cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1562
Views
0
Helpful
8
Replies

ASA Configuration Help(VPN Users access of s2s)

ccarter81
Level 1
Level 1

I have a firewall with a site to site connection to another LAN. I can access the services from the main lan at the site, but I can't access them from the vpn. Need help trying to figure out why. PS the firewall I am using is on 8.2 which has the older Exemptions. I am wanting them to access the sa-lan 10.5.0.0/16.

ASA Version 8.2(1)

!

hostname cur-asa

domain-name dpt.dfb.net

enable password vvfPMqIRz/IF7MC9 encrypted

passwd vvfPMqIRz/IF7MC9 encrypted

names

name 192.168.200.0 curacao-lan

name 10.5.0.0 sa-lan

name 192.168.201.0 cur-vpn-group

dns-guard

!

interface Ethernet0/0

description onenet 190

nameif external-190

security-level 0

pppoe client vpdn group onenet190

pppoe client route distance 2

ip address pppoe setroute

!

interface Ethernet0/1

description ONENET 12mb

nameif external-12

<--- More --->

security-level 0

ip address *88.36.215 255.255.255.240

!

interface Ethernet0/2

description curacao lan

nameif internal

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone BOT -4

dns domain-lookup internal

<--- More --->

dns server-group DefaultDNS

name-server 192.168.200.254

domain-name dpt.dfb.net

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service dfb-allow tcp

port-object eq 9000

port-object eq domain

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

port-object eq pop3

port-object eq ssh

port-object eq telnet

port-object eq 8080

port-object eq 993

port-object eq 5223

port-object eq smtp

port-object eq 465

port-object eq daytime

port-object eq 52230

object-group service dfb-allow-udp udp

port-object eq 9000

<--- More --->

port-object eq 443

port-object eq ntp

object-group service temp-rdp tcp

port-object eq 3389

port-object eq 8612

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp eq www

service-object tcp eq https

service-object tcp eq smtp

service-object tcp eq 8080

object-group network dns-allow

network-object host 208.67.220.220

network-object host 208.67.222.222

network-object host 8.8.8.8

object-group network DM_INLINE_NETWORK_1

network-object curacao-lan 255.255.255.0

network-object cur-vpn-group 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object curacao-lan 255.255.255.0

network-object cur-vpn-group 255.255.255.0

object-group service hpvpn tcp-udp

description microsoft vpn healthpoint

port-object eq 1701

<--- More --->

port-object eq 1723

port-object eq 4500

port-object eq 500

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_3

network-object curacao-lan 255.255.255.0

network-object cur-vpn-group 255.255.255.0

access-list external-200_1_cryptomap extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

access-list internal_nat0_outbound extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

access-list internal_nat0_outbound extended permit ip curacao-lan 255.255.255.0 cur-vpn-group 255.255.255.0

access-list external-200_access_out extended permit ip any any

access-list external-190_access_out extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

access-list external-190_access_out extended permit tcp any any object-group dfb-allow

access-list external-190_access_out extended permit udp any any object-group dfb-allow-udp

access-list external-190_access_out extended permit ip any any inactive

access-list internal_nat0_outbound_1 extended permit ip sa-lan 255.255.0.0 curacao-lan 255.255.255.0

access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 any

access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 sa-lan 255.255.0.0

access-list external-12_1_cryptomap extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

access-list external-12_nat0_outbound_1 extended permit ip any cur-vpn-group 255.255.255.0

access-list external-12_nat0_outbound_1 extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

access-list external-12_nat0_outbound extended permit ip cur-vpn-group 255.255.255.0 any

<--- More --->

access-list external-12_access_in extended permit object-group DM_INLINE_SERVICE_1 any host *.88.36.215

access-list external-12_access_in extended permit ip sa-lan 255.255.0.0 any

access-list external-12_access_in extended permit ip cur-vpn-group 255.255.255.0 any

access-list global_mpc extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

access-list internal_access_in extended permit ip any any inactive

access-list internal_access_in extended permit ip host 192.168.200.106 any

access-list internal_access_in extended permit ip object-group DM_INLINE_NETWORK_3 sa-lan 255.255.0.0

access-list internal_access_in extended permit tcp any any object-group dfb-allow

access-list internal_access_in extended permit udp any any object-group dfb-allow-udp

access-list internal_access_in extended permit udp object-group DM_INLINE_NETWORK_1 object-group dns-allow eq domain

access-list internal_access_in extended permit tcp any any object-group temp-rdp

access-list internal_access_in extended permit icmp object-group DM_INLINE_NETWORK_2 any

access-list vpn_split standard permit curacao-lan 255.255.255.0

access-list vpn_split standard permit sa-lan 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu external-190 1500

mtu external-12 1500

mtu internal 1500

mtu management 1500

ip local pool cpn-dhcp 192.168.201.1-192.168.201.20 mask 255.255.255.0

ip local pool cur-dhcp 192.168.200.90-192.168.200.99 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

<--- More --->

icmp permit any external-12

icmp permit any internal

no asdm history enable

arp timeout 14400

global (external-190) 1 interface

global (external-12) 1 interface

nat (external-190) 1 curacao-lan 255.255.255.0

nat (external-12) 0 access-list external-12_nat0_outbound_1

nat (external-12) 0 access-list external-12_nat0_outbound outside

nat (internal) 0 access-list internal_nat0_outbound

nat (internal) 0 access-list internal_nat0_outbound_1 outside

nat (internal) 1 0.0.0.0 0.0.0.0

static (internal,external-12) tcp interface smtp 192.168.200.253 smtp netmask 255.255.255.255

static (internal,external-12) tcp interface https 192.168.200.253 https netmask 255.255.255.255

access-group external-190_access_out out interface external-190

access-group external-12_access_in in interface external-12

access-group external-200_access_out out interface external-12

access-group internal_access_in in interface internal

route external-12 0.0.0.0 0.0.0.0 *.88.36.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

<--- More --->

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server cur-fps protocol radius

aaa-server cur-fps (internal) host 192.168.200.252

timeout 5

key Knot4U!

http server enable 442

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 external-190

http 0.0.0.0 0.0.0.0 internal

http 0.0.0.0 0.0.0.0 external-12

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

<--- More --->

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map external-12_map 1 match address external-12_1_cryptomap

crypto map external-12_map 1 set pfs group1

crypto map external-12_map 1 set peer 12.197.232.98

crypto map external-12_map 1 set transform-set ESP-3DES-SHA

crypto map external-12_map interface external-12

crypto isakmp enable external-12

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 0.0.0.0 0.0.0.0 internal

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 15

vpdn group onenet190 request dialout pppoe

vpdn group onenet190 localname dfbbiocur@office_onenet.an

vpdn group onenet190 ppp authentication pap

<--- More --->

vpdn username dfbbiocur@office_onenet.an password ********* store-local

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address curacao-lan 255.255.255.0

threat-detection scanning-threat shun duration 3600

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

port 442

enable external-190

enable external-12

enable internal

dtls port 442

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc profiles dpt-new disk0:/dpt_basic.xml

svc enable

group-policy ssl-vpn internal

group-policy ssl-vpn attributes

banner value Your are now connected to DPT Laboratories, LTD. You acknowledge that you are an authorized employee of DFB Pharmaceuticals, Inc. and its affiliates. Use of this service in the performance of activities unrelated to the mission of DFB Pharmaceuticals, Inc. and its affiliates is strictly prohibited.

dns-server value 192.168.200.254

<--- More --->

vpn-simultaneous-logins 5

vpn-idle-timeout 30

vpn-session-timeout 480

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn_split

default-domain value cur.net

address-pools value cpn-dhcp

webvpn

  url-list none

  svc profiles value dpt-new

  svc ask enable

  keep-alive-ignore 96

group-policy DfltGrpPolicy attributes

dns-server value 192.168.200.254

vpn-simultaneous-logins 2

vpn-session-timeout 480

default-domain value cur.net

username dfb1 password eIJJjRiHeQeADi8. encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

authentication-server-group cur-fps

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool cpn-dhcp

authentication-server-group cur-fps

<--- More --->

accounting-server-group cur-fps

default-group-policy ssl-vpn

password-management

tunnel-group *.197.232.* type ipsec-l2l

tunnel-group *.197.232.* ipsec-attributes

pre-shared-key *

tunnel-group cur-vpn type remote-access

tunnel-group cur-vpn general-attributes

address-pool cpn-dhcp

authentication-server-group cur-fps

authorization-server-group cur-fps

password-management password-expire-in-days 4

!

class-map ftp-global

match default-inspection-traffic

class-map global-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

<--- More --->

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect tftp

class ftp-global

  inspect ftp

class global-class

  set connection random-sequence-number disable

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:77c07b2917faed0ed9de986216c9ad66

1 Accepted Solution

Accepted Solutions

Hi,

Was really tired last night so left answering to this day.

Ok, so if you dont have management access to the remote site VPN device or wont be able to easily request additions to the configurations then we would have to configure a Dynamic Policy PAT for the VPN Client users to be able to access the L2L VPN.

The idea behind that is that we could use Dynamic Policy PAT to translate all VPN Client users to an IP address 192.168.200.x and therefore their connections would match the existing L2L VPN configurations and go through the L2L VPN.

The problem at the moment for me is that there are several NAT0 configurations that seem quite strange to me and I am not sure if they are needed. In the current setup they might simply make it so that any Dynamic Policy PAT we would configure would fail since the NAT0 would override the new configuration.

To my understanding you should do the following changes on your firewall for the connections from VPN Clients to work to the L2L VPN

Remove internal NAT configurations

  • First ACL line doesnt make sense since "sa-lan" is not located behind your "internal" interface
  • Second and Third ACL line dont make sense since the "cur-vpn-group" is not located behind your "internal" interface

no nat (internal) 0 access-list internal_nat0_outbound_1 outside

no access-list internal_nat0_outbound_1 extended permit ip sa-lan 255.255.0.0 curacao-lan 255.255.255.0

no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 any

no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 sa-lan 255.255.0.0

Remove external NAT configurations

  • The first "nat" and "access-list" configurations should not be needed as you already have an existing NAT0 configuration on the "internal" interface that should work for the traffic between VPN users and the Internal LAN.
  • The second "nat" and "access-list" configurations should not be needed either. You will need a "nat" configuration on the external interface but at the moment it seems it will not be a NAT0 configuration

no nat (external-12) 0 access-list external-12_nat0_outbound outside

no nat (external-12) 0 access-list external-12_nat0_outbound_1

no access-list external-12_nat0_outbound extended permit ip cur-vpn-group 255.255.255.0 any

no access-list external-12_nat0_outbound_1 extended permit ip any cur-vpn-group 255.255.255.0

no access-list external-12_nat0_outbound_1 extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

The above configurations that we remove SHOULD all be useless configuration with regards to your needs. The NAT0 configuration that we leave to your "internal" interface seems to me to be the only one you will need. I have to stress through that if you have any doubt if the above configurations are actually needed for something (for which I dont see the reason at the moment) then you should try these changes at some specific time when the changes could not inflict any bigger problems.

Now the Dynamic Policy PAT configuration that you would need for your VPN Client users to access the L2L VPN connections should be something like this

global (external-12) 200 192.168.200.254

access-list DYNAMIC-POLICY-PAT-L2LVPN remark Dynamic Policy PAT for VPN Client users

access-list DYNAMIC-POLICY-PAT-L2LVPN permit ip 192.168.201.0 255.255.255.0 10.5.0.0 255.255.0.0

nat (external-12) 200 access-list DYNAMIC-POLICY-PAT-L2LVPN

In the above configuration we tell the firewall that it should do Dynamic PAT for all traffic that is coming from the VPN Pool and going to the remote site behind the L2L VPN connection. We will be using the internal IP address 192.168.200.254 as the Dynamic PAT IP address. If this is already assigned to some internal device then you should change the Dynamic PAT IP address to something else that is free just so that there will not be any overlap.

Let me know if you do the changes and what the situation is

Hope this helps

- Jouni

View solution in original post

8 Replies 8

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

You would need to include the VPN Pool to the L2L VPN Crypto ACL unless you are going to use Dynamic PAT to translate all VPN users to an IP address beloging to the L2L VPN.

Current ACL is

access-list external-12_1_cryptomap extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

You need to addd

access-list external-12_1_cryptomap extended permit ip 10.5.0.0 255.255.0.0 sa-lan 255.255.0.0

You will naturally also need to make the same addition on the other end of the L2L VPN though as mirror image. Unless you want to play around with NAT configurations which is naturally also possible.

- Jouni

Thanks JouniForss. I added the ACL. I can don't have an issue working with the NAT translations as that is what I was trying to do before. Do you know what else I would need to add?

Hi,

Sorry I must be blind and too tired

I suggested completely wrong addition to the ACL. I added the same remote network as the source when I was supposed to add the VPN Pool.

So please remove what I suggested

no access-list external-12_1_cryptomap extended permit ip 10.5.0.0 255.255.0.0 sa-lan 255.255.0.0

And add

access-list external-12_1_cryptomap extended permit ip 192.168.201.0 255.255.255.0 10.5.0.0 255.255.0.0

And then naturally do the same changes/additions to the remote site of the L2L VPN. (Mirror image of the ACL ofcourse) Or do you have management access to the remote site?

- Jouni

no direct access to remote site just s2s settings. so you are saying that the other side would have to allow access of this network to allow me in right. currently they probably have 192.168.200.0 able to access and not 201.

Hi,

Was really tired last night so left answering to this day.

Ok, so if you dont have management access to the remote site VPN device or wont be able to easily request additions to the configurations then we would have to configure a Dynamic Policy PAT for the VPN Client users to be able to access the L2L VPN.

The idea behind that is that we could use Dynamic Policy PAT to translate all VPN Client users to an IP address 192.168.200.x and therefore their connections would match the existing L2L VPN configurations and go through the L2L VPN.

The problem at the moment for me is that there are several NAT0 configurations that seem quite strange to me and I am not sure if they are needed. In the current setup they might simply make it so that any Dynamic Policy PAT we would configure would fail since the NAT0 would override the new configuration.

To my understanding you should do the following changes on your firewall for the connections from VPN Clients to work to the L2L VPN

Remove internal NAT configurations

  • First ACL line doesnt make sense since "sa-lan" is not located behind your "internal" interface
  • Second and Third ACL line dont make sense since the "cur-vpn-group" is not located behind your "internal" interface

no nat (internal) 0 access-list internal_nat0_outbound_1 outside

no access-list internal_nat0_outbound_1 extended permit ip sa-lan 255.255.0.0 curacao-lan 255.255.255.0

no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 any

no access-list internal_nat0_outbound_1 extended permit ip cur-vpn-group 255.255.255.0 sa-lan 255.255.0.0

Remove external NAT configurations

  • The first "nat" and "access-list" configurations should not be needed as you already have an existing NAT0 configuration on the "internal" interface that should work for the traffic between VPN users and the Internal LAN.
  • The second "nat" and "access-list" configurations should not be needed either. You will need a "nat" configuration on the external interface but at the moment it seems it will not be a NAT0 configuration

no nat (external-12) 0 access-list external-12_nat0_outbound outside

no nat (external-12) 0 access-list external-12_nat0_outbound_1

no access-list external-12_nat0_outbound extended permit ip cur-vpn-group 255.255.255.0 any

no access-list external-12_nat0_outbound_1 extended permit ip any cur-vpn-group 255.255.255.0

no access-list external-12_nat0_outbound_1 extended permit ip curacao-lan 255.255.255.0 sa-lan 255.255.0.0

The above configurations that we remove SHOULD all be useless configuration with regards to your needs. The NAT0 configuration that we leave to your "internal" interface seems to me to be the only one you will need. I have to stress through that if you have any doubt if the above configurations are actually needed for something (for which I dont see the reason at the moment) then you should try these changes at some specific time when the changes could not inflict any bigger problems.

Now the Dynamic Policy PAT configuration that you would need for your VPN Client users to access the L2L VPN connections should be something like this

global (external-12) 200 192.168.200.254

access-list DYNAMIC-POLICY-PAT-L2LVPN remark Dynamic Policy PAT for VPN Client users

access-list DYNAMIC-POLICY-PAT-L2LVPN permit ip 192.168.201.0 255.255.255.0 10.5.0.0 255.255.0.0

nat (external-12) 200 access-list DYNAMIC-POLICY-PAT-L2LVPN

In the above configuration we tell the firewall that it should do Dynamic PAT for all traffic that is coming from the VPN Pool and going to the remote site behind the L2L VPN connection. We will be using the internal IP address 192.168.200.254 as the Dynamic PAT IP address. If this is already assigned to some internal device then you should change the Dynamic PAT IP address to something else that is free just so that there will not be any overlap.

Let me know if you do the changes and what the situation is

Hope this helps

- Jouni

Jouni,

Thanks for the information. It worked. Also thank you for helping me understand what was being done. I really appreciate your help.

Hi,

Glad to hear it worked

I noticed just now that I had forgotten to add the network mask for the source network on the "access-list" configuration in the earlier reply.

I edited the earlier reply so it has the correct "access-list" configuration.

- Jouni

Jouni,

Yeah I saw that but I already knew what to do there. Thanks again.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: