05-16-2008 06:20 AM - edited 02-21-2020 02:01 AM
I have three ASA 5505s in three different locations. Each location has its own subnet (10.0.0.x, 10.0.1.x, and 10.0.2.x). I have VPN tunnels from each location to both of the others, making a sort of triangle. Now, I also have one of those ASAs (10.0.2.254) handling VPN clients from the outside as well which have their own IP pool of 10.0.3.x. The tunnels work fine, the clients can connect and access all resources on the 10.0.2.x network. However the problem is that they cannot access anything on the 10.0.0.x or 10.0.1.x networks which they should have equal access to. I've tried some things with the access lists, but nothing seems to work. Where do I have to put these permissions in? I just can't seem to figure out on which interface in which direction I need to put the ACL. Thanks.
05-16-2008 06:33 AM
This should do the trick...
10.0.2.0 ASA -
same-security-traffic permit intra-interface
access-list
access-list
10.0.0.0 ASA -
access-list
access-list
nat (inside) 0 access-list
10.0.1.0 ASA -
access-list
access-list
nat (inside) 0 access-list
05-19-2008 01:04 PM
I guess I need a little bit of clarification. I'm pretty sure that I need to create new names for the
Here's what's currently there:
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Which refer to:
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
05-20-2008 05:57 AM
You don't need to add another "nat" statement. Just replace
10.0.2.0 ASA -
same-security-traffic permit intra-interface
access-list
access-list
10.0.0.0 ASA -
access-list
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
10.0.1.0 ASA -
access-list
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
05-23-2008 07:44 AM
Okay, I've tried setting it up and must still be missing something. Could you take a look at these? I do know I might have a line or two in there that needs to get cleaned out, but everyone should be connecting to VPN on the 10.0.2.0 ASA and then getting to the rest of the network from there.
05-30-2008 10:45 AM
Can anyone tell me what I'm doing wrong with the access-lists' crypto lines?
05-30-2008 11:21 AM
10.0.1.0 ASA-
no access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0
no access-list vpn_crypto extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
no access-list vpn_nat extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
10.0.0.0 ASA-
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
no access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
All of your crypto ACLs need to be mirrored on the other end of the tunnel.
10.0.0.0 is...
Crypto A -
0 to 1
Crypto B -
0 to 2
0 to 3
10.0.1.0 is...
Crypto A -
1 to 0
Crypto B -
1 to 2
1 to 3
10.0.2.0 is...
Crypto A -
2 to 0
3 to 0
Crypto B -
2 to 1
3 to 1
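The two rules the answers in this thread rely on are easy to get wrong by hand across three ASAs: every entry in a crypto ACL must have its exact mirror (source and destination swapped) in the peer's crypto ACL, and every flow that is supposed to enter a tunnel must also be covered by the "nat (inside) 0" exemption list so it is not translated first. The script below is an added example, not configuration from the thread; it parses the "access-list ... extended permit ip" and "no access-list ..." lines as pasted in the thread (applying "no" as a removal) and reports mirror and NAT-exemption gaps. The ACL contents for the 10.0.0.0 and 10.0.1.0 ASAs follow the last answer; the 10.0.2.0 ASA's ACL names (site0_crypto, site1_crypto) and the name site2_crypto on the 10.0.1.0 ASA are assumed, since the thread never shows them.

```python
import re
from collections import defaultdict

# Matches the single-line ACE form used throughout the thread, with an optional
# leading "no" (which the ASA CLI uses to remove an entry).
ACE_RE = re.compile(
    r"^(?P<neg>no\s+)?access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acls(config_text):
    """Return {acl_name: set of (src, smask, dst, dmask)}; 'no' lines remove entries."""
    acls = defaultdict(set)
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # other config lines (nat, crypto map, ...) are ignored here
        ace = (m["src"], m["smask"], m["dst"], m["dmask"])
        if m["neg"]:
            acls[m["name"]].discard(ace)
        else:
            acls[m["name"]].add(ace)
    return dict(acls)


def mirror(ace):
    """The entry the peer must carry: source and destination swapped."""
    src, smask, dst, dmask = ace
    return (dst, dmask, src, smask)


def check_mirror(local_aces, remote_aces):
    """Entries on each side whose mirror is absent on the other side."""
    missing_on_remote = {a for a in local_aces if mirror(a) not in remote_aces}
    missing_on_local = {a for a in remote_aces if mirror(a) not in local_aces}
    return missing_on_remote, missing_on_local


def check_nat_exempt(crypto_aces, nat0_aces):
    """Tunnel flows that the nat 0 list does not exempt (they would be NATed first)."""
    return {a for a in crypto_aces if a not in nat0_aces}


# Constructed sample: the 10.0.0.0 ASA as it stood before the last answer's
# "no access-list ..." line; the fixed version appends that line.
ASA0_BEFORE = """
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
"""
ASA0_FIXED = ASA0_BEFORE + (
    "no access-list outside_cryptomap_2 extended permit ip "
    "10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0\n"
)

# Constructed sample for the 10.0.1.0 ASA; site2_crypto is an assumed name.
ASA1 = """
access-list vpn_crypto extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list site2_crypto extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list site2_crypto extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
"""

# Constructed sample for the 10.0.2.0 ASA (the one terminating the VPN clients);
# both ACL names are assumed, entries follow the "2 to 0 / 3 to 0" layout.
ASA2 = """
access-list site0_crypto extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list site0_crypto extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list site1_crypto extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list site1_crypto extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
"""


def audit_site0(site0_text):
    """Run both checks for the 10.0.0.0 ASA against its two peers."""
    asa0, asa1, asa2 = parse_acls(site0_text), parse_acls(ASA1), parse_acls(ASA2)
    return {
        "tunnel_to_site2": check_mirror(asa0["outside_cryptomap_1"], asa2["site0_crypto"]),
        "tunnel_to_site1": check_mirror(asa0["outside_cryptomap_2"], asa1["vpn_crypto"]),
        "not_nat_exempt": check_nat_exempt(
            asa0["outside_cryptomap_1"] | asa0["outside_cryptomap_2"],
            asa0["inside_nat0_outbound"],
        ),
    }


if __name__ == "__main__":
    for label, text in (("before", ASA0_BEFORE), ("after", ASA0_FIXED)):
        print(label, audit_site0(text))
```

Running it on the "before" configuration reports the stray 10.0.0.0 to 10.0.3.0 entry in outside_cryptomap_2 as having no mirror on the 10.0.1.0 side, which is exactly what makes the two peers disagree on the proxy identities for that tunnel; the "after" configuration clears that finding. In both cases the NAT check still flags 10.0.0.0 to 10.0.3.0, because the sample nat 0 list only carries the two site subnets, matching the earlier answer's point that the client pool must be added to inside_nat0_outbound on each remote ASA.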