Cisco ASA 5505 site to site Multiple subnet.

osolbakken

Hi. I need some help configuring my Cisco ASA 5505.

I've set up a site-to-site VPN tunnel between two ASA 5505s.

Site 1:

Subnet 192.168.77.0

Site 2:

Site 2 has multiple VLANs; currently the tunnel only carries traffic for vlan400 - 192.168.1.0.

What I need help with:

From site 1 I need to be able to reach another VLAN on site 2: vlan480 - 192.168.20.0.

And in the other direction, vlan480 - 192.168.20.0 on site 2 needs to reach the 192.168.77.0 subnet on site 1.

Vlan480 is used for phones; the PABX (phone exchange) sits in vlan480.

Is this possible to do?

Any help would be gratefully appreciated!

Config for site 2:

: Saved

:

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password x encrypted

names

name 192.168.1.250 DomeneServer

name 192.168.1.10 NotesServer

name 192.168.1.90 OvServer

name 192.168.1.97 TerminalServer

name 192.168.1.98 w8-eyeshare

name 192.168.50.10 w8-print

name 192.168.1.94 w8-app

name 192.168.1.89 FonnaFlyMedia

!

interface Vlan1

nameif Vlan1

security-level 100

ip address 192.168.200.100 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address 79.x.x.226 255.255.255.224

ospf cost 10

!

interface Vlan400

nameif vlan400

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan450

nameif Vlan450

security-level 100

ip address 192.168.210.1 255.255.255.0

ospf cost 10

!

interface Vlan460

nameif Vlan460-SuldalHotell

security-level 100

ip address 192.168.2.1 255.255.255.0

ospf cost 10

!

interface Vlan461

nameif Vlan461-SuldalHotellGjest

security-level 100

ip address 192.168.3.1 255.255.255.0

ospf cost 10

!

interface Vlan462

nameif Vlan462-Suldalsposten

security-level 100

ip address 192.168.4.1 255.255.255.0

ospf cost 10

!

interface Vlan470

nameif vlan470-Kyrkjekontoret

security-level 100

ip address 192.168.202.1 255.255.255.0

ospf cost 10

!

interface Vlan480

nameif vlan480-Telefoni

security-level 100

ip address 192.168.20.1 255.255.255.0

ospf cost 10

!

interface Vlan490

nameif Vlan490-QNapBackup

security-level 100

ip address 192.168.10.1 255.255.255.0

ospf cost 10

!

interface Vlan500

nameif Vlan500-HellandBadlands

security-level 100

ip address 192.168.30.1 255.255.255.0

ospf cost 10

!

interface Vlan510

nameif Vlan510-IsTak

security-level 100

ip address 192.168.40.1 255.255.255.0

ospf cost 10

!

interface Vlan600

nameif Vlan600-SafeQ

security-level 100

ip address 192.168.50.1 255.255.255.0

ospf cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 500

switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

switchport mode trunk

!

interface Ethernet0/3

switchport access vlan 490

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd x encrypted

ftp mode passive

clock timezone WAT 1

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service Lotus_Notes_Utgaaande tcp

description Frim Notes og ut til alle

port-object eq domain

port-object eq ftp

port-object eq www

port-object eq https

port-object eq lotusnotes

port-object eq pop3

port-object eq pptp

port-object eq smtp

object-group service Lotus_Notes_inn tcp

description From alle og inn til Notes

port-object eq www

port-object eq lotusnotes

port-object eq pop3

port-object eq smtp

object-group service Reisebyraa tcp-udp

port-object range 3702 3702

port-object range 5500 5500

port-object range 9876 9876

object-group service Remote_Desktop tcp-udp

description Tilgang til Remote Desktop

port-object range 3389 3389

object-group service Sand_Servicenter_50000 tcp-udp

description Program tilgang til Sand Servicenter AS

port-object range 50000 50000

object-group service VNC_Remote_Admin tcp

description Frå oss til alle

port-object range 5900 5900

object-group service Printer_Accept tcp-udp

port-object range 9100 9100

port-object eq echo

object-group icmp-type Echo_Ping

icmp-object echo

icmp-object echo-reply

object-group service Print tcp

port-object range 9100 9100

object-group service FTP_NADA tcp

description Suldalsposten NADA tilgang

port-object eq ftp

port-object eq ftp-data

object-group service Telefonsentral tcp

description Hoftun

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

port-object eq telnet

object-group service Printer_inn_800 tcp

description Fra 800  nettet og inn til 400 port 7777

port-object range 7777 7777

object-group service Suldalsposten tcp

description Sending av mail vha Mac Mail programmet - åpner smtp

port-object eq pop3

port-object eq smtp

object-group service http2 tcp

port-object range 81 81

object-group service DMZ_FTP_PASSIVE tcp-udp

port-object range 55536 56559

object-group service DMZ_FTP tcp-udp

port-object range 20 21

object-group service DMZ_HTTPS tcp-udp

port-object range 443 443

object-group service DMZ_HTTP tcp-udp

port-object range 8080 8080

object-group service DNS_Query tcp

port-object range domain domain

object-group service DUETT_SQL_PORT tcp-udp

description For kobling mellom andre nett og duett server

port-object range 54659 54659

access-list outside_access_in extended permit ip any any

access-list outside_access_out extended permit ip any any

access-list vlan400_access_in extended deny ip any host 149.20.56.34

access-list vlan400_access_in extended deny ip any host 149.20.56.32

access-list vlan400_access_in extended permit ip any any

access-list Vlan450_access_in extended deny ip any host 149.20.56.34

access-list Vlan450_access_in extended deny ip any host 149.20.56.32

access-list Vlan450_access_in extended permit ip any any

access-list Vlan460_access_in extended deny ip any host 149.20.56.34

access-list Vlan460_access_in extended deny ip any host 149.20.56.32

access-list Vlan460_access_in extended permit ip any any

access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host OvServer object-group http2

access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn

access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop

access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600

access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001

access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer

access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT

access-list Vlan500_access_in extended deny ip any host 149.20.56.34

access-list Vlan500_access_in extended deny ip any host 149.20.56.32

access-list Vlan500_access_in extended permit ip any any

access-list vlan470_access_in extended deny ip any host 149.20.56.34

access-list vlan470_access_in extended deny ip any host 149.20.56.32

access-list vlan470_access_in extended permit ip any any

access-list Vlan490_access_in extended deny ip any host 149.20.56.34

access-list Vlan490_access_in extended deny ip any host 149.20.56.32

access-list Vlan490_access_in extended permit ip any any

access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping

access-list Vlan1_access_out extended permit ip any any

access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop

access-list Vlan1_access_out extended deny ip any any

access-list Vlan1_access_out extended permit icmp any any echo-reply

access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping

access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP

access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop

access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan480_access_out extended permit ip any any

access-list Vlan510_access_in extended permit ip any any

access-list Vlan600_access_in extended permit ip any any

access-list Vlan600_access_out extended permit icmp any any

access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop

access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www

access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www

access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www

access-list Vlan600_access_in_1 extended permit ip any any

access-list Vlan461_access_in extended permit ip any any

access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping

access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list Vlan462-Suldalsposten_access_in extended permit ip any any

access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply

access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply

access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu Vlan1 1500

mtu outside 1500

mtu vlan400 1500

mtu Vlan450 1500

mtu Vlan460-SuldalHotell 1500

mtu Vlan461-SuldalHotellGjest 1500

mtu vlan470-Kyrkjekontoret 1500

mtu vlan480-Telefoni 1500

mtu Vlan490-QNapBackup 1500

mtu Vlan500-HellandBadlands 1500

mtu Vlan510-IsTak 1500

mtu Vlan600-SafeQ 1500

mtu Vlan462-Suldalsposten 1500

no failover

monitor-interface Vlan1

monitor-interface outside

monitor-interface vlan400

monitor-interface Vlan450

monitor-interface Vlan460-SuldalHotell

monitor-interface Vlan461-SuldalHotellGjest

monitor-interface vlan470-Kyrkjekontoret

monitor-interface vlan480-Telefoni

monitor-interface Vlan490-QNapBackup

monitor-interface Vlan500-HellandBadlands

monitor-interface Vlan510-IsTak

monitor-interface Vlan600-SafeQ

monitor-interface Vlan462-Suldalsposten

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (vlan400) 0 access-list vlan400_nat0_outbound

nat (vlan400) 1 0.0.0.0 0.0.0.0 dns

nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns

nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255

static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns

static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255

static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255

static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255

static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255

static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255

static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

access-group Vlan1_access_out out interface Vlan1

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group vlan400_access_in in interface vlan400

access-group vlan400_access_out out interface vlan400

access-group Vlan450_access_in in interface Vlan450

access-group Vlan450_access_out out interface Vlan450

access-group Vlan460_access_in in interface Vlan460-SuldalHotell

access-group Vlan460_access_out out interface Vlan460-SuldalHotell

access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest

access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest

access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

access-group vlan470_access_out out interface vlan470-Kyrkjekontoret

access-group vlan480_access_out out interface vlan480-Telefoni

access-group Vlan490_access_in in interface Vlan490-QNapBackup

access-group Vlan490_access_out out interface Vlan490-QNapBackup

access-group Vlan500_access_in in interface Vlan500-HellandBadlands

access-group Vlan500_access_out out interface Vlan500-HellandBadlands

access-group Vlan510_access_in in interface Vlan510-IsTak

access-group Vlan510_access_out out interface Vlan510-IsTak

access-group Vlan600_access_in_1 in interface Vlan600-SafeQ

access-group Vlan600_access_out out interface Vlan600-SafeQ

access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten

access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten

route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username x password x encrypted privilege 15

aaa authentication ssh console LOCAL

http server enable