11-21-2012 05:23 AM - edited 02-21-2020 06:29 PM
11-21-2012 11:19 AM
Two things first. Do you want to do split tunneling, where the remote users get to the internet via their own local internet, or do you want them to get to the internet via the VPN?
Split Tunneling = under the group policy you will have to choose the option "Tunnel only Networks Below" and define an ACL for them.
Tunnel All = you will have to make sure that traffic can make a U-turn, i.e. come in the "outside" interface and go out the same one.
03-01-2013 01:35 AM
Hey Mohammad! I would really appreciate if you could tell me how to do a "U-turn" without split tunneling and go out through the same interface I came in on.
I assume you'd have to do some double nat of some sort?
My config looks like this
hostname e2-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
ip local pool Local 192.168.1.10-192.168.1.20 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
boot system disk0:/asa901-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network vpn_pool
subnet 10.10.10.0 255.255.255.0
description VPN-Pool
object network e2-desktop-192.168.1.3
host 192.168.1.3
object service Utorrent_Tcp
service tcp source eq 24564 destination eq 24564
object service Utorrent_Udp
service udp source eq 24564 destination eq 24564
description Utorrent_UDP
object network e2-desktop1
host 192.168.1.3
description UDP
object network Inside_network
subnet 192.168.1.0 255.255.255.0
object network vpn_local
range 192.168.1.10 192.168.1.20
object-group network obj_any
object-group network NETWORK_OBJ_10.10.10.0_28
object-group network NETWORK_OBJ_192.168.1.0_24
object-group network e2-utorrent
object-group network e2_ftp
object-group service FTP_TLS
object-group service ftp_passive_range
object-group service Utorrent1 tcp-udp
port-object eq 24564
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service FTP
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit object-group TCPUDP any4 192.168.1.0 255.255.255.0 object-group Utorrent1
access-list inside_access_in extended permit ip any4 any4
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list global_access extended permit object-group TCPUDP any4 any4 eq domain
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,any) source static vpn_local vpn_local destination static Inside_network Inside_network no-proxy-arp
!
object network obj_any-01
nat (inside,outside) dynamic interface
object network e2-desktop-192.168.1.3
nat (inside,outside) static interface service tcp 24564 24564
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map dyno 10 set pfs group1
crypto dynamic-map dyno 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=e2-asa
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 821fa150
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.157.38.60 source outside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
anyconnect profiles default disk0:/default.xml
anyconnect enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 81.26.226.3 81.26.228.3
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value e2.local
webvpn
url-list value e2-portal
username e2n password ITMoM.NSLkPPgA0/ encrypted privilege 15
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Local
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1c426af49974563e1f7ff9bd6a07cd41
: end
Cheers!
03-01-2013 01:43 AM
Hi,
You probably need to add one command and do NAT configuration for the Internet traffic of the VPN Client.
The command:
same-security-traffic permit intra-interface
That will allow traffic to enter and leave the same interface.
And the NAT configuration for the VPN pool:
object-group network VPN-POOL
network-object
nat (outside,outside) after-auto source VPN-POOL interface
I would recommend using some other network other than your current LAN as the VPN Pool.
- Jouni
03-01-2013 05:47 AM
Thanks! I got it working by adding
same-security-traffic permit intra-interface
and
nat (outside,outside) after-auto source static vpn_pool interface no-proxy-arp
I also changed to another pool.
Cheers!
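As an added example (not code from this thread or from Cisco), a small Python check that reads an ASA running-config and reports whether the two hairpin prerequisites from Jouni's answer are present, and whether any VPN pool overlaps the inside subnet (his reason for recommending a separate pool). The two config excerpts are constructed to mirror the thread's before and after states; the line formats are the ASA's, but the checks are regex heuristics, not a full config parser.

```python
import ipaddress
import re

# Constructed excerpt mirroring the original post: pool inside the LAN, no hairpin lines.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.2 255.255.255.0
ip local pool Local 192.168.1.10-192.168.1.20 mask 255.255.255.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
"""

# Constructed excerpt mirroring the fix: separate pool, intra-interface permit, outside-to-outside PAT.
AFTER = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.2 255.255.255.0
same-security-traffic permit intra-interface
ip local pool vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
object network vpn_pool
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) after-auto source dynamic vpn_pool interface
"""


def interface_subnets(cfg):
    """Map nameif -> ip_network for each interface block with a static address."""
    subnets, name = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name and s.split()[2] != "dhcp":
            addr, mask = s.split()[2:4]
            subnets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return subnets


def vpn_pools(cfg):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def hairpin_findings(cfg):
    """Sorted findings; an empty list means the U-turn prerequisites are in place."""
    findings = set()
    if not re.search(r"^same-security-traffic permit intra-interface", cfg, re.M):
        findings.add("missing: same-security-traffic permit intra-interface")
    if not re.search(r"^nat \(outside,outside\) .*source (dynamic|static) \S+ interface", cfg, re.M):
        findings.add("missing: nat (outside,outside) rule translating the VPN pool to the outside interface")
    inside = interface_subnets(cfg).get("inside")
    for name, (first, last) in vpn_pools(cfg).items():
        if inside and (first in inside or last in inside):
            findings.add(f"pool {name} overlaps inside subnet {inside}")
    return sorted(findings)
```

Run it against a `show running-config` dump; the overlap check matters only when the pool is handed out alongside the LAN, and the two "missing" findings only matter for tunnel-all (or a split list that includes the internet).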
03-07-2014 11:54 PM
Hi all,
I've also been asking the same thing.
I have
LAN1======asa1-----internet-----------asa2---------LAN2
Now, LAN1 can see LAN2.
I have a site-to-site VPN (IKEv1).
I want LAN1 to use the internet through asa2.
The question is:
what do I need to modify on asa1 so that LAN1 goes to the internet via asa2?