
Cisco Remote Access VPN

snapfulfil001
Level 1

Hi,

Got a single ASA 5505 configured in the office. We have 3 site-to-site VPN connections from this device, which all work from within the office.

I've now set up my PC to connect from home to the ASA via the Cisco client.

I can connect to all LAN servers on the local subnet, however I cannot connect through the ASA to any of my site-to-site VPNs.

If I do an ipconfig on my home PC I can see my local IP, mask & GW, and I can see my assigned remote access IP & mask but no GW.

I cannot ping any remote site-to-site PCs by IP or name.

Any ideas on what I'm missing?

Many Thanks

6 Replies

Jennifer Halim
Cisco Employee

To access all the site-to-site VPNs via the remote access VPN client to the 5505, the following is required:

ASA 5505:

1) If you have split tunnel configured for remote access VPN, you would need to include all the remote site-to-site LAN subnets as well in the split tunnel ACL.

2) Configure "same-security-traffic permit intra-interface"

3) On each of the crypto maps towards the site-to-site VPN, you would need to include the respective crypto ACL as follows:

access-list permit ip

Each remote site-to-site VPN:

1) Crypto map towards the ASA5505, crypto ACL as follows:

access-list permit ip

2) NAT exemption access-list to include exemption between to

Hope this helps.
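As an added worked example (not Jennifer's configuration and not copied from the thread's own config), here is what that checklist looks like as ASA 8.2 CLI on both ends of one of the tunnels. It uses the subnets from the running config posted further down in this thread (inside LAN 192.159.100.0/24, client pool 192.159.100.141-149 inside 192.159.100.128/27, Boston 10.250.37.0/24, iLondon 10.249.14.0/24); the outside_nat0_outbound ACL on the 5505 and every ACL name on the remote site are assumptions.

```cisco
! ===== ASA 5505 (terminates both the VPN clients and the site-to-site tunnels) =====
! Subnets taken from the running config in this thread; ACL names for the outside
! NAT exemption are assumed.
!
! 1) A VPN client arrives on "outside" and the site-to-site SA also lives on
!    "outside". By default the ASA drops traffic that enters and leaves the
!    same interface, so the hairpin must be permitted explicitly.
same-security-traffic permit intra-interface
!
! 2) Split tunnel ACL: the client only sends a destination into the tunnel
!    if it is listed here, so every remote LAN must appear.
access-list synvpn_cisco_splitTunnelAcl standard permit 192.159.100.0 255.255.255.0
access-list synvpn_cisco_splitTunnelAcl standard permit 10.250.37.0 255.255.255.0
access-list synvpn_cisco_splitTunnelAcl standard permit 10.249.14.0 255.255.255.0
!
! 3) Each site-to-site crypto ACL must also match pool -> remote LAN, otherwise
!    hairpinned packets are not selected for the IPsec SA.
!    (LAN line is what already exists; the pool line is the addition.)
access-list outside_2_cryptomap extended permit ip 192.159.100.0 255.255.255.0 10.250.37.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.159.100.128 255.255.255.224 10.250.37.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.159.100.0 255.255.255.0 10.249.14.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.159.100.128 255.255.255.224 10.249.14.0 255.255.255.0
!
! 4) NAT exemption for the outside -> outside flow. In 8.2 NAT rules are keyed
!    on the ingress interface, so this is only needed if a "nat (outside) ..."
!    rule would otherwise translate traffic entering the outside interface.
access-list outside_nat0_outbound extended permit ip 192.159.100.128 255.255.255.224 10.250.37.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.159.100.128 255.255.255.224 10.249.14.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound

! ===== Remote site (example: Boston, 10.250.37.0/24), mirror image of the hub =====
! ACL names here are assumed.
!
! Crypto ACL towards the 5505 must include the client pool as a destination ...
access-list outside_1_cryptomap extended permit ip 10.250.37.0 255.255.255.0 192.159.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.250.37.0 255.255.255.0 192.159.100.128 255.255.255.224
!
! ... and the pool must be exempt from NAT on the way into the tunnel, or the
! reply packets leave with the public address and never match the crypto ACL.
access-list inside_nat0_outbound extended permit ip 10.250.37.0 255.255.255.0 192.159.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.250.37.0 255.255.255.0 192.159.100.128 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
```

In the config posted in this thread the client pool is carved out of the inside /24, so the existing /24 crypto and NAT-exemption entries already cover the pool addresses on both ends; that is why the accepted answer only needs the intra-interface line. The explicit /27 entries are the ones that matter in the more common layout where the pool is a separate subnet. After the change, `show crypto ipsec sa peer <remote-peer>` on the 5505 should show an SA whose local identity is the pool subnet once a connected client sends traffic to the remote LAN; if no such SA appears, the crypto ACL on one end is still missing the pool.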

Hi, Thanks for the response,

Is there a way in the ASDM GUI to make the changes? I'm still very new to Cisco.

Many Thanks

Yes, you can make changes via ASDM as per my explanation above. It would be difficult to provide you with the step by step via ASDM.

If you can send a copy of "show run", I can give you the command lines that you can enter.

BTW, do you also have access to the other end of the site-to-site VPN, as you would need to make changes there as well?

Hi, here's a copy of my running config:

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
domain-name synlog.co.uk
enable password wN5U1JK95lCIofCc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.48.106.0 scanw description scanw
name 10.48.38.0 scap description scap
name 10.48.106.2 NWCMS description SCANW_CMS
name 10.48.106.3 NWDB description SCANW_DB
name 10.48.106.4 NW_BK description SCANW_BK
name 10.48.38.127 PrudhoDB description Prudhoe_DB
name 10.48.38.135 PrudhoeBK description Prudhoe_BK
name 10.48.38.131 PrudhoeCMS description Prudhoe_CMS
name 10.250.37.0 Boston description Boston
name 10.249.14.0 iLondon description iLondon
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.159.100.252 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 212.2.16.213 255.255.255.240 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 135.196.0.14
 name-server 8.8.8.8
 name-server 156.154.70.1
 domain-name synlog.co.uk
object-group network SCA
 description SCA S2S VPN
 network-object scanw 255.255.255.0
 network-object scap 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object tcp eq ftp 
 service-object tcp 
 service-object ip 
object-group network SCAVPN
 network-object host NWCMS
 network-object host NWDB
 network-object host NW_BK
 network-object host PrudhoDB
 network-object host PrudhoeCMS
 network-object host PrudhoeBK
object-group service DM_INLINE_SERVICE_2
 service-object ip 
 service-object icmp 
 service-object tcp-udp eq www 
 service-object tcp eq sqlnet 
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_3
 service-object ip 
 service-object icmp 
 service-object tcp 
 service-object tcp eq www 
 service-object tcp eq sqlnet 
object-group service DM_INLINE_SERVICE_4
 service-object ip 
 service-object icmp 
 service-object tcp 
 service-object tcp eq www 
 service-object tcp eq sqlnet 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group SCAVPN 192.159.100.0 255.255.255.0 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 Boston 255.255.255.0 192.159.100.0 255.255.255.0 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 iLondon 255.255.255.0 192.159.100.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.159.100.128 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 192.159.100.0 255.255.255.0 object-group SCAVPN 
access-list inside_nat0_outbound extended permit ip 192.159.100.0 255.255.255.0 Boston 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.159.100.0 255.255.255.0 iLondon 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.159.100.0 255.255.255.0 192.159.100.128 255.255.255.224 
access-list inside_nat0_outbound extended permit ip iLondon 255.255.255.0 192.159.100.128 255.255.255.224 
access-list inside_nat0_outbound extended permit ip Boston 255.255.255.0 192.159.100.128 255.255.255.224 
access-list outside_1_cryptomap extended permit ip 192.159.100.0 255.255.255.0 object-group SCAVPN 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.159.100.0 255.255.255.0 object-group SCAVPN 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.159.100.0 255.255.255.0 any 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.159.100.0 255.255.255.0 Boston 255.255.255.0 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.159.100.0 255.255.255.0 iLondon 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 192.159.100.0 255.255.255.0 Boston 255.255.255.0 
access-list outside_3_cryptomap extended permit ip 192.159.100.0 255.255.255.0 iLondon 255.255.255.0 
access-list synvpn_cisco_splitTunnelAcl standard permit Boston 255.255.255.0 
access-list synvpn_cisco_splitTunnelAcl standard permit iLondon 255.255.255.0 
access-list synvpn_cisco_splitTunnelAcl standard permit 192.159.100.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit host NWDB 
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.159.100.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit iLondon 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit Boston 255.255.255.0 
access-list Synergyvpn_splitTunnelAcl standard permit iLondon 255.255.255.0 
access-list Synergyvpn_splitTunnelAcl standard permit Boston 255.255.255.0 
access-list Synergyvpn_splitTunnelAcl standard permit 192.159.100.0 255.255.255.0 
pager lines 24
logging enable
logging asdm-buffer-size 350
logging asdm debugging
logging from-address cisco_asa@xxxx..co.uk
logging recipient-address anish@xxxx.co.uk level errors
logging ftp-bufferwrap
logging ftp-server 192.159.100.187 \log ciscolog ****
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_IP_Pool 192.159.100.141-192.159.100.149 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.xxx.xxx.211 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 10
http 192.159.100.0 255.255.255.0 inside
http 212.xxx.xxx.xx2 255.255.255.255 outside
http 66.236.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 193.xxx.xxx.3 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 64.xxx.xxx.2 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 89.xxx.xxx.2 
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
telnet timeout 5
ssh 66.xxx.xxx.46 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 192.159.100.201 192.159.100.204 interface inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 135.196.68.97 source outside prefer
ntp server 192.159.100.204 source inside prefer
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.159.100.204 192.159.100.201
 dns-server value 192.159.100.204 192.159.100.201
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value synlog.co.uk
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 192.159.100.204 192.159.100.201
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value synlog.co.uk
group-policy Synergyvpn internal
group-policy Synergyvpn attributes
 wins-server value 192.159.100.204
 dns-server value 192.159.100.204 192.159.100.201
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value synlog.co.uk
username afell001 password 8VrHWA45uBkqQfOIU8Pjqw== nt-encrypted privilege 0
username afell001 attributes
 vpn-group-policy DefaultRAGroup
username amackan password 3YGN2gDYGpVslfyx/ZiNqQ== nt-encrypted privilege 0
username amackan attributes
 vpn-group-policy DefaultRAGroup
username anish password 8+idUUQRIw6HW9nYjNetZg== nt-encrypted privilege 0
username anish attributes
 vpn-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 authorization-server-group LOCAL
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group 193.xxx.xxx.3 type ipsec-l2l
tunnel-group 193.xxx.xxx.3 ipsec-attributes
 pre-shared-key *
tunnel-group 64.xxx.xxx.2 type ipsec-l2l
tunnel-group 64.xxx.xxx.2 ipsec-attributes
 pre-shared-key *
tunnel-group 89.xxx.xxx.2 type ipsec-l2l
tunnel-group 89.xxx.xxx.2 ipsec-attributes
 pre-shared-key *
tunnel-group Synergyvpn type remote-access
tunnel-group Synergyvpn general-attributes
 address-pool VPN_IP_Pool
 default-group-policy Synergyvpn
tunnel-group Synergyvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.159.100.199
prompt hostname context 
Cryptochecksum:b8f81a7ed53921bcec21cb0ee7652705
: end
asdm location scap 255.255.255.0 inside
asdm location scanw 255.255.255.0 inside
asdm location PrudhoDB 255.255.255.255 inside
asdm location PrudhoeCMS 255.255.255.255 inside
asdm location PrudhoeBK 255.255.255.255 inside
asdm location NWCMS 255.255.255.255 inside
asdm location NWDB 255.255.255.255 inside
asdm location NW_BK 255.255.255.255 inside
asdm location iLondon 255.255.255.0 inside
asdm location Boston 255.255.255.0 inside
no asdm history enable

Many Thanks again.

The configuration on the ASA is correct, with one missing configuration line:

same-security-traffic permit intra-interface

This should resolve the issue.

Thanks, this is now working.