Set up new l2l vpn site to site on asa with exisitng RA vpn

Hi there,

I am having a few issues setting up the Cisco ASA at my work. Historically, the device has been configured by quite a few different engineers and different companies. Going through the current config I can see that it's not set up in the ideal way, and there also seem to be ghost entries in the config which don't show in the ASDM console.

Basically what I need to do is the following:

1.) Create a new site-to-site VPN tunnel to a new site (site B, say, which is on 192.168.0.0/24). All traffic from the 10.0.0.0/16 network (the current LAN at site A) needs to be able to communicate on all TCP ports and addresses with site B (and vice versa).

2.) I will also need to set up another two site-to-site VPN tunnels in the future as well, but I assume the procedure for doing 1.) will be similar to that for 2.)

Historically, our Remote Access VPN has a range of IPs that are allocated to clients (10.0.0.142-149 and another group of addresses on 10.0.65.x).

Each VPN-allocated client address has a NAT exempt rule (it's a bit messy).

The crypto map for the Remote Access VPN has the interesting traffic defined as any to any, which I am not sure is correct. I tried using the EasyVPN wizard to set up the site-to-site config between 192.168.0.0/24 and 10.0.0.0/16, but it errored out and affected the remote access crypto map to such an extent that the remote access stopped working. I don't know if this was a problem with the actual crypto map or whether the ASA crashed.

Basically I would like to get to the stage where I can create multiple site-to-site VPN tunnels using the EasyVPN wizard, with the remote access and site-to-site VPNs terminating on the same interface.

Here is my sanitized config, and many thanks for any help! I know enough to find my way around a Cisco ASA, but the crypto maps and VPN command-line configs are a little beyond me. I know what I want to do and I know how IKE and ACLs/NAT should be configured, but I think as the current config has been worked on so much I can't work out what's going on and why it's not working.

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname CCFW
domain-name test.com
enable password T2FXIRdbTjPc3Dx5 encrypted
names
name 10.0.20.4 test2 description 2008 Exchange server
!
interface Ethernet0/0
nameif WANINT
security-level 0
ip address xxxxxxxx 255.255.255.252
!
interface Ethernet0/1
nameif LANINT
security-level 100
ip address 10.0.0.141 255.255.0.0
!
interface Ethernet0/2
nameif WANINT2
security-level 0
ip address xxxxxxxxx 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.20.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxx
object-group network VPNGroup2
description VPNGroup2
network-object 10.0.65.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list WANINT2_cryptomap extended permit ip any 10.0.0.64 255.255.255.192
access-list WANINT_cryptomap extended permit ip any 10.0.0.64 255.255.255.192
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.142
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.143
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.144
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.145
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.146
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.147
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.148
access-list LANINT_nat0_outbound extended permit ip any host 10.0.0.149
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.65
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.66
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.67
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.68
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.69
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.70
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.71
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.72
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.73
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.74
access-list LANINT_nat0_outbound extended permit ip any host 10.0.65.75
access-list LANINT_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list LANINT_access_in extended permit ip 10.0.0.0 255.255.0.0 any log disable
access-list LANINT_access_in extended permit ip 172.16.10.0 255.255.255.0 any log disable
access-list LANINT_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list WANINT2_access_in extended permit tcp any interface WANINT2 eq smtp
access-list WANINT2_access_in extended permit tcp any interface WANINT2 eq www inactive
access-list WANINT2_access_in extended permit tcp any interface WANINT2 eq https
access-list Tunnel2_splitTunnelAcl standard permit any
access-list WANINT2_cryptomap_1 extended permit ip any 10.0.65.64 255.255.255.192
pager lines 24
logging enable
logging list VPN_Stuff level debugging class vpdn
logging list VPN_Stuff level debugging class vpn
logging list VPN_Stuff level debugging class vpnc
logging asdm VPN_Stuff
logging class vpdn asdm debugging
logging class vpn asdm debugging
logging class vpnc asdm debugging
mtu WANINT 1500
mtu LANINT 1500
mtu WANINT2 1500
mtu management 1500
ip local pool VPNDHCP 10.0.0.142-10.0.0.149 mask 255.255.0.0
ip local pool VPNDHCP2 10.0.65.65-10.0.65.100 mask 255.255.0.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (WANINT) 101 interface
global (LANINT) 1 interface
global (WANINT2) 1 interface
nat (LANINT) 0 access-list LANINT_nat0_outbound
nat (LANINT) 1 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (LANINT,WANINT2) tcp interface www exch1 www netmask 255.255.255.255
static (LANINT,WANINT2) tcp interface https exch1 https netmask 255.255.255.255
static (LANINT,WANINT2) tcp interface smtp exch1 smtp netmask 255.255.255.255
access-group LANINT_access_in in interface LANINT
access-group WANINT2_access_in in interface WANINT2
route LANINT 172.16.10.0 255.255.255.0 10.0.20.2 1
route LANINT 192.168.1.0 255.255.255.0 10.0.0.253 1
route WANINT2 0.0.0.0 0.0.0.0 94.175.210.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server WindowsRadius protocol radius
reactivation-mode timed
aaa-server WindowsRadius (LANINT) host 10.0.0.103
key Nexus
radius-common-pw xxxxxxx
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.0.0.103
dns-server value 10.0.0.103
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value xxxxxxxx
address-pools value VPNDHCP VPNDHCP2
group-policy DfltGrpPolicy attributes
banner value Welcome to the xxxxxxx VPN. If you are not authorised to use this service please disconnect now.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value xxxxxxxxxxxxxxxxxxxx
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username user1 password A5XOy94YKDPXCo7U encrypted privilege 0
username Emergency password nMdIFZw9WxcXhRWnh3OnhQ== nt-encrypted privilege 0
username Emergency attributes
vpn-group-policy DefaultRAGroup
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 LANINT
snmp-server host LANINT 10.0.0.252 community public
snmp-server location xxxx
snmp-server contact xxxxxxx
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map WANINT_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map WANINT2_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map WANINT2_dyn_map 21 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map WANINT2_dyn_map0 1 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map WANINT2_dyn_map1 1 set transform-set TRANS_ESP_3DES_SHA
crypto map WANINT_map 20 ipsec-isakmp dynamic WANINT_dyn_map
crypto map WANINT_map interface WANINT
crypto map WANINT2_map 65535 ipsec-isakmp dynamic WANINT2_dyn_map1
crypto map WANINT2_map interface WANINT2
crypto isakmp enable WANINT2
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
address-pool VPNDHCP
address-pool VPNDHCP2
authentication-server-group WindowsRadius LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group xxxxx2 type ipsec-l2l
tunnel-group xxxxx2 ipsec-attributes
pre-shared-key *
telnet 10.0.0.24 255.255.255.255 LANINT
telnet 10.0.20.2 255.255.255.255 LANINT
telnet 10.0.0.140 255.255.255.255 LANINT
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d0c7d064867e143f82ce47ab259371b6
: end

Cisco Employee

Re: Set up new l2l vpn site to site on asa with exisitng RA vpn

Assuming that you are terminating the VPN tunnel on the WANINT2 interface, since that is where you have your default route configured.

You also currently have a crypto map configured on the WANINT2 interface, which is correct.

All you need to configure is the same crypto map name with a different sequence number for the L2L VPN (it needs to be a smaller number to come higher in the sequence):

access-list crypto-10 extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0

crypto map WANINT2_map 10 match address crypto-10

crypto map WANINT2_map 10 set peer

crypto map WANINT2_map 10 set transform-set

For the second and third L2L, you just configure the same with a different sequence number:

crypto map WANINT2_map 20 match address crypto-20

crypto map WANINT2_map 20 set peer

crypto map WANINT2_map 20 set transform-set

crypto map WANINT2_map 30 match address crypto-30

crypto map WANINT2_map 30 set peer

crypto map WANINT2_map 30 set transform-set

You would also need to create the pre-shared key:

tunnel-group   type ipsec-l2l

tunnel-group ipsec-attributes

     pre-shared-key

Hope that helps.
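The reply above hinges on two things that are easy to get wrong by hand when several engineers have touched the box: every static L2L entry must carry a lower sequence number than the dynamic (remote-access) entry on the same crypto map, and its interesting traffic must also appear in the nat 0 exemption ACL. The following script is an added example, not code from the thread or from Cisco: it parses ASA 7.x-style `access-list`, `crypto map` and `nat ... 0 access-list` lines from a text config and reports entries that are out of order, incomplete, or not NAT-exempted. The sample config is constructed from the thread's map names plus the reply's suggested `crypto-10`/`crypto-20` entries; the peer addresses, the `172.16.50.0/24` third site and the transform-set choice are placeholders, and the ACE comparison is a plain string match rather than subnet containment.

```python
"""Lint ASA crypto map ordering and NAT exemption before adding an L2L tunnel.

Added example, not from the thread. Handles only the ASA 7.x syntax shapes
that appear in the original post (extended permit ip ACEs, static and
dynamic crypto map entries, nat 0 access-list).
"""
import re
from collections import defaultdict

# Constructed sample: thread map names plus the reply's suggested entries.
# Peer addresses, the 172.16.50.0/24 site and transform-set are placeholders.
SAMPLE_CONFIG = """
access-list LANINT_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list crypto-10 extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list crypto-20 extended permit ip 10.0.0.0 255.255.0.0 172.16.50.0 255.255.255.0
nat (LANINT) 0 access-list LANINT_nat0_outbound
crypto map WANINT2_map 10 match address crypto-10
crypto map WANINT2_map 10 set peer 203.0.113.10
crypto map WANINT2_map 10 set transform-set ESP-3DES-SHA
crypto map WANINT2_map 65535 ipsec-isakmp dynamic WANINT2_dyn_map1
crypto map WANINT2_map interface WANINT2
crypto map WANINT_map 20 ipsec-isakmp dynamic WANINT_dyn_map
crypto map WANINT_map 30 match address crypto-20
crypto map WANINT_map 30 set peer 198.51.100.7
crypto map WANINT_map interface WANINT
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_config(text):
    """Return (acls, maps, nat0_acls) extracted from an ASA config text."""
    acls = defaultdict(list)   # ACL name -> list of "src smask dst dmask" strings
    maps = defaultdict(dict)   # crypto map name -> {seq: {field: value}}
    nat0_acls = set()          # ACL names referenced by nat (...) 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls[m.group(1)].append(m.group(2).strip())
        elif m := CMAP_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            entry = maps[name].setdefault(seq, {})
            if rest.startswith("ipsec-isakmp dynamic "):
                entry["dynamic"] = rest.split()[-1]
            elif rest.startswith("match address "):
                entry["acl"] = rest.split()[-1]
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split(maxsplit=2)[2]
            elif rest.startswith("set transform-set "):
                entry["transform"] = rest.split(maxsplit=2)[2]
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(1))
    return acls, maps, nat0_acls


def check_crypto_maps(text):
    """Return {map name: [finding, ...]} for maps with problems."""
    acls, maps, nat0_acls = parse_config(text)
    # Every ACE that is NAT-exempted, as a plain string (no subnet containment).
    exempt = {ace for name in nat0_acls for ace in acls.get(name, [])}
    findings = defaultdict(list)
    for name, entries in maps.items():
        dyn_seqs = [s for s, e in entries.items() if "dynamic" in e]
        first_dyn = min(dyn_seqs) if dyn_seqs else None
        for seq, e in sorted(entries.items()):
            if "dynamic" in e:
                continue
            # Static entries are evaluated in sequence order; anything numbered
            # above the dynamic entry is shadowed by it.
            if first_dyn is not None and seq > first_dyn:
                findings[name].append(
                    f"seq {seq}: sits after dynamic entry {first_dyn}; "
                    "give it a lower sequence number")
            for field in ("acl", "peer", "transform"):
                if field not in e:
                    findings[name].append(f"seq {seq}: missing {field}")
            for ace in acls.get(e.get("acl", ""), []):
                if ace not in exempt:
                    findings[name].append(
                        f"seq {seq}: interesting traffic '{ace}' has no nat 0 exemption")
    return dict(findings)


if __name__ == "__main__":
    for map_name, items in check_crypto_maps(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{map_name}: {item}")
```

Run against the sample, `WANINT2_map` comes back clean (static entry 10 is complete, sits below the dynamic entry at 65535, and its ACE is in the nat 0 ACL), while `WANINT_map` gets three findings: entry 30 is numbered above the dynamic entry at 20, it has no transform-set, and the `172.16.50.0` traffic is not NAT-exempted. Feeding it the output of `show running-config` before and after a wizard run is a cheap way to see what the wizard actually changed.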

Cisco Employee

Re: Set up new l2l vpn site to site on asa with exisitng RA vpn