10-29-2012 03:32 AM - edited 03-07-2019 09:44 AM
Hi
I'm really struggling to set up the routing through a site-to-site VPN to another site using subnet 212.xxx.xxx.0/24.
10.1.1.2 is a gateway that has access to the site. If I add the route "route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2" on any server on the 10.1.1.0/24 subnet, it is able to connect to any system on the 212.xxx.xxx.0/24 subnet. However, it doesn't work for computers connected via remote-access VPN.
I need to have all the servers on the 10.1.1.0/24 subnet have access to the 212.xxx.xxx.0/24 subnet, and also any computer connected via remote-access VPN to the 5510.
Any suggestions would be much appreciated! I have pasted the router config below:
Cryptochecksum: 49793991 c37xxx68 7ebb062c 7523fc98
: Saved
: Written by graham at 02:20:18.131 UTC Mon Oct 29 2012
!
ASA Version 8.2(2)
!
hostname fw
domain-name xxxxx.com
enable password Pp6RUfxxxbecnUU encrypted
passwd ucU7iJY/nXxxxxZ/ encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 87.xxx.xxx.66 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 78.xxx.xxx.1 255.255.255.128
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx.com
same-security-traffic permit inter-interface
access-list basic extended permit icmp any any echo-reply
access-list basic extended permit icmp any any time-exceeded
access-list basic extended permit tcp any host 78.xxx.xxx.24 eq 8731
access-list basic extended permit tcp any host 78.xxx.xxx.24 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.28 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.32 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.18 eq www inactive
access-list basic extended permit tcp any host 78.xxx.xxx.23 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.2 eq https
access-list basic extended permit tcp any host 78.xxx.xxx.14 eq https
access-list basic extended permit tcp any host 78.xxx.xxx.24
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 78.xxx.xxx.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
access-list allow extended permit ip any any
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.203
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.204
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.205
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.206
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.207
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.208
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.209
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.210
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.211
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.212
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.213
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.214
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.215
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.216
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.217
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.218
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.190
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.191
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.192
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.193
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.194
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.195
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.196
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.197
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.198
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.199
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.200
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.201
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.202
access-list SITE1NAT extended permit ip any 212.xxx.xxx.0 255.255.255.0
access-list SMTP-NAT extended permit tcp host 78.xxx.xxx.20 any eq smtp
access-list MATCHKW extended permit ip 78.xxx.xxx.0 255.255.255.224 host 10.180.9.121
access-list MATCHKW extended permit ip 78.xxx.xxx.0 255.255.255.224 host 10.180.9.120
access-list MATCHKW extended permit ip 78.xxx.xxx.0 255.255.255.224 host 10.180.9.221
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.16.158.11
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.17.167.10
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.16.157.164
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.16.134.86
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list SMTP-NAT
nat (Inside) 1 10.1.1.0 255.255.255.0
nat (Inside) 1 10.2.2.0 255.255.255.0
access-group basic in interface Outside
access-group allow out interface Outside
access-group allow in interface Inside
access-group allow out interface Inside
route Outside 0.0.0.0 0.0.0.0 87.117.213.65 1
route Inside 10.1.1.0 255.255.255.0 78.xxx.xxx.2 1
route Inside 10.2.2.0 255.255.255.0 78.xxx.xxx.2 1
route Inside 10.33.67.0 255.255.255.0 78.xxx.xxx.26 1
route Inside 172.20.78.0 255.255.255.0 78.xxx.xxx.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 10 match address MATCHKW
crypto map VPNPEER 10 set peer 94.xxx.xxx.2
crypto map VPNPEER 10 set transform-set kwset
crypto map VPNPEER 10 set nat-t-disable
crypto map VPNPEER 30 match address MATCHSITE1
crypto map VPNPEER 30 set peer 212.xxx.xxx.233
crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 40 match address Site2
crypto map VPNPEER 40 set peer 94.128.3.130
crypto map VPNPEER 40 set transform-set kwset
crypto map VPNPEER 50 match address MATCHKW
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 94.xxx.xxx.2
crypto map VPNPEER 50 set transform-set kwset ESP-DES-MD5 ESP-3DES-SHA ESP-DES-SHA
crypto map VPNPEER 50 set nat-t-disable
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface Outside
crypto isakmp enable Outside
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter value SPLITTUN
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CLIENTGROUP internal
group-policy CLIENTGROUP attributes
dns-server value 10.1.1.10 10.1.1.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUN
default-domain value xxxxx.local
username admin password 9RG9xAxxOSnJRd.Q encrypted privilege 15
tunnel-group mis type remote-access
tunnel-group mis general-attributes
address-pool LOCPOOL
default-group-policy CLIENTGROUP
tunnel-group mis ipsec-attributes
pre-shared-key VjNby$&xxxx5
tunnel-group mis ppp-attributes
authentication ms-chap-v2
tunnel-group 212.xxx.xxx.233 type ipsec-l2l
tunnel-group 212.xxx.xxx.233 ipsec-attributes
pre-shared-key 1245xxxx!@
tunnel-group 94.xxx.xxx.2 type ipsec-l2l
tunnel-group 94.xxx.xxx.2 ipsec-attributes
pre-shared-key 1qazxsw23edc
tunnel-group 94.xxx.xxx.130 type ipsec-l2l
tunnel-group 94.xxx.xxx.130 ipsec-attributes
pre-shared-key YGDT8oxxxx@!Utr
!
class-map ftpdefault
match default-inspection-traffic
!
!
policy-map global_policy
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:49793991c37efe687ebb062c7523fc98
: end
11-03-2012 05:16 AM
Hey, it looks like you need to make a few configuration changes. Under the tunnel-group mis, it specifies a specific tunnel list, which includes the following networks:
access-list SPLITTUN standard permit 78.xxx.xxx.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
I don't see the 212.xxx.xxx.0/24 subnet included in the SPLITTUN list. You will also need to add that to the appropriate NONAT list.
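The two checks in the reply above (is the destination covered by the split-tunnel list, and is the client-pool/destination pair exempt from NAT) can be scripted against a saved ASA config rather than eyeballed. The following is an added example, not code from this thread or from Cisco. It parses the ASA `access-list` syntax used in the posted config and audits one destination for the remote-access pool. The sample config is a constructed excerpt of the post with the masked 78.xxx.xxx.0/25 and 212.xxx.xxx.0/24 subnets replaced by the documentation prefixes 192.0.2.0/25 and 203.0.113.0/24; the ACL names SPLITTUN and NONAT come from the post, and the pool 10.255.255.0/24 is assumed to be the LOCPOOL range. The `FIX` lines only illustrate the shape of the entries the reply asks for and are not a verified fix for this firewall.

```python
"""Audit what an ASA remote-access client can reach through the tunnel by
parsing the split-tunnel and NAT-exemption access-lists of a saved config."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed excerpt of the posted config (masked subnets replaced by
# documentation prefixes: 192.0.2.0/25 for 78.xxx.xxx.0/25, 203.0.113.0/24
# for 212.xxx.xxx.0/24).
SAMPLE_CONFIG = """
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 192.0.2.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
"""

# Constructed candidate entries of the kind the reply describes (hypothetical).
FIX = """
access-list SPLITTUN standard permit 203.0.113.0 255.255.255.0
access-list NONAT extended permit ip 10.255.255.0 255.255.255.0 203.0.113.0 255.255.255.0
"""


@dataclass(frozen=True)
class Ace:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_object(tokens, i):
    """Parse one ASA address object at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_access_lists(config):
    """Return {acl_name: [Ace, ...]} for standard ACEs and extended 'ip' ACEs.
    Port-specific (tcp/udp) ACEs and 'inactive' entries are skipped because
    they do not decide split-tunnel coverage or NAT exemption."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("standard", "extended"):
            continue
        name, kind, action = tok[1], tok[2], tok[3]
        if action not in ("permit", "deny") or "inactive" in tok:
            continue
        if kind == "standard":
            dst, _ = _parse_object(tok, 4)          # standard ACLs list destination networks
            acls.setdefault(name, []).append(Ace(action == "permit", ANY, dst))
        else:
            if tok[4] != "ip":
                continue
            src, i = _parse_object(tok, 5)
            dst, _ = _parse_object(tok, i)
            acls.setdefault(name, []).append(Ace(action == "permit", src, dst))
    return acls


def first_match(acl, src_net, dst_net):
    """ASA ACLs are first-match: return the permit flag of the first ACE whose
    source and destination cover the whole pair, or None if nothing does."""
    for ace in acl:
        if src_net.subnet_of(ace.src) and dst_net.subnet_of(ace.dst):
            return ace.permit
    return None


def audit_remote_access(config, pool, destination, split_acl="SPLITTUN", nonat_acl="NONAT"):
    """Report whether clients in 'pool' would send 'destination' into the tunnel
    (split-tunnel list) and whether the pool/destination pair is NAT-exempt in
    either direction (how the posted NONAT list is written)."""
    acls = parse_access_lists(config)
    pool = ipaddress.IPv4Network(pool)
    destination = ipaddress.IPv4Network(destination)
    in_split = first_match(acls.get(split_acl, []), ANY, destination) is True
    nonat = acls.get(nonat_acl, [])
    nat_exempt = (first_match(nonat, pool, destination) is True
                  or first_match(nonat, destination, pool) is True)
    return {"split_tunnel": in_split, "nat_exempt": nat_exempt}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with candidate entries", SAMPLE_CONFIG + FIX)):
        print(label, audit_remote_access(cfg, "10.255.255.0/24", "203.0.113.0/24"))
```

Run against the excerpt, the audit reports both checks false for the stand-in 212 subnet and both true once the candidate entries are appended, while 10.1.1.0/24 passes both on the posted config alone. Whether traffic from a VPN client can then leave through the same Outside interface toward the site-to-site peer is a separate question that this script does not answer; it only reproduces the two ACL checks from the reply.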
11-04-2012 06:43 AM
Try ...
same-security-traffic permit intra-interface