Hi all,

I'm not very good with the Cisco ASA 5505 and 5510, but after a long time with Google, the Cisco forum and more, it's time for me to ask the question to someone who can help me!

I have 3 sites: the first is at the center of the configuration, site 2 is the site that hosts the important host, and site 3 is my site. I have access to the config of site 1 and my site.

At first we implemented a solution with vpnclient between site 1 and site 3 to access site 2. It works well, but we want to move to site-to-site between site 1 and 3. They told me OK, but do it, and after 1 month and a lot of weekends it's still not working.

This config works well on site 1 for my site 3 with vpnclient.

Config working as vpnclient on site 1:

ASA Version 8.2(5)
name <ip> Host_1_OnSite2
name <ip> Routeur_Host_1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <MySite1Ipaddress> 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address <InsideLanIpAddress> 255.255.255.0
!
access-list EasyVPN_splitTunnelAcl standard permit <InsideLanIprange> 255.255.255.0
access-list EasyVPN_splitTunnelAcl standard permit host Host_1_OnSite2
access-list EasyVPN_splitTunnelAcl standard permit host Routeur_Host_1
access-list inside_nat0_outbound extended permit ip any 10.1.9.0 255.255.255.128
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
ip local pool <MyGroup>_pool 10.1.9.50-10.1.9.100 mask 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 <MySite1IpGateway> 1
route inside Host_1_OnSite2 255.255.255.255 Routeur_Host_1 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
group-policy <MyGroup> internal
group-policy <MyGroup> attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EasyVPN_splitTunnelAcl
 nem enable
tunnel-group <MyGroup> type remote-access
tunnel-group <MyGroup> general-attributes
 address-pool <MyGroup>_pool
 default-group-policy <MyGroup>
tunnel-group <MyGroup> ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global

I don't know the site 2 configuration, but I think it's an ASA too, in router mode.

Config on site 3 with vpnclient:

vpnclient server <MySite1Ipaddress>
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup <MyGroup> password ********
vpnclient username <MyGroup> password ********
vpnclient enable

No ACL, no particular redirection: the basic ASA configuration with vpnclient.

I've tested a lot of configurations with a lot of ACLs and other attempts, but nothing works. I have access to the ASA 5510 only sometimes because it is in production, so if you have an idea I cannot try it immediately, but your help is appreciated.

Thanks in advance,
David.