Full internal network access not available via VPN...

Answered Question
Jan 25th, 2010


I've got an ASA5505 firewall with the security add-on for VPN support. Up until recently VPN has been working, but we made some changes to the subnet masks on the network and now we have lost some VPN functionality: all the devices used to be on individual networks with masks set to 255.255.255.0, and each network had a connection to the firewall, which required all internal traffic to route through the firewall. To fix this we changed the subnet masks to 255.255.0.0 and removed all but one connection to the firewall.

Here's the setup: we have a DSL line that connects to a DSL modem, which then connects to the external interface of the ASA. We then have an internal connection which connects to a Netgear switch. The internal connection is configured as 192.168.65.1/255.255.0.0 and all the devices on the switch are on the 192.168.65.0 subnet. This switch has a trunk connection that runs to another Netgear switch. The second Netgear switch supports devices on the 192.168.66.0 network. Internal PCs on the first switch with a .65.x address can talk to devices on the second switch with no problem.

When a user VPNs in he receives a 192.168.69.0/255.255.0.0 address, which is issued via an ASA address pool. Once connected, the user can see and communicate with any device on the 65.x network but cannot talk to anything on the 66.x network. I have tried everything I can think of, including setting up split tunneling, but nothing works.

Does anyone have an idea of what the problem might be and how I can fix it?

Thanks in advance,

Greg

Kenny Coleman Mon, 01/25/2010 - 12:36

Do you have your NAT exempt statement for the 192.168.66.0/24 subnet to your VPN subnet?

Correct Answer
aabhatia Mon, 01/25/2010 - 12:43

Make sure that the traffic is included in the nonat and crypto traffic access lists; also try configuring split tunnel if possible.

Below is the sample config for it.

Step#1 - Create a standard access list allowing the LAN network which you want to access.

access-list Split_Tunnel_List standard permit


Step#2 - Specify the split tunnel in the group policy.

group-policy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list Split_Tunnel_List

Step#3 - Define the pool and exclude the VPN traffic from NAT.

ip local pool - mask

nat (inside) 0 access-list

access-list nonat_access_list_name permit ip

glang1111 Mon, 01/25/2010 - 13:47

Thanks for the replies.

Kenny - No I haven't tried NAT exemption. I'm not too familiar with it but will give it a shot tomorrow.

Aarti - Yes, I have tried Split Tunneling with every combination of addresses I can think of from 192.168.0.0/16 to each individual subnet followed by /16 to 192.168.64.0/21 and nothing has made any difference.

One thing I did forget to mention is that the second switch is connected to a PIX firewall, which the 66 subnet uses to send outgoing traffic. The way it works is that the PIX is 192.168.66.1 and the default gateway for all traffic leaving the 66 subnet, but the connected switches are being used to allow internal communications between the two subnets without having the traffic pass through the firewall. I hope I'm not confusing anyone, but this is kind of how it looks.


   DSL Modem               DSL Modem
       |                       |
 ASA 5505 (65.1)           PIX (66.1)
       |                       |
 Netgear Switch <-------> Netgear Switch


The ASA is the default gateway for the 65 subnet and the PIX is the default gateway for the 66 subnet, but since they have a /16 mask the 65 and 66 subnets can communicate internally via the switches. This setup works great on the inside; it's just when we VPN that it doesn't. The funny thing is, if I VPN in and then remote desktop to a machine on the 65 subnet, I can then communicate with devices on the 66 subnet with no problem.

Correct Answer
Kenny Coleman Tue, 01/26/2010 - 06:17

If you are using ASDM 6.2(3):

Configuration -> Firewall -> NAT Rules -> on the inside interface "Add NAT Exempt rule". Interface = inside, source = internal network (192.168.0.0/16), destination = VPN Subnet (192.168.69.0/24)
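An added example (my code, not from the thread or from Cisco) that models the two checks the thread turns on: it parses the two access-list forms in aabhatia's sample config (the standard list used as the split-tunnel network list, and the extended "permit ip" list used by nat (inside) 0) and reports which internal hosts a VPN client can reach before and after Kenny's 192.168.0.0/16 exemption. The ACL names nonat and Split_Tunnel_List, the host addresses and both config snippets are constructed, not the poster's real configuration.

```python
# Added example (not from the thread or Cisco): parse ASA 8.x access-list lines of
# the two forms in aabhatia's sample config and check a VPN client flow against them.
from ipaddress import IPv4Address, IPv4Network


def parse_acls(lines):
    """Map ACL name -> list of (source_net, dest_net); dest_net is None for standard ACEs.

    Only network/mask operands are handled; 'any' and 'host' forms are skipped.
    """
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # remark, blank line or unrelated command
        name, kind = tok[1], tok[2]
        if kind == "standard" and tok[3] == "permit":
            acls.setdefault(name, []).append((IPv4Network(f"{tok[4]}/{tok[5]}"), None))
        elif kind == "extended" and tok[3:5] == ["permit", "ip"] and len(tok) >= 9:
            acls.setdefault(name, []).append(
                (IPv4Network(f"{tok[5]}/{tok[6]}"), IPv4Network(f"{tok[7]}/{tok[8]}")))
    return acls


def reachable(acls, nonat_acl, split_acl, inside_host, vpn_client):
    """True only if both ACLs cover the flow.

    The 'nat (inside) 0 access-list' ACE is written inside -> VPN pool, so the
    inside host must match its source and the client its destination; the
    standard split-tunnel ACE must include the inside host's network.
    """
    exempt = any(inside_host in s and vpn_client in d
                 for s, d in acls.get(nonat_acl, []) if d is not None)
    tunnelled = any(inside_host in s for s, _ in acls.get(split_acl, []))
    return exempt and tunnelled


# Constructed sample configs using the thread's addressing (not the poster's real config).
SPLIT = "access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0"
BEFORE = [SPLIT,  # exemption only for the subnet the ASA's inside interface sits on
          "access-list nonat extended permit ip 192.168.65.0 255.255.255.0 192.168.69.0 255.255.255.0"]
AFTER = [SPLIT,   # Kenny's rule: the whole internal /16 to the VPN pool
         "access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.69.0 255.255.255.0"]


def check_thread_hosts(config_lines):
    """Return {inside_host: reachable} for one host on each of the 65 and 66 subnets."""
    acls = parse_acls(config_lines)
    client = IPv4Address("192.168.69.10")  # constructed address from the VPN pool
    return {h: reachable(acls, "nonat", "Split_Tunnel_List", IPv4Address(h), client)
            for h in ("192.168.65.20", "192.168.66.20")}
```

Run check_thread_hosts(BEFORE) and check_thread_hosts(AFTER): the 66-subnet host is the only one that flips from unreachable to reachable, which is the symptom the thread describes.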

glang1111 Tue, 01/26/2010 - 13:00

Thanks a million!

I just implemented the NAT exempt rule and it fixed the problem.

Kenny Coleman Tue, 01/26/2010 - 13:12

Glad that helped. Be sure to rate the answer and mark the thread as answered.

FRANCISCO IBARRA Wed, 01/27/2010 - 14:12

I hope I can help. I have the following setup:

               DSL
             /     \
      ASA 5510      Router
         |            |
        pc1          pc2

Computers that have the ASA as their gateway can easily be reached by remote computers connecting via VPN client, while those that go out through the other router cannot be reached.
I made a static route on the router sending all the traffic that goes to the remote computers out via the ASA, but it has not worked.

All the computers are on the same network segment.

Thank you
