08-22-2013 02:25 AM - edited 02-21-2020 07:06 PM
Dear All,
I have configured remote access VPN without using split tunnel. Everything is working fine. I can access all the inside networks which are allowed in the ACL.
I am facing a strange issue now. I have created a pool for remote access VPN with the range 192.168.5.8/29. I can access my internal subnets 10.10.0.0/16.
I have the below access-list for acl-in.
access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
object-group network vpnclients
network-object host 10.110.100.26
network-object host 10.106.100.15
network-object host 10.10.10.6
network-object host 10.10.20.82
network-object host 10.110.100.48
network-object host 10.10.20.53
network-object host 10.10.20.54
network-object host 10.60.100.1
network-object host 10.10.10.75
network-object host 10.10.20.100
network-object host 10.10.130.136
network-object host 10.106.100.16
network-object host 10.106.100.9
network-object host 10.170.100.1
network-object host 10.170.100.2
network-object host 10.170.100.21
network-object host 10.101.100.20
network-object host 10.170.100.25
So whichever IPs I have called in the vpnclients group are able to access via RA VPN. The issue is, when I try to access the internal network 192.168.198.0/24, I am able to access it without adding it to the vpnclients group. Even for 192.168.197.0/24, 192.168.197.0/24 the same. But for 10.10.0.0/16 we can access only after adding to the vpnclients group. Has anyone faced this issue before? Is this because of the same network, I mean 192.168.0.0, something like that? There is no other statement in acl-in for 192.168.0.0.
Regards
-Danesh Ahammad
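To check the ACL as posted against the behaviour described, here is an added example (it is not from this thread, nor Cisco's code): a small first-match evaluator for the posted object-group and acl-in entry. It assumes the single entry shown is the whole of acl-in, that an ASA ACL ends with an implicit deny, and that the flow being evaluated is inside host to VPN pool address, as the entry is written. It models only the ACL's own semantics; it says nothing about whether the ASA consults acl-in for VPN traffic at all.

```python
import ipaddress

# Constructed copy of the object-group and the acl-in entry from the post above.
# Assumption: this is the complete content of acl-in; an ASA ACL ends with an implicit deny.
ASA_CONFIG = """
access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
object-group network vpnclients
 network-object host 10.110.100.26
 network-object host 10.106.100.15
 network-object host 10.10.10.6
 network-object host 10.10.20.82
 network-object host 10.110.100.48
 network-object host 10.10.20.53
 network-object host 10.10.20.54
 network-object host 10.60.100.1
 network-object host 10.10.10.75
 network-object host 10.10.20.100
 network-object host 10.10.130.136
 network-object host 10.106.100.16
 network-object host 10.106.100.9
 network-object host 10.170.100.1
 network-object host 10.170.100.2
 network-object host 10.170.100.21
 network-object host 10.101.100.20
 network-object host 10.170.100.25
"""


def _parse_addr(tokens):
    """Consume one ASA address spec (host X | any | object-group NAME | NET MASK) from tokens."""
    if tokens[0] == "object-group":
        return ("group", tokens[1]), tokens[2:]
    if tokens[0] == "host":
        return ("net", ipaddress.ip_network(tokens[1])), tokens[2:]
    if tokens[0] == "any":
        return ("net", ipaddress.ip_network("0.0.0.0/0")), tokens[1:]
    return ("net", ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)), tokens[2:]


def parse_config(text):
    """Return ({group_name: [networks]}, {acl_name: [(action, proto, src, dst)]}) in config order."""
    groups, acls, current_group = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "object-group" and tokens[1] == "network":
            current_group = tokens[2]
            groups.setdefault(current_group, [])
        elif tokens[0] == "network-object" and current_group:
            spec, _ = _parse_addr(tokens[1:])
            groups[current_group].append(spec[1])
        elif tokens[0] == "access-list" and tokens[2] == "extended":
            current_group = None
            # access-list NAME extended permit|deny PROTO SRC DST
            action, proto = tokens[3], tokens[4]
            src, rest = _parse_addr(tokens[5:])
            dst, _ = _parse_addr(rest)
            acls.setdefault(tokens[1], []).append((action, proto, src, dst))
    return groups, acls


def _matches(spec, ip, groups):
    kind, value = spec
    nets = groups[value] if kind == "group" else [value]
    return any(ip in net for net in nets)


def evaluate(acl_name, src_ip, dst_ip, groups, acls, proto="ip"):
    """First-match evaluation of an ASA ACL; no matching entry means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, entry_proto, src_spec, dst_spec in acls.get(acl_name, []):
        if entry_proto not in ("ip", proto):
            continue
        if _matches(src_spec, src, groups) and _matches(dst_spec, dst, groups):
            return action
    return "deny"


GROUPS, ACLS = parse_config(ASA_CONFIG)


def acl_in_verdict(src_ip, dst_ip):
    """Verdict of acl-in for a flow from an inside host to a VPN pool address."""
    return evaluate("acl-in", src_ip, dst_ip, GROUPS, ACLS)


if __name__ == "__main__":
    for src in ("10.10.10.6", "10.10.20.1", "192.168.198.20"):
        print(f"{src:>16} -> 192.168.5.10 : {acl_in_verdict(src, '192.168.5.10')}")
```

Run as is, the evaluator returns permit for 10.10.10.6 (a listed host) and the implicit deny for both 10.10.20.1 and 192.168.198.20. In other words, acl-in as posted does not contain anything that would permit the 192.168.198.0/24 traffic, so whatever is letting the VPN clients reach that subnet is not this ACL's permit entry.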
08-22-2013 04:43 AM
Hi,
If I read correctly, you made the RA VPN "without" split tunnel, correct? If that is the case, all of the traffic will traverse the VPN connection (tunnel all); the access-list "acl-in" is of no use to it.
Try converting it to use split tunnel; I am sure that way you cannot access resources that are not mentioned in the list.
~Harry
08-22-2013 05:07 AM
So you mean to say that the ACL comes into the picture only when split tunnel is enabled, right? Even if there is an access-list on the inside interface, it's not going to affect the VPN clients, right?