Site to Site VPN Routing problem on 5510

gray25251
Level 1

Hi

I'm really struggling to set up the routing through a site-to-site VPN to another site using subnet 212.xxx.xxx.0/24.

10.1.1.2 is a gateway that has access to the site. If I add "route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2" on any server on the 10.1.1.0/24 subnet, it is able to connect to any system on the 212.xxx.xxx.0/24 subnet. However, it doesn't work for computers connected via remote-access VPN.

I need all the servers on the 10.1.1.0/24 subnet to have access to the 212.xxx.xxx.0/24 subnet, and also any computer connected via remote-access VPN to the 5510.

Any suggestions would be much appreciated! I have pasted the router config below:

Cryptochecksum: 49793991 c37xxx68 7ebb062c 7523fc98
: Saved
: Written by graham at 02:20:18.131 UTC Mon Oct 29 2012
!
ASA Version 8.2(2)
!
hostname fw
domain-name xxxxx.com
enable password Pp6RUfxxxbecnUU encrypted
passwd ucU7iJY/nXxxxxZ/ encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 87.xxx.xxx.66 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 78.xxx.xxx.1 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxx.com
same-security-traffic permit inter-interface
access-list basic extended permit icmp any any echo-reply
access-list basic extended permit icmp any any time-exceeded
access-list basic extended permit tcp any host 78.xxx.xxx.24 eq 8731
access-list basic extended permit tcp any host 78.xxx.xxx.24 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.28 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.32 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.18 eq www inactive
access-list basic extended permit tcp any host 78.xxx.xxx.23 eq www
access-list basic extended permit tcp any host 78.xxx.xxx.2 eq https
access-list basic extended permit tcp any host 78.xxx.xxx.14 eq https
access-list basic extended permit tcp any host 78.xxx.xxx.24
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 78.xxx.xxx.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
access-list allow extended permit ip any any
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.203
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.204
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.205
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.206
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.207
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.208
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.209
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.210
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.211
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.212
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.213
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.214
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.215
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.216
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.217
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.218
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.190
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.191
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.192
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.193
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.194
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.195
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.196
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.197
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.198
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.199
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.200
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.201
access-list MATCHSITE1 extended permit ip host 78.xxx.xxx.26 host 212.xxx.xxx.202
access-list SITE1NAT extended permit ip any 212.xxx.xxx.0 255.255.255.0
access-list SMTP-NAT extended permit tcp host 78.xxx.xxx.20 any eq smtp
access-list MATCHKW extended permit ip 78.xxx.xxx.0 255.255.255.224 host 10.180.9.121
access-list MATCHKW extended permit ip 78.xxx.xxx.0 255.255.255.224 host 10.180.9.120
access-list MATCHKW extended permit ip 78.xxx.xxx.0 255.255.255.224 host 10.180.9.221
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.16.158.11
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.17.167.10
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.16.157.164
access-list Site2 extended permit ip 78.xxx.xxx.24 255.255.255.248 host 172.16.134.86
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list SMTP-NAT
nat (Inside) 1 10.1.1.0 255.255.255.0
nat (Inside) 1 10.2.2.0 255.255.255.0
access-group basic in interface Outside
access-group allow out interface Outside
access-group allow in interface Inside
access-group allow out interface Inside
route Outside 0.0.0.0 0.0.0.0 87.117.213.65 1
route Inside 10.1.1.0 255.255.255.0 78.xxx.xxx.2 1
route Inside 10.2.2.0 255.255.255.0 78.xxx.xxx.2 1
route Inside 10.33.67.0 255.255.255.0 78.xxx.xxx.26 1
route Inside 172.20.78.0 255.255.255.0 78.xxx.xxx.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 10 match address MATCHKW
crypto map VPNPEER 10 set peer 94.xxx.xxx.2
crypto map VPNPEER 10 set transform-set kwset
crypto map VPNPEER 10 set nat-t-disable
crypto map VPNPEER 30 match address MATCHSITE1
crypto map VPNPEER 30 set peer 212.xxx.xxx.233
crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 40 match address Site2
crypto map VPNPEER 40 set peer 94.128.3.130
crypto map VPNPEER 40 set transform-set kwset
crypto map VPNPEER 50 match address MATCHKW
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 94.xxx.xxx.2
crypto map VPNPEER 50 set transform-set kwset ESP-DES-MD5 ESP-3DES-SHA ESP-DES-SHA
crypto map VPNPEER 50 set nat-t-disable
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface Outside
crypto isakmp enable Outside
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter value SPLITTUN
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CLIENTGROUP internal
group-policy CLIENTGROUP attributes
 dns-server value 10.1.1.10 10.1.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUN
 default-domain value xxxxx.local
username admin password 9RG9xAxxOSnJRd.Q encrypted privilege 15
tunnel-group mis type remote-access
tunnel-group mis general-attributes
 address-pool LOCPOOL
 default-group-policy CLIENTGROUP
tunnel-group mis ipsec-attributes
 pre-shared-key VjNby$&xxxx5
tunnel-group mis ppp-attributes
 authentication ms-chap-v2
tunnel-group 212.xxx.xxx.233 type ipsec-l2l
tunnel-group 212.xxx.xxx.233 ipsec-attributes
 pre-shared-key 1245xxxx!@
tunnel-group 94.xxx.xxx.2 type ipsec-l2l
tunnel-group 94.xxx.xxx.2 ipsec-attributes
 pre-shared-key 1qazxsw23edc
tunnel-group 94.xxx.xxx.130 type ipsec-l2l
tunnel-group 94.xxx.xxx.130 ipsec-attributes
 pre-shared-key YGDT8oxxxx@!Utr
!
class-map ftpdefault
 match default-inspection-traffic
!
!
policy-map global_policy
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:49793991c37efe687ebb062c7523fc98
: end

2 Replies

JohnTylerPearce
Level 7

Hey, it looks like you need to make a few configuration changes. Under the tunnel-group mis, it specifies a specific tunnel list, which includes the following networks.

access-list SPLITTUN standard permit 78.xxx.xxx.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0

I don't see the 212.xxx.xxx.0/24 subnet included in the SPLITTUN list; you will also need to add that to the appropriate NONAT list.

elepon06
Level 1

Try ...

same-security-traffic permit intra-interface
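The two replies above each point at a statement in the posted config that can be checked mechanically: whether the split-tunnel list handed to the remote-access clients contains the remote subnet, whether a nat 0 (NAT-exempt) ACL pairs the VPN address pool with that subnet, and whether intra-interface hairpinning is turned on. The script below is an added example, not something from the thread or from Cisco: it parses just those ASA 8.2 statements from a constructed config (the poster's CLIENTGROUP policy, LOCPOOL pool, SPLITTUN and NONAT names are kept; 198.51.100.0/25 and 203.0.113.0/24 are documentation ranges standing in for the masked 78.xxx.xxx.0/25 and 212.xxx.xxx.0/24) and runs the three checks against the "before" config and against a copy with the suggested lines added. The NAT-exempt check is deliberately simple: it accepts any nat 0 entry that pairs the whole pool with the destination in either direction, and does not model which interface the nat 0 statement is bound to.

```python
"""Audit the remote-access -> site-to-site path items raised in this thread.

Added example (not from the thread, not Cisco tooling). Parses the handful of
ASA 8.2 statements the replies point at and reports, for a destination subnet
behind an L2L peer, whether:
  1. the split-tunnel ACL given to remote-access clients includes it,
  2. a nat 0 (NAT-exempt) ACL pairs the VPN address pool with it,
  3. 'same-security-traffic permit intra-interface' is present.
Constructed sample configs use RFC 5737 ranges in place of the masked addresses.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed: the relevant lines of the posted config, with 198.51.100.0/25
# standing in for 78.xxx.xxx.0/25.
BEFORE = """\
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 198.51.100.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
nat (Inside) 0 access-list NONAT
group-policy CLIENTGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUN
"""

# Constructed: the same lines plus one form of the changes the replies suggest
# (203.0.113.0/24 stands in for the remote 212.xxx.xxx.0/24).
AFTER = BEFORE + """\
same-security-traffic permit intra-interface
access-list SPLITTUN standard permit 203.0.113.0 255.255.255.0
access-list NONAT extended permit ip 10.255.255.0 255.255.255.0 203.0.113.0 255.255.255.0
"""


def _addr(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_config(text):
    """Collect ACL (src, dst) pairs, local pools, nat 0 ACL names, split lists, hairpin flag."""
    cfg = {"acls": {}, "pools": {}, "nat0": set(), "split": {}, "hairpin": False}
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if line == "same-security-traffic permit intra-interface":
            cfg["hairpin"] = True
        elif t[0] == "access-list" and len(t) > 5 and t[3] == "permit":
            if t[2] == "standard":
                src, dst = ANY, ipaddress.ip_network(t[4] + "/" + t[5], strict=False)
            elif t[4] == "ip":
                src, i = _addr(t, 5)
                dst, _ = _addr(t, i)
            else:
                continue  # port-level entries are irrelevant to these checks
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif line.startswith("ip local pool"):
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].add(t[4])
        elif t[0] == "group-policy" and t[-1] == "attributes":
            policy = t[1]
        elif t[0] == "split-tunnel-network-list" and policy:
            cfg["split"][policy] = t[2]
    return cfg


def _covered(pieces, net):
    """True if every block that makes up the pool range lies inside net."""
    return all(p.subnet_of(net) for p in pieces)


def split_tunnel_includes(cfg, policy, dest):
    """True if the policy's split-tunnel ACL has an entry containing dest."""
    name = cfg["split"].get(policy)
    return any(dest.subnet_of(dst) for _, dst in cfg["acls"].get(name, []))


def nat_exempt_pairs(cfg, pool_name, dest):
    """True if some nat 0 ACL entry pairs the whole pool with dest (either direction)."""
    pool = cfg["pools"][pool_name]
    for name in cfg["nat0"]:
        for src, dst in cfg["acls"].get(name, []):
            if (_covered(pool, src) and dest.subnet_of(dst)) or \
               (dest.subnet_of(src) and _covered(pool, dst)):
                return True
    return False


def audit(text, policy="CLIENTGROUP", pool="LOCPOOL", dest="203.0.113.0/24"):
    """Run the three checks; returns a dict of booleans, one per finding."""
    cfg = parse_config(text)
    d = ipaddress.ip_network(dest)
    return {
        "split_tunnel_includes_dest": split_tunnel_includes(cfg, policy, d),
        "nat_exempt_pool_to_dest": nat_exempt_pairs(cfg, pool, d),
        "intra_interface_hairpin": cfg["hairpin"],
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

Run as-is, the "before" config fails all three checks and the "after" config passes them; pointing audit() at a saved show run output with the real policy, pool and 212.xxx.xxx.0/24 values gives the same three answers for the live box. Whether the nat 0 entry belongs on the Inside or the Outside interface depends on which way the 212 traffic actually leaves the ASA (via the 10.1.1.2 gateway on the inside, or hairpinned back out to the L2L peer), which this script does not decide.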
