ASA for incoming Remote Access VPN

GRANT3779
Spotlight

Hi All,

I'm looking to configure our ASA 5501 for incoming VPN clients.

My query is this: the current interfaces on the ASA are as follows. I want to assign any VPN clients an address on the 10.x.x.x network. Do I need an ASA interface on this network also? I'm unsure how my VPN clients would get onto the inside network when using the 10.x.x.x address space. What do I need to do with regards to my interfaces? Is there a way I can have my VPN clients use my internal DHCP server instead of assigning a private scope on the ASA? I'm pretty new to ASAs...so any pointers would be good.

interface Ethernet0/0
 nameif inside
 security-level 90
 ip address 172.16.4.15.x 255.255.252.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.199.25 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 212.x.x.x 255.255.255.0
!
interface Ethernet0/3
 nameif Voice
 security-level 90
 ip address 172.16.15.15 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.10.15 255.255.255.0
 management-only

12 Replies

Andrew Phirsov
Level 7
Do I need an ASA interface on this network also?

No, you don't. The client will know that it has to send all the traffic through the tunnel (if no split tunneling is enabled). It will just send everything to the ASA and the ASA will route it towards the inside network, and vice versa (Security Associations will tell them (client and ASA) which traffic to send where). Plus, when a client connects and the ASA assigns the client an IP address, the ASA will install a static route towards that IP address through the interface to which the client connects.

DHCP is surely possible.

You can use this doc to guide you through the setup:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
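The DHCP-assignment option mentioned in the reply above, written out as an added ASA configuration example (not taken from the thread or the linked guide). The tunnel-group and group-policy name KA-VPN, the DHCP server address 172.16.4.10 and the 10.255.0.0/24 scope are assumptions; the scope must already exist on the internal DHCP server.

```cisco
! Added example: let VPN clients take addresses from an internal DHCP server
! instead of an "ip local pool" on the ASA. Assumed names and addresses:
!   KA-VPN        - tunnel-group / group-policy created by the VPN wizard
!   172.16.4.10   - internal DHCP server, reachable through the inside interface
!   10.255.0.0/24 - a scope on that DHCP server reserved for VPN clients
!
! 1. Enable DHCP as an address-assignment method (the local pool can stay
!    configured as a fallback; the ASA tries AAA, then DHCP, then the pool).
vpn-addr-assign dhcp
!
! 2. Tell the tunnel-group which DHCP server to query and which group-policy
!    applies to its sessions.
tunnel-group KA-VPN general-attributes
 dhcp-server 172.16.4.10
 default-group-policy KA-VPN
!
! 3. The ASA relays the request with this network as the scope hint, so the
!    DHCP server hands out a 10.255.0.0/24 lease rather than one from the
!    inside-LAN scope.
group-policy KA-VPN attributes
 dhcp-network-scope 10.255.0.0
!
! 4. Verify after a client connects: the leased address is listed for the
!    session, and a host route to it appears on the interface the client
!    came in on.
!   show vpn-sessiondb
!   show route
```

Using DHCP changes only where the address comes from; the routing back to the clients (covered later in the thread) is the same whether the address was leased by the DHCP server or taken from the local pool.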

Thanks,

I've followed the VPN wizard and set up a new DHCP scope for the VPN clients. I've connected a test machine via the VPN client, and it connects / gets an IP address on the 10.x.x.x network. When I do an ipconfig though there is no default gateway configured, just an IP / SM from my VPN scope. Is this normal for a VPN client? Also, when I ping devices in my inside network I get no reply. Do I need to do more config outwith the VPN wizard?

Cheers

I also enabled split tunneling in the wizard, not sure if this makes a difference to anything. I take it there is more to do rather than just following the VPN wizard? Also, the address space I used for VPN clients is 10.15.x.x; do I need to have an L3 interface for this network outwith the ASA, as at the moment this network doesn't exist, only as the DHCP scope on the ASA.

Ok, managed to get this working to an extent. So my VPN client can now access the local network, but only the one subnet on my Inside LAN. I want to be able to ping / reach other networks from outwith my LAN, e.g my datacenter where all our Exchange / Intranet are hosted. Is this easily achieved?

GRANT3779 wrote:

Ok, managed to get this working to an extent. So my VPN client can now access the local network, but only the one subnet on my Inside LAN. I want to be able to ping / reach other networks from outwith my LAN, e.g my datacenter where all our Exchange / Intranet are hosted. Is this easily achieved?

No problem here. You just have to make sure that:

-subnets you want to reach from the VPN clients are included in the split-tunnel ACL, if you're using one.

-hosts/servers on those subnets have a route towards the VPN clients (the subnet you've assigned to them) through the ASA's inside interface.

Thanks for the reply.

When you say I need to include those subnets in my split tunnel ACL, can this be done in the ASDM? Not too sure where to find this. If I am not using split tunneling, how would I achieve the same? Also, the subnet I have assigned to the VPN clients is not a routable subnet on my network.

If for example a VPN client wants to access a remote subnet, e.g. my datacentre across the WAN, is this actually sourced from the new VPN client subnet I have assigned to the VPN clients? I'm guessing I need to add a static route at the datacentre to route the VPN client subnet back towards my main LAN? I'm guessing this would have been easier if I could use my DHCP server to feed addresses to clients...

If you're not using split-tunnel, it's fine, just don't use it.

For the routing part.

You've said that your clients can now access the internal LAN. If split tunneling is disabled, that means that the clients can access (have a route to) anything in your network to which the ASA has a route, because all the traffic from the clients goes through the ASA. Yes, traffic from the clients has the source IP of the clients themselves, not the ASA's inside interface. So, in order to allow access from the VPN clients to, say, the datacenter, you should provide the servers in the datacenter with correct routing info towards the clients through the ASA. Plus, the ASA itself should have a route towards the datacenter part of your network. Nothing will change if you use DHCP. Just provide basic routing between all the endpoints.

Thanks Andrew, I'm hoping I can get this sussed out today. Will be a great breakthrough if I can get it fully working.

So at the moment I can access part of the internal network without configuring any routes towards my VPN client subnet. How is this currently achieved if I don't have a route?
At the moment, I have no route to 10.255.0.0 /24 (my VPN client subnet) but my internal subnet can access it OK.

All of my L3 routing is done on our core which sits behind the ASA. I have another network, e.g. 172.27.10, which is also inside my network, but I'm unable to reach this from the VPN client subnet. Do I need to add further entries in the ASDM/Firewall/NAT Rules?

All I have there at the moment is my VPN client subnet as source - inside subnet as destination, and vice versa. However I have multiple subnets behind the ASA inside interface I want to access. I'm sure I'm missing something simple here! Sorry for all the questions, just trying to get my head round how it works.

Basically at the moment I can only access one of my Internal Subnets, but I have a few different subnets inside my network and need to access these also. Once i get these done, I'll look at the WAN subnets.

Ok, on my VPN clients now when I do an IPCONFIG they are getting a default gateway of 10.255.0.1 which is the first address on my VPN subnet. I didn't set a DG though. Where does it pick this up from?

Also - I can ping my VPN client from other subnets, but not the other way around. E.g. I can't ping the other subnets from the VPN client..

Must be something simple I'm sure..

At the moment, I have no route to 10.255.0.0 /24 (my VPN client subnet) but my internal subnet can access it OK.

Maybe they have a default route pointing to the ASA?

Again, just add static routes towards 10.255.0.0/24 through the ASA. Or you can use dynamic routing (say OSPF) for this and redistribute static routes on the ASA (because routes towards each VPN client appear in the routing table of the ASA as static ones as soon as the client connects; do a sh route while some client is connected to see it).
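The two points Andrew makes across his replies (put every subnet in the split-tunnel ACL, and give both the ASA and the core a route for the pool, either static or via OSPF), pulled together as one added ASA configuration example. This is not config from the thread; it reuses the thread's ACL name and object names, and assumes a group-policy called KA-VPN, a core switch at 172.16.4.1 that does the L3 routing behind the ASA, an ASA inside address of 172.16.4.15, and 172.27.10.0/24 as a subnet that sits behind the core rather than on an ASA interface.

```cisco
! Added example (not config from the thread): let VPN clients in 10.255.0.0/24
! reach several inside subnets, not just the one directly on the ASA.
! Assumptions:
!   KA-VPN          - group-policy created alongside KA-VPN_splitTunnelAcl
!   172.16.4.1      - core switch address on the inside segment (does all L3 routing)
!   172.16.4.15     - the ASA's inside interface address
!   172.27.10.0/24  - an inside subnet routed by the core, not connected to the ASA
!
object network NETWORK_OBJ_10.255.0.0
 subnet 10.255.0.0 255.255.255.0
object-group network INSIDE_NETS
 network-object 172.27.4.0 255.255.252.0
 network-object 172.27.10.0 255.255.255.0
!
! 1. Every subnet the clients should reach goes in the split-tunnel ACL, and the
!    ACL must be bound to the group-policy, otherwise the client never sends the
!    traffic into the tunnel.
access-list KA-VPN_splitTunnelAcl standard permit 172.27.4.0 255.255.252.0
access-list KA-VPN_splitTunnelAcl standard permit 172.27.10.0 255.255.255.0
group-policy KA-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value KA-VPN_splitTunnelAcl
!
! 2. One identity (no-NAT) rule covering all inside subnets <-> pool, scoped to
!    the interfaces the traffic crosses instead of (any,any). New subnets only
!    need adding to INSIDE_NETS and the ACL above.
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static NETWORK_OBJ_10.255.0.0 NETWORK_OBJ_10.255.0.0 no-proxy-arp route-lookup
!
! 3. The ASA needs a route to the subnets that live behind the core ...
route inside 172.27.10.0 255.255.255.0 172.16.4.1 1
!
! ... and the core needs a route back to the pool via the ASA's inside address.
! (IOS syntax; this line goes on the core switch, not on the ASA.)
!   ip route 10.255.0.0 255.255.255.0 172.16.4.15
!
! 3b. Alternative to the static route on the core: run OSPF between the ASA and
!     the core and redistribute the per-client host routes the ASA installs when
!     a client connects.
router ospf 1
 network 172.16.4.0 255.255.252.0 area 0
 redistribute static subnets
!
! 4. Checks: pool and per-client host routes, the no-NAT rule with hit counts,
!    and the split-tunnel binding.
!   show route
!   show nat detail
!   show running-config group-policy KA-VPN
```

When the split-tunnel ACL lists a subnet but the matching no-NAT rule or the return route on the core is missing, the symptom is exactly the one described in this thread: the inside hosts can reach the client (the return path exists via their default route to the ASA) while the client's own packets never get back.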

Yeah you're right, default route points to ASA. Now to figure out why I can't ping from the VPN client machine to the other subnet, but can ping the other way.. getting there slowly :-)

Hi,

This is what I have so far...

I want to access 172.27.10.0 /24 also, but at the moment my VPN Clients can only access 172.27.4.0 /22.

Am I missing something obvious here?

nat (any,any) source static AB_IT_Network AB_IT_Network destination static NETWORK_OBJ_10.255.0.0 NETWORK_OBJ_10.255.0.0
nat (any,any) source static NETWORK_OBJ_172.27.4.0_22 NETWORK_OBJ_172.27.4.0_22 destination static NETWORK_OBJ_10.255.0.0 NETWORK_OBJ_10.255.0.0
!
object network NETWORK_OBJ_10.255.0.0
 subnet 10.255.0.0 255.255.255.0
object network AB_IT_Network
 subnet 172.27.10.0 255.255.255.0
object network NETWORK_OBJ_172.27.4.0_22
 subnet 172.27.4.0 255.255.252.0
!
access-list KA-VPN_splitTunnelAcl standard permit 172.27.4.0 255.255.252.0
access-list KA-VPN_splitTunnelAcl standard permit 172.27.10.0 255.255.255.0
!
ip local pool VPNClientPool10.x.x.x 10.255.0.100-10.255.0.250 mask 255.255.255.0