ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN

Christian Isla — Tue, 12 Mar 2019 02:41:30 GMT

Hi all,

I've seen example after example of having a Remote IPSec Client reach a Remote Site via a Single ASA. Unfortunately, these have all been with the former syntax using ver <8.

I'm Hoping some might be able to guide me as this ASA is new to me. I have working Site2Site (in RED ) and working Remote Client VPN (in GREEN). My problem is that I'm want my remote client to reach the remote site too ( in Blue ). I've attached a diagram. and I've included my configs for both ends (remote site router and local asa). I've been using ASDM 7.1 to help me through this, but it's only gotten me this far and I'm killing way to many cycles pulling my hair out.

Can someone please tell what's wrong here?

oh, and ever since I've set my security-level higher on my insideDATA I can still reach web pages but not PING anything on the Internet.??

===============================

ASA

WUMASA5515x# sh run

: Saved

ASA Version 9.1(2)

hostname WUMASA5515x

domain-name wumfrgsn.local

enable password AYL/mjKstXNLBeQX encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool RA_IP_POOL 192.168.50.33-192.168.50.46 mask 255.255.255.240

interface GigabitEthernet0/0

nameif InternetWan

security-level 0

ip address 24.102.6.36 255.255.255.224

interface GigabitEthernet0/1

no nameif

security-level 0

no ip address

interface GigabitEthernet0/1.11

vlan 11

nameif insideDATA

security-level 90

ip address 10.11.0.1 255.255.0.0

interface GigabitEthernet0/1.172

vlan 172

nameif GuestWIFI

security-level 0

ip address 172.16.0.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

nameif management

security-level 100

ip address 192.168.99.1 255.255.255.0

interface Management0/0

management-only

shutdown

nameif unused

security-level 100

no ip address

boot system disk0:/asa912-smp-k8.bin

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup InternetWan

dns domain-lookup insideDATA

dns server-group DefaultDNS

name-server 24.53.239.16

name-server 24.53.239.17

domain-name wumfrgsn.local

same-security-traffic permit inter-interface

object network 145_Wilson_st

subnet 10.19.0.0 255.255.0.0

object network 191Mainst

subnet 10.17.0.0 255.255.0.0

object network 195_Ferguson

subnet 10.23.0.0 255.255.0.0

object network NETWORK_OBJ_10.11.0.0_16

subnet 10.11.0.0 255.255.0.0

object network 151_QueenN

subnet 10.22.0.0 255.255.0.0

object network 155_QueenN

subnet 10.12.0.0 255.255.0.0

object network 350_Quigley

subnet 10.21.0.0 255.255.0.0

object network 93_DelenaN

subnet 10.20.0.0 255.255.0.0

object network NETWORK_OBJ_192.168.50.32_28

subnet 192.168.50.32 255.255.255.240

object-group network Remote_Networks

network-object object 195_Ferguson

network-object object 145_Wilson_st

network-object object 151_QueenN

network-object object 155_QueenN

network-object object 191Mainst

network-object object 350_Quigley

network-object object 93_DelenaN

object-group network DM_INLINE_NETWORK_1

network-object 10.11.0.0 255.255.0.0

network-object 172.16.0.0 255.255.255.0

network-object 192.168.99.0 255.255.255.0

network-object 24.102.6.32 255.255.255.224

group-object Remote_Networks

access-list InternetWan_cryptomap extended permit ip 10.11.0.0 255.255.0.0 object 195_Ferguson

access-list RA_VPN_splitTunnelAcl standard permit 10.11.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 172.16.0.0 255.255.255.0

access-list RA_VPN_splitTunnelAcl standard permit 192.168.99.0 255.255.255.0

access-list RA_VPN_splitTunnelAcl standard permit 24.102.6.32 255.255.255.224

access-list RA_VPN_splitTunnelAcl standard permit 10.19.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 10.22.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 10.12.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 10.17.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 10.23.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 10.21.0.0 255.255.0.0

access-list RA_VPN_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0

access-list InternetWan_cryptomap_1 extended permit ip 10.11.0.0 255.255.0.0 object 145_Wilson_st

pager lines 24

logging asdm informational

mtu InternetWan 1500

mtu insideDATA 1500

mtu GuestWIFI 1500

mtu unused 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any InternetWan

icmp permit any insideDATA

asdm image disk0:/asdm-713.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (insideDATA,InternetWan) source static NETWORK_OBJ_10.11.0.0_16 NETWORK_OBJ_10.11.0.0_16 destination static Remote_Networks Remote_Networks no-proxy-arp route-lookup

nat (GuestWIFI,InternetWan) source dynamic any interface

nat (insideDATA,InternetWan) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.50.32_28 NETWORK_OBJ_192.168.50.32_28 no-proxy-arp route-lookup

nat (insideDATA,InternetWan) source static NETWORK_OBJ_10.11.0.0_16 NETWORK_OBJ_10.11.0.0_16 destination static 145_Wilson_st 145_Wilson_st no-proxy-arp route-lookup

nat (management,InternetWan) source dynamic any interface

nat (insideDATA,InternetWan) after-auto source dynamic any interface

route InternetWan 0.0.0.0 0.0.0.0 24.102.6.33 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http 192.168.99.0 255.255.255.0 management

http 192.168.50.32 255.255.255.240 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map InternetWan_map 1 match address InternetWan_cryptomap

crypto map InternetWan_map 1 set pfs

crypto map InternetWan_map 1 set peer 72.12.152.245

crypto map InternetWan_map 1 set ikev1 transform-set ESP-3DES-MD5

crypto map InternetWan_map 2 match address InternetWan_cryptomap_1

crypto map InternetWan_map 2 set pfs

crypto map InternetWan_map 2 set peer 72.12.152.188

crypto map InternetWan_map 2 set ikev1 transform-set ESP-3DES-MD5

crypto map InternetWan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map InternetWan_map interface InternetWan

crypto ca trustpool policy

crypto ikev1 enable InternetWan

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.99.0 255.255.255.0 management

ssh 192.168.50.32 255.255.255.240 management

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group14-sha1

console timeout 0

management-access management

dhcpd address 10.11.0.20-10.11.0.40 insideDATA

dhcpd dns 24.53.239.16 interface insideDATA

dhcpd domain wum.local interface insideDATA

dhcpd update dns both interface insideDATA

dhcpd enable insideDATA

dhcpd address 172.16.0.100-172.16.0.150 GuestWIFI

dhcpd dns 24.53.239.16 24.53.239.17 interface GuestWIFI

dhcpd domain wum.guest.local interface GuestWIFI

dhcpd enable GuestWIFI

dhcpd address 192.168.99.240-192.168.99.250 management

dhcpd dns 24.53.239.16 24.53.239.17 interface management

dhcpd domain mgnt.wum.local interface management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 209.167.68.100 source InternetWan prefer

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy RA_VPN internal

group-policy RA_VPN attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RA_VPN_splitTunnelAcl

default-domain value wumfrgsn.local

group-policy GroupPolicy_72.12.152.188 internal

group-policy GroupPolicy_72.12.152.188 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy_72.12.152.245 internal

group-policy GroupPolicy_72.12.152.245 attributes

vpn-tunnel-protocol ikev1

username vpntest password IyV0jGRyb7Bozb3j encrypted privilege 15

username vpntest attributes

vpn-group-policy RA_VPN

username usermon password KpWxOxmGlFVZC0Kf encrypted

username clearca password ji55PAt.mBgyB8Ep encrypted privilege 15

tunnel-group 72.12.152.245 type ipsec-l2l

tunnel-group 72.12.152.245 general-attributes

default-group-policy GroupPolicy_72.12.152.245

tunnel-group 72.12.152.245 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group RA_VPN type remote-access

tunnel-group RA_VPN general-attributes

address-pool RA_IP_POOL

default-group-policy RA_VPN

tunnel-group RA_VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 72.12.152.188 type ipsec-l2l

tunnel-group 72.12.152.188 general-attributes

default-group-policy GroupPolicy_72.12.152.188

tunnel-group 72.12.152.188 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!=========

========================================================================

Remote Router.

! Last configuration change at 10:10:47 EDST Fri Sep 20 2013 by cisla

! NVRAM config last updated at 10:11:58 EDST Fri Sep 20 2013 by cisla

version 12.4

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

hostname WUM145Wlsn-861

boot-start-marker

boot system flash c860-universalk9-mz.153-3.M.bin

boot-end-marker

logging message-counter syslog

logging buffered 1024000

aaa new-model

aaa session-id common

clock timezone EST -5

clock summer-time EDST recurring

crypto pki trustpoint TP-self-signed-3210677487

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3210677487

revocation-check none

rsakeypair TP-self-signed-3210677487

crypto pki certificate chain TP-self-signed-3210677487

certificate self-signed 01

30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33323130 36373734 3837301E 170D3133 30393130 31343332

35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32313036

37373438 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100D387 BFA5724D CB3A1419 BDD284C9 2CB5F7F3 85B8FF8D AC9A1E38 45757873

16B3FFE2 E9363FA5 8DB00C89 61ABB632 A91F49D0 40444E69 04A73966 2DEE492F

EE65C774 5BA7808B 9E82B108 7BFF299E 2880175F 93ABDD4C 0C5C3609 5D516CDA

550C2E36 F5F93D22 9896182B 58946DAA AC463317 E6E6D730 31E6E28A 14ECDA91

49E70203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603

551D1104 1E301C82 1A57554D 31393546 5247534E 2D383631 772E7775 6D2E6C6F

63616C30 1F060355 1D230418 30168014 BA424AD3 CCCD22F5 863C50C1 A63FFC1D

17B2E7F5 301D0603 551D0E04 160414BA 424AD3CC CD22F586 3C50C1A6 3FFC1D17

B2E7F530 0D06092A 864886F7 0D010104 05000381 81007877 CCA0B502 47D8F8BD

30829B54 E6719CF0 D12F00FB 433FE0FF 2C03E549 7D88673B AF444F62 76F3754D

D27E8E7B 1653D4B7 36D322CD DC4CB3A1 5C77FAC5 F52F6AE5 2D7FFDDE 55C5142E

2ABF2A0F B34B01BB C99547F1 DFCF6F7F 8CEC2806 60F89145 92124E4E 93C1E956

21435255 612622F0 FA74FE30 83C9D80A 8518FA4A 4118

quit

ip source-route

ip dhcp excluded-address 10.19.0.1 10.19.0.20

ip dhcp pool ccp-pool

import all

network 10.19.0.0 255.255.0.0

default-router 10.19.0.1

dns-server 24.215.0.249

lease 0 2

ip cef

ip domain name wum.local

ip name-server 24.53.239.16

ip name-server 24.53.239.17

username cisla privilege 15 secret 5 $1$gf9q$ndfAaob6J/M7jwQOOaA310

crypto isakmp policy 19

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key testing4231 address 24.102.6.36

crypto isakmp keepalive 360

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec df-bit clear

crypto map SDM_CMAP_1 19 ipsec-isakmp

description Tunnel to MAIN

set peer 24.102.6.36

set transform-set ESP-3DES-MD5

match address 119

topic ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN in Network Security

ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN

ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN

Re: ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN

ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN

Re: ASA 5515x v. 9.1 Remote client VPN to Site to Site VPN