11-11-2013 01:53 PM - edited 03-11-2019 08:03 PM
I have a firewall with a site to site connection to another LAN. I can access the services from the main lan at the site, but I can't access them from the vpn. Need help trying to figure out why. PS the firewall I am using is on 8.2 which has the older Exemptions. I am wanting them to access the sa-lan 10.5.0.0/16.
ASA Version 8.2(1)
!
hostname cur-asa
domain-name dpt.dfb.net
enable password vvfPMqIRz/IF7MC9 encrypted
passwd vvfPMqIRz/IF7MC9 encrypted
names
name 192.168.200.0 curacao-lan
name 10.5.0.0 sa-lan
name 192.168.201.0 cur-vpn-group
dns-guard
!
interface Ethernet0/0
description onenet 190
nameif external-190
security-level 0
pppoe client vpdn group onenet190
pppoe client route distance 2
ip address pppoe setroute
!
interface Ethernet0/1
description ONENET 12mb
nameif external-12
<--- More --->
security-level 0
ip address *88.36.215 255.255.255.240
!
interface Ethernet0/2
description curacao lan
nameif internal
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone BOT -4
dns domain-lookup internal
<--- More --->
dns server-group DefaultDNS
name-server 192.168.200.254
domain-name dpt.dfb.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service dfb-allow tcp
port-object eq 9000
port-object eq domain
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq pop3
port-object eq ssh
port-object eq telnet
port-object eq 8080
port-object eq 993
port-object eq 5223
port-object eq smtp
port-object eq 465
port-object eq daytime
port-object eq 52230
object-group service dfb-allow-udp udp
port-object eq 9000
<--- More --->
port-object eq 443
port-object eq ntp
object-group service temp-rdp tcp
port-object eq 3389
port-object eq 8612
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object tcp eq 8080
object-group network dns-allow
network-object host 208.67.220.220
network-object host 208.67.222.222
network-object host 8.8.8.8
object-group network DM_INLINE_NETWORK_1
network-object curacao-lan 255.255.255.0
network-object cur-vpn-group 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object curacao-lan 255.255.255.0
network-object cur-vpn-group 255.255.255.0
object-group service hpvpn tcp-udp
description microsoft vpn healthpoint
port-object eq 1701
<--- More --->
port-object eq 1723
port-object eq 4500
port-object eq 500
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object curacao-lan 255.255.255.0
network-object cur-vpn-group 255.255.255.0
access-list external-200_1_cryptomap extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
access-list internal_nat0_outbound extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
access-list internal_nat0_outbound extended permit ip curacao-lan 255.255.255.0 cur-vpn-group 255.255.255.0
access-list external-200_access_out extended permit ip any any
access-list external-190_access_out extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
access-list external-190_access_out extended permit tcp any any object-group dfb-allow
access-list external-190_access_out extended permit udp any any object-group dfb-allow-udp
access-list external-190_access_out extended permit ip any any inactive
access-list internal_nat0_outbound_1 extended permit ip sa-lan 255.255.0.0 curacao-lan 255.255.255.0
access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 any
access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 sa-lan 255.255.0.0
access-list external-12_1_cryptomap extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
access-list external-12_nat0_outbound_1 extended permit ip any cur-vpn-group 255.255.255.0
access-list external-12_nat0_outbound_1 extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
access-list external-12_nat0_outbound extended permit ip cur-vpn-group 255.255.255.0 any
<--- More --->
access-list external-12_access_in extended permit object-group DM_INLINE_SERVICE_1 any host *.88.36.215
access-list external-12_access_in extended permit ip sa-lan 255.255.0.0 any
access-list external-12_access_in extended permit ip cur-vpn-group 255.255.255.0 any
access-list global_mpc extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
access-list internal_access_in extended permit ip any any inactive
access-list internal_access_in extended permit ip host 192.168.200.106 any
access-list internal_access_in extended permit ip object-group DM_INLINE_NETWORK_3 sa-lan 255.255.0.0
access-list internal_access_in extended permit tcp any any object-group dfb-allow
access-list internal_access_in extended permit udp any any object-group dfb-allow-udp
access-list internal_access_in extended permit udp object-group DM_INLINE_NETWORK_1 object-group dns-allow eq domain
access-list internal_access_in extended permit tcp any any object-group temp-rdp
access-list internal_access_in extended permit icmp object-group DM_INLINE_NETWORK_2 any
access-list vpn_split standard permit curacao-lan 255.255.255.0
access-list vpn_split standard permit sa-lan 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu external-190 1500
mtu external-12 1500
mtu internal 1500
mtu management 1500
ip local pool cpn-dhcp 192.168.201.1-192.168.201.20 mask 255.255.255.0
ip local pool cur-dhcp 192.168.200.90-192.168.200.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
<--- More --->
icmp permit any external-12
icmp permit any internal
no asdm history enable
arp timeout 14400
global (external-190) 1 interface
global (external-12) 1 interface
nat (external-190) 1 curacao-lan 255.255.255.0
nat (external-12) 0 access-list external-12_nat0_outbound_1
nat (external-12) 0 access-list external-12_nat0_outbound outside
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 0 access-list internal_nat0_outbound_1 outside
nat (internal) 1 0.0.0.0 0.0.0.0
static (internal,external-12) tcp interface smtp 192.168.200.253 smtp netmask 255.255.255.255
static (internal,external-12) tcp interface https 192.168.200.253 https netmask 255.255.255.255
access-group external-190_access_out out interface external-190
access-group external-12_access_in in interface external-12
access-group external-200_access_out out interface external-12
access-group internal_access_in in interface internal
route external-12 0.0.0.0 0.0.0.0 *.88.36.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
<--- More --->
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server cur-fps protocol radius
aaa-server cur-fps (internal) host 192.168.200.252
timeout 5
key Knot4U!
http server enable 442
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 external-190
http 0.0.0.0 0.0.0.0 internal
http 0.0.0.0 0.0.0.0 external-12
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
<--- More --->
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map external-12_map 1 match address external-12_1_cryptomap
crypto map external-12_map 1 set pfs group1
crypto map external-12_map 1 set peer 12.197.232.98
crypto map external-12_map 1 set transform-set ESP-3DES-SHA
crypto map external-12_map interface external-12
crypto isakmp enable external-12
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 internal
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 15
vpdn group onenet190 request dialout pppoe
vpdn group onenet190 localname dfbbiocur@office_onenet.an
vpdn group onenet190 ppp authentication pap
<--- More --->
vpdn username dfbbiocur@office_onenet.an password ********* store-local
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address curacao-lan 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
port 442
enable external-190
enable external-12
enable internal
dtls port 442
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc profiles dpt-new disk0:/dpt_basic.xml
svc enable
group-policy ssl-vpn internal
group-policy ssl-vpn attributes
banner value Your are now connected to DPT Laboratories, LTD. You acknowledge that you are an authorized employee of DFB Pharmaceuticals, Inc. and its affiliates. Use of this service in the performance of activities unrelated to the mission of DFB Pharmaceuticals, Inc. and its affiliates is strictly prohibited.
dns-server value 192.168.200.254
<--- More --->
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-session-timeout 480
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split
default-domain value cur.net
address-pools value cpn-dhcp
webvpn
url-list none
svc profiles value dpt-new
svc ask enable
keep-alive-ignore 96
group-policy DfltGrpPolicy attributes
dns-server value 192.168.200.254
vpn-simultaneous-logins 2
vpn-session-timeout 480
default-domain value cur.net
username dfb1 password eIJJjRiHeQeADi8. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group cur-fps
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool cpn-dhcp
authentication-server-group cur-fps
<--- More --->
accounting-server-group cur-fps
default-group-policy ssl-vpn
password-management
tunnel-group *.197.232.* type ipsec-l2l
tunnel-group *.197.232.* ipsec-attributes
pre-shared-key *
tunnel-group cur-vpn type remote-access
tunnel-group cur-vpn general-attributes
address-pool cpn-dhcp
authentication-server-group cur-fps
authorization-server-group cur-fps
password-management password-expire-in-days 4
!
class-map ftp-global
match default-inspection-traffic
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
<--- More --->
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
class ftp-global
inspect ftp
class global-class
set connection random-sequence-number disable
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:77c07b2917faed0ed9de986216c9ad66
Solved! Go to Solution.
11-12-2013 06:25 AM
Hi,
Was really tired last night so left answering to this day.
Ok, so if you dont have management access to the remote site VPN device or wont be able to easily request additions to the configurations then we would have to configure a Dynamic Policy PAT for the VPN Client users to be able to access the L2L VPN.
The idea behind that is that we could use Dynamic Policy PAT to translate all VPN Client users to an IP address 192.168.200.x and therefore their connections would match the existing L2L VPN configurations and go through the L2L VPN.
The problem at the moment for me is that there are several NAT0 configurations that seem quite strange to me and I am not sure if they are needed. In the current setup they might simply make it so that any Dynamic Policy PAT we would configure would fail since the NAT0 would override the new configuration.
To my understanding you should do the following changes on your firewall for the connections from VPN Clients to work to the L2L VPN
Remove internal NAT configurations
no nat (internal) 0 access-list internal_nat0_outbound_1 outside
no access-list internal_nat0_outbound_1 extended permit ip sa-lan 255.255.0.0 curacao-lan 255.255.255.0
no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 any
no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 sa-lan 255.255.0.0
Remove external NAT configurations
no nat (external-12) 0 access-list external-12_nat0_outbound outside
no nat (external-12) 0 access-list external-12_nat0_outbound_1
no access-list external-12_nat0_outbound extended permit ip cur-vpn-group 255.255.255.0 any
no access-list external-12_nat0_outbound_1 extended permit ip any cur-vpn-group 255.255.255.0
no access-list external-12_nat0_outbound_1 extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
The above configurations that we remove SHOULD all be useless configuration with regards to your needs. The NAT0 configuration that we leave to your "internal" interface seems to me to be the only one you will need. I have to stress through that if you have any doubt if the above configurations are actually needed for something (for which I dont see the reason at the moment) then you should try these changes at some specific time when the changes could not inflict any bigger problems.
Now the Dynamic Policy PAT configuration that you would need for your VPN Client users to access the L2L VPN connections should be something like this
global (external-12) 200 192.168.200.254
access-list DYNAMIC-POLICY-PAT-L2LVPN remark Dynamic Policy PAT for VPN Client users
access-list DYNAMIC-POLICY-PAT-L2LVPN permit ip 192.168.201.0 255.255.255.0 10.5.0.0 255.255.0.0
nat (external-12) 200 access-list DYNAMIC-POLICY-PAT-L2LVPN
In the above configuration we tell the firewall that it should do Dynamic PAT for all traffic that is coming from the VPN Pool and going to the remote site behind the L2L VPN connection. We will be using the internal IP address 192.168.200.254 as the Dynamic PAT IP address. If this is already assigned to some internal device then you should change the Dynamic PAT IP address to something else that is free just so that there will not be any overlap.
Let me know if you do the changes and what the situation is
Hope this helps
- Jouni
11-11-2013 02:21 PM
Hi,
You would need to include the VPN Pool to the L2L VPN Crypto ACL unless you are going to use Dynamic PAT to translate all VPN users to an IP address beloging to the L2L VPN.
Current ACL is
access-list external-12_1_cryptomap extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
You need to addd
access-list external-12_1_cryptomap extended permit ip 10.5.0.0 255.255.0.0 sa-lan 255.255.0.0
You will naturally also need to make the same addition on the other end of the L2L VPN though as mirror image. Unless you want to play around with NAT configurations which is naturally also possible.
- Jouni
11-11-2013 02:34 PM
Thanks JouniForss. I added the ACL. I can don't have an issue working with the NAT translations as that is what I was trying to do before. Do you know what else I would need to add?
11-11-2013 02:46 PM
Hi,
Sorry I must be blind and too tired
I suggested completely wrong addition to the ACL. I added the same remote network as the source when I was supposed to add the VPN Pool.
So please remove what I suggested
no access-list external-12_1_cryptomap extended permit ip 10.5.0.0 255.255.0.0 sa-lan 255.255.0.0
And add
access-list external-12_1_cryptomap extended permit ip 192.168.201.0 255.255.255.0 10.5.0.0 255.255.0.0
And then naturally do the same changes/additions to the remote site of the L2L VPN. (Mirror image of the ACL ofcourse) Or do you have management access to the remote site?
- Jouni
11-11-2013 02:54 PM
no direct access to remote site just s2s settings. so you are saying that the other side would have to allow access of this network to allow me in right. currently they probably have 192.168.200.0 able to access and not 201.
11-12-2013 06:25 AM
Hi,
Was really tired last night so left answering to this day.
Ok, so if you dont have management access to the remote site VPN device or wont be able to easily request additions to the configurations then we would have to configure a Dynamic Policy PAT for the VPN Client users to be able to access the L2L VPN.
The idea behind that is that we could use Dynamic Policy PAT to translate all VPN Client users to an IP address 192.168.200.x and therefore their connections would match the existing L2L VPN configurations and go through the L2L VPN.
The problem at the moment for me is that there are several NAT0 configurations that seem quite strange to me and I am not sure if they are needed. In the current setup they might simply make it so that any Dynamic Policy PAT we would configure would fail since the NAT0 would override the new configuration.
To my understanding you should do the following changes on your firewall for the connections from VPN Clients to work to the L2L VPN
Remove internal NAT configurations
no nat (internal) 0 access-list internal_nat0_outbound_1 outside
no access-list internal_nat0_outbound_1 extended permit ip sa-lan 255.255.0.0 curacao-lan 255.255.255.0
no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 any
no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 sa-lan 255.255.0.0
Remove external NAT configurations
no nat (external-12) 0 access-list external-12_nat0_outbound outside
no nat (external-12) 0 access-list external-12_nat0_outbound_1
no access-list external-12_nat0_outbound extended permit ip cur-vpn-group 255.255.255.0 any
no access-list external-12_nat0_outbound_1 extended permit ip any cur-vpn-group 255.255.255.0
no access-list external-12_nat0_outbound_1 extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0
The above configurations that we remove SHOULD all be useless configuration with regards to your needs. The NAT0 configuration that we leave to your "internal" interface seems to me to be the only one you will need. I have to stress through that if you have any doubt if the above configurations are actually needed for something (for which I dont see the reason at the moment) then you should try these changes at some specific time when the changes could not inflict any bigger problems.
Now the Dynamic Policy PAT configuration that you would need for your VPN Client users to access the L2L VPN connections should be something like this
global (external-12) 200 192.168.200.254
access-list DYNAMIC-POLICY-PAT-L2LVPN remark Dynamic Policy PAT for VPN Client users
access-list DYNAMIC-POLICY-PAT-L2LVPN permit ip 192.168.201.0 255.255.255.0 10.5.0.0 255.255.0.0
nat (external-12) 200 access-list DYNAMIC-POLICY-PAT-L2LVPN
In the above configuration we tell the firewall that it should do Dynamic PAT for all traffic that is coming from the VPN Pool and going to the remote site behind the L2L VPN connection. We will be using the internal IP address 192.168.200.254 as the Dynamic PAT IP address. If this is already assigned to some internal device then you should change the Dynamic PAT IP address to something else that is free just so that there will not be any overlap.
Let me know if you do the changes and what the situation is
Hope this helps
- Jouni
11-13-2013 07:03 AM
Jouni,
Thanks for the information. It worked. Also thank you for helping me understand what was being done. I really appreciate your help.
11-13-2013 07:40 AM
Hi,
Glad to hear it worked
I noticed just now that I had forgotten to add the network mask for the source network on the "access-list" configuration in the earlier reply.
I edited the earlier reply so it has the correct "access-list" configuration.
- Jouni
11-13-2013 08:51 AM
Jouni,
Yeah I saw that but I already knew what to do there. Thanks again.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: