06-04-2013 09:30 AM
We have a Cisco ASA 5505 at our CORP location, on which I have configured the Site2Site VPN to our COLO with a Juniper SRX220h. The site-to-site works fine, but when users access the Cisco VPN client from home, they can't ping or SSH through the Site2Site. Contacted JTAC and they said it's not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after 3 days (including Friday last week) of searching the Internet for over 6 hrs a day and trying different examples from other users. NO LUCK. The VPN client shows the secured route to 10.1.0.0.
Sorry to post this, but I am getting frustrated and my boss is breathing down my neck to complete this.
CORP network 192.168.1.0
VPN IP pool 192.168.12.0
Colo internal IP 10.1.0.0
Also, here is an example of my ASA config:
: Saved
:
ASA Version 8.2(1)
!
hostname lwchsasa
names
name 10.1.0.1 colo
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
backup interface Vlan12
nameif outside_pri
security-level 0
ip address 64.20.30.170 255.255.255.248
!
interface Vlan12
nameif backup
security-level 0
ip address 173.165.159.241 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NY
network-object 192.168.100.0 255.255.255.0
object-group service BSRO-3387 tcp
port-object eq 3387
object-group service BSRO-3388 tcp
port-object eq 3388
object-group service BSRO-3389 tcp
port-object eq 3389
object-group service OpenAtrium tcp
port-object eq 8100
object-group service Proxy tcp
port-object eq 982
object-group service VOIP10K-20K udp
port-object range 10000 20000
object-group network clientvpn
network-object 192.168.12.0 255.255.255.0
object-group service APEX-SSL tcp
description Apex Secure Dashboard Service
port-object eq 8586
object-group network CHS-Colo
network-object 10.1.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.1.0 255.255.255.0
network-object host 64.20.30.170
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp traceroute
service-object tcp-udp eq www
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object udp eq www
service-object udp eq tftp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp eq ssh
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group clientvpn
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list inside_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list outside_pri_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq www
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq https
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq 8100
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq ssh inactive
access-list outside_pri_access_in extended permit icmp any any echo-reply
access-list outside_pri_access_in extended permit icmp any any source-quench
access-list outside_pri_access_in extended permit icmp any any unreachable
access-list outside_pri_access_in extended permit icmp any any time-exceeded
access-list outside_pri_access_in extended permit tcp any 64.20.30.168 255.255.255.248 eq 8586
access-list levelwingVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list levelwingVPN_splitTunnelAcl standard permit 10.1.0.0 255.255.255.0
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list backup_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.12.0 255.255.255.0
access-list outside_pri_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_2 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list VPN-Corp-Colo extended permit object-group DM_INLINE_SERVICE_1 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OUTSIDE-NAT0 remark NAT0 for VPN Client to Remote Site
access-list OUTSIDE-NAT0 extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2LVPN extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm warnings
logging rate-limit unlimited level 4
flow-export destination inside 192.168.1.1 2055
flow-export template timeout-rate 1
mtu inside 1500
mtu outside_pri 1500
mtu backup 1500
ip local pool LVCHSVPN 192.168.12.100-192.168.12.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 100 burst-size 5
icmp permit any inside
icmp permit any outside_pri
no asdm history enable
arp timeout 14400
nat-control
global (outside_pri) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside_pri) 0 access-list OUTSIDE-NAT0
nat (backup) 0 access-list backup_nat0_outbound
static (inside,outside_pri) tcp interface https 192.168.1.45 https netmask 255.255.255.255 dns
static (inside,outside_pri) tcp interface www 192.168.1.45 www netmask 255.255.255.255 dns
static (inside,outside_pri) tcp interface 8586 192.168.1.45 8586 netmask 255.255.255.255 dns
static (inside,inside) tcp interface 8100 192.168.1.45 8100 netmask 255.255.255.255 dns
access-group outside_pri_access_in in interface outside_pri
route outside_pri 0.0.0.0 0.0.0.0 64.20.30.169 1 track 1
route backup 0.0.0.0 0.0.0.0 173.165.159.246 254
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:30:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 1:00:00 absolute uauth 1:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 981
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside_pri
http 0.0.0.0 0.0.0.0 backup
snmp-server group Authentication_Only v3 auth
snmp-server host inside 192.168.1.47 poll community lwmedia version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sla monitor 123
type echo protocol ipIcmpEcho 216.59.44.220 interface outside_pri
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside_pri
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 1 match address outside_pri_1_cryptomap
crypto map outside_pri_map 1 set pfs
crypto map outside_pri_map 1 set peer 50.75.217.246
crypto map outside_pri_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_pri_map 2 match address outside_pri_cryptomap
crypto map outside_pri_map 2 set peer 216.59.44.220
crypto map outside_pri_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 2 set security-association lifetime seconds 86400
crypto map outside_pri_map 3 match address outside_pri_cryptomap_1
crypto map outside_pri_map 3 set peer 216.59.44.220
crypto map outside_pri_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_pri_map interface outside_pri
crypto isakmp identity address
crypto isakmp enable outside_pri
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside_pri
!
dhcpd address 192.168.1.51-192.168.1.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain LM interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
webvpn
port 980
enable inside
enable outside_pri
svc enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec svc
group-policy levelwingVPN internal
group-policy levelwingVPN attributes
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value levelwingVPN_splitTunnelAcl
username aard password Z74.JN3DGMNlP0H2 encrypted privilege 0
username aard attributes
vpn-group-policy levelwingVPN
service-type remote-access
username rcossentino password 4UpCXRA6T2ysRRdE encrypted
username rcossentino attributes
vpn-group-policy levelwingVPN
service-type remote-access
username bcherok password evwBWqKKwrlABAUp encrypted
username bcherok attributes
vpn-group-policy levelwingVPN
service-type remote-access
username rscott password nIOnWcZCACUWjgaP encrypted privilege 0
username rscott attributes
vpn-group-policy levelwingVPN
username sryan password 47u/nJvfm6kprQDs encrypted
username sryan attributes
vpn-group-policy levelwingVPN
service-type nas-prompt
username cbruch password a8R5NwL5Cz/LFzRm encrypted privilege 0
username cbruch attributes
vpn-group-policy levelwingVPN
service-type remote-access
username apellegrino password yy2aM21dV/11h7fR encrypted
username apellegrino attributes
vpn-group-policy levelwingVPN
service-type remote-access
username rtuttle password /79ROD7fRw5C4.l5 encrypted privilege 0
username rtuttle attributes
vpn-group-policy levelwingVPN
username levelwingadmin password vJFHerTwBy8dRiyW encrypted privilege 15
username nbrothers password CAjm/rm5PYhoysB5 encrypted privilege 0
username nbrothers attributes
vpn-group-policy levelwingVPN
username clong password z.yb0Oc09oP3/mXV encrypted
username clong attributes
vpn-group-policy levelwingVPN
service-type remote-access
username finance password 9TxE6jWN/Di4eZ8w encrypted privilege 0
username finance attributes
vpn-group-policy levelwingVPN
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive disable
tunnel-group 50.75.217.246 type ipsec-l2l
tunnel-group 50.75.217.246 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group levelwingVPN type remote-access
tunnel-group levelwingVPN general-attributes
address-pool LVCHSVPN
default-group-policy levelwingVPN
tunnel-group levelwingVPN ipsec-attributes
pre-shared-key *
tunnel-group 216.59.44.221 type ipsec-l2l
tunnel-group 216.59.44.221 ipsec-attributes
pre-shared-key *
tunnel-group 216.59.44.220 type ipsec-l2l
tunnel-group 216.59.44.220 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
!
!
policy-map global_policy
!
prompt hostname context
Cryptochecksum:ed7f4451c98151b759d24a7d4387935b
: end
06-06-2013 07:06 AM
Any ideas?????
06-06-2013 11:23 PM
Hi,
The "show crypto ipsec sa peer x.x.x.x" command doesn't show that the L2L VPN would have been formed between the 2 sites.
Either there is a problem with the local device and it's unable to forward the traffic from the VPN Client to the L2L VPN.
Would have to see the current version of the configuration to see if there is anything wrong there.
Have you made sure that the remote end has added your VPN Pool network 192.168.12.0/24 as something that can use the L2L VPN to connect to the remote network 10.1.0.0/24?
- Jouni
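The original post and Jouni's reply between them name the hub-side pieces a VPN-client-to-L2L hairpin needs on the ASA (intra-interface hairpinning, NAT exemption on the outside interface, a crypto ACL that carries the pool to the remote LAN, the remote LAN in the split-tunnel list) and the one piece the far end has to mirror. The script below is an added example, my own code and not from the thread, Cisco or Juniper, that reads an ASA 8.2-style config and reports which of those hub-side requirements are present. It runs on a constructed fragment that reuses the names from the posted config; the fragment deliberately reproduces one shape visible in that config, where ACLs covering 192.168.12.0/24 to 10.1.0.0/24 (outside_19_cryptomap, L2LVPN, VPN-Corp-Colo) are defined but none is referenced by any `crypto map ... match address` line. Whether that mattered in the thread is not established; the poster's fix was on the SRX side. Assumptions: IPv4 only, flat network object-groups, and the `permit ip`-style ACE forms shown; anything else in the config is skipped.

```python
"""Hub-side checks for remote-access VPN clients hairpinning into an L2L tunnel
on a Cisco ASA 8.2 (added example, not from the thread).  What it cannot see is
the far end, which must also allow pool -> remote LAN in its own policy."""
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")

# Constructed config fragment reusing the thread's names.  The pool->colo ACL
# "outside_19_cryptomap" is defined but never attached to a crypto map entry.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
object-group network CHS-Colo
 network-object 10.1.0.0 255.255.255.0
object-group network clientvpn
 network-object 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group clientvpn
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list outside_19_cryptomap extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list levelwingVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list levelwingVPN_splitTunnelAcl standard permit 10.1.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside_pri) 0 access-list OUTSIDE-NAT0
crypto map outside_pri_map 2 match address outside_pri_cryptomap
split-tunnel-network-list value levelwingVPN_splitTunnelAcl
"""


def _take_net(tok, i, groups):
    """Consume one address spec at tok[i]; return (list of networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":          # flat network object-groups only
        return groups[tok[i + 1]], i + 2
    return [ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2   # address + dotted mask


def parse_asa(text):
    """Minimal reader for just the commands the hairpin check needs."""
    cfg = {"groups": {}, "acls": {}, "nat0": {}, "crypto_acls": set(),
           "split_acls": set(), "intra": False}
    grp = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "description":
            continue
        if tok[:2] == ["object-group", "network"]:
            grp = cfg["groups"].setdefault(tok[2], [])
            continue
        if tok[0] == "network-object" and grp is not None:
            grp.extend(_take_net(tok, 1, cfg["groups"])[0])
            continue
        grp = None                         # any other command ends the group
        if tok[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra"] = True
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 1
            if tok[2] == "standard":       # split-tunnel lists: destinations only
                src, (dst, _) = [ANY], _take_net(tok, i, cfg["groups"])
            else:
                i += 2 if tok[i] == "object-group" else 1   # skip protocol spec
                src, i = _take_net(tok, i, cfg["groups"])
                dst, _ = _take_net(tok, i, cfg["groups"])  # trailing ports ignored
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"].setdefault(tok[1].strip("()"), set()).add(tok[4])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["crypto_acls"].add(tok[6])
        elif tok[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acls"].add(tok[2])
    return cfg


def _covers(entries, src, dst):
    """True if some ACE in the list permits all of src -> dst."""
    return any(any(src.subnet_of(s) for s in ss) and any(dst.subnet_of(d) for d in dd)
               for ss, dd in entries)


def check_hairpin(cfg, pool, remote, outside_if):
    """Which hub-side requirements hold for pool -> remote leaving via outside_if."""
    pool, remote = ip_network(pool), ip_network(remote)
    acls = cfg["acls"]

    def any_covers(names):
        return any(_covers(acls.get(n, []), pool, remote) for n in names)

    in_use = cfg["crypto_acls"] | cfg["split_acls"] | set().union(*cfg["nat0"].values())
    return {
        "intra_interface": cfg["intra"],
        "nat0_on_outside": any_covers(cfg["nat0"].get(outside_if, ())),
        "crypto_acl_bound": any_covers(cfg["crypto_acls"]),
        "split_tunnel_includes_remote": any(
            any(remote.subnet_of(d) for _, dd in acls.get(n, []) for d in dd)
            for n in cfg["split_acls"]),
        # ACLs that already describe pool -> remote but are attached to nothing:
        # the usual sign of a crypto ACL written but never bound to the map.
        "unbound_candidate_acls": sorted(
            n for n, e in acls.items() if _covers(e, pool, remote) and n not in in_use),
    }


if __name__ == "__main__":
    result = check_hairpin(parse_asa(SAMPLE_CONFIG), "192.168.12.0/24", "10.1.0.0/24", "outside_pri")
    for key, value in result.items():
        print(f"{key:30} {value}")
```

On the constructed fragment the report shows `crypto_acl_bound` false while `unbound_candidate_acls` names `outside_19_cryptomap`: the pool-to-colo ACL exists, but the only ACL bound to the L2L entry is `outside_pri_cryptomap`, which carries 192.168.1.0/24 only. Pool addresses would therefore never match the L2L proxy identity on the hub even if the far end were correct. `show crypto ipsec sa peer <colo-peer>` on the ASA, as in Jouni's reply, is the runtime counterpart of this check: if no SA with local identity 192.168.12.0/24 appears, the hub never tried to negotiate one.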
06-07-2013 05:56 AM
The remote device is a Juniper SRX220h. I will be in contact with their JTAC support today to verify this and get back to you. Do you have a thanks button or a donation button? You have been extremely helpful.
06-07-2013 06:01 AM
Hi,
You can use the button at the bottom of the replies to mark replies as the correct answer if they were.
Or you can hover the mouse pointer over the "Stars" at the bottom of each reply to give a rating between 1 and 5 stars and confirm it with a mouse button click.
Those are the best way to thank for any help.
Glad if I have been of help, though it seems that the problem is not quite completely solved yet.
- Jouni
06-13-2013 07:38 AM
Contacted JTAC; it was on the remote side. Had to add the VPN pool 192.168.12.0/24 as well as a policy. Thanks for all your help.