Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Allow VPN users to access a different VLAN

I have an ASA 5505.  I have configured Remote Access VPN so that users can connect to VPN and access my main VLAN (Inside).  I would like to secure it so that when a user VPN's in, they are only allowed access to the HVAC vlan (Vlan 2) as seen in my configuration.  Please note there is also a LAN-2-LAN VPN which has been configured as well.

What am I missing?

!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.0.0
!
interface Vlan2
no forward interface Vlan1
nameif HVAC
security-level 100
ip address 172.16.128.1 255.255.255.0
!
interface Vlan4
nameif outside
security-level 0
ip address 12.x.x.x 255.255.255.0
!
ftp mode passive
access-list CDEO extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255
.255.0
access-list NoNAT extended permit ip 10.102.229.0 255.255.255.0 172.16.129.0 255
.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 10.102.229.0 255
.255.255.0
access-list NoNAT extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255
.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 172.16.128.0 255
.255.255.0
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list outbound extended permit ip any any
access-list vpn standard permit 10.240.0.0 255.255.0.0
access-list vpn standard permit 10.102.229.0 255.255.255.0
access-list vpn standard permit 172.16.128.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu HVAC 1500
ip local pool shhfvpnpool 172.16.129.1-172.16.129.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outbound out interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Main esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 64.x.x.x
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN 100 ipsec-isakmp dynamic dynmap
crypto map CDEOVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy shhf internal
group-policy shhf attributes
vpn-idle-timeout 30
vpn-session-timeout 1440
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn

tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group shhf type remote-access
tunnel-group shhf general-attributes
address-pool shhfvpnpool
default-group-policy shhf
tunnel-group shhf ipsec-attributes
pre-shared-key *****
tunnel-group vpnclient type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1cbd55e987f9b41cd2ebcb320fa2e3b2
: end

1 ACCEPTED SOLUTION

Accepted Solutions

Allow VPN users to access a different VLAN

This route to be applied on the switch, if your eth0/7 port on ASA is connected to a later3 switch.

"ip route 172.16.129.0 255.255.255.0 172.16.128.1"

So, do not worry about this route, if you cannot applied on the ASA.

So you say that, a PC is directly connected to eth0/7 on the ASA.

what is the IP address, mask and gateway address on the PC connected on eth0/7?

The packet-trace looks good to me.

17 REPLIES

Allow VPN users to access a different VLAN

Create a new acl.

access-list acl-nonat-HVAC extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255.255.255.248


access-group acl-nonat-HVAC in interface HVAC


Remove this entry from ACL, if you do not want to allow VPN client to access intside.

access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255.255.0

let me know the result.

Thanks

Rizwan Rafeek

Community Member

Allow VPN users to access a different VLAN

I created the new ACL and tied it to the interface, but was still unable to ping from 172.168.129.1 to 172.168.128.1, or vice versa.

I didn't remove "access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255.255.0" yet because I'm using that as a test just to make sure some vpn traffic is actually passing.

Allow VPN users to access a different VLAN

Please add this command

nat  (HVAC) 0 access-list acl-nonat-HVAC

sorry you do not need this ACL be applied on this interface, so remove this command below.

access-group acl-nonat-HVAC in interface HVAC

Community Member

Allow VPN users to access a different VLAN

I have removed the access-group command and added the nat command but still unable to ping either direction.

Thanks!

Jason

Community Member

Allow VPN users to access a different VLAN

Here is my current config


!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.0.0
!
interface Vlan2
no forward interface Vlan1
nameif HVAC
security-level 100
ip address 172.16.128.1 255.255.255.0
!
interface Vlan4
nameif outside
security-level 0
ip address 12.x.x.x 255.255.255.0
!
ftp mode passive
access-list CDEO extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255.255.0
access-list NoNAT extended permit ip 10.102.229.0 255.255.255.0 172.16.129.0 255.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 10.102.229.0 255.255.255.0
access-list NoNAT extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 172.16.128.0 255.255.255.0
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list outbound extended permit ip any any
access-list vpn standard permit 10.240.0.0 255.255.0.0
access-list vpn standard permit 10.102.229.0 255.255.255.0
access-list vpn standard permit 172.16.128.0 255.255.255.0
access-list acl-nonat-HVAC extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu HVAC 1500
ip local pool shhfvpnpool 172.16.129.1-172.16.129.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (HVAC) 0 access-list acl-nonat-HVAC
access-group outbound out interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.x 1

dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Main esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 64.x.x.x
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN 100 ipsec-isakmp dynamic dynmap
crypto map CDEOVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy shhf internal
group-policy shhf attributes
vpn-idle-timeout 30
vpn-session-timeout 1440
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn

tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group shhf type remote-access
tunnel-group shhf general-attributes
address-pool shhfvpnpool
default-group-policy shhf
tunnel-group shhf ipsec-attributes
pre-shared-key *****
tunnel-group vpnclient type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global

Allow VPN users to access a different VLAN

add this under the existing class.

class inspection_default

inspect icmp

Try to ping a host inside the HVAC network segment or ping a connected switch inside HVAC network segment instead of ping to phycial interface of the firewall.

Community Member

Allow VPN users to access a different VLAN

Inspect icmp has been added.  I'm not able to ping a workstation in the HVAC vlan when VPN'd in.

Allow VPN users to access a different VLAN

Please be sure to disconnected from current vpn session on vpn-client and reconnect again for testing.

Are you able to ping inside interface at least on vlan1, when vpn in ?

Please post the output from below command.

packet-tracer input HVAC icmp 172.16.129.1 8 0 172.16.128.1

Allow VPN users to access a different VLAN

In order return traffic to come back to firewall, there has to be a static route and it must exist on switch as follows.

ip route 172.16.129.0 255.255.255.0 172.16.128.1

Community Member

Allow VPN users to access a different VLAN

The workstation in the HVAC vlan is plugged directly into eth0/7 on the ASA.  The ASA doesn't recognize

ip route 172.16.129.0 255.255.255.0 172.16.128.1

Thanks so much for your help!

Jason

Community Member

Allow VPN users to access a different VLAN

The workstation is configured as follows:

IP: 172.16.128.5

Subnet: 255.255.255.0

GW: Blank (This computer has 2 nics)

Should I be able to enter 172.16.128.1 as the Gateway?

Allow VPN users to access a different VLAN

Yes the gateway must be pointing to 172.16.128.1.

Try with the gateway applied on the PC to make sure, the ASA is funtional as intented.

When ASA is funtional as intented, then you may add a static route permanent on the PC to push VPN bound traffic to NIC connected to ASA.

add this route on the PC, if you choice remove its gateway address.

route add -p 172.16.129.0 MASK 255.255.255.0 172.16.128.5

Community Member

Allow VPN users to access a different VLAN

Now that I think about it, the second nic in that machine (the one not connected to the ASA) definitely doesn't need a gateway because it is connected to a HVAC controller.

Will it work to put 172.16.128.1 as the Gateway on the nic connected to the ASA, or am I definitely going to need a switch to perform layer 3 routing?

Community Member

Re: Allow VPN users to access a different VLAN

Ok, I added the Gateway on the workstation as 172.16.128.1 and I'm NOW able to ping it from my vpn connection!  Thanks so much for your help!

Allow VPN users to access a different VLAN

at last, please be sure to rate the helpful post.

thanks

Rizwan Rafeek

Allow VPN users to access a different VLAN

This route to be applied on the switch, if your eth0/7 port on ASA is connected to a later3 switch.

"ip route 172.16.129.0 255.255.255.0 172.16.128.1"

So, do not worry about this route, if you cannot applied on the ASA.

So you say that, a PC is directly connected to eth0/7 on the ASA.

what is the IP address, mask and gateway address on the PC connected on eth0/7?

The packet-trace looks good to me.

Community Member

Allow VPN users to access a different VLAN

I disconnected and reconnected to VPN with each change that I made.  Yes, I'm able to ping the inside interface on VLAN1 while VPN'd in.  Here is the output:

SHHF-ASA# packet-tracer input HVAC icmp 172.16.129.1 8 0 172.16.128.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.128.1    255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 448177, packet dispatched to next module

Result:
input-interface: HVAC
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

1504
Views
5
Helpful
17
Replies
CreatePlease to create content