cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3726
Views
0
Helpful
6
Replies

Cisco ASA 5505 site to site Multiple subnet.

osolbakken
Level 1
Level 1

Hi. I need some help configuring my cisco asa 5505.

I've set up a VPN tunnel between two ASA 5505

Site 1:

Subnet 192.168.77.0

Site 2:

Have multiple vlans and now the tunnel goes to vlan400 - 192.168.1.0

What I need help with:

From site 1 i need to be able to reach another vlan on site 2. vlan480 - 192.168.20.0

And from site 1 I need to reach 192.168.77.0 subnet from vlan480 - 192.168.20.0

Vlan480 is used for phones. In vlan480 we have a PABX central.

Is this possible to do?

Any help would be greatfully appreciated!

Config site 2:

: Saved

:

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password x encrypted

names

name 192.168.1.250 DomeneServer

name 192.168.1.10 NotesServer

name 192.168.1.90 OvServer

name 192.168.1.97 TerminalServer

name 192.168.1.98 w8-eyeshare

name 192.168.50.10 w8-print

name 192.168.1.94 w8-app

name 192.168.1.89 FonnaFlyMedia

!

interface Vlan1

nameif Vlan1

security-level 100

ip address 192.168.200.100 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address 79.x.x.226 255.255.255.224

ospf cost 10

!

interface Vlan400

nameif vlan400

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan450

nameif Vlan450

security-level 100

ip address 192.168.210.1 255.255.255.0

ospf cost 10

!

interface Vlan460

nameif Vlan460-SuldalHotell

security-level 100

ip address 192.168.2.1 255.255.255.0

ospf cost 10

!

interface Vlan461

nameif Vlan461-SuldalHotellGjest

security-level 100

ip address 192.168.3.1 255.255.255.0

ospf cost 10

!

interface Vlan462

nameif Vlan462-Suldalsposten

security-level 100

ip address 192.168.4.1 255.255.255.0

ospf cost 10

!

interface Vlan470

nameif vlan470-Kyrkjekontoret

security-level 100

ip address 192.168.202.1 255.255.255.0

ospf cost 10

!

interface Vlan480

nameif vlan480-Telefoni

security-level 100

ip address 192.168.20.1 255.255.255.0

ospf cost 10

!

interface Vlan490

nameif Vlan490-QNapBackup

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

!

interface Vlan500

nameif Vlan500-HellandBadlands

security-level 100

ip address 192.168.30.1 255.255.255.0

ospf cost 10

!

interface Vlan510

nameif Vlan510-IsTak

security-level 100

ip address 192.168.40.1 255.255.255.0

ospf cost 10

!

interface Vlan600

nameif Vlan600-SafeQ

security-level 100

ip address 192.168.50.1 255.255.255.0

ospf cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 500

switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

switchport mode trunk

!

interface Ethernet0/3

switchport access vlan 490

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd x encrypted

ftp mode passive

clock timezone WAT 1

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service Lotus_Notes_Utgaaande tcp

description Frim Notes og ut til alle

port-object eq domain

port-object eq ftp

port-object eq www

port-object eq https

port-object eq lotusnotes

port-object eq pop3

port-object eq pptp

port-object eq smtp

object-group service Lotus_Notes_inn tcp

description From alle og inn til Notes

port-object eq www

port-object eq lotusnotes

port-object eq pop3

port-object eq smtp

object-group service Reisebyraa tcp-udp

port-object range 3702 3702

port-object range 5500 5500

port-object range 9876 9876

object-group service Remote_Desktop tcp-udp

description Tilgang til Remote Desktop

port-object range 3389 3389

object-group service Sand_Servicenter_50000 tcp-udp

description Program tilgang til Sand Servicenter AS

port-object range 50000 50000

object-group service VNC_Remote_Admin tcp

description Frå oss til alle

port-object range 5900 5900

object-group service Printer_Accept tcp-udp

port-object range 9100 9100

port-object eq echo

object-group icmp-type Echo_Ping

icmp-object echo

icmp-object echo-reply

object-group service Print tcp

port-object range 9100 9100

object-group service FTP_NADA tcp

description Suldalsposten NADA tilgang

port-object eq ftp

port-object eq ftp-data

object-group service Telefonsentral tcp

description Hoftun

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

port-object eq telnet

object-group service Printer_inn_800 tcp

description Fra 800  nettet og inn til 400 port 7777

port-object range 7777 7777

object-group service Suldalsposten tcp

description Sending av mail vha Mac Mail programmet - åpner smtp

port-object eq pop3

port-object eq smtp

object-group service http2 tcp

port-object range 81 81

object-group service DMZ_FTP_PASSIVE tcp-udp

port-object range 55536 56559

object-group service DMZ_FTP tcp-udp

port-object range 20 21

object-group service DMZ_HTTPS tcp-udp

port-object range 443 443

object-group service DMZ_HTTP tcp-udp

port-object range 8080 8080

object-group service DNS_Query tcp

port-object range domain domain

object-group service DUETT_SQL_PORT tcp-udp

description For kobling mellom andre nett og duett server

port-object range 54659 54659

access-list outside_access_in extended permit ip any any

access-list outside_access_out extended permit ip any any

access-list vlan400_access_in extended deny ip any host 149.20.56.34

access-list vlan400_access_in extended deny ip any host 149.20.56.32

access-list vlan400_access_in extended permit ip any any

access-list Vlan450_access_in extended deny ip any host 149.20.56.34

access-list Vlan450_access_in extended deny ip any host 149.20.56.32

access-list Vlan450_access_in extended permit ip any any

access-list Vlan460_access_in extended deny ip any host 149.20.56.34

access-list Vlan460_access_in extended deny ip any host 149.20.56.32

access-list Vlan460_access_in extended permit ip any any

access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host OvServer object-group http2

access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn

access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600

access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001

access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer

access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT

access-list Vlan500_access_in extended deny ip any host 149.20.56.34

access-list Vlan500_access_in extended deny ip any host 149.20.56.32

access-list Vlan500_access_in extended permit ip any any

access-list vlan470_access_in extended deny ip any host 149.20.56.34

access-list vlan470_access_in extended deny ip any host 149.20.56.32

access-list vlan470_access_in extended permit ip any any

access-list Vlan490_access_in extended deny ip any host 149.20.56.34

access-list Vlan490_access_in extended deny ip any host 149.20.56.32

access-list Vlan490_access_in extended permit ip any any

access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping

access-list Vlan1_access_out extended permit ip any any

access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop

access-list Vlan1_access_out extended deny ip any any

access-list Vlan1_access_out extended permit icmp any any echo-reply

access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping

access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP

access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop

access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan480_access_out extended permit ip any any

access-list Vlan510_access_in extended permit ip any any

access-list Vlan600_access_in extended permit ip any any

access-list Vlan600_access_out extended permit icmp any any

access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop

access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www

access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www

access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www

access-list Vlan600_access_in_1 extended permit ip any any

access-list Vlan461_access_in extended permit ip any any

access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list Vlan462-Suldalsposten_access_in extended permit ip any any

access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply

access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply

access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu Vlan1 1500

mtu outside 1500

mtu vlan400 1500

mtu Vlan450 1500

mtu Vlan460-SuldalHotell 1500

mtu Vlan461-SuldalHotellGjest 1500

mtu vlan470-Kyrkjekontoret 1500

mtu vlan480-Telefoni 1500

mtu Vlan490-QNapBackup 1500

mtu Vlan500-HellandBadlands 1500

mtu Vlan510-IsTak 1500

mtu Vlan600-SafeQ 1500

mtu Vlan462-Suldalsposten 1500

no failover

monitor-interface Vlan1

monitor-interface outside

monitor-interface vlan400

monitor-interface Vlan450

monitor-interface Vlan460-SuldalHotell

monitor-interface Vlan461-SuldalHotellGjest

monitor-interface vlan470-Kyrkjekontoret

monitor-interface vlan480-Telefoni

monitor-interface Vlan490-QNapBackup

monitor-interface Vlan500-HellandBadlands

monitor-interface Vlan510-IsTak

monitor-interface Vlan600-SafeQ

monitor-interface Vlan462-Suldalsposten

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (vlan400) 0 access-list vlan400_nat0_outbound

nat (vlan400) 1 0.0.0.0 0.0.0.0 dns

nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns

nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255

static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns

static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255

static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255

static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255

static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255

static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255

static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

access-group Vlan1_access_out out interface Vlan1

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group vlan400_access_in in interface vlan400

access-group vlan400_access_out out interface vlan400

access-group Vlan450_access_in in interface Vlan450

access-group Vlan450_access_out out interface Vlan450

access-group Vlan460_access_in in interface Vlan460-SuldalHotell

access-group Vlan460_access_out out interface Vlan460-SuldalHotell

access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest

access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest

access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

access-group vlan470_access_out out interface vlan470-Kyrkjekontoret

access-group vlan480_access_out out interface vlan480-Telefoni

access-group Vlan490_access_in in interface Vlan490-QNapBackup

access-group Vlan490_access_out out interface Vlan490-QNapBackup

access-group Vlan500_access_in in interface Vlan500-HellandBadlands

access-group Vlan500_access_out out interface Vlan500-HellandBadlands

access-group Vlan510_access_in in interface Vlan510-IsTak

access-group Vlan510_access_out out interface Vlan510-IsTak

access-group Vlan600_access_in_1 in interface Vlan600-SafeQ

access-group Vlan600_access_out out interface Vlan600-SafeQ

access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten

access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten

route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username x password x encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable

http 192.168.210.0 255.255.255.0 Vlan450

http 192.168.200.0 255.255.255.0 Vlan1

http 192.168.1.0 255.255.255.0 vlan400

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap_1

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 62.92.159.137

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp enable vlan400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 62.92.159.137 type ipsec-l2l

tunnel-group 62.92.159.137 ipsec-attributes

pre-shared-key *

telnet 192.168.200.0 255.255.255.0 Vlan1

telnet 192.168.1.0 255.255.255.0 vlan400

telnet timeout 5

ssh 171.68.225.216 255.255.255.255 outside

ssh timeout 5

console timeout 0

dhcpd update dns both

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside

!

dhcpd address 192.168.1.100-192.168.1.225 vlan400

dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400

dhcpd option 3 ip 192.168.1.1 interface vlan400

dhcpd enable vlan400

!

dhcpd address 192.168.210.100-192.168.210.200 Vlan450

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

dhcpd option 3 ip 192.168.210.1 interface Vlan450

dhcpd enable Vlan450

!

dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell

dhcpd enable Vlan460-SuldalHotell

!

dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest

dhcpd enable Vlan461-SuldalHotellGjest

!

dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret

dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

dhcpd enable vlan470-Kyrkjekontoret

!

dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

!

dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup

!

dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands

dhcpd enable Vlan500-HellandBadlands

!

dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak

dhcpd enable Vlan510-IsTak

!

dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

dhcpd enable Vlan600-SafeQ

!

dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten

dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten

dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten

dhcpd enable Vlan462-Suldalsposten

!

!

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

!

prompt hostname context

Cryptochecksum:x

: end

Config site 1:

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password x encrypted

passwd x encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.77.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group Telenor

ip address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 15

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit icmp any any echo-reply log disable

access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.77.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 79.160.252.226

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.77.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group Telenor request dialout pppoe

vpdn group Telenor localname x

vpdn group Telenor ppp authentication chap

vpdn username x password x store-local

dhcpd auto_config outside

!

dhcpd address 192.168.77.100-192.168.77.130 inside

dhcpd dns 192.168.77.1 interface inside

dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

dhcpd enable inside

!

dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface outside

!

tunnel-group 79.160.252.226 type ipsec-l2l

tunnel-group 79.160.252.226 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:x

: end

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The addition of a new network to the existing L2L VPN should be a pretty simple process.

Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.

Looking at your above configurations it would seem that you will need the following configurations

SITE 1

  • We add the new network to both the crypto ACL and the NAT0 ACL

access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0

SITE 2

  • We add the new network to the crypto ACL
  • We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration

access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list VLAN480-NAT0 remark NAT0 for VPN

access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0

nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0

These configurations should pretty much do the trick.

Let me know if it worked

- Jouni

View solution in original post

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The addition of a new network to the existing L2L VPN should be a pretty simple process.

Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.

Looking at your above configurations it would seem that you will need the following configurations

SITE 1

  • We add the new network to both the crypto ACL and the NAT0 ACL

access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0

SITE 2

  • We add the new network to the crypto ACL
  • We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration

access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list VLAN480-NAT0 remark NAT0 for VPN

access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0

nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0

These configurations should pretty much do the trick.

Let me know if it worked

- Jouni

Hi,

Thanks again for the quick response!

Should ping work? Could not get echo reply

Hi again.

Tried ping from the asa on site 1. That did not work.

But for a pc in 192.168.77.0 network it worked great! Thanks!

Hi,

From the perspective of the ASA configurations it should work

You can always test the rules from each direction

For example

Site 1

packet-tracer input inside icmp 192.168.77.100 8 0 192.168.20.100

Site 2

packet-tracer input vlan480-Telefoni icmp 192.168.20.100 8 0 192.168.77.100

If the actual ICMP doesnt work I would also consider the possibility that software firewall on the actual hosts might cause problems.

By the way, your Site 2 ASAs "outside" interface ACL is pretty unsecure as its allowing ALL traffic

access-list outside_access_in extended permit ip any any

access-group outside_access_in in interface outside

You do seem to have hosts/servers that have Static NAT to a public IP address so you probably need to allow some traffic. I would suggest you determine the services that need to be allowed and block rest of the traffic. Its a considerable security risk to have everything allowed from the public network.

- Jouni

Hi.

Thanks for the tip.

would the servers that have static nat be affected if i "close" down the outside interface.

If so should I then just create an any-any rule based on the service.

example:

RDP (3389) need to be open for several servers. should i then create as I said an any-any rule for that service?

--

Orjan

Hi,

Removing the current "permit ip any any" rule would affect the servers IF they need to be reached from the Internet which I suspect they need.

You could allow only the needed ports for each server.

And ofcourse if you can limit the source addresses for these rules then the more secure it will be. Naturally some traffic needs to be allowed from all source addresses, HTTP/HTTPS for example.

- Jouni