
adding multiple subnet access to vpn

itdaddy Member Posts: 2,089
Hey guys, I am asking this again, maybe in a better way.

Okay, we have a remote access VPN set up at work using an ASA 5505
and IPsec/UDP with a .pcf file. It works great, but only gives direct access to 1 subnet, 1.x.

I want to access all subnets
1.x
2.x
3.x
4.x
41.x
I do not like to double RDP. I want to RDP right into the device.
We have to type the FQDN to RDP into the network. It uses AD as an authentication server.

So how do I add the other subnets to the VPN setup so anyone using Active Directory to create the tunnel can RDP directly into the server, vs.
double remoting into the 1.x server and then from that server RDPing into the 2.x etc. servers/subnets?

Can you explain or direct me to the correct documentation? Thanks so much.

Comments

  • shednik Member Posts: 2,005
    Not sure I completely understand what you are trying to accomplish, but here is one way to do that. The first way, without split tunneling, will only let the client access those networks and nothing else. I.e., it will tunnel all networks; adding split tunneling will only use the tunnel for those networks.

    access-list TE-Test-ACL standard permit 10.0.0.0 255.0.0.0
    access-list TE-Test-ACL standard permit 192.168.0.0 255.255.0.0
    group-policy GroupPolicy-Test internal
    group-policy GroupPolicy-Test attributes
     vpn-filter value TE-Test-ACL
    
    If you are doing split tunneling

    Add this:
    group-policy GroupPolicy-Test internal
    group-policy GroupPolicy-Test attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value TE-Test-ACL
    Hope this helps

    joe
  • cisco_trooper Member Posts: 1,441
    In addition to the VPN filter example provided by joe, you need to make sure your NAT exemption rules are correct. Have you examined the logs while you attempt to RDP into one of the devices you are having trouble accessing? Post a dummy config and I'll fix it up for you.
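    The two answers above describe two separate conditions that both have to hold before a client can reach a subnet directly: the subnet has to be sent into the tunnel (split-tunnel list, or tunnel-all policy) and the traffic between the VPN pool and that subnet has to be exempted from NAT. The script below is an added example written for this thread, not config or code from any of the posters; it parses 8.2-style ASA config text for those two pieces and reports, per wanted subnet, which condition is missing. The ACL names (SPLIT-ACL, NONAT), the pool 192.168.100.0/24 and the 192.168.N.0/24 subnets standing in for "1.x ... 41.x" are constructed placeholders.

```python
"""Which internal subnets can a remote-access VPN client actually reach directly?

Added example (not from the thread). Parses ASA 8.2-style config text for the
split-tunnel standard ACL, the NAT-exemption extended ACL and the group-policy
split-tunnel-policy, then reports per subnet whether it is tunneled and
NAT-exempted toward the VPN pool. Addresses, ACL names and the pool below are
constructed placeholders mirroring the poster's "1.x ... 41.x" subnets.
"""
import ipaddress
import re

STANDARD_ACE = re.compile(
    r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)$")
EXTENDED_IP_ACE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
SPLIT_POLICY = re.compile(r"^split-tunnel-policy\s+(\S+)$")


def _net(addr, mask):
    # ASA writes "network netmask" pairs; ipaddress accepts a.b.c.d/netmask directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_standard_acl(config, name):
    """Networks permitted by a *standard* ACL (the split-tunnel network list)."""
    nets = []
    for raw in config.splitlines():
        m = STANDARD_ACE.match(raw.strip())
        if m and m.group(1) == name:
            nets.append(_net(m.group(2), m.group(3)))
    return nets


def parse_nonat_acl(config, name):
    """(source, destination) pairs of an *extended* 'permit ip' ACL.

    On 8.2 this ACL is referenced by 'nat (inside) 0 access-list NAME'; the
    source is the internal subnet and the destination is the VPN address pool."""
    pairs = []
    for raw in config.splitlines():
        m = EXTENDED_IP_ACE.match(raw.strip())
        if m and m.group(1) == name:
            pairs.append((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return pairs


def split_tunnel_policy(config):
    """'tunnelspecified' or 'tunnelall'; the ASA default when unset is tunnelall."""
    for raw in config.splitlines():
        m = SPLIT_POLICY.match(raw.strip())
        if m:
            return m.group(1)
    return "tunnelall"


def tunnel_coverage(config, split_acl, nonat_acl, vpn_pool, wanted):
    """Per wanted subnet: is it sent into the tunnel, and is it NAT-exempted
    toward the pool? Both must hold for direct RDP from the VPN client."""
    tunneled_nets = parse_standard_acl(config, split_acl)
    exemptions = parse_nonat_acl(config, nonat_acl)
    pool = ipaddress.ip_network(vpn_pool)
    tunnel_all = split_tunnel_policy(config) == "tunnelall"
    report = {}
    for subnet in wanted:
        net = ipaddress.ip_network(subnet)
        tunneled = tunnel_all or any(net.subnet_of(n) for n in tunneled_nets)
        exempt = any(net.subnet_of(s) and pool.subnet_of(d) for s, d in exemptions)
        report[subnet] = {"tunneled": tunneled, "nat_exempt": exempt,
                          "reachable": tunneled and exempt}
    return report


SAMPLE_CONFIG = """\
! constructed sample config (not the poster's): 192.168.3.0 lacks NAT exemption,
! 192.168.4.0 is missing from the split-tunnel list, 192.168.41.0 lacks both
ip local pool RA-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
access-list SPLIT-ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-ACL standard permit 192.168.2.0 255.255.255.0
access-list SPLIT-ACL standard permit 192.168.3.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
group-policy GroupPolicy-Test internal
group-policy GroupPolicy-Test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
"""

WANTED = ["192.168.%d.0/24" % n for n in (1, 2, 3, 4, 41)]

if __name__ == "__main__":
    result = tunnel_coverage(SAMPLE_CONFIG, "SPLIT-ACL", "NONAT", "192.168.100.0/24", WANTED)
    for subnet, r in result.items():
        print(f"{subnet:18} tunneled={r['tunneled']!s:5} "
              f"nat_exempt={r['nat_exempt']!s:5} reachable={r['reachable']}")
```

    Run against a pasted `show run`, a subnet that reports tunneled but not NAT-exempt is the case cisco_trooper describes (packets enter the tunnel but the inside host's replies get translated), while one that reports NAT-exempt but not tunneled never leaves the client through the tunnel at all. Removing the split-tunnel-policy line from the sample makes every subnet count as tunneled, which is shednik's "tunnel all networks" case.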
  • itdaddy Member Posts: 2,089
    Sure, you guys are getting it. What I have to do currently is Remote Desktop Protocol into only 1 subnet, 1.x (192.168.1.x). Then I remote into a server and RDP from that server into the choice I gave you of other subnets, using the FQDN (servername.domain.priv), and bam, I am remoting into another subnet not defined by VPN router rules. The issue with this is bad latency. If I can directly remote from the VPN router to the subnet I can have more pure access, lessening latency. Double remoting sucks and can really put a load on the VPN; you can really tell the difference between direct connect and double remoting. That is why I want the VPN to route to the other subnets that are defined, not just one subnet. All the subnets are routed on our network WAN. Will get a dummy config soon. Thanks so much for your expert advice. See you tomorrow.
  • shednik Member Posts: 2,005
    In addition to the VPN filter example provided by joe, you need to make sure your NAT exemption rules are correct. Have you examined the logs while you attempt to RDP into one of the devices you are having trouble accessing? Post a dummy config and I'll fix it up for you.

    Ah... I've been on 8.3 too long; I forgot to add that, if he's still on 8.2.
  • cisco_trooper Member Posts: 1,441
    Yeah, I haven't made the jump to 8.3 yet, and I like to maintain control of my own NAT definitions. How do you like it?
  • burbankmarc Member Posts: 460
    I have 8.3 in one facility, it's a small facility though so it isn't too crazy a config.

    I tried upgrading my 5520s in another facility to 8.4 (from 8.2) but it said it required 1024 MB of RAM.

    Other than that I haven't had much of a problem with 8.3 and up.

    *EDIT*

    Also, downgrading from 8.4 back to 8.2 was simple, because it auto saved the old config. So they cover your ass pretty well.