
Using ASA-5510 to route VLAN WLAN connection

scottrhodes13a
Level 1

Hi Everyone..

I am a complete newbie to Cisco equipment. So far I've been able to figure out how to do most of what I needed by using the ASDM, but I have run into something that is a little more complicated than just opening a port.

We currently have a connection to our remote site. This site has a T1 internet connection. Our connection is a site to site VPN with an ASA-5510 on this end and a ASA-5505 on the other.

We are upgrading this connection to a 75 Mbit hybrid microwave/fiber link. The provider is going to hand it off to us as an untagged VLAN. We made the decision to route all of the remote site's internet access through this location so as to avoid having to split off part of the bandwidth of this link to dedicate to internet access.

We also have an Enterasys B3 Layer 3 switch and on the test bench I believe I have successfully configured this switch to enable the VLANs to communicate with each other and allow the remote site internet access.

The main office uses IP schema 10.0/16 and the remote office uses 10.3/16.

However, after giving this more thought, I believe that the ASA-5510 would be better suited to this task.

We have unused Ethernet ports on the device, so how would I configure the ASA to do this?

I am sure I would have to configure the unused port, along with VLAN config and some routing configuration, but I am completely ignorant on how to do this.

Thank You for any help,

Michael

23 Replies

Mitchell Dyer
Level 1

Please post the running configs with the public addresses and credentials redacted.

Sent from Cisco Technical Support Android App

Hi Mitchell..

Thanks for your reply... Configs pasted below:

-----------------------

Main Location ASA5510 Configuration File

All references to Mabton public IPs have been changed to 5.5.5.5
All references to MountVernon public IPs have been changed to 7.7.7.7

: Saved
:
ASA Version 8.4(2)
!
hostname Riverbend
domain-name Northwesthort.com
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
multicast-routing
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif Outside2
security-level 0
ip address 7.7.7.7 255.255.255.240
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address 10.0.1.1 255.255.0.0
!
interface Ethernet0/3
nameif Mabton
security-level 100
ip address 172.30.0.1 255.255.255.252
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name Northwesthort.com
same-security-traffic permit inter-interface
object network obj-7.7.7.7
host 7.7.7.7
object network obj-7.7.7.7
host 7.7.7.7
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-172.20.0.0
subnet 172.20.0.0 255.255.255.128
object network obj-10.0.30.254
host 10.0.30.254
object network obj-10.0.30.253
host 10.0.30.253
object network obj-10.0.30.252
host 10.0.30.252
object network obj-10.0.200.21
host 10.0.200.21
object network obj-10.0.30.250
host 10.0.30.250
object network obj-10.0.30.249
host 10.0.30.249
object network obj-10.0.30.248
host 10.0.30.248
object network obj-10.0.30.247
host 10.0.30.247
object network obj-10.0.30.246
host 10.0.30.246
object network obj-10.0.201.3
host 10.0.201.3
object network obj-10.0.30.242
host 10.0.30.242
object network obj-10.0.30.242-01
host 10.0.30.242
object network obj-10.0.30.241
host 10.0.30.241
object network obj-10.0.30.240
host 10.0.30.240
object network obj-10.0.200.23
host 10.0.200.23
object network obj-10.0.201.2
host 10.0.201.2
object network obj-10.0.201.2-01
host 10.0.201.2
object network obj-10.0.201.2-02
host 10.0.201.2
object network obj-10.0.201.2-03
host 10.0.201.36
object network obj-10.0.201.21
host 10.0.201.21
object network obj-10.0.201.2-04
host 10.0.201.2
object network obj-10.0.201.2-05
host 10.0.201.2
object network obj-10.0.201.2-06
host 10.0.201.2
object network obj-10.0.201.5
host 10.0.201.5
object network obj-10.0.30.245
host 10.0.30.245
object network obj-10.0.30.238
host 10.0.30.238
object network obj-10.0.200.24
host 10.0.200.24
object network obj-10.0.201.7
host 10.0.201.7
object network obj-10.0.201.18
host 10.0.201.18
object network obj-10.0.30.244
host 10.0.30.244
object network obj-10.0.201.6
host 10.0.201.6
object network obj-10.0.200.26
host 10.0.200.26
object network obj-10.0.201.6-01
host 10.0.201.6
object network obj-10.0.200.28
host 10.0.200.28
object network obj-10.0.30.237
host 10.0.30.237
object network obj-10.0.201.34-04
host 10.0.201.34
object network obj-10.0.201.34
host 10.0.201.34
object network obj-10.0.201.35
host 10.0.201.35
object network obj-10.0.201.34-01
host 10.0.201.34
object network obj-10.0.201.34-02
host 10.0.201.34
object network obj-10.0.201.34-03
host 10.0.201.34
object network obj-10.0.201.20
host 10.0.201.20
object network obj-10.0.201.6-02
host 10.0.201.6
object network obj-10.0.30.236
host 10.0.30.236
object network obj-10.0.30.240-01
host 10.0.30.240
object network obj-10.0.201.2-07
host 10.0.201.2
object network obj-10.0.201.21-01
host 10.0.201.21
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj-10.0.30.235
host 10.0.30.235
object network obj-10.0.201.201
host 10.0.201.201
object network obj-10.0.201.201-01
host 10.0.201.201
object network obj-10.0.30.234
host 10.0.30.234
object network Obj-10.0.32.39
host 10.0.32.39
description ADFS server
object network Obj-10.0.201.36
object network obj-10.0.201.36-2
host 10.0.201.36
object network obj-10.0.201.2-08
host 10.0.201.2
object network obj-10.0.201.2-10
host 10.0.201.2
object network obj-10.0.30.251
host 10.0.30.251
object-group service TSPorts tcp
description Allowed ports for TS traffic
port-object range 3389 3415
port-object range 3416 3420
port-object range 3421 3425
object-group network TSIPS
description IPs allowed Terminal Service Traffic
network-object 10.0.30.224 255.255.255.224
network-object 10.0.200.0 255.255.255.0
network-object 10.0.201.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip any 172.20.0.0 255.255.255.128
access-list Outside_cryptomap_20_1 extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list management_nat0_outbound extended permit ip any 172.20.0.0 255.255.255.128
access-list Outside2_access_out extended permit icmp any any
access-list Outside2_access_out extended permit ip any any
access-list Outside2_access_in extended permit icmp any any
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq www
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq ftp
access-list Outside2_access_in extended permit tcp 161.165.202.24 255.255.255.248 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit tcp host 168.244.164.230 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit tcp host 168.244.164.33 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit udp any host 10.0.30.241 eq 47825
access-list Outside2_access_in extended permit tcp any host 10.0.201.21 eq www
access-list Outside2_access_in extended deny tcp any host 10.0.201.36 eq smtp
access-list Outside2_access_in extended permit tcp host 63.111.64.75 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit udp any host 10.0.201.2 eq 443
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq https
access-list Outside2_access_in extended permit tcp any host 10.0.201.6 eq 993
access-list Outside2_access_in extended permit tcp 5.5.5.5 255.255.255.0 host 10.0.30.240 eq 4080
access-list Outside2_access_in extended permit tcp any host 10.0.201.34 eq www
access-list Outside2_access_in extended permit tcp any host 10.0.201.34 eq https
access-list Outside2_access_in extended permit udp any host 10.0.201.34 eq 443
access-list Outside2_access_in extended permit tcp any host 10.0.201.6 eq https
access-list Outside2_access_in extended permit tcp any object-group TSIPS eq 3389
access-list Outside2_access_in extended permit tcp any host 10.0.201.201 eq smtp
access-list Outside2_access_in extended permit tcp any host 10.0.201.36 eq www
access-list Outside2_access_in extended permit tcp any host 10.0.201.36 eq https
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq 8083
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq 8080
access-list Outside2_access_in extended permit tcp any host 10.0.201.2 eq 8081
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.0.0
pager lines 24
logging enable
logging buffer-size 8192
logging trap errors
logging history emergencies
logging asdm errors
logging host Inside 10.0.201.4
logging ftp-server 10.0.201.2 /Syslog rb-util3\locsyslog *****
logging class auth history alerts trap errors asdm critical
mtu Outside2 1500
mtu Inside 1500
mtu Mabton 1500
mtu management 1500
ip local pool vpnpool 172.20.0.0-172.20.0.127 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp
nat (Inside,any) source static any any destination static obj-172.20.0.0 obj-172.20.0.0
nat (management,Outside2) source static any any destination static obj-172.20.0.0 obj-172.20.0.0
!
object network obj-7.7.7.7
nat (any,Inside) static 10.0.201.21 dns
object network obj-7.7.7.7
nat (any,Inside) static 10.0.201.2 dns
object network obj-10.0.30.254
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3395
object network obj-10.0.30.253
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3396
object network obj-10.0.30.250
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3400
object network obj-10.0.30.249
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3401
object network obj-10.0.30.248
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3402
object network obj-10.0.30.247
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3403
object network obj-10.0.201.3
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3391
object network obj-10.0.30.242
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3407
object network obj-10.0.30.242-01
nat (Inside,Outside2) static 7.7.7.7 service udp 47825 47825
object network obj-10.0.30.241
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3408
object network obj-10.0.30.240
nat (Inside,Outside2) static 7.7.7.7 service tcp 4080 4080
object network obj-10.0.200.23
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3394
object network obj-10.0.201.2
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3393
object network obj-10.0.201.2-02
nat (Inside,Outside2) static 7.7.7.7 service tcp www www
object network obj-10.0.201.2-03
nat (Inside,Outside2) static 7.7.7.7 service tcp smtp smtp
object network obj-10.0.201.21
nat (Inside,Outside2) static 7.7.7.7 service tcp www www
object network obj-10.0.201.2-04
nat (Inside,Outside2) static 7.7.7.7 service tcp 8083 8083
object network obj-10.0.201.2-05
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.201.2-06
nat (Inside,Outside2) static 7.7.7.7 service udp 443 443
object network obj-10.0.201.5
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3418
object network obj-10.0.30.245
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3410
object network obj-10.0.30.238
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3411
object network obj-10.0.201.7
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3390
object network obj-10.0.201.18
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3392
object network obj-10.0.30.244
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3405
object network obj-10.0.201.6
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3413
object network obj-10.0.201.6-01
nat (Inside,Outside2) static 7.7.7.7 service tcp 993 993
object network obj-10.0.30.237
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3416
object network obj-10.0.201.34-04
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3417
object network obj-10.0.201.35
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3419
object network obj-10.0.201.34-01
nat (Inside,Outside2) static 7.7.7.7 service tcp www www
object network obj-10.0.201.34-02
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.201.34-03
nat (Inside,Outside2) static 7.7.7.7 service udp 443 443
object network obj-10.0.201.20
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3420
object network obj-10.0.201.6-02
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.30.236
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3421
object network obj-10.0.30.240-01
nat (Inside,Outside2) dynamic 7.7.7.7
object network obj-10.0.201.2-07
nat (Inside,Outside2) dynamic 7.7.7.7 dns
object network obj-10.0.201.21-01
nat (Inside,Outside2) dynamic 7.7.7.7 dns
object network obj_any
nat (Inside,Outside2) dynamic 7.7.7.7
object network obj_any-01
nat (Inside,Outside2) dynamic obj-0.0.0.0
object network obj_any-02
nat (Mabton,Outside2) dynamic obj-0.0.0.0
object network obj_any-03
nat (management,Outside2) dynamic 7.7.7.7
object network obj_any-04
nat (management,Outside2) dynamic obj-0.0.0.0
object network obj-10.0.201.201-01
nat (Inside,Outside2) dynamic 7.7.7.7
object network obj-10.0.30.234
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3423
object network obj-10.0.201.36-2
nat (Inside,Outside2) static 7.7.7.7 service tcp https https
object network obj-10.0.201.2-08
nat (Inside,Outside2) static 7.7.7.7 service tcp 8080 8080
object network obj-10.0.201.2-10
nat (Inside,Outside2) static 7.7.7.7 service tcp 8081 8081
object network obj-10.0.30.251
nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3399
access-group Outside2_access_in in interface Outside2
access-group Outside2_access_out out interface Outside2
route Outside2 0.0.0.0 0.0.0.0 7.7.7.7 2
route Mabton 10.3.0.0 255.255.0.0 172.30.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server nwhort protocol radius
aaa-server nwhort (Inside) host 10.0.200.10
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 Inside
http 172.30.0.0 255.255.255.252 Mabton
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
auth-prompt prompt Hello
auth-prompt accept Done Good
auth-prompt reject Sorry Pal
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set ikev1 transform-set ESP-DES-MD5
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside2_dyn_map 20 set ikev1 transform-set ESP-DES-MD5
crypto dynamic-map Outside2_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside2_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set pfs
crypto map Outside_map 20 set peer 5.5.5.5
crypto map Outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside2
crypto map Outside2_map 65535 set security-association lifetime seconds 28800
crypto map Outside2_map 65535 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.0.0.0 255.255.0.0 Inside
telnet 10.3.0.0 255.255.0.0 Inside
telnet 172.30.0.0 255.255.255.252 Mabton
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Mabton
dhcpd ping_timeout 750
!
dhcpd address 7.7.7.7-7.7.7.7 Outside2
dhcpd option 3 ip 7.7.7.7 interface Outside2
dhcpd enable Outside2
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.201.7 source Inside prefer
tftp-server Inside 10.0.30.254 ASAConfig
webvpn
group-policy DfltGrpPolicy attributes
group-policy vpnclient internal
group-policy vpnclient attributes
wins-server value 10.0.201.7
dns-server value 10.0.200.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value nwhort.local
group-policy vpnclient2 internal
group-policy vpnclient2 attributes
wins-server value 10.0.201.7
dns-server value 10.0.201.7
default-domain value nwhort.local
username scottr password RPA.iVy/Gb2zvItH encrypted
username scottr attributes
vpn-group-policy vpnclient
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect ip-options
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c44d3dbd88396d10282c7ff09c790111
: end
asdm image disk0:/asdm-645.bin
asdm location 172.20.0.0 255.255.255.128 Outside2
no asdm history enable

---------------------------------

Remote Location ASA5505 Configuration File

All references to Mabton public IPs have been changed to 5.5.5.5
All references to MountVernon public IPs have been changed to 7.7.7.7


: Saved
:
ASA Version 8.0(4)
!
hostname Mabton
domain-name northwesthort.com
enable password xxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
no forward interface Vlan2
nameif MountVernon
security-level 100
ip address 172.30.0.2 255.255.255.252
!
interface Vlan2
shutdown
nameif outside
security-level 0
ip address 5.5.5.5 255.255.255.248
!
interface Vlan12
nameif inside
security-level 100
ip address 10.3.1.2 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name northwesthort.com
same-security-traffic permit inter-interface
access-list outside_access_out extended permit tcp 10.3.0.0 255.255.0.0 any eq www inactive
access-list outside_access_out extended permit tcp 10.3.0.0 255.255.0.0 any eq ftp inactive
access-list outside_access_out extended permit icmp any any inactive
access-list outside_access_out extended permit ip any any inactive
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit tcp any host 5.5.5.5 range 3390 3392 inactive
access-list outside_access_in extended permit tcp any host 5.5.5.5 eq 3390 inactive
access-list outside_1_cryptomap extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu MountVernon 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 10 5.5.5.5
nat (MountVernon) 10 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 5.5.5.5 47809 10.3.31.253 47809 netmask 255.255.255.255
static (inside,outside) udp 5.5.5.5 47809 10.3.31.253 47809 netmask 255.255.255.255
static (inside,outside) tcp 5.5.5.5 3391 10.3.31.251 3389 netmask 255.255.255.255
static (inside,outside) tcp 5.5.5.5 3392 10.3.31.250 3389 netmask 255.255.255.255
static (inside,outside) tcp 5.5.5.5 3390 10.3.201.18 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route MountVernon 0.0.0.0 0.0.0.0 172.30.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
http server enable
http 10.3.0.0 255.255.255.255 inside
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 MountVernon
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outsid_map 1 set pfs
crypto map outsid_map 1 set security-association lifetime seconds 28800
crypto map outsid_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 7.7.7.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 MountVernon
telnet 10.3.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.3.201.18 /asa.cfg
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group 7.7.7.7 type ipsec-l2l
tunnel-group 7.7.7.7 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b2834b4f750df909e5e0450971eba2bf
: end
asdm image disk0:/asdm-647.bin
no asdm history enable

----------------

Update:

From inside the 5505, I can ping random 10.0.0.0/16 addresses inside the Mount Vernon network, except for 10.0.1.1, which is the 5510 gateway IP. Which is to be expected, I suppose.

But I can't ping 10.0.0.0/16 addresses from the 10.3.0.0/16 network.

Unfortunately I can't try it the other way around since I can't seem to be able to connect to my main office desktop using RDP over my cell connection.

Which leads me to believe the routing issue is on the Mabton side.

Michael

Michael,

I think the issue is related to the VPN configuration still being present. I think the NAT statements are unnecessarily NATing the traffic.

Back up the configs and remove the tunnel-group statements on both ends, along with the NAT exemption statements. I would test to make sure you have inter-site connectivity before worrying about the internet access via the main site. You will need to add a NAT statement to get that working (see below).

object net obj-10.3.0.0

nat (mabton,outside2) dynamic interface

Hi Mitchell..

You rock!

After removing the VPN entries on both ends I was able to ping machines from either network.

I added the NAT statement above and now the remote location has internet access.

I am curious though.. I disabled the VPN connections on their respective interfaces using ASDM. Shouldn't that have worked without having to delete the VPN entries?

Now I just need to add the NAT rules that were on the 5505 to the 5510 and I am all set. If I have trouble with that I will revisit this thread so don't unsubscribe just yet.

Thanks so much!

Michael
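Before copying the 5505's static port forwards onto the 5510, it is worth checking that every object NAT is backed by an inbound permit: on ASA 8.3+ the inbound ACL is evaluated against the real (untranslated) host and port, and the posted 5510 config already shows the kind of drift this catches (a static smtp forward to 10.0.201.36 that Outside2_access_in explicitly denies, while the smtp permit points at 10.0.201.201, which only has dynamic NAT). The checker below is an added example, not code from the thread; it understands only the object network / object-group / access-list / access-group clauses it needs, treats `range` ports as any port, and runs over a constructed excerpt in the shape of the posted config.

```python
"""Cross-check ASA 8.3+ object-NAT port forwards against the inbound interface ACL.
Added example: the inbound ACL matches on REAL host and port, so each static 'service'
NAT is compared with the ACL using its real IP and real port, not the mapped ones."""
import ipaddress
import re
from collections import defaultdict, namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}
Nat = namedtuple("Nat", "obj real_ip mapped_iface proto real_port mapped_port")
Rule = namedtuple("Rule", "acl action proto dst_nets port")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static \S+ service (tcp|udp) (\S+) (\S+)")
to_port = lambda t: int(t) if t.isdigit() else PORT_NAMES[t.lower()]  # 'eq www' -> 80


def parse(config):
    hosts, groups, nats, rules, acl_in = {}, defaultdict(list), [], [], {}
    block = None  # ('object', name) or ('group', name) while inside a definition block

    def addr(tok, i):  # one ACL address spec: any | host X | object-group G | NET MASK
        if tok[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if tok[i] == "host":
            return [ipaddress.ip_network(tok[i + 1])], i + 2
        if tok[i] == "object-group":
            return groups[tok[i + 1]], i + 2
        return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:2] == ["object", "network"]:
            block = ("object", tok[2])
        elif tok[:2] == ["object-group", "network"]:
            block = ("group", tok[2])
        elif tok[0] == "host" and block and block[0] == "object":
            hosts[block[1]] = tok[1]
        elif tok[0] == "network-object" and block and block[0] == "group":
            groups[block[1]].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "nat" and block and block[0] == "object":
            m = NAT_RE.match(line.strip())  # dynamic PAT / twice NAT forward no port: skipped
            if m and block[1] in hosts:
                mapped, proto, rp, mp = m.groups()[1:]
                nats.append(Nat(block[1], hosts[block[1]], mapped.lower(), proto,
                                to_port(rp), to_port(mp)))
        elif tok[0] == "access-list" and tok[2] == "extended":
            _, i = addr(tok, 5)  # source address is not part of this check
            dst, i = addr(tok, i)
            port = to_port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None  # range -> any
            rules.append(Rule(tok[1], tok[3], tok[4], dst, port))
        elif tok[0] == "access-group" and tok[2] == "in":
            acl_in[tok[4].lower()] = tok[1]
    return nats, rules, acl_in


def audit(config):
    """Return findings as strings; an empty list means the forwards and the ACL agree."""
    nats, rules, acl_in = parse(config)
    findings = []
    for n in nats:  # 1) each static forward must hit a 'permit' first (ACLs are first-match)
        acl, ip = acl_in.get(n.mapped_iface), ipaddress.ip_address(n.real_ip)
        hit = next((r for r in rules if r.acl == acl and r.proto in (n.proto, "ip")
                    and r.port in (None, n.real_port) and any(ip in d for d in r.dst_nets)), None)
        if hit is None or hit.action != "permit":
            findings.append(f"{n.obj}: {n.proto}/{n.mapped_port} -> {n.real_ip}:{n.real_port} "
                            f"is not permitted by {acl or 'any inbound ACL'}")
    for r in rules:  # 2) each inbound port permit should be backed by some static forward
        if r.action == "permit" and r.port and r.acl in acl_in.values() and not any(
                n.proto == r.proto and n.real_port == r.port and ipaddress.ip_address(n.real_ip) in d
                for n in nats for d in r.dst_nets):
            findings.append(f"{r.acl}: permits {r.proto}/{r.port} to "
                            f"{', '.join(map(str, r.dst_nets))} but no static NAT delivers it")
    return findings


# Constructed excerpt in the shape of the posted 5510 config (ASA 8.4 object-NAT syntax).
SAMPLE = """\
object network obj-10.0.30.254
 host 10.0.30.254
object network obj-10.0.201.2-03
 host 10.0.201.36
object-group network TSIPS
 network-object 10.0.30.224 255.255.255.224
access-list Outside2_access_in extended deny tcp any host 10.0.201.36 eq smtp
access-list Outside2_access_in extended permit tcp any object-group TSIPS eq 3389
access-list Outside2_access_in extended permit tcp any host 10.0.201.201 eq smtp
object network obj-10.0.30.254
 nat (Inside,Outside2) static 7.7.7.7 service tcp 3389 3395
object network obj-10.0.201.2-03
 nat (Inside,Outside2) static 7.7.7.7 service tcp smtp smtp
access-group Outside2_access_in in interface Outside2
"""
```

Running `audit(SAMPLE)` reports the smtp forward to 10.0.201.36 as denied and the smtp permit for 10.0.201.201 as having no static NAT behind it, while the 3389 forward is accepted because 10.0.30.254 falls inside the TSIPS object-group.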

Great!

I can't comment on the ASDM as I don't use it unless I absolutely have to.

Hi Mitchell...

No worries.. It's just something I was curious about.

Ok, I do have one more question though. The 5505 is running an old ASA version - 8.0.

The newest version is 8.4.4ED. Should I install this version or should I just leave well enough alone?

Do I have to install each interim version between what I have now and this one or can I just go straight to the newest version?

Will upgrading the software break my configuration?

Thanks,

Michael

Mitchell Dyer
Level 1

Good question. I would update the 5505 to match the 5510.

I would back up the image and the config just to be safe, but the update should convert the config for you and there is no need to upgrade to interim releases.

Sent from Cisco Technical Support Android App

Hi Mitchell..

One more question if you don't mind.

I am at the remote location and everything seems to be working very well.

One exception.

I have a DNS entry to allow inside machines to access our forward facing web site by using the internal IP.

That has always worked just fine. Unfortunately it is not working from the remote site any longer. It still works from the main site though.

If I nslookup our website address, it resolves correctly to the internal IP at both locations.

But if you ping the address from the remote site only, it resolves to our outside address and there is no reply. Of course trying to access it from a browser does not work either.

I suspect that is because all of the internet traffic is getting routed to the Outside interface on the 5510 at the remote location.

Is there a way for me to fix this?

Thanks,

Michael
