Remote Access VPN - add new internal IP

Hi 

I have an existing Cisco VPN client configuration on an ASA 5510 for remote access.

-------------------------------------

Group name : ISETANLOT10

Group password  : xxxx
 
IP pool : lot10ippool, 172.27.17.240 - 172.27.17.245
 
encryption : 3DES
authentication : SHA
------------------------------------
The connection was successful and I was able to ping the internal server at 172.47.1.10.
Now there is a request for the same remote access VPN to be able to ping/access two new servers inside the LAN, 172.57.1.10 and 172.57.1.20.
But with the same VPN access, I was unable to ping either new IP.
How can I add both IPs so they can be pinged using the same remote access VPN config?
I have attached the existing config below (edited version).
 
===

: Saved
:
ASA Version 8.0(4) 
!
hostname asalot10
names
name 172.17.100.22 NAVNew
name 172.27.17.215 NECUser
name 172.47.1.10 NarayaServer description Naraya Server
name 62.80.122.172 NarayaTelco1
name 62.80.122.178 NarayaTelco2
name 172.57.1.10 IPVSSvr description IPVSSvr
name 122.152.181.147 Japan01
name 122.152.181.0 Japan02
name 175.139.156.174 Outside_Int
name 178.248.228.121 NarayaTelco3
name 172.67.1.0 VCGroup
name 172.57.1.20 IPVSSvr2
!
object-group service NECareService
 description Remote NECareService
 service-object tcp eq https 
 service-object tcp eq ssh 
 service-object icmp echo-reply
access-list inside_access_in extended deny ip any Japan02 255.255.255.0 
access-list inside_access_in extended permit ip VCGroup 255.255.255.0 any 
access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1 
access-list inside_access_in extended permit ip object-group PermitInternet any log disable 
access-list inside_access_in extended permit ip host NarayaServer any log disable 
access-list inside_access_in extended permit ip host IPVSSvr any 
access-list inside_access_in extended permit ip host NAVNew any log disable 
access-list inside_access_in extended permit ip host 172.17.100.30 any 
access-list outside_access_in extended permit object-group NECareService object-group NECare any 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer 
access-list outsidein extended permit tcp any host Outside_Int eq https 
access-list outsidein extended permit object-group rdp any host Outside_Int log debugging 
access-list outsidein extended permit tcp object-group DM_INLINE_NETWORK_2 host Outside_Int eq 8080 
access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr 
access-list inside_mpc extended permit object-group TCPUDP any any eq www 
access-list inside_mpc extended permit tcp any any eq www 
access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248 
access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png 
access-list inside_nat0_outbound extended permit ip host IPVSSvr2 172.27.17.240 255.255.255.248 
access-list outside_cryptomap extended permit ip object-group Naraya_Png object-group Nry_Png 

global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface ssh IPVSSvr2 ssh netmask 255.255.255.255 
access-group outsidein in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 175.139.156.173 1
route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
route inside NAVNew 255.255.255.255 172.27.17.100 1
route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
route inside VCGroup 255.255.255.0 172.27.17.100 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 218.x.x.105 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

group-policy ISETANLOT10 internal
group-policy ISETANLOT10 attributes
 dns-server value 172.27.17.100
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username nectier3 password dPFBFnrViJi/LGbT encrypted privilege 0
username nectier3 attributes
 vpn-group-policy ISETANLOT10
username necare password BkPn6VQ0VwTy7MY7 encrypted privilege 0
username necare attributes
 vpn-group-policy ISETANLOT10
username naraya password pcGKDau9jtKgFWSc encrypted
username naraya attributes
 vpn-group-policy ISETANLOT10
 service-type nas-prompt
tunnel-group ISETANLOT10 type remote-access
tunnel-group ISETANLOT10 general-attributes
 address-pool lot10ippool
 default-group-policy ISETANLOT10
tunnel-group ISETANLOT10 ipsec-attributes
 pre-shared-key *
tunnel-group 218.x.x.105 type ipsec-l2l
tunnel-group 218.x.x.105 ipsec-attributes
 pre-shared-key *
tunnel-group ivmstunnel type remote-access
tunnel-group ivmstunnel general-attributes
 address-pool lot10ippool
tunnel-group ivmstunnel ipsec-attributes
 pre-shared-key *
!

=====
Accepted Solution

Marvin Rhoads (Hall of Fame)

The remote access VPN should allow the connection but I am guessing your ASA doesn't know how to route to the two new destinations.

You have a name and static route for the working server at 172.47.1.10:

name 172.47.1.10 NarayaServer description Naraya Server

route inside NarayaServer 255.255.255.255 172.27.17.100 1

...but no equivalent for the two new hosts. As a result, any traffic from the ASA destined for them will attempt to use the default route (via the outside interface).

If you add:

route inside 172.57.1.10 255.255.255.255 172.27.17.100

route inside 172.57.1.20 255.255.255.255 172.27.17.100

(assuming that's your correct gateway), it should work.
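Editor's added example, not part of the original thread: the reasoning in this answer can be checked offline by reproducing the ASA's static-route lookup over the `name` and `route` lines quoted in the question. The script parses a constructed excerpt of the posted config, looks up the working server and the two new hosts, then applies the two routes suggested above and looks them up again. The config excerpt, the `Route` class and the function names are this example's own and are not Cisco commands; the selection rule it implements (longest prefix match, ties broken by lowest metric) is standard ASA behaviour.

```python
"""Reproduce the ASA's static-route lookup for the hosts in this thread.

Added example: the config excerpt below is constructed from the `name` and
`route` lines the original poster quoted; the class and function names are
this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of the posted running-config: only the lines that
# influence routing. 172.57.1.10/.20 have `name` entries but no route.
ASA_CONFIG = """\
name 172.17.100.22 NAVNew
name 172.47.1.10 NarayaServer description Naraya Server
name 172.57.1.10 IPVSSvr description IPVSSvr
name 172.67.1.0 VCGroup
name 172.57.1.20 IPVSSvr2
route outside 0.0.0.0 0.0.0.0 175.139.156.173 1
route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
route inside NAVNew 255.255.255.255 172.27.17.100 1
route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
route inside VCGroup 255.255.255.0 172.27.17.100 1
"""

# The two routes from the accepted answer (metric omitted; the ASA defaults to 1).
FIX = """\
route inside 172.57.1.10 255.255.255.255 172.27.17.100
route inside 172.57.1.20 255.255.255.255 172.27.17.100
"""
FIXED_CONFIG = ASA_CONFIG + FIX


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    gateway: ipaddress.IPv4Address
    metric: int


def parse_names(config):
    """Map `name <ip> <alias> [description ...]` entries to their address."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)", config, re.MULTILINE)}


def parse_route(line, names):
    """Parse one `route <iface> <dest> <mask> <gateway> [metric]` statement,
    resolving `name` aliases in the destination and gateway fields."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface, dest, mask, gateway = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    network = ipaddress.IPv4Network((names.get(dest, dest), mask), strict=False)
    return Route(network, iface, ipaddress.IPv4Address(names.get(gateway, gateway)), metric)


def parse_routes(config):
    """Build the static routing table from every `route` line in the config."""
    names = parse_names(config)
    return [parse_route(ln, names) for ln in config.splitlines() if ln.startswith("route ")]


def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric. The default route
    (0.0.0.0/0) wins only when nothing more specific matches."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interfaces(config, destinations):
    """Which interface each destination would leave by under this config."""
    routes = parse_routes(config)
    return {d: lookup(routes, d).interface for d in destinations}


if __name__ == "__main__":
    hosts = ["172.47.1.10", "172.57.1.10", "172.57.1.20"]
    for label, cfg in (("before", ASA_CONFIG), ("after", FIXED_CONFIG)):
        for host, iface in egress_interfaces(cfg, hosts).items():
            print(f"{label}: {host} -> {iface}")
```

Before the fix the two new hosts match only 0.0.0.0/0 and would be sent back out the outside interface after decryption; after it they match their /32 routes and go to 172.27.17.100. On the ASA itself `show route` lists the same table. Two observations from the posted config support the answer: the aliases already exist, so the routes can equally be written `route inside IPVSSvr 255.255.255.255 172.27.17.100 1`, and `inside_nat0_outbound` already exempts `any` to the 172.27.17.240/29 pool from NAT, so the return path from the new servers needs no NAT change and routing is the only missing piece.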


Hi Marvin, 

Thanks a lot, it works.

Now I understand how to do it next time.