Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
878
Views
0
Helpful
10
Replies

Access to Remote Network through Remote Access VPN

Go to solution
ematelyan
Level 1
Level 1

‎05-13-2013 08:26 AM - edited ‎02-21-2020 06:53 PM

Hello,

I'm having an issue with users that are accessing VPN from their homes.  We currently have 3 offices setup, setup as shown below.  When I VPN into the Philadelphia office, I'm unable to access resources on the Connecticut or North Carolina offices. 

The VPN subnet is 192.168.10.0.  Inside the PA office, I have no trouble getting to NC or CT.  Do I need to add a static route from Pennsylvania to CT and NC?  If so, could you give me a hand with the correct syntax?

North Carolina office <-----------IPSecVPN----------> Pennsylvania Office <------------IPSecVPN-------------> Connecticut Office

192.168.5.0                                                            192.168.1.0                                                        192.168.2.0                  

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to ematelyan

‎05-13-2013 12:45 PM

Hi,

Yes, basically the ASA hosting the VPN Client service in this case has pretty much the same configuration related to both sites except for ofcourse the obvious

  • Networks/Subnets
  • Different ACL for each L2L VPN

Though naturally the problem from my part is the WRVS4400N configuration.

Basically you are doing the same things on that device as the other remote site.

You add the VPN Pool as another remote network to the L2L VPN configurations. You also confirm that there is NAT0 operation for that network also. I am not sure I can help there as I dont know the device.

Can you please mark the question as answered and rate other helpfull answers

Naturally ask more and I will try to help if I can

- Jouni

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-13-2013 08:40 AM

Hi,

So I assume you are connecting with VPN Client to the Pennsulvania Office and would wish to connect through that VPN Client connection to the other 2 remote sites also?

I presume you are using Cisco PIX or ASAs at software level 8.2 or below

What you need to do is

  • Make sure you have the "same-security-traffic permit intra-interface" configured on the Pennsulvania Office ASA
  • You will have to add the VPN Pool network as the local subnet to the L2L VPN ACL for both connections
  • You will have to create a new NAT0 ACL that which will have 2 lines with the VPN Pool as source subnet for both rules and the 2 remote networks as the destination subnets
  • You will have to attach that NAT0 ACL to the "outside" interface of the Pennsylvania Office ASA
  • You will have to add a line to the current NAT0 ACL on each remote office which has the local subnet as source and the VPN pool subnet as the destination
  • You will finally have to make sure that the VPN Client connections is either configured as Full Tunnel that tunnels all destination networks on the VPN Client connection OR if using Split Tunnel you will have to add the 2 remote site subnets to the Split Tunnel ACL

For a more specific answer I would need to see the firewall configurations.

If they are configured using Routers then I wont be able to help so much I imagine (unless the central site is ASA and remote offices Routers)

Hope this helps

If this already answered your question then please mark the reply as the correct answer. And/or rate helpfull replys.

Ask more if needed

- Jouni

0 Helpful

Go to solution
ematelyan
Level 1
Level 1
In response to Jouni Forss

‎05-13-2013 09:25 AM

Hello again Jouni,

The Pennsylvania office and the Connecticut office have an ASA 5505 v8.2

The North Carolina office has a WRVS4400N  (although you probably know that now )

Below is the config in PA

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname WayneASA

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.91.18.205 255.255.255.252
!
interface Vlan5
shutdown
no nameif
security-level 50
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
domain-name 3gtms.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0

pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.10.1-192.168.10.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address outside_2_cryptomap
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set VPNTransformSet
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure

crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteTunnel_splitTunnelAcl_1
default-domain value 3gtms.com
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
username lestofts password URsSXKLozQMSeCBk encrypted privilege 5
username lestofts attributes
service-type remote-access
username algobel password lBWy5eNbHMCDPzuL encrypted
username algobel attributes
service-type remote-access
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
address-pool VPNPool
default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
pre-shared-key *****
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
pre-shared-key *****
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
  inspect pptp
  inspect sip 
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a86adc4b23977672679b6fb72d0bc187
: end

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to ematelyan

‎05-13-2013 09:35 AM

I am a bit blind

I am on answering "mode" and didnt even notice that I was answering to two discussion by the same poster

I guess we could take a look at this situation so that we first try to configure the setup so that the VPN Client users can access the other remote site with the ASA.

If that is working ok then concentrate on the other site with the different device.

I will check this out in a bit. Now I need a coffee break.

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-13-2013 10:54 AM

Ok, so here goes

WayneASA

First thing we could do is add some configuration to this sites VPN Client Split Tunnel ACL

access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0

This will essentially mean that when you next time log in with the VPN Client connection, the client software will know to forward traffic destined to network 192.168.2.0/24 to the VPN connection.

So next we need to make sure that the ASA knows how to forward this traffic to the L2L VPN from this local site to the remote site.

access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0

This tells the ASA that it should forward traffic from VPN Pool to the remote LAN into the L2L VPN connection between the sites.

Even after these configurations we will still need to configure NAT0 for this traffic between the VPN Pool and the Remote LAN otherwise the traffic will never be forwarded to the L2L VPN connection.

access-list OUTSIDE-NAT0 remark NAT0 for VPN Pool to Remote Sites

access-list OUTSIDE-NAT0 permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0

nat (outside) 0 access-list OUTSIDE-NAT0

The above configuration along with the other above configuration basically tells the ASA to (not in the above order)

  • Tunnel traffic destined to network 192.168.2.0/24 from the VPN Client to the ASA
  • Apply NONAT / NAT0 for the traffic destined to the network 192.168.2.0/24
  • Forward the VPN client connections to the L2L VPN connection

In addition to this, we will need a very important configuration command on the ASA.

same-security-traffic permit intra-interface

This will allow the VPN Client traffic coming through the "outside" interface of the ASA to leave through the "outside" inteface of the ASA. Without this traffic wont flow even though all other configurations would be correct.

SheltonASA

Now we need to take care of the remote site ASA. It wont require so many configuration compared to the site that is acting as the hub for the remote users.

We will need to tell this ASA likewise that the traffic from its LAN network towards to the VPN Pool should be forwarded to the L2L VPN connection

access-list IPSec_Access extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.224

Then we will need to add the NONAT / NAT0 configuration for the above traffic also. We simply add this to the existing NAT0 ACL configuration.

access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.224

This should be pretty much it concerning the connectivity between the 2 sites with ASAs.

Have a try at these configurations and let me know if they work. After could look a little on the situation with the L2L VPN connection towards the site with the different device.

Remember to mark the reply as the correct answer if it was and/or rate helpfull answers

- Jouni

0 Helpful

Go to solution
ematelyan
Level 1
Level 1
In response to Jouni Forss

‎05-13-2013 11:34 AM

Hey Jouni,

I believe your advice did work, as I'm able to ping 192.168.2.1 (CT ASA) through the Remote access VPN, but I can't ping anything past that.

I ran into this issue earlier after talking to you about the other post (regarding the IPSEC VPN between the ASA and WRSV4400N).  Sorry to bring up another topic, but this seems to relate.

I basically have a full mesh VPN between these three sites now, after your help this morning.  However, it seems that the connection to the CT office is not going past the ASA.

What I mean is, I can ping 192.168.2.1 from the PA office, NC office or VPN,  But I can't ping anything further than that (for example 192.168.2.2, the connected switch)  I've also noticed that everything else stopped working (my remote desktop connection to one of the servers in the office, I can't open the ASDM at https://192.168.2.1/admin, etc)

These things were working beforehand, so I must've changed something as we were working on the IPSec VPN this morning.  The CT office shows that there are 2 connected ipsec tunnels, so it seems as though they're connected, but something is not letting me get past that point.

North Carolina office 192.168.5.0

Pennsylvania Office  192.168.1.0

Connecticut Office 192.168.2.0

Below is the config from the CT office.

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname SheltonASA

name 192.168.1.0 Wayne-Network
name 50.199.234.229 Shelton-Firewall
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Shelton-Firewall 255.255.255.252
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.11.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 Wayne-Network 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.11.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.2.0 255.255.255.0 Wayne-Network 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Raleigh_IPSec extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.11.1-192.168.11.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.199.234.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynamicMap 1 set pfs group1
crypto dynamic-map DynamicMap 1 set transform-set VPNTransformSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMap 1 ipsec-isakmp dynamic DynamicMap
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 70.91.18.205
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address Raleigh_IPSec
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set ESP-3DES-MD5
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteTunnel_splitTunnelAcl
username eric password 0vcSd5J/TLsFy7nU encrypted
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 70.91.18.205 type ipsec-l2l
tunnel-group 70.91.18.205 ipsec-attributes
pre-shared-key *****
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
address-pool VPNPool
default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
pre-shared-key *****
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c2791cb239228d5504dda75fca9516f
: end

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to ematelyan

‎05-13-2013 12:02 PM

Hi,

Did I manage to break something?

To my understanding the configurations I provided specifically mention only the VPN pool network and the remote site LAN network. So on the basis of that I am not totally sure why it would break anything. Though sometimes NAT0 configurations might cause problems. Especially when they arent done with very specific/accurate information.

Can you first try to add this on the ASA with the 192.168.2.0/24 network

policy-map global_policy

class inspection_default

  inspect icmp

And try the ICMP through the connection again.

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-13-2013 12:09 PM

Hi,

Actually this might be the problem

no sysopt connection permit-vpn

Though what I am not sure about is why I see an ACL attached to your "outside" interface but I dont see the ACL in the configuration.

But again, the above command basically tells the ASA the following

DONT ALLOW any connectiong through a VPN connection (client or L2L) UNLESS its ALLOWED on the "outside" interface ACL (or the ACL of the interface where the VPN is terminated BUT 99% of the time its "outside")

So either open the needed traffic in the "outside" interface ACL

Or allow the traffic coming through VPN to automatically BYPASS the "outside" interface ACL by issuing the command

sysopt connection permit-vpn

- Jouni

0 Helpful

Go to solution
ematelyan
Level 1
Level 1
In response to Jouni Forss

‎05-13-2013 12:40 PM

You've done it again!  That was the problem, and that was my fault.  I turned that on this morning as I was playing around with setting up the IPSec.  I completely forgot to reverse it. 

I just tested the VPN from the PA office, and the remote VPN.  Both look good now, I'm able to RDP to my machines and ping across the IPSec tunnels.

So in setting up the access to the NC office with the WRVS4400N, I should issue the following commands on the PA ASA?  NC network is 192.168.5.0

access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.5.0 255.255.255.0

access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0

access-list OUTSIDE-NAT0 permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to ematelyan

‎05-13-2013 12:45 PM

Hi,

Yes, basically the ASA hosting the VPN Client service in this case has pretty much the same configuration related to both sites except for ofcourse the obvious

  • Networks/Subnets
  • Different ACL for each L2L VPN

Though naturally the problem from my part is the WRVS4400N configuration.

Basically you are doing the same things on that device as the other remote site.

You add the VPN Pool as another remote network to the L2L VPN configurations. You also confirm that there is NAT0 operation for that network also. I am not sure I can help there as I dont know the device.

Can you please mark the question as answered and rate other helpfull answers

Naturally ask more and I will try to help if I can

- Jouni

0 Helpful

Go to solution
ematelyan
Level 1
Level 1
In response to Jouni Forss

‎05-13-2013 01:05 PM

Marked as answered and Rated.  Thank you again for everything!

0 Helpful
Customers Also Viewed These Support Documents