying stuff I need to do?
Mario
11-20-2009 10:46 AM
Yes under that specific VPN profile, you just name the external DHCP server by IP address like:-
tunnel-group <
dhcp-server 10.125.0.253
You also should enable DHCP relay - just in case
HTH
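The pieces the thread touches on (a tunnel-group that takes addresses from an internal DHCP server, the "what to encrypt" list Andrew refers to, and the nat 0 exemption Mario mentions) fit together in one pre-8.3 ASA configuration like the one below. This is an added example written for this thread, not configuration posted by Andrew or taken from a Cisco document: the tunnel-group name RA-LDAP, the group-policy name RA-LDAP-POLICY, the AAA server-group name LDAP-SRV and the ACL names are assumed, and the DHCP server address 10.125.0.253 is reused from Andrew's reply only as a placeholder. The LAN and DMZ subnets are the ones Mario gave; the VPN clients are assumed to receive addresses from the inside subnet 192.168.10.0/24, as in the thread.

```cisco
! --- Address assignment: let the ASA hand out DHCP-sourced addresses ---
! (dhcp assignment is enabled by default; shown so it is explicit)
vpn-addr-assign dhcp

! --- AAA: the LDAP server group the new profile authenticates against ---
! (assumed group name; host and ldap-* attributes omitted, they already exist
!  on Mario's box via the wizard)
aaa-server LDAP-SRV protocol ldap

! --- Split-tunnel network list: the subnets the client must encrypt to ---
! This is the "protected" list; without it the ASA does not know which
! client traffic belongs in the tunnel. Listing only the LAN and DMZ is
! tunnel-all-for-corporate, not a full split tunnel; to keep everything in
! the tunnel use "split-tunnel-policy tunnelall" instead.
access-list VPN-SPLIT standard permit 192.168.10.0 255.255.255.0
access-list VPN-SPLIT standard permit 192.168.20.0 255.255.255.0

! --- NAT exemption (pre-8.3 syntax): do not translate LAN <-> VPN client ---
! Because the clients live in the same /24 as the inside LAN, both ends of
! the ACL are 192.168.10.0/24. If a dedicated VPN subnet is used later, put
! that subnet as the destination instead.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT

! --- Group policy for the new profile ---
group-policy RA-LDAP-POLICY internal
group-policy RA-LDAP-POLICY attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT
 ! Tells the external DHCP server which scope to allocate from: the ASA
 ! sends this network in its request so a server with several scopes
 ! picks the 192.168.10.0/24 one.
 dhcp-network-scope 192.168.10.0

! --- Connection profile (tunnel-group) ---
! ASA 7.x / 8.0(1) use "type ipsec-ra" instead of "type remote-access".
tunnel-group RA-LDAP type remote-access
tunnel-group RA-LDAP general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy RA-LDAP-POLICY
 ! No address-pool here: the ASA itself requests a lease from this server
 ! on the client's behalf (it acts as the DHCP proxy, so no dhcprelay
 ! configuration is required for this to work).
 dhcp-server 10.125.0.253
tunnel-group RA-LDAP ipsec-attributes
 pre-shared-key <GROUP-PSK-PLACEHOLDER>

! --- Keep interface ACLs from silently dropping decrypted VPN traffic ---
! (on by default; if it was removed, traffic reaches the ASA's inside IP
!  but nothing behind it, which is exactly the symptom in this thread)
sysopt connection permit-vpn
```

Useful checks after a client connects: "show vpn-sessiondb remote" shows the assigned address and which group policy was applied; "show crypto ipsec sa" should show the LAN subnets as the remote proxy identities and encaps/decaps counters climbing when pinging; "show xlate" should show no translation for the client address, which confirms the nat 0 exemption matched. The old profile with its local pool can stay configured alongside this one, as Andrew said, because each tunnel-group carries its own address-assignment settings.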