VPN client route to different lan

erikgjacobsen
Level 1

I have a network with a kind of special setup: 10.10.20.0/24, where the gateway 10.10.20.1 is a router that routes traffic for 172.16.137.0/24 to some hosted application servers; all other traffic goes to our new ASA5506 at 10.10.20.2, which supplies internet access and handles VPN connections. The problem is that when clients connect via VPN and try to reach 172.16.137.40 (our hosted test server) there is no access. I can ping 172.16.137.40 from the ASA and from computers on the 10.10.20.0/24 network. I think I am missing some NAT but can't get my head around it.

ASA Version 9.5(1)
!
names
ip local pool VPNPOOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool VPNTOOL2 172.16.2.1-172.16.2.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.20.2 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif DMZ
 security-level 50
 ip address 10.20.20.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network BasicIt
 host 86.52.128.14
object network KMD
 subnet 84.255.64.64 255.255.255.224
object network sql
 host 10.10.20.9
object network BitRemote
 host 10.10.20.7
object network HTTPSFjern
 host 10.10.20.6
object network SMTP
 host 10.10.20.6
object network HttpDMZ
 host 10.20.20.2
object network NETWORK_OBJ_172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network NETWORK_OBJ_172.16.2.0_24
 subnet 172.16.2.0 255.255.255.0
object network 10.10.20.0_lan
 subnet 10.10.20.0 255.255.255.0
object network test
 host 10.10.20.44
object network NETWORK_OBJ_10.10.20.0_24
 subnet 10.10.20.0 255.255.255.0
object network http_TSserver
 host 10.20.20.2
object network ServerExc
 host 10.10.20.6
object network VPN_Pool_tunnel
 subnet 172.16.1.0 255.255.255.0
object network remoteservers
 subnet 172.16.137.0 255.255.255.0
object network NETWORK_OBJ_10.20.20.0_24
 subnet 10.20.20.0 255.255.255.0
access-list outside_access_in extended permit tcp object BasicIt object ServerExc eq 3389
access-list outside_access_in extended permit tcp any object ServerExc eq smtp
access-list outside_access_in extended permit tcp any object HttpDMZ eq www
access-list outside_access_in extended permit tcp any object ServerExc eq https
access-list outside_access_in extended permit tcp any host 10.10.20.9 eq 444
access-list vpn_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 172.16.137.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 10.20.20.0 255.255.255.0
access-list VPNtest_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ,outside) source static NETWORK_OBJ_10.20.20.0_24 NETWORK_OBJ_10.20.20.0_24 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
nat (DMZ,outside) source static NETWORK_OBJ_10.20.20.0_24 NETWORK_OBJ_10.20.20.0_24 destination static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
!
object network ffktsql
 nat (inside,outside) static interface service tcp 444 444
object network BitRemote
 nat (inside,outside) static interface service tcp 3389 3389
object network HTTPSFjern
 nat (inside,outside) static interface service tcp https https
object network SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network http_TSserver
 nat (DMZ,outside) static interface service tcp www www
!
nat (DMZ,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
route inside 172.16.137.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server SHV-dc01 protocol radius
aaa-server SHV-dc01 (inside) host 10.10.20.7
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
http server enable 4444
http 0.0.0.0 0.0.0.0 inside

Accepted Solution

jj27
Spotlight

Based on the configuration, it looks like your dynamic NAT rules are most likely translating the 172.16.137.0/24 network to the outside interface IP before it attempts to reach your VPN networks.

You could verify it with this command and post the output, if you wanted: packet-tracer input inside tcp 172.16.137.40 3271 172.16.1.1 80

This configuration should solve your problem:

object-group network VPN_Networks
network-object object NETWORK_OBJ_172.16.1.0_24
network-object object NETWORK_OBJ_172.16.2.0_24

nat (inside,outside) source static remoteservers remoteservers destination static VPN_Networks VPN_Networks

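To see why the accepted answer works, here is an added example (not from the thread or from Cisco) that models the ASA's NAT section order in Python: the reply from 172.16.137.40 toward a VPN client matches the after-auto dynamic PAT under the posted rules, while the identity rule jj27 proposes catches it in Section 1 first. The rule names, the 192.0.2.10 internet address and the simplified matching are constructed for illustration.

```python
import ipaddress

OUTSIDE_IF = "1.2.3.4"  # outside interface IP exactly as posted in the thread


def rule(name, section, ingress, egress, src, dst, action):
    """One NAT rule. src/dst are lists of CIDRs ('any' = 0.0.0.0/0); action is
    'identity' (keep the real source) or 'pat-interface' (rewrite to OUTSIDE_IF)."""
    return {"name": name, "section": section, "ingress": ingress, "egress": egress,
            "src": src, "dst": dst, "action": action}


def _matches(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network("0.0.0.0/0" if n == "any" else n) for n in nets)


def translate(rules, ingress, egress, src, dst):
    """Return (name of the matching rule, translated source) for one ingress->egress packet.
    The ASA evaluates Section 1 (manual NAT), then Section 2 (object NAT), then Section 3
    (manual NAT after-auto); the first match wins. This toy model keeps configured order
    within a section and omits Section 2, since the posted object NATs only match their
    own host sources and are irrelevant for traffic from 172.16.137.0/24."""
    for r in sorted(rules, key=lambda r: r["section"]):
        if (r["ingress"], r["egress"]) != (ingress, egress):
            continue
        if _matches(src, r["src"]) and _matches(dst, r["dst"]):
            return r["name"], (OUTSIDE_IF if r["action"] == "pat-interface" else src)
    return None, src  # no rule matched: forwarded untranslated


VPN_POOLS = ["172.16.1.0/24", "172.16.2.0/24"]

# The posted rules that matter for inside -> outside traffic.
BASE_RULES = [
    rule("lan -> VPN identity", 1, "inside", "outside", ["10.10.20.0/24"], VPN_POOLS, "identity"),
    rule("after-auto dynamic PAT", 3, "inside", "outside", ["any"], ["any"], "pat-interface"),
]

# The accepted answer adds one Section 1 identity rule: remoteservers -> VPN_Networks.
FIXED_RULES = BASE_RULES + [
    rule("remoteservers -> VPN_Networks identity", 1, "inside", "outside",
         ["172.16.137.0/24"], VPN_POOLS, "identity"),
]

if __name__ == "__main__":
    # Reply from the hosted test server to a VPN client: enters inside via 10.10.20.1, exits outside.
    pkt = ("inside", "outside", "172.16.137.40", "172.16.1.1")
    print("before fix:", translate(BASE_RULES, *pkt))   # PAT to 1.2.3.4, client never sees the reply
    print("after fix: ", translate(FIXED_RULES, *pkt))  # identity, source stays 172.16.137.40
```

The same situation is what `packet-tracer input inside tcp 172.16.137.40 3271 172.16.1.1 80` would show on the ASA itself: the NAT phase of the trace names the rule that claimed the packet.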


Hi JJohnston

Thank you very much, the NAT rule did the trick.

Best regards Erik