New Member

Remote Access VPN on ASA on IOS 8.4 (2)

I am able to authenticate on the VPN network with my username and password, and I am also able to get an IP address from the VPN pool.

But I am not able to access anything on my inside network (i.e. LAN) or remote desktop on servers 172.17.100.10, 172.17.100.20.

ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.30 eq 22 any


group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NetworkTest_splitTunnelAcl
default-domain value Q8.com


tunnel-group NetworkTest-VPN type remote-access
tunnel-group NetworkTest-VPN general-attributes
address-pool (inside) Q8-VPN-Pool
address-pool Q8-VPN-Pool
authentication-server-group ACS
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy NetworkTest-VPN

tunnel-group NetworkTest-VPN ipsec-attributes
pre-shared-key ******

The NAT below didn't work, so I created a new NAT for 8.4:

access-list inside_nat0_outbound extended permit ip any 172.16.37.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

New NAT for 8.4:

object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST

VIP Purple

Remote Access VPN on ASA on IOS 8.4 (2)

On the ASA the Split-Tunnel-ACL should be a standard-ACL only listing the networks you want to communicate with (when you specify "split-tunnel-policy tunnelspecified"). The filtering you want to achieve should go into the "vpn-filter" which also can be configured in the group-policy.

regards, Karsten


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Remote Access VPN on ASA on IOS 8.4 (2)

Dear Karsten

If I work with standard I can't define ports.

But for the sake of argument I tried your solution, but it didn't work.

Do you feel my NAT statement is correct?

object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST

I would be obliged if you could provide me some other alternate solution.

VIP Purple

Remote Access VPN on ASA on IOS 8.4 (2)

Split-Tunneling controls the routing into the tunnel. And this is done without L4-information (knowing that there are cases where this is done, but I can't see that in your scenario). And as said before, filtering is done with the vpn-filter.

For the nat to work you have to use the right order of nat-statements (top-down). So this NAT-Exemption has to be above the general NAT for internet-access. You can control that with "show nat".


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: Remote Access VPN on ASA on IOS 8.4 (2)

The issue I am facing is that I am able to get an IP address from the VPN pool but not able to get a default gateway.

In the VPN status statistics I am able to send packets but not able to receive packets.

I am able to authenticate on the VPN network with my username and password & also

But I am not able to access anything on my inside network (i.e. LAN) or remote desktop on servers 172.17.100.10, 172.17.100.20.

Below is the configuration:

ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.20 eq 3389 any

access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.30 eq 22 any


group-policy NetworkTest-VPN internal
group-policy NetworkTest-VPN attributes
dns-server value 192.168.0.122 192.168.0.123
vpn-filter value Network-Admin_splitTunnelAcl

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified
split-tunnel-network-list value NetworkTest_splitTunnelAcl
default-domain value Q8.com


tunnel-group NetworkTest-VPN type remote-access
tunnel-group NetworkTest-VPN general-attributes
address-pool (inside) Q8-VPN-Pool
address-pool Q8-VPN-Pool
authentication-server-group ACS
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy NetworkTest-VPN

tunnel-group NetworkTest-VPN ipsec-attributes
pre-shared-key ******

object network RA-VPN-HOST
subnet 172.16.37.0 255.255.255.0
!
nat (inside,outside) source static any any destination static RA-VPN-HOST RA-VPN-HOST

I have static routes, but I have read in one document to apply a default route pointing toward the ASA with tunneled.

But the query is: what about the other tunnels which are working from outside to the DMZ?

If I apply the default route, will all tunneled traffic flow towards the inside interface of the ASA, or will only split-tunnel traffic flow towards the inside interface?

VIP Purple

Re: Remote Access VPN on ASA on IOS 8.4 (2)

Your Split-Tunneling and vpn-filter is still wrong. The way to configure it is the following:

For Split-Tunneling a standard ACL is typically used to specify which networks should be reached through the tunnel:

access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0

!

group-policy NetworkTest-VPN attributes

  split-tunnel-policy tunnelspecified

  split-tunnel-network-list value SPLIT-ACL

A different ACL is used to filter the traffic that can be sent inside the tunnel. In that ACL the meaning of the fields is different to a normal ACL. The vpn-filter works with Remote and Local instead of Source and Destination.

Your VPN-Filter has to look like that:

access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.10 eq 3389

access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.20 eq 3389

access-list VPN-FILTER-TEST extended permit tcp object RA-VPN-HOST host 172.17.100.30 eq 22

!

group-policy NetworkTest-VPN attributes

  vpn-filter value VPN-FILTER-TEST


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
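
A lint for the mistakes discussed in this thread, as an added example (not part of the original posts and not Cisco tooling): it flags a split-tunnel list that points at an extended ACL, a vpn-filter that names an ACL missing from the supplied config, and vpn-filter entries whose first (remote) address does not cover the VPN pool. The function names and the simplified parsing are assumptions; the sample is assembled from lines posted above.

```python
import ipaddress

# Constructed sample, assembled from configuration lines posted in this thread.
SAMPLE = """\
ip local pool Q8-VPN-Pool 172.16.37.10-172.16.37.200 mask 255.255.255.0
access-list NetworkTest_splitTunnelAcl extended permit tcp host 172.17.100.10 eq 3389 any
group-policy NetworkTest-VPN attributes
 vpn-filter value Network-Admin_splitTunnelAcl
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NetworkTest_splitTunnelAcl
"""

def remote_net(fields):
    """First address field of an extended ACE; on a vpn-filter this is the remote side."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1])
    if fields[0] in ("object", "object-group"):
        return None  # object names are not resolved in this simplified parser
    return ipaddress.ip_network(f"{fields[0]}/{fields[1]}")

def lint(config):
    """Return findings for the split-tunnel / vpn-filter mistakes in an ASA config."""
    acls, pool_starts, findings = {}, [], []
    rows = [line.split() for line in config.splitlines() if line.split()]
    for t in rows:
        if t[0] == "access-list" and len(t) > 4:
            acls.setdefault(t[1], []).append(t[2:])  # [type, action, proto, addresses...]
        elif t[:3] == ["ip", "local", "pool"]:
            pool_starts.append(ipaddress.ip_address(t[4].split("-")[0]))
    for t in rows:
        if t[:2] == ["split-tunnel-network-list", "value"]:
            if any(ace[0] == "extended" for ace in acls.get(t[2], [])):
                findings.append(f"split-tunnel list {t[2]} is an extended ACL; use a standard ACL")
        elif t[:2] == ["vpn-filter", "value"]:
            if t[2] not in acls:
                findings.append(f"vpn-filter {t[2]} is not defined in this config")
            for ace in acls.get(t[2], []):
                if ace[0] != "extended" or len(ace) < 4:
                    continue
                net = remote_net(ace[3:])
                if net and pool_starts and not any(p in net for p in pool_starts):
                    findings.append(f"vpn-filter {t[2]}: first address {net} is not the VPN pool")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
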

Re: Remote Access VPN on ASA on IOS 8.4 (2)

Dear Karen

Thanks for the reply

So to make it simpler I created an ACL as below to avoid the routing issue:

access-list 20 standard permit any

I applied this ACL in my split tunnel:

group-policy NetworkTest-VPN internal

group-policy NetworkTest-VPN attributes

dns-server value 192.168.0.122 192.168.0.123

vpn-tunnel-protocol IPSec

vpn-filter value Network-Admin_splitTunnelAcl

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 20

default-domain value Q8.com

Dear Karen

My query now is about the vpn-filter which will provide access for the VPN group users to the inside servers.

VPN Pool is 172.16.37.x/24

SERVER Inside IP Address is 172.16.100.9 on 3389

Behind my ASA my Juniper is installed, so all traffic comes to the ASA with IP address 172.16.14.1.

The server which needs to be accessed from the VPN in my inside network has IP address 172.16.100.9 on 3389.

So how do I create the ACL for the vpn-filter?

Please do reply

VIP Purple

Re: Remote Access VPN on ASA on IOS 8.4 (2)

If your internal network is hidden by one IP on the Juniper firewall, then your vpn-filter will look like that:

access-list VPN-FILTER extended permit tcp 172.16.37.0 255.255.255.0 host 172.16.14.1 eq 3389

On the Juniper you have to configure the port-forwarding to the desired host.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: Remote Access VPN on ASA on IOS 8.4 (2)

Dear Karen

Thanks & much appreciated

My VPN is working fine and I am able to access the required server with specific ports.

I created the below access-list and I called it in my vpn-filter value:

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 172.17.100.10 eq domain

My VPN & Everything is working fine

One more request for help with the query below:

For a standard ACL we used to create it as: access-list ABC webtype permit url http://Q8.bombay.com

I want to know how to create a WEBTYPE access-list in my extended ACL as above

  (i.e. access-list Network-Admin_splitTunnelAcl extended)

Please do reply

VIP Purple

Re: Remote Access VPN on ASA on IOS 8.4 (2)

I'm not really sure what you mean, but the simplified rule for ACLs is:

- extended ACLs for Access-Control on L3/L4

- standard ACLs for controlling routing

- webtype ACLs for clientless VPNs

- ethertype ACLs for controlling L2-traffic in transparent firewall setups.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: Remote Access VPN on ASA on IOS 8.4 (2)

Dear Karen

https://Q8.bombay.com

q8.bombay.com is an internal web site which resolves to IP address 172.16.3.210.

I have created the below ACL and called this ACL in my web filter as below:

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 172.16.3.210 eq https

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 192.168.0.122 eq 53

access-list Network-Admin_splitTunnelAcl extended permit tcp any host 192.168.0.123 eq 53

access-list SPLIT-ACL standard permit 172.17.100.0 255.255.255.0

access-list SPLIT-ACL standard permit 172.16.0.0 255.255.0.0

group-policy NetworkTest-VPN internal

group-policy NetworkTest-VPN attributes

dns-server value 192.168.0.122 192.168.0.123

vpn-filter value Network-Admin_splitTunnelAcl

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-ACL
default-domain value Q8.com

QUERY

If I do telnet 172.16.3.210 443 (I am able to see in cmd that the port is open).

But if I write the IP address 172.16.3.210 in the browser (IE or Firefox), the website does open.

If I write the URL https://Q8.bombay.com it also does open.

Where can the mistake be? What more needs to be added to my ACL?
