Cisco Support Community
VPN Client accessing remote LAN

Trying to figure out how to configure the VPN client side to access a remote lan.

Lan A - 172.16.17.0 - ASA5505 8.2(3)

Lan B - 200.200.0.0 - ASA5510

Cisco Client - V5

At present there exists a VPN tunnel between Lan A and Lan B. The client has a VPN tunnel to Lan A to run software package X on the Lan A server. The client also needs to run software package Y, which needs access to a database on Lan B. The computers on Lan A have no problem using package Y since a VPN tunnel exists between Lan A and Lan B. How can I get the client to also access Lan B on the same tunnel created when the client connects to Lan A? I can't seem to get packets that are directed to Lan B to cross the client tunnel to A, which would then hopefully move onto the Lan A / Lan B tunnel.

Thanks

Paul

2 REPLIES

Re: VPN Client accessing remote LAN

Hi,

First you need to determine whether the VPN Client pool network can be visible with its original address to the remote site LAN B (no overlaps between the pool and LAN B local networks).

If there is no problem you will have to configure a NAT0 / NAT Exempt configuration on your outside interface on the LAN A ASA to tell it that traffic coming from the VPN Pool network towards the LAN B network will not be NATed:

access-list NONAT-OUTSIDE permit ip

nat (outside) 0 access-list NONAT-OUTSIDE

So this should handle that the traffic from VPN Client user towards LAN B would be visible to LAN B with its original IP address.

You will also need to add the traffic between these networks to the configurations of the L2L VPN (between LAN A and LAN B) so the VPN Clients traffic gets forwarded to the L2L VPN between the actual LANs.

The configuration should look something like this:

crypto map match address

The above ACL has to have a line in it for the traffic between vpnpool network and lanb network

access-list L2L-VPN-ENCRYPTIONDOMAIN permit ip

All the above configurations would also need to be on the LAN B VPN device/firewall for the connections to work (mirror images, of course, looking from LAN B to LAN A).

Since you haven't posted any configurations I don't know what other things might be missing.

- Jouni


Re: VPN Client accessing remote LAN

I tried a couple of your ideas but still no luck. So here is the config that is pertinent. Thanks

name 172.16.17.0 A-LAN

name 172.23.0.0 B-Lan2
name 200.200.0.0 B-Lan1
name xx.xx.xx.xx B-EndPt

interface Vlan1
nameif inside
security-level 100
ip address 172.16.17.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
ospf cost 10

object-group network B-Lan-Grp
network-object B-Lan2 255.255.0.0
network-object B-Lan1 255.255.0.0


access-list inside_outbound_nat0_acl extended permit ip A-LAN 255.255.255.0 object-group B-Lan-Grp
access-list inside_outbound_nat0_acl extended permit ip interface inside object-group B-Lan-Grp

access-list outside_cryptomap_80 extended permit ip A-LAN 255.255.255.0 object-group B-Lan-Grp

access-list RemoteUser_splitTunnelAcl extended permit ip A-LAN 255.255.255.0 any

access-list outside_1_cryptomap extended permit ip interface inside object-group B-Lan-Grp
access-list outside_cryptomap_dyn_20 extended permit ip any A-LAN 255.255.255.0
access-list outside_cryptomap_dyn_95 extended permit ip any object-group B-Lan-Grp


ip local pool RemoteClient 172.16.17.175-172.16.17.180 mask 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 95 match address outside_cryptomap_dyn_95
crypto dynamic-map outside_dyn_map 95 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 99 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 99 set transform-set ESP-3DES-MD5

crypto map outside_map 1 match address outside_cryptomap_80
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer B-EndPt
crypto map outside_map 80 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

group-policy VPNClient internal
group-policy VPNClient attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
group-lock value VPNClient
split-tunnel-network-list value RemoteUser_splitTunnelAcl

username vpnuser password xxxxxxxxx encrypted privilege 0
username vpnuser attributes
vpn-group-policy VPNClient
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****


tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
address-pool RemoteClient
default-group-policy VPNClient
tunnel-group VPNClient ipsec-attributes
pre-shared-key *****

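The reply above names two conditions the LAN A ASA must meet before VPN-client traffic can ride the LAN A / LAN B L2L tunnel: the client pool must not overlap LAN B, and the flow pool -> LAN B must be covered both by a NAT-exempt ACL bound to the outside interface and by the L2L crypto-map ACL. The script below is an added example (not Cisco tooling and not from either poster) that parses the relevant lines of the config posted above, in ASA 8.2 syntax, and reports which condition is unmet. The constant names (POSTED_CONFIG, FIX_LINES, NONAT-OUTSIDE as the hypothetical outside NAT-exempt ACL) are assumptions of this example; the addresses and object names are those from the thread.

```python
"""Added example: audit an ASA 8.2-style config for the two conditions in the
reply above. Sample lines are copied from the posted LAN A config; the
checker is not Cisco tooling."""
import ipaddress

# Constructed sample: the relevant lines from the posted LAN A ASA config.
POSTED_CONFIG = """
name 172.16.17.0 A-LAN
name 172.23.0.0 B-Lan2
name 200.200.0.0 B-Lan1
object-group network B-Lan-Grp
 network-object B-Lan2 255.255.0.0
 network-object B-Lan1 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip A-LAN 255.255.255.0 object-group B-Lan-Grp
access-list inside_outbound_nat0_acl extended permit ip interface inside object-group B-Lan-Grp
access-list outside_cryptomap_80 extended permit ip A-LAN 255.255.255.0 object-group B-Lan-Grp
ip local pool RemoteClient 172.16.17.175-172.16.17.180 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 80 match address outside_cryptomap_80
"""

# Hypothetical fix in the style of the reply: a NAT-exempt ACL bound to outside.
FIX_LINES = """
access-list NONAT-OUTSIDE extended permit ip A-LAN 255.255.255.0 object-group B-Lan-Grp
nat (outside) 0 access-list NONAT-OUTSIDE
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask, names):
    """Build a network from an ASA 'addr mask' pair, resolving 'name' aliases."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _addr(tokens, cfg):
    """Consume one ACL address spec; return ([networks], remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return [ANY], tokens[1:]
    if kind == "host":
        return [_net(tokens[1], "255.255.255.255", cfg["names"])], tokens[2:]
    if kind == "object-group":
        return list(cfg["groups"][tokens[1]]), tokens[2:]
    if kind == "interface":  # the interface's own address, not a subnet: ignore
        return [], tokens[2:]
    return [_net(kind, tokens[1], cfg["names"])], tokens[2:]


def parse_config(text):
    """Return names, object groups, ACL entries, pools, nat0 bindings and crypto-map ACLs."""
    cfg = {"names": {}, "groups": {}, "acls": {}, "pools": {}, "nat0": {}, "cryptomap": {}}
    group = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] != "network-object":
            group = None  # object-group body ends at the first non-member line
        if t[0] == "name":  # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "network-object" and group is not None:
            group.append(_net(t[1], t[2], cfg["names"]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(t[5:], cfg)
            dst, _ = _addr(rest, cfg)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:  # ip local pool <name> <lo>-<hi> mask <m>
            lo, hi = (ipaddress.ip_address(x) for x in t[4].split("-"))
            cfg["pools"][t[3]] = list(ipaddress.summarize_address_range(lo, hi))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:  # nat (<iface>) 0 access-list <acl>
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["cryptomap"][int(t[3])] = t[6]
    return cfg


def pool_overlaps(pool_nets, lan_nets):
    """Condition 1: does any pool address also fall inside a remote-LAN network?"""
    return any(p.overlaps(l) for p in pool_nets for l in lan_nets)


def acl_covers(entries, pool_nets, lan_nets):
    """Condition 2: is every pool network -> every remote-LAN network permitted?"""
    def covered(p, l):
        return any(any(p.subnet_of(s) for s in src) and any(l.subnet_of(d) for d in dst)
                   for src, dst in entries)
    return all(covered(p, l) for p in pool_nets for l in lan_nets)


def audit(config_text, pool_name="RemoteClient", lan_b_group="B-Lan-Grp", l2l_seq=80):
    """Return a list of findings; an empty list means both conditions are met."""
    cfg = parse_config(config_text)
    pool, lan_b = cfg["pools"][pool_name], cfg["groups"][lan_b_group]
    findings = []
    if pool_overlaps(pool, lan_b):
        findings.append("VPN pool overlaps LAN B: pool cannot reach LAN B with its original addresses")
    nat0_acl = cfg["nat0"].get("outside")
    if nat0_acl is None or not acl_covers(cfg["acls"].get(nat0_acl, []), pool, lan_b):
        findings.append("no nat (outside) 0 ACL covers pool -> LAN B")
    crypto_acl = cfg["cryptomap"].get(l2l_seq)
    if crypto_acl is None or not acl_covers(cfg["acls"].get(crypto_acl, []), pool, lan_b):
        findings.append(f"crypto map seq {l2l_seq} ACL does not cover pool -> LAN B")
    return findings


if __name__ == "__main__":
    print("posted config:", audit(POSTED_CONFIG) or "no findings")
    print("with NAT exempt on outside:", audit(POSTED_CONFIG + FIX_LINES) or "no findings")
```

On the posted lines the L2L crypto ACL already covers the pool, because the pool was carved out of the inside 172.16.17.0/24 and the ACL is written on A-LAN/24; the only finding is that the NAT-exempt ACL is bound to inside, not outside, which is the NAT0 point the reply makes. The checker looks only at the LAN A side; the mirror-image ACLs on the LAN B device still have to include the pool, as the reply says, and a general ASA requirement not mentioned in the thread is that traffic entering and leaving the same interface needs same-security-traffic permit intra-interface.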