ASA 5505 with Cisco VPN Client

Hi,

I have just set up my first ASA firewall. I have an L2L between my two sites set up without a problem. However, when I try to use the VPN client, it connects fine but I cannot get access to the remote LAN.

I have attached my config. Can anyone tell me where I'm going wrong?


branfarm1
Level 4

Are the RemoteLAN addresses the networks listed in Access-list 101?

It looks like you have access-list 101 defined as a split-tunnel ACL for the VPNClt tunnel-group. With split tunneling you are telling the VPN client which networks to protect, or in other words, which networks to send down the tunnel. If you are trying to reach the remote LAN through the VPN client tunnel, you don't want to have split tunneling enabled.

You need access-list 101 as part of your L2L tunnel, so don't remove it.

Thanks for your quick reply

Yes the RemoteLAN addresses are in 101

I have disabled split tunneling now but still can't seem to access the remote LAN.

Since both VPN's are off of the outside interface, your traffic is entering the ASA on the outside then attempting to leave via the outside as well. Try using the "same-security-traffic permit intra-interface" CLI command, or check the "Enable traffic between two or more hosts connected to the same interface" box on the Interfaces page in ASDM.

Also, you will need to add 192.168.254.1-192.168.254.50 to your NAT exemption list. Otherwise, as the traffic tries to leave via the outside interface it will be PAT'd to your outside address.

Once you change the NAT exemption, you'll need to update your ACL 101 to make traffic sourced from 192.168.254.0, bound for the Remote LAN, use the VPN.

applied "same-security-traffic permit intra-interface"

Still no luck

I have updated my nat exempt list

I'm not sure what you mean by this :"you'll need to update your ACL 101 to make traffic sourced from 192.168.254.0, bound for the Remote LAN, use the VPN"

How do I do that?

If you look at your L2L vpn config, you're using ACL 101 to specify what is called "interesting traffic." This means that traffic that matches the ACL will either trigger the VPN to build (initially) or be sent to the VPN, instead of routing outside normally.

What you are attempting to do is have traffic coming from your VPNClt machines be able to reach the remote LAN via your L2L VPN. So you need to have the PIX recognize that traffic from your VPNClts destined for the RemoteLAN also needs to be sent to the VPN.

Your ACL 101 should be something like this:

access-list 101 extended permit ip

So if your local address range is 192.168.111.0 and you are trying to reach 10.0.0.0/16 and 192.168.10.0/24 on the remote side, ACL 101 should be:

access-list 101 extended permit ip 192.168.111.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list 101 extended permit ip 192.168.111.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list 101 extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0

The other side of the L2L vpn will need a mirror of your ACL.

Oh I see, that is not what I am trying to do. The VPN client users will not be using the L2L vpn. They will be accessing probably from home

Hi there -- just wanted to follow up and see if you were able to resolve your issue.  Did you figure out the setup you wanted?

Hi,

No I haven't had a chance to look at it in the last couple of days. What I want is for staff to be able to access the main site (192.168.111.0/24) from home or when on vacation. I can get the VPN client to connect fine but for some reason when I try to access any resources on the remote LAN it doesn't work, no ping response from anything on the 192.168.111.0 network

Hi

I see acl 101 used for both split tunnel as well as vpn-filter.

Please remove the vpn-filter and see, if you are able to connect to the remote LAN. I think that might be causing the issue.

With regards

Kings

I have tried this but still no luck.

When the client connects I can ping the remote clients from the ASA but not from the internal network at the main site. So it seems as if the traffic is getting to the ASA but is not making it back out again. Does that sound right to you?

To which interfaces have you mapped VLAN 1 and 2? If you have connected the client in "client mode" you can't ping them from the main internal network to the remote clients. You can only ping from the remote client to the internal network behind the ASA.

With regards

Kings

Thank you all, particularly branfarm1, for making this clear. I had the same question. I left split-tunnel enabled and otherwise followed your outline, and a VPN client can now access networks at the other end of an L2L tunnel.

> same-security-traffic permit intra-interface

! Add the client pool (client_net) to the split tunnel access list (from inside to remote_net) and the nat0 list.

> access-list split_acl extended permit ip client_net 255.255.255.0 remote_net 255.255.255.0

> access-list inside_nat0 extended permit ip client_net 255.255.255.0 remote_net 255.255.255.0

Do the mirror at the other end of the tunnel.

The client can still access its local lan and Internet which may or may not be desirable.
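The thread gives the fix in pieces (the intra-interface command and NAT exemption from branfarm1, the crypto ACL entries for the client pool, the advice to stop reusing ACL 101 as split-tunnel list and vpn-filter, and the summary in the last post). The following is an added example that pulls those pieces into one ASA configuration; it is not the original poster's attached config nor any poster's own code. The addresses (inside LAN 192.168.111.0/24, client pool 192.168.254.1-50, remote L2L networks 10.0.0.0/16 and 192.168.10.0/24) are the ones quoted in the thread; the object, ACL, pool, group-policy and tunnel-group names, the pre-8.3 "nat 0 access-list" NAT-exemption syntax, and the placeholder pre-shared key are assumptions. It covers both goals discussed: clients reaching the inside LAN behind the ASA, and clients hairpinning through the existing L2L tunnel.

```cisco
! Added example, not from the thread. Names and the pre-8.3 NAT syntax are assumptions.
!
! Assumed addressing (taken from the thread):
!   inside LAN           192.168.111.0/24
!   VPN client pool      192.168.254.1-192.168.254.50
!   remote L2L networks  10.0.0.0/16 and 192.168.10.0/24

! 1. Client traffic enters on outside; for the L2L hairpin it also leaves on outside,
!    which the ASA drops unless intra-interface traffic is explicitly permitted.
same-security-traffic permit intra-interface

! 2. Address pool handed to Cisco VPN Client users.
ip local pool RA-POOL 192.168.254.1-192.168.254.50 mask 255.255.255.0

! 3. NAT exemption. Without these lines, inside->pool and pool->remote traffic is
!    PAT'd to the outside address and the return path breaks.
access-list inside_nat0 extended permit ip 192.168.111.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_nat0 extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_nat0 extended permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (outside) 0 access-list outside_nat0

! 4. L2L crypto ACL ("interesting traffic"). The client pool is added so that
!    hairpinned client traffic is also sent into the site-to-site tunnel.
!    The peer's crypto ACL must mirror these four lines.
access-list 101 extended permit ip 192.168.111.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.111.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0

! 5. A dedicated split-tunnel list (standard ACL, destinations only). Do not reuse
!    the crypto ACL 101 here or as a vpn-filter: the three ACLs have different
!    semantics and reusing one is exactly the mismatch the thread ran into.
access-list RA-SPLIT standard permit 192.168.111.0 255.255.255.0
access-list RA-SPLIT standard permit 10.0.0.0 255.255.0.0
access-list RA-SPLIT standard permit 192.168.10.0 255.255.255.0

! 6. Optional vpn-filter. A vpn-filter ACL is written with the CLIENT as source
!    and the protected network as destination; this one limits remote users to
!    the inside LAN only (least privilege). Leave it off while troubleshooting.
access-list RA-FILTER extended permit ip 192.168.254.0 255.255.255.0 192.168.111.0 255.255.255.0

group-policy VPNClt-GP internal
group-policy VPNClt-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
 no vpn-filter
! To apply the filter from step 6 instead of "no vpn-filter":
!  vpn-filter value RA-FILTER
! To send ALL client traffic through the ASA (no direct Internet/local LAN from
! the client while connected), use this instead of tunnelspecified:
!  split-tunnel-policy tunnelall

tunnel-group VPNClt type remote-access
tunnel-group VPNClt general-attributes
 address-pool RA-POOL
 default-group-policy VPNClt-GP
tunnel-group VPNClt ipsec-attributes
 pre-shared-key CHANGE-ME-PLACEHOLDER
```

Two checks after applying it: `show crypto ipsec sa` should show the 192.168.254.0/24 proxy identities on the L2L SA once a client sends traffic, and `packet-tracer input outside icmp 192.168.254.1 8 0 192.168.111.10` (pool host to an inside host) shows which phase, NAT or ACL, drops the packet if it still fails. On ASA 8.3 and later the "nat 0 access-list" lines are replaced by twice-NAT rules of the form `nat (inside,outside) source static <inside-object> <inside-object> destination static <pool-object> <pool-object>`. Note that with split tunneling left enabled, as the last poster did, a connected client remains reachable from its home LAN and the Internet at the same time as it sits on the corporate network; `tunnelall` with a vpn-filter is the tighter configuration.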
