Routing VPN clients to private network behind an ASA

ewellsie07 (Level 1)

One of our clients currently has an ASA 5510 on site, and they are using IPSEC VPN for their mobile users to connect.

The VPN Subnet is 172.16.1.0/24.

Internal network is 192.0.0.0/24. VPN Access works fine to the 192 subnet.

Private network behind the firewall is 162.xx.xx.0/16

Recently, we added an internal router for one of their departments to have secure access to the private network. There is another managed router on-site to connect to this private network that we have no access to change. We are connecting to the private network through the client's internal router and NAT-ing their internal network to the private network subnet. That is also working fine.

The issue is that I also need to route the VPN subnet to the private network. I have attempted to add the private network subnet to the split tunnel list and I can get as far as pinging the managed router interface at 162.xx.xx.1 but it goes no further than that.

I tried adding the 172 subnet to the NAT statements but that didn't get me anywhere.

What am I missing? See my 5-minute VISIO diagram for a better picture.

Thanks.

7 Replies

Asim Malik (Level 1)

This might be a routing problem on your private network.

You can apply this capture on ASA to confirm

access-list cap permit ip 172.16.1.0 255.255.255.0 162.0.0.0 255.255.0.0

access-list cap permit ip 162.0.0.0 255.255.0.0  172.16.1.0 255.255.255.0

cap test access-list cap interface inside

Run this command to check the hits while you ping the 162.x.x.x network from your VPN client.

sh cap test

If you see echo requests being sent and no replies, then your server or router in the private network doesn't know how to reach the VPN pool addresses.

The capture works when I ping 162.xx.xx.1 but anything else in that network, the capture doesn't show anything.

Asim Malik (Level 1)

What IP address are you pinging? Make sure it matches 162.0.0.0 255.255.0.0 as we defined in the capture ACL.

I am pinging an address that's 162.xx.xx.8 in the /16 network that works from the internal LAN.

Please try the capture with the host IP for your server, or make it general by using "any" for the destination as below:

access-list cap permit ip 172.16.1.0 255.255.255.0 any

access-list cap permit ip any    172.16.1.0 255.255.255.0

We should be able to see some hits, as we are able to ping the router interface. Make sure you applied it to the correct interface. In the command below we have assumed your interface facing the private side is "inside"; you might be using some other interface, so check this too.

cap test access-list cap interface inside

ewellsie07 (Level 1)

I figured it out. It was easier than I thought. My split tunnel list was using a network object with a subnet of 162.xx.xx.0/28 which was a previous configuration before I knew the private network was a /16.

Once I edited the split tunnel list to /16 it worked.

So basically all I had to do was add 162.xx.xx.0/16 to the split tunnel, add a static route in the ASA for 162.xx.xx.0/16 to point to 192.0.0.252, and then add the 172.16.1.0 network to the NAT statement on the internal router.

Thanks for the help.
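
The three-step fix described in the post above, written out as an added configuration example (this is not the thread's own configuration, which was never posted). Addresses follow the thread: VPN pool 172.16.1.0/24, LAN 192.0.0.0/24, internal router at 192.0.0.252; "162.0.0.0 255.255.0.0" stands in for the thread's redacted 162.xx.xx.0/16. The names SPLIT_TUNNEL, VPN_POLICY and NAT_TO_PRIVATE, the interface name "inside", and the assumption that the internal router runs IOS are all mine.

```cisco
! Added example, not configuration from the thread.
! Placeholders: 162.0.0.0/16 = the thread's 162.xx.xx.0/16; object and policy
! names, the "inside" interface and the IOS router syntax are assumptions.

! --- ASA, before: the split-tunnel list only covered a /28 of the private
! network, so the client never sent traffic for the rest of the /16 into
! the tunnel (the ASA was never given the packets to forward).
access-list SPLIT_TUNNEL standard permit 192.0.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 162.0.0.0 255.255.255.240

! --- ASA, after. Step 1: cover the whole /16 in the split-tunnel list.
no access-list SPLIT_TUNNEL standard permit 162.0.0.0 255.255.255.240
access-list SPLIT_TUNNEL standard permit 162.0.0.0 255.255.0.0
group-policy VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 2: static route so the ASA forwards decrypted VPN traffic for the
! /16 to the internal router instead of its default gateway.
route inside 162.0.0.0 255.255.0.0 192.0.0.252 1

! Step 3 (internal router, assumed IOS): include the VPN pool in the source
! ACL the router NATs toward the private network, so replies come back to
! a translated address the managed router already knows how to reach.
ip access-list extended NAT_TO_PRIVATE
 permit ip 192.0.0.0 0.0.0.255 162.0.0.0 0.0.255.255
 permit ip 172.16.1.0 0.0.0.255 162.0.0.0 0.0.255.255

! Verification on the ASA, following the capture posted earlier in the
! thread: echo requests with no replies point at the return path (steps 2
! and 3), not at the split-tunnel list (step 1).
access-list cap permit ip 172.16.1.0 255.255.255.0 any
access-list cap permit ip any 172.16.1.0 255.255.255.0
capture test access-list cap interface inside
show capture test
```

Each of the three places has to cover the VPN pool independently: the split-tunnel list decides what the client sends into the tunnel, the ASA route decides where the ASA forwards it, and the router's NAT (or a route back to 172.16.1.0/24) decides whether replies return. The /16 entry is only as wide as it is because the private network really is a /16; keep split-tunnel entries no wider than the networks remote users actually need.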

Asim Malik (Level 1)

No problem. I am glad the issue is fixed.
