Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505: VPN Access to Different Subnets

Hi All-

I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,

Thanks in advance:

ASA Version 8.2(5)

!

names

name 10.0.1.0 Net-10

name 20.0.1.0 Net-20

name 192.168.254.0 phones

name 192.168.254.250 PBX

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 13

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.98 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.139.79 255.255.255.224

!

interface Vlan3

no nameif

security-level 50

ip address 192.168.5.1 255.255.255.0

!

interface Vlan13

nameif phones

security-level 100

ip address 192.168.254.200 255.255.255.0

!

ftp mode passive

object-group service RDP tcp

port-object eq 3389

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp eq ssh

access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0

access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0

access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224

access-list inside_access_in extended permit ip any any

access-list Split_Tunnel_List standard permit Net-10 255.255.255.224

access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any

pager lines 24

logging enable

logging timestamp

logging monitor errors

logging history errors

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu phones 1500

ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 10 interface

global (outside) 1 interface

global (phones) 20 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 10 access-list vpn_nat_inside outside

nat (phones) 0 access-list phones_nat0_outbound

nat (phones) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.139.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=pas-asa.null

keypair pasvpnkey

crl configure

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

vpn-sessiondb max-session-limit 10

telnet timeout 5

ssh 192.168.1.100 255.255.255.255 inside

ssh 192.168.1.0 255.255.255.0 inside

ssh Mac 255.255.255.255 outside

ssh timeout 60

console timeout 0

dhcpd auto_config inside

!

dhcpd address 192.168.1.222-192.168.1.223 inside

dhcpd dns 64.238.96.12 66.180.96.12 interface inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

svc enable

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

wins-server none

dns-server value 64.238.96.12 66.180.96.12

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

ipv6-vpn-filter none

vpn-tunnel-protocol svc

group-lock value PAS-SSL-VPN

default-domain none

vlan none

nac-settings none

webvpn

  svc mtu 1200

  svc keepalive 60

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression none

group-policy DfltGrpPolicy attributes

dns-server value 64.238.96.12 66.180.96.12

vpn-tunnel-protocol IPSec svc webvpn

tunnel-group DefaultRAGroup general-attributes

address-pool SSLClientPool-10

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group PAS-SSL-VPN type remote-access

tunnel-group PAS-SSL-VPN general-attributes

address-pool SSLClientPool-10

default-group-policy SSLClientPolicy

tunnel-group PAS-SSL-VPN webvpn-attributes

group-alias PAS_VPN enable

group-url https://X.X.139.79/PAS_VPN enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA 5505: VPN Access to Different Subnets

Hi,

Loosing connectivity to the LAN doesnt really make any sense removing that command UNLESS your LAN is using some other device as their gateway to the Internet. In that case configuring Dynamic PAT or Dynamic Policy PAT (like you have) would make sense as the LAN hosts would see your VPN users connecting from the same directly connected network and would therefore know to forward traffic to this ASA rather than their default gateway.

So is this just for VPN use and NOT the gateway out of the LAN network?

If this is just the VPN device I would suggest adding this

global (phones) 10 interface

It would do the same translation for the "phones" as it does to "inside" (naturally with different PAT IP)

- Jouni

6 REPLIES
Super Bronze

ASA 5505: VPN Access to Different Subnets

Hi,

Are you saying that connections to "phones" doesnt work at the moment?

You seem to have NAT0 configurations for both interfaces even though you use a different network mask in the VPN Pool configuration compared to the NAT0 ACL statements.

I am also wondering if the following NAT configurations are needed currently?

global (phones) 20 interface

The above configuration doesnt seem to have a corresponding "nat" command with ID 20 so it should not be needed

global (inside) 10 interface

nat (outside) 10 access-list vpn_nat_inside outside

The above seems to be a Dynamic Policy PAT configurations which should PAT traffic coming from VPN Clients to the 2 LAN networks. I am not sure if this is needed either as you also have NAT0 configurations that are telling the ASA that no NAT should be performed for traffic between VPN Pool and the 2 LAN networks.

You also seem to be using Full Tunnel VPN in the above configurations so there should be no problem in the traffic going on the VPN connection and being forwarded to the ASA which might mean that either there is some problem with the above configurations perhaps or even the actual devices on the LAN.

- Jouni

New Member

ASA 5505: VPN Access to Different Subnets

Hi Jouni-

Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.

Per you recommendation, I removed the following configs from my ASA:

global (phones) 20 interface

... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.

global (inside) 10 interface

nat (outside) 10 access-list vpn_nat_inside outside

.... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.

The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:

"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"

What do you think?

Thanks!

Super Bronze

ASA 5505: VPN Access to Different Subnets

Hi,

Loosing connectivity to the LAN doesnt really make any sense removing that command UNLESS your LAN is using some other device as their gateway to the Internet. In that case configuring Dynamic PAT or Dynamic Policy PAT (like you have) would make sense as the LAN hosts would see your VPN users connecting from the same directly connected network and would therefore know to forward traffic to this ASA rather than their default gateway.

So is this just for VPN use and NOT the gateway out of the LAN network?

If this is just the VPN device I would suggest adding this

global (phones) 10 interface

It would do the same translation for the "phones" as it does to "inside" (naturally with different PAT IP)

- Jouni

Super Bronze

ASA 5505: VPN Access to Different Subnets

Also,

You should probably add these

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni

New Member

ASA 5505: VPN Access to Different Subnets

Jouni,

As usual, you come through again!  Great explanation, too!

Thank You!

Super Bronze

ASA 5505: VPN Access to Different Subnets

Hi,

Great to hear that it works

- Jouni

179
Views
0
Helpful
6
Replies