09-20-2013 01:01 PM - edited 03-11-2019 07:41 PM
Hi all,
I've seen example after example of having a remote IPsec client reach a remote site via a single ASA. Unfortunately, these have all been with the former syntax using version <8.
I'm hoping some might be able to guide me as this ASA is new to me. I have a working site-to-site (in RED) and a working remote client VPN (in GREEN). My problem is that I want my remote client to reach the remote site too (in BLUE). I've attached a diagram, and I've included my configs for both ends (remote site router and local ASA). I've been using ASDM 7.1 to help me through this, but it's only gotten me this far and I'm killing way too many cycles pulling my hair out.
Can someone please tell me what's wrong here?
Oh, and ever since I set my security-level higher on my insideDATA, I can still reach web pages but I can't PING anything on the Internet.
===============================
ASA
WUMASA5515x# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname WUMASA5515x
domain-name wumfrgsn.local
enable password AYL/mjKstXNLBeQX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool RA_IP_POOL 192.168.50.33-192.168.50.46 mask 255.255.255.240
!
interface GigabitEthernet0/0
nameif InternetWan
security-level 0
ip address 24.102.6.36 255.255.255.224
!
interface GigabitEthernet0/1
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/1.11
vlan 11
nameif insideDATA
security-level 90
ip address 10.11.0.1 255.255.0.0
!
interface GigabitEthernet0/1.172
vlan 172
nameif GuestWIFI
security-level 0
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif management
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Management0/0
management-only
shutdown
nameif unused
security-level 100
no ip address
!
boot system disk0:/asa912-smp-k8.bin
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup InternetWan
dns domain-lookup insideDATA
dns server-group DefaultDNS
name-server 24.53.239.16
name-server 24.53.239.17
domain-name wumfrgsn.local
same-security-traffic permit inter-interface
object network 145_Wilson_st
subnet 10.19.0.0 255.255.0.0
object network 191Mainst
subnet 10.17.0.0 255.255.0.0
object network 195_Ferguson
subnet 10.23.0.0 255.255.0.0
object network NETWORK_OBJ_10.11.0.0_16
subnet 10.11.0.0 255.255.0.0
object network 151_QueenN
subnet 10.22.0.0 255.255.0.0
object network 155_QueenN
subnet 10.12.0.0 255.255.0.0
object network 350_Quigley
subnet 10.21.0.0 255.255.0.0
object network 93_DelenaN
subnet 10.20.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.50.32_28
subnet 192.168.50.32 255.255.255.240
object-group network Remote_Networks
network-object object 195_Ferguson
network-object object 145_Wilson_st
network-object object 151_QueenN
network-object object 155_QueenN
network-object object 191Mainst
network-object object 350_Quigley
network-object object 93_DelenaN
object-group network DM_INLINE_NETWORK_1
network-object 10.11.0.0 255.255.0.0
network-object 172.16.0.0 255.255.255.0
network-object 192.168.99.0 255.255.255.0
network-object 24.102.6.32 255.255.255.224
group-object Remote_Networks
access-list InternetWan_cryptomap extended permit ip 10.11.0.0 255.255.0.0 object 195_Ferguson
access-list RA_VPN_splitTunnelAcl standard permit 10.11.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 172.16.0.0 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit 192.168.99.0 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit 24.102.6.32 255.255.255.224
access-list RA_VPN_splitTunnelAcl standard permit 10.19.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 10.22.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 10.12.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 10.17.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 10.23.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 10.21.0.0 255.255.0.0
access-list RA_VPN_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list InternetWan_cryptomap_1 extended permit ip 10.11.0.0 255.255.0.0 object 145_Wilson_st
pager lines 24
logging asdm informational
mtu InternetWan 1500
mtu insideDATA 1500
mtu GuestWIFI 1500
mtu unused 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any InternetWan
icmp permit any insideDATA
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (insideDATA,InternetWan) source static NETWORK_OBJ_10.11.0.0_16 NETWORK_OBJ_10.11.0.0_16 destination static Remote_Networks Remote_Networks no-proxy-arp route-lookup
nat (GuestWIFI,InternetWan) source dynamic any interface
nat (insideDATA,InternetWan) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.50.32_28 NETWORK_OBJ_192.168.50.32_28 no-proxy-arp route-lookup
nat (insideDATA,InternetWan) source static NETWORK_OBJ_10.11.0.0_16 NETWORK_OBJ_10.11.0.0_16 destination static 145_Wilson_st 145_Wilson_st no-proxy-arp route-lookup
nat (management,InternetWan) source dynamic any interface
!
nat (insideDATA,InternetWan) after-auto source dynamic any interface
route InternetWan 0.0.0.0 0.0.0.0 24.102.6.33 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.99.0 255.255.255.0 management
http 192.168.50.32 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map InternetWan_map 1 match address InternetWan_cryptomap
crypto map InternetWan_map 1 set pfs
crypto map InternetWan_map 1 set peer 72.12.152.245
crypto map InternetWan_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map InternetWan_map 2 match address InternetWan_cryptomap_1
crypto map InternetWan_map 2 set pfs
crypto map InternetWan_map 2 set peer 72.12.152.188
crypto map InternetWan_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map InternetWan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map InternetWan_map interface InternetWan
crypto ca trustpool policy
crypto ikev1 enable InternetWan
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.99.0 255.255.255.0 management
ssh 192.168.50.32 255.255.255.240 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access management
dhcpd address 10.11.0.20-10.11.0.40 insideDATA
dhcpd dns 24.53.239.16 interface insideDATA
dhcpd domain wum.local interface insideDATA
dhcpd update dns both interface insideDATA
dhcpd enable insideDATA
!
dhcpd address 172.16.0.100-172.16.0.150 GuestWIFI
dhcpd dns 24.53.239.16 24.53.239.17 interface GuestWIFI
dhcpd domain wum.guest.local interface GuestWIFI
dhcpd enable GuestWIFI
!
dhcpd address 192.168.99.240-192.168.99.250 management
dhcpd dns 24.53.239.16 24.53.239.17 interface management
dhcpd domain mgnt.wum.local interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.167.68.100 source InternetWan prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
default-domain value wumfrgsn.local
group-policy GroupPolicy_72.12.152.188 internal
group-policy GroupPolicy_72.12.152.188 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_72.12.152.245 internal
group-policy GroupPolicy_72.12.152.245 attributes
vpn-tunnel-protocol ikev1
username vpntest password IyV0jGRyb7Bozb3j encrypted privilege 15
username vpntest attributes
vpn-group-policy RA_VPN
username usermon password KpWxOxmGlFVZC0Kf encrypted
username clearca password ji55PAt.mBgyB8Ep encrypted privilege 15
tunnel-group 72.12.152.245 type ipsec-l2l
tunnel-group 72.12.152.245 general-attributes
default-group-policy GroupPolicy_72.12.152.245
tunnel-group 72.12.152.245 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool RA_IP_POOL
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 72.12.152.188 type ipsec-l2l
tunnel-group 72.12.152.188 general-attributes
default-group-policy GroupPolicy_72.12.152.188
tunnel-group 72.12.152.188 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!=========
========================================================================
Remote Router.
! Last configuration change at 10:10:47 EDST Fri Sep 20 2013 by cisla
! NVRAM config last updated at 10:11:58 EDST Fri Sep 20 2013 by cisla
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname WUM145Wlsn-861
!
boot-start-marker
boot system flash c860-universalk9-mz.153-3.M.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 1024000
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDST recurring
!
crypto pki trustpoint TP-self-signed-3210677487
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3210677487
revocation-check none
rsakeypair TP-self-signed-3210677487
!
!
crypto pki certificate chain TP-self-signed-3210677487
certificate self-signed 01
30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323130 36373734 3837301E 170D3133 30393130 31343332
35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32313036
37373438 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D387 BFA5724D CB3A1419 BDD284C9 2CB5F7F3 85B8FF8D AC9A1E38 45757873
16B3FFE2 E9363FA5 8DB00C89 61ABB632 A91F49D0 40444E69 04A73966 2DEE492F
EE65C774 5BA7808B 9E82B108 7BFF299E 2880175F 93ABDD4C 0C5C3609 5D516CDA
550C2E36 F5F93D22 9896182B 58946DAA AC463317 E6E6D730 31E6E28A 14ECDA91
49E70203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
551D1104 1E301C82 1A57554D 31393546 5247534E 2D383631 772E7775 6D2E6C6F
63616C30 1F060355 1D230418 30168014 BA424AD3 CCCD22F5 863C50C1 A63FFC1D
17B2E7F5 301D0603 551D0E04 160414BA 424AD3CC CD22F586 3C50C1A6 3FFC1D17
B2E7F530 0D06092A 864886F7 0D010104 05000381 81007877 CCA0B502 47D8F8BD
30829B54 E6719CF0 D12F00FB 433FE0FF 2C03E549 7D88673B AF444F62 76F3754D
D27E8E7B 1653D4B7 36D322CD DC4CB3A1 5C77FAC5 F52F6AE5 2D7FFDDE 55C5142E
2ABF2A0F B34B01BB C99547F1 DFCF6F7F 8CEC2806 60F89145 92124E4E 93C1E956
21435255 612622F0 FA74FE30 83C9D80A 8518FA4A 4118
quit
ip source-route
!
!
ip dhcp excluded-address 10.19.0.1 10.19.0.20
!
ip dhcp pool ccp-pool
import all
network 10.19.0.0 255.255.0.0
default-router 10.19.0.1
dns-server 24.215.0.249
lease 0 2
!
!
ip cef
ip domain name wum.local
ip name-server 24.53.239.16
ip name-server 24.53.239.17
!
!
!
!
username cisla privilege 15 secret 5 $1$gf9q$ndfAaob6J/M7jwQOOaA310
!
!
crypto isakmp policy 19
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key testing4231 address 24.102.6.36
crypto isakmp keepalive 360
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 19 ipsec-isakmp
description Tunnel to MAIN
set peer 24.102.6.36
set transform-set ESP-3DES-MD5
match address 119
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip access-group 199 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.19.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 23 permit 10.19.0.0 0.0.255.255
access-list 23 permit 10.11.0.0 0.0.255.255
access-list 23 permit 192.168.50.32 0.0.0.15
access-list 100 remark PAT Route Map Rule
access-list 100 deny ip 10.19.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 100 deny ip 10.19.0.0 0.0.255.255 192.168.50.32 0.0.0.15
access-list 100 deny ip 10.19.0.0 0.0.255.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 10.19.0.0 0.0.255.255 any
access-list 119 remark ## IPSEC allow to REMOTE
access-list 119 permit ip 10.19.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 119 permit ip 10.19.0.0 0.0.255.255 192.168.50.32 0.0.0.15
access-list 119 permit ip 10.19.0.0 0.0.255.255 192.168.99.0 0.0.0.255
access-list 199 remark WAN INTERFACE INPUT
access-list 199 permit tcp any any gt 1023 established
access-list 199 permit tcp any eq domain any
access-list 199 permit udp any eq domain any
access-list 199 permit esp any any
access-list 199 permit ahp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit tcp any any eq smtp
access-list 199 permit ip 24.102.6.32 0.0.0.31 any
access-list 199 permit ip 24.53.224.0 0.0.0.3 any
access-list 199 permit ip 24.53.239.0 0.0.0.127 any
access-list 199 permit ip host 209.167.68.100 any
access-list 199 permit udp any eq bootps any eq bootpc
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 deny ip any any log
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 209.167.68.100 prefer source FastEthernet4
end
===============================
09-24-2013 06:37 AM
Hello? Anyone?
09-24-2013 04:25 PM
It looks like your cryptomaps at the main site don't include your remote access address pool (192.168.50.32/28 or 0.0.0.15 inverse mask):
access-list InternetWan_cryptomap extended permit ip 10.11.0.0 255.255.0.0 object 195_Ferguson
access-list InternetWan_cryptomap_1 extended permit ip 10.11.0.0 255.255.0.0 object 145_Wilson_st
It appears to be included OK in the remote site config you provided:
access-list 119 remark ## IPSEC allow to REMOTE
access-list 119 permit ip 10.19.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 119 permit ip 10.19.0.0 0.0.255.255 192.168.50.32 0.0.0.15
access-list 119 permit ip 10.19.0.0 0.0.255.255 192.168.99.0 0.0.0.255
Remember, site-to-site VPNs should always have mirrored cryptomaps. You can see the current security associations (SAs) by doing "show crypto ipsec sa". You should see remote/local pairs for each of the allowed networks.
09-30-2013 12:37 PM
Hi, thanks for your response.
So I've tried to include what I believe might be what you're talking about:
"access-list InternetWan_cryptomap extended permit ip 192.168.99.32 255.255.255.240 object 195_Ferguson". However, this did not do the trick.
Does the RA_VPN need to be the same encryption as the site-to-site?
ci
09-30-2013 01:34 PM
I haven't read the config guide for the v8.x ASA features. I was playing about recently on a 7.2(2) ASA and needed to do something similar. Enabling same-security-traffic permit intra-interface was the resolution for me. I note you have permit inter-interface, but your traffic is hair-pinning, i.e. entering and exiting the same interface.
Apologies if I misread your config.
Good luck sorting.
Regards
Darren
Sent from Cisco Technical Support iPad App
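One way to automate the two checks raised in the replies above (the 09-24 answer's point that the crypto ACLs on both ends of a site-to-site tunnel must mirror each other, and Darren's point that hairpinned traffic needs same-security-traffic permit intra-interface) is a small config linter. This is an added example, not code from the thread or from Cisco. It works on constructed excerpts copied from the two posted configs, and it assumes that the ASA ACL InternetWan_cryptomap_1 is the one facing the 10.19.0.0/16 router (the 145_Wilson_st object and crypto map entry 2 in the posted ASA config), which is an assumption drawn from the object and peer definitions rather than something the thread states outright.

```python
import ipaddress
import re

# Constructed excerpts of the two configs quoted in the thread (ASA 9.1 side and
# IOS 12.4 side). Only the lines the checks need are included.
ASA_CONFIG = """
object network 145_Wilson_st
 subnet 10.19.0.0 255.255.0.0
object network 195_Ferguson
 subnet 10.23.0.0 255.255.0.0
same-security-traffic permit inter-interface
access-list InternetWan_cryptomap extended permit ip 10.11.0.0 255.255.0.0 object 195_Ferguson
access-list InternetWan_cryptomap_1 extended permit ip 10.11.0.0 255.255.0.0 object 145_Wilson_st
crypto map InternetWan_map 2 match address InternetWan_cryptomap_1
crypto map InternetWan_map 2 set peer 72.12.152.188
"""

IOS_CONFIG = """
access-list 119 remark ## IPSEC allow to REMOTE
access-list 119 permit ip 10.19.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 119 permit ip 10.19.0.0 0.0.255.255 192.168.50.32 0.0.0.15
access-list 119 permit ip 10.19.0.0 0.0.255.255 192.168.99.0 0.0.0.255
crypto map SDM_CMAP_1 19 ipsec-isakmp
 match address 119
"""

ASA_ACE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
IOS_ACE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def asa_objects(cfg):
    """Map 'object network NAME' definitions to their subnet/host networks.
    The pasted config loses indentation, so the parser does not rely on it."""
    objects, current = {}, None
    for line in cfg.splitlines():
        tokens = line.split()
        if tokens[:2] == ["object", "network"]:
            current = tokens[2]
        elif current and tokens and tokens[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}")
        elif current and tokens and tokens[0] == "host":
            objects[current] = ipaddress.ip_network(tokens[1])
    return objects


def _asa_operand(tokens, objects):
    """Consume one ASA address operand (object NAME | host A | any | A MASK)."""
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def asa_crypto_acl(cfg, acl_name, objects):
    """Return the set of (src, dst) networks permitted by one ASA extended ACL."""
    pairs = set()
    for line in cfg.splitlines():
        m = ASA_ACE.match(line.strip())
        if m and m.group(1) == acl_name:
            src, rest = _asa_operand(m.group(2).split(), objects)
            dst, _ = _asa_operand(rest, objects)
            pairs.add((src, dst))
    return pairs


def ios_crypto_acl(cfg, acl_number):
    """Return (src, dst) networks from an IOS numbered ACL; wildcard masks
    such as 0.0.255.255 are accepted by ipaddress as host masks."""
    pairs = set()
    for line in cfg.splitlines():
        m = IOS_ACE.match(line.strip())
        if m and m.group(1) == str(acl_number):
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs


def mirror_gaps(local_pairs, remote_pairs):
    """A mirrored pair of crypto ACLs has (dst, src) on one side for every
    (src, dst) on the other. Returns (missing_locally, missing_remotely)."""
    flipped_remote = {(d, s) for s, d in remote_pairs}
    flipped_local = {(d, s) for s, d in local_pairs}
    return flipped_remote - local_pairs, flipped_local - remote_pairs


def hairpin_permitted(cfg):
    """True when the ASA allows traffic to enter and leave the same interface."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in cfg.splitlines())


def check_thread_configs():
    """Run both checks against the excerpts of the configs posted in the thread."""
    objects = asa_objects(ASA_CONFIG)
    asa_pairs = asa_crypto_acl(ASA_CONFIG, "InternetWan_cryptomap_1", objects)
    ios_pairs = ios_crypto_acl(IOS_CONFIG, 119)
    missing_on_asa, missing_on_ios = mirror_gaps(asa_pairs, ios_pairs)
    return {
        "missing_on_asa": sorted(f"{s} -> {d}" for s, d in missing_on_asa),
        "missing_on_ios": sorted(f"{s} -> {d}" for s, d in missing_on_ios),
        "asa_hairpin_permitted": hairpin_permitted(ASA_CONFIG),
    }


if __name__ == "__main__":
    for key, value in check_thread_configs().items():
        print(f"{key}: {value}")
```

Run as a script, it lists the router ACEs that have no mirror image on the ASA (the remote-access pool 192.168.50.32/28 and the 192.168.99.0/24 management subnet toward 10.19.0.0/16) and reports that intra-interface hairpinning is not permitted in the posted ASA config. The mirror check is direction-aware on purpose: an ACE that names the right networks but sits in the ACL of a different crypto map entry, or swaps source and destination, still shows up as a gap. NAT exemption for the pool is not checked here.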