getting VPN client to other internal networks

tato386
Level 6

I am currently using an ASA5520 and the ASDM app to configure VPN clients in split-tunnel mode. As of now remote clients can access the internal network of the ASA, their own local LAN and the Internet. I have static routes on the ASA so that it can get to other internal networks. I have also added these internal networks to the split-tunnel list, thinking that this would allow my clients to get to those networks, but it isn't working. I can see the remote networks added to the clients' route table, but pings and traces die at the ASA and go no further. What am I missing here?

Thanks,

Diego


Marwan ALshawi
VIP Alumni

Did you make the NAT exemption (NAT 0) for this network?

For example, if you have an internal network

like 10.1.1.0/24

and you have a route to it in your ASA, as you mentioned,

and the VPN pool is, for example, 192.168.1.0/24,

you need these lines:

access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

then

nat (inside) 0 access-list 100

Good luck.

If helpful, rate.

Yes, you are right. I assumed that the ASDM would add all the NAT0 commands but it only added the first line for the internal LAN. I can add the rest manually but it would be nice if the ASDM did it. Do you think this is a bug or simply a shortcoming of ASDM?

No, it is not, because ASDM and the ASA have no idea what internal networks you have; you might have tens of internal networks through routers connected to inside or DMZ, so I see it is better to do it manually, to have control over which networks the VPN client can communicate with and which not.

Hope this is helpful.

I see your point, but ASDM added the first network in the split-tunnel list to the NAT0 ACL; why didn't it add the other networks that I added to the split-tunnel? In any case I guess ASDM did a good job getting me going, and your info helped me close the deal. Thank you very much.

Rgds,

Diego
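Added example, not from the thread or from Cisco: a small Python check that parses a split-tunnel ACL and the ACL behind "nat (inside) 0" from a constructed running-config fragment (ASA 8.2-style syntax), lists the split-tunnel networks that still have no NAT exemption toward the VPN pool, and renders the missing ACEs in the form Marwan shows above. ACL names, the VPN pool and all addresses are assumptions chosen to mirror the thread's scenario, where ASDM only exempted the first network.

```python
import ipaddress
import re

# Constructed sample config (ASA 8.2-style syntax); addresses are illustrative.
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")
SPLIT_TUNNEL_ACL = """
access-list split_tunnel standard permit 10.1.1.0 255.255.255.0
access-list split_tunnel standard permit 10.2.0.0 255.255.0.0
access-list split_tunnel standard permit 172.16.5.0 255.255.255.0
"""
# Only the first network got a NAT-exempt entry, as reported in the thread.
NAT0_ACL = """
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

STANDARD_RE = re.compile(r"^access-list \S+ standard permit (\S+) (\S+)$")
EXTENDED_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_split_tunnel(acl_text):
    """Networks a standard split-tunnel ACL pushes into the client route table."""
    nets = []
    for line in acl_text.splitlines():
        m = STANDARD_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets

def parse_nat_exempt(acl_text):
    """(source, destination) pairs from the extended ACL used by 'nat (inside) 0'."""
    pairs = []
    for line in acl_text.splitlines():
        m = EXTENDED_RE.match(line.strip())
        if m:
            pairs.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                          ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")))
    return pairs

def missing_exemptions(split_nets, exempt_pairs, pool):
    """Split-tunnel networks whose traffic to the pool would still be NATted."""
    return [net for net in split_nets
            if not any(net.subnet_of(src) and pool.subnet_of(dst)
                       for src, dst in exempt_pairs)]

def suggested_aces(missing, pool, acl_name="100"):
    """Render the ACEs that complete the NAT 0 ACL, one per missing network."""
    return [f"access-list {acl_name} extended permit ip {n.network_address} "
            f"{n.netmask} {pool.network_address} {pool.netmask}" for n in missing]
```

Run it against your own "show running-config access-list" output to confirm every split-tunnel network has a matching exemption before chasing routing.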
