Solved: Remote Access VPN on ASA on IOS 8.4 (2)

pavne_imran · ‎06-23-2012

Iam able to authenticate on VPN network with my username password & also able to get IP address from VPN pool

But Not able to access any thing on my inside network (i.e lan ) or remote desktop on server 172.17.100.10 ,172.17.100.20

ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.30 eq 22 any

group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NetworkTest_splitTunnelAcl
default-domain value Q8.com

tunnel-group NetworkTest-VPN type remote-access
tunnel-group NetworkTest-VPN general-attributes
address-pool (inside) Q8-VPN-Pool
address-pool Q8-VPN-Pool
authentication-server-group ACS
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy NetworkTest-VPN

tunnel-group NetworkTest-VPN ipsec-attributes
pre-shared-key ******

Below nat didnt work So I created new Nat for 8.4

access-list inside_nat0_outbound extended permit ip any 172.16.37.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

New Nat for 8.4

object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST

Karsten Iwen · ‎06-24-2012

Split-Tunneling controlles the routing into the tunnel. And this is done without L4-information (knowing that there are cases where this is done, but I can't see that in your szenario). And as said before, filtering is done with the vpn-filter.

For the nat to work you have to use the right order of nat-statements (top-down). So this NAT-Exemption has to be above the general NAT for internet-access. You can control that with "show nat".

View solution in original post

Karsten Iwen · ‎06-23-2012

On the ASA the Split-Tunnel-ACL should be a standard-ACL only listing the networks you want to communicate with (when you specify "split-tunnel-policy tunnelspecified"). The filtering you want to achieve should go into the "vpn-filter" which also can be configured in the group-policy.

regards, Karsten

pavne_imran · ‎06-24-2012

Dear Karsten

If I work with standard I cant define ports

But for sake of argument I did your solution but it didnt worked

Do u feel my nat statemnet is correct

object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST

I will obliged if you can provide me soem other alternate solution

Karsten Iwen · ‎06-24-2012

Split-Tunneling controlles the routing into the tunnel. And this is done without L4-information (knowing that there are cases where this is done, but I can't see that in your szenario). And as said before, filtering is done with the vpn-filter.

For the nat to work you have to use the right order of nat-statements (top-down). So this NAT-Exemption has to be above the general NAT for internet-access. You can control that with "show nat".

Bashir Imran Pavne · ‎07-11-2012

The issuse Iam facing is Iam able to get IP address from VPN pool but not able to get Default gateway

In the VPN Status statistics Able to send packet But not able to recive packets

Iam able to authenticate on VPN network with my username password & also

But Not able to access any thing on my inside network (i.e lan ) or remote desktop on server 172.17.100.10 ,172.17.100.20

Below is the configuration

ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.30 eq 22 any

group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-filter value Network-Admin_splitTunnelAcl

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified
split-tunnel-network-list value NetworkTest_splitTunnelAcl
default-domain value Q8.com

tunnel-group NetworkTest-VPN type remote-access
tunnel-group NetworkTest-VPN general-attributes
address-pool (inside) Q8-VPN-Pool
address-pool Q8-VPN-Pool
authentication-server-group ACS
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy NetworkTest-VPN

tunnel-group NetworkTest-VPN ipsec-attributes
pre-shared-key ******

object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST

I have static routes but I have read in one document to apply default route pointing toward ASA with tunnled

But the query is what about other tunnels which are working form outside to DMZ

If I apply default route all tunneled traffic will flow towards inside interface of ASA or Only split tunnel tarffic willflow towards inside interface

Karsten Iwen · ‎07-11-2012

Your Split-Tunneling and vpn-filter is still wrong. The way to configure it is the following:

For Split-Tunneling a standard ACL is typically used to specify which networks should be reached through the tunnel:

access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0

!

group-policy NetworkTest-VPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT-ACL

A different ACL is used to filter the traffic that can be sent inside the tunnel. In that ACL the meaning of the fields is different to a normal ACL. The vpn-filter works with Remote and Local instead of Source and Destination.

Your VPN-Filter has to look like that:

access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.10 eq 3389

access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.20 eq 3389

access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.30 eq 22

!

group-policy NetworkTest-VPN attributes

vpn-filter value VPN-FILTER-TEST

Bashir Imran Pavne · ‎07-15-2012

Dear Karen

Thanks for the reply

So to make more simple I created an ACL as below to avoid routing issuse

access-list 20 standard permit any

I applied this ACL in my split tunnel

group-policy NetworkTest-VPN internal

group-policy NetworkTest-VPN attributes

dns-server value 192.168.0.122 192.168.0.123

vpn-tunnel-protocol IPSec

vpn-filter value Network-Admin_splitTunnelAcl

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 20

default-domain value Q8.com

Dear Karen

My query now is vpn filter which will provide access to vpn group users for the inside servers

VPN Pool is 172.16.37.x/24

SERVER Inside IP Address is 172.16.100.9 on 3389

Behind my ASA my juniper is install So all traffic come to ASA with IP Address as 172.16.14.1

Server which needs to be access from vpn in my inside network IP ADDRESS is 172.16.100.9 on 3389

So how to I create ACL for vpn filter

Please do reply

Karsten Iwen · ‎07-15-2012

if your internal network is hidden by one IP on the juniper firewall, then your vpn-filter will look like that:

access-list VPN-FILTER extended permit tcp 172.16.37.0 255.255.255.0 host 172.16.14.1 eq 3389

On the Juniper you have to configure the port-forwarding to the desired host.

Bashir Imran Pavne · ‎07-16-2012

Dear Karen

Thanks & much appreciated

My VPN is working fine & able to access the required server with specific ports

I created the below access-list & I called the below access list in my VPN -Filter value

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 172.17.100.10 eq domain

My VPN & Everything is working fine

One more help for below query

For standard ACL we use to create as access-list ABC webtype permit url http://Q8.bombay.com

I want to known how to created WEBTYPE access-list in extended acl of mine as above

( i.e access-list Network-Admin_splitTunnelAcl extended )

Please do reply

Karsten Iwen · ‎07-16-2012

I'm not really sure what you mean, but the simplified rule for ACLs is:

- extended ACLs for Access-Control on L3/L4

- standard ACLs for controlling routing

- webtype ACLs for clientless VPNs

- ethertype ACLs for controlling L2-traffic in transparent firewall setups.

Bashir Imran Pavne · ‎07-17-2012

Dear Karen

https://Q8.bombay.com

q8.bombay.com is internal web site which resolves with IP Address 172.16.3.210

I have created below ACL & called this acl in my web filter as below

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 172.16.3.210 eq https

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 192.168.0.122 eq 53

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 192.168.0.123 eq 53

access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0

access-list SPLIT-ACL standard permit 172.16.0.0 255.255.0.0

group-policy NetworkTest-VPN internal

group-policy NetworkTest-VPN attributes

dns-server value 192.168.0.122 192.168.0.123

vpn-filter value Network-Admin_splitTunnelAcl

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-ACL
default-domain value Q8.com

QUERY

If i do telnet 172.16.3.210 443 ( Iam able to see in cmd port is open )

But i write the IP Address in the browser IE or FireFox 172.16.3.210 teh website does open

If I write the url https://Q8.bombay.com also it does open

Where can be the mistake What need to be added more in my ACL