New Member

VPN IP Pool routing

Hi - I have an ASA5520 with IPSEC and SSL VPN setup. All works fine if I am content with accessing the inside network, but I also want to access the network in the subnet called "store". The security level is set to 90 on this interface but I cannot reach any resources there from any VPN connection. I thought the VPN client was dumped into the inside security level of 100, so therefore security should flow downhill. I guess I was wrong and was wondering if anyone could set me on the right path. The config is listed below. THANKS!!!!!

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.8 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.31.1.8 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.66 255.255.255.0
!
interface GigabitEthernet0/3
 nameif store
 security-level 90
 ip address 10.2.195.28 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
dns server-group DefaultDNS
 domain-name lab.net
object-group network Inside-all
 description Private Lab Networks
 network-object 172.2.0.0 255.255.0.0
 network-object 172.31.1.0 255.255.255.0
access-list outside_access_in extended permit ip any host xxx.xxx.83.7 log debugging
access-list inside_access_in extended permit ip any any
access-list store_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap_1 extended permit ip any 192.168.100.0 255.255.255.240
access-list store-internal remark store internal network
access-list store-internal standard permit 10.0.0.0 255.0.0.0
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
global (outside) 1 interface
global (store) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.0.0.0 255.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (dmz,outside) 65.x.x.7 192.168.2.67 netmask 255.255.255.255
static (inside,store) 10.2.195.27 172.31.1.60 netmask 255.255.255.255
static (dmz,inside) 192.168.2.67 192.168.2.67 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group store_access_in in interface store
route outside 0.0.0.0 0.0.0.0 xxx.xxx.83.1 1
route inside 172.0.0.0 255.0.0.0 172.31.1.254 1
route store 10.0.0.0 255.0.0.0 10.2.195.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key *
!
webvpn
 port 444
 enable outside
 enable store
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
: end

3 REPLIES
New Member

Re: VPN IP Pool routing

I think you would need another ACL (VPN to store) and NAT 0 for store:

access-list store_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240

nat (store) 0 access-list store_nat0_outbound

If I am not wrong, those statements should help get the VPN clients to the store interface.

New Member

Re: VPN IP Pool routing

I have the same problem communicating with the LAN, although the nat0 setup is already there (details attached here):

access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.0.11.0 255.255.255.0

nat (inside) 0 access-list 101

SSL VPN details:

- LAN: 192.168.0.0/24

- SSL VPN pool: 10.0.11.0/24

- Tunnel Group: Test-WebVPNGroup

My environment:

- Cisco ASA 5520 v. 7.2(2)19,

- ASDM v. 5.2(2)

- SVC client: sslclient-win-1.1.4.179.pkg

- Desktop: Win XP

Please assist.

New Member

Re: VPN IP Pool routing

Problem resolved by adding the reverse nat0 ACL (IP pool -> LAN):

access-list 101 extended permit ip 10.0.11.0 255.255.255.0 192.168.0.0 255.255.255.0
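Turning the thread's answer into a config check, as an added example that is not code from any of the posters: it reads the nameif, ip local pool, "nat (iface) 0 access-list" and extended-ACL lines of an ASA 7.x style config and lists every interface whose NAT-0 exemption does not cover the whole VPN pool, which is the gap the first reply points at for "store". The sample config is a constructed trim of the one posted above, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the config posted above, trimmed.
SAMPLE_CONFIG = """
nameif outside
nameif inside
nameif dmz
nameif store
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.0.0.0 255.0.0.0
"""

def _take_net(tokens):
    """Consume one ACL address spec (any | host A | NET MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect nameifs, pool ranges, 'nat (if) 0 access-list' bindings and extended ACL entries."""
    ifaces, pools, nat0, acls = [], [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            ifaces.append(line.split()[1])
        elif line.startswith("ip local pool "):
            first, last = line.split()[4].split("-")  # e.g. 192.168.100.1-192.168.100.10
            pools.extend(ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)  # NAT exemption bound to that interface
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = _take_net(m.group(2).split())
            dst, _ = _take_net(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return ifaces, pools, nat0, acls

def missing_vpn_exemption(text, vpn_iface="outside"):
    """Interfaces (other than the VPN-terminating one) whose NAT-0 ACL does not cover the pool."""
    ifaces, pools, nat0, acls = parse_config(text)
    def covered(name):  # pool may sit on either side of the exemption ACL ("any" counts)
        entries = acls.get(nat0.get(name, ""), [])
        return all(any(p.subnet_of(s) or p.subnet_of(d) for s, d in entries) for p in pools)
    return [n for n in ifaces if n != vpn_iface and not covered(n)]
```

Running it on the sample returns ['dmz', 'store']; appending the two lines from the first reply removes 'store' from that list.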
