Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

How to enable routing to a subnet in ASA 5510

Dear,

 

We are using cisco ASA 5510 and we provide VPN access to external users through cisco anyconnect. When users get connected they can access to only one subnet. How can we enable route to another subnet in CLI or ASDM?

 

Thanks & Regards,

 

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Hi,

Hi,

 

Seems to me that you dont atleast have a NAT0 configuration for the traffic between this LAN subnet and the VPN Pool

 

This is your current NAT0 configuration ACL

access-list nonat extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 host 10.212.61.32 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.192 255.255.255.192 
access-list nonat extended permit ip 172.16.0.0 255.255.254.0 10.1.12.0 255.255.255.0 
access-list nonat extended permit ip 10.1.12.0 255.255.255.0 10.1.12.0 255.255.255.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.12.0 255.255.255.0 

 

You VPN Pool seems to be 172.16.240.0/24 so you would need to add the following ACL line

access-list nonat extended permit ip 10.1.12.0 255.255.255.0 172.16.240.0 255.255.255.0 

 

Hope this helps :)

 

- Jouni

 

4 REPLIES
Super Bronze

Hi, This might have nothing

Hi,

 

This might have nothing to do with actual routing but your VPN configurations.

 

At the moment you have not provided enough information for us to give you a specific answer. It would be best if you could describe what kind of network you have between the LAN subnets and the VPN device. Does for example all the LAN subnets have a route towards the VPN device for the VPN Pool used?

 

There are 2 main things to look at when you have a VPN Client connection and connections to some subnets are not working.

  • Are you using Full Tunnel or Split Tunnel? You can check this from the "group-policy" configuration used for the VPN connection. You can use the command "show run group-policy" to check this on the CLI or you can use the ASDM to find the Group Policy used and check what its Split Tunnel settings are. If you are using Split Tunnel VPN then you will have to configure all the internal subnets in the Split Tunnel ACL for the VPN Client to tunnel traffic to them. If you are using Full Tunnel VPN then you wont have to add subnets to any ACL
  • Have you configured NAT0 for all the internal subnet you want to access through the VPN Client connection? Even if the above mentioned Split Tunnel configuration includes all the required subnets (or you are using Full Tunnel) you might be missing a NAT0 configuration for some of the internal subnets which blocks connectivity. Make sure you have the correct NAT configurations.

 

Then there are some more uncommon settings that might cause problems. If you for example are using a VPN Filter ACL you need to allow the traffic in that ACL. Or if you are using the global setting "no sysopt connection permit-vpn" it will mean that you have to allow required traffic in the ACL of the interface to which the user connects with the VPN Client.

 

So as I said, we need more information to help you or perhaps the above points might help you find the problem in the configurations.

 

Hope this helps :)

 

- Jouni

 

Hi Jouni,Our LAN subnet : 172

Hi Jouni,

Our LAN subnet : 172.16.0.0/23 & 10.1.12.0/24

Pls find the attached config.

Let me know the changes to be made to reach the network 10.1.12.0/24 through cisco anyconnect.

Right now only 172.16.0.0/23 subnet is reachable from outside.

Thanks & Regards,

 

 

Super Bronze

Hi,

Hi,

 

Seems to me that you dont atleast have a NAT0 configuration for the traffic between this LAN subnet and the VPN Pool

 

This is your current NAT0 configuration ACL

access-list nonat extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 host 10.212.61.32 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.192 255.255.255.192 
access-list nonat extended permit ip 172.16.0.0 255.255.254.0 10.1.12.0 255.255.255.0 
access-list nonat extended permit ip 10.1.12.0 255.255.255.0 10.1.12.0 255.255.255.0 
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.12.0 255.255.255.0 

 

You VPN Pool seems to be 172.16.240.0/24 so you would need to add the following ACL line

access-list nonat extended permit ip 10.1.12.0 255.255.255.0 172.16.240.0 255.255.255.0 

 

Hope this helps :)

 

- Jouni

 

Thnx jouni, It works...

Thnx jouni, It works...

697
Views
0
Helpful
4
Replies
CreatePlease login to create content