Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2018
Views
0
Helpful
4
Replies

Using ASA 5510 with L2L and L2TP VPNs

Go to solution
bubaconk85
Level 1
Level 1

‎08-10-2011 12:07 PM

I would like to allow my remote users to access all resources bhind the ASA and my remote branches. 

Here is my setup.  ASA5510 as hub at datacenter.

                              Internal network 172.21.x.x Directly connected

                              DMZ 172.22.1.x.x Directly Connected

                              Branch1 10.47.x.x L2L VPN

                              Branch2 10.47.y.x L2L VPN

                              Remote users 172.21.y.x L2TP Windows Client

I can access my internal resources connected to the ASA but not the DMZ or branch offices. Do I need routing and reverse route injection?Untitled.jpg

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Lee Valentin
Level 1
Level 1
In response to bubaconk85

‎08-10-2011 09:15 PM

You also need to configure hairpinning.  http://goo.gl/vLqAR

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mohamed Sobair
Level 7
Level 7

‎08-10-2011 12:42 PM

You need to have (Spilit-tunneling) in the group policy for your remot branches and DMZ Networks as well.

and you need to exclude your remote users VPN from the NAT on the ASA.

If you post relevant config , it would be better.

Regards,

Mohamed

0 Helpful

Go to solution
bubaconk85
Level 1
Level 1
In response to Mohamed Sobair

‎08-10-2011 05:15 PM

Here is the sanitized partial config.  I tried the split tunnel as you may see, but it did not work.  I will try it again, but if I NO NAT the remote users IP pool then the branch office will not have a route for the REMOTE_USER_NET and it is going to fail.  Can I NAT the REMOTE_USER_NET behind the DMZ interface or something?

Names

name 10.xx.0.0 Branch-Net

Name 172.xx.0.0 INSIDE_NET

Name 172.xy.0.0 DMZ_NET

Name 172.XX.1.0 REMOTE_USER_NET

Name 10.xx.15.0 Branch_One

Name 10.xx.10.0 Branch_Two

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address INSIDE_NET 255.255.255.0

ospf cost 10

!

interface Ethernet0/2

nameif DMZ

security-level 50

ip address DMZ_NET 255.255.255.0

ospf cost 10

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address MGMNT_NET 255.255.255.0

ospf cost 10

management-only

!

boot system disk0:/asa724-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name somenet.com

object-group service Web tcp

port-object eq www

port-object eq https

object-group service WWW tcp-udp

port-object eq www

object-group service RDP tcp

description RDP

port-object eq 3389

object-group service VPN-TCP tcp

group-object RDP

group-object Web

port-object eq ftp

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq 8000

port-object eq ftp

object-group network DM_INLINE_NETWORK_1

network-object host WWW_Production

network-object host WWW_Backup

object-group network DM_INLINE_NETWORK_2

network-object host WWW_Production

network-object host WWW_Backup

object-group service DM_INLINE_TCP_6 tcp

port-object eq www

port-object eq https

port-object eq 3389

object-group network DM_INLINE_NETWORK_5

network-object host WWW_Production

network-object host WWW_Backup

object-group network DM_INLINE_NETWORK_6

network-object host SQL1

network-object host SQL_Backup

network-object host VSRVR

object-group service DM_INLINE_TCP_4 tcp

port-object eq 1433

port-object eq 3389

port-object eq www

port-object eq sqlnet

object-group service DM_INLINE_TCP_3 tcp

port-object eq 1433

port-object eq www

port-object eq sqlnet

access-list outside_1_cryptomap extended permit ip INSIDE_NET 255.255.255.0 Branch_One 255.255.255.0

access-list outside_access_in extended permit tcp any host ExternalIP eq www

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_5

access-list outside_access_in extended permit tcp any host ExternalIP object-group DM_INLINE_TCP_6

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_2

access-list inside_nat0_outbound extended permit ip INSIDE_NET 255.255.255.0 Branch_Net 255.255.0.0

access-list inside_nat0_outbound extended permit ip INSIDE_NET 255.255.255.0 India-IDC 255.255.255.240

access-list inside_nat0_outbound extended permit ip INSIDE_NET 255.255.255.0 Client_Net 255.255.255.0

access-list inside_nat0_outbound extended permit ip INSIDE_NET 255.255.255.0 DMZ_NET 255.255.255.0

access-list inside_nat0_outbound extended permit ip INSIDE_NET 255.255.255.0 Mumbi-Net 255.255.254.0

access-list inside_nat0_outbound extended permit ip INSIDE_NET 255.255.255.0 REMOTE_USER_NET 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip DMZ_NET 255.255.255.0 172.21.0.0 255.255.255.0

access-list DMZ_nat0_outbound_1 extended permit ip DMZ_NET 255.255.255.0 10.xx.0.0 255.255.0.0

access-list DMZ_nat0_outbound_1 extended permit ip DMZ_NET 255.255.255.0 India-IDC 255.255.255.240

access-list DMZ_nat0_outbound_1 extended permit ip DMZ_NET 255.255.255.0 172.21.0.0 255.255.255.0

access-list DMZ_nat0_outbound_1 extended permit ip DMZ_NET 255.255.255.0 Mumbi-Net 255.255.254.0

access-list DMZ_nat0_outbound_1 extended permit ip DMZ_NET 255.255.255.0 REMOTE_USER_NET 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl standard permit Branch_Two 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit INSIDE_NET 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit DMZ_NET 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl_2 standard permit INSIDE_NET 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl_2 standard permit 10.xx.10.0 255.255.255.0

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

0 Helpful

Go to solution
Lee Valentin
Level 1
Level 1
In response to bubaconk85

‎08-10-2011 09:15 PM

You also need to configure hairpinning.  http://goo.gl/vLqAR

0 Helpful

Go to solution
bubaconk85
Level 1
Level 1
In response to Lee Valentin

‎08-17-2011 04:54 PM

Ultimatly this was the solution, but I have to either add a route manually to my Windows L2TP route table or I must use the Default Route on the remote network which does not allow me to access the Internet at the same time as split tunneling should.  If I find the solution I will reply with that fix.

0 Helpful
Customers Also Viewed These Support Documents