05-01-2013 06:47 AM
I have an ASA 5510 8.2(5) in Site1 and an ASA 5505 8.2(1) in Site2; they are set up with a site-to-site tunnel.
Each site has VPN clients that connect, and I would like to allow clients from both sides access to servers on the other side of the site-to-site tunnel.
I enabled same-security-traffic permit intra-interface, and I also added the remote networks to the access-list that is doing the split tunneling.
I think that I'm doing something wrong with NAT, but I'm not sure; any help would be greatly appreciated.
Site1 (172.17.2.0/24) Clients1 (10.0.254.0/24)
ASA Version 8.2(5)
!
hostname site1
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address site1 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound remark US Client to UK Server
access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.123.0 255.255.255.0
access-list Split_Tunnel_List remark UK VPN Client Pool
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list outside-2-inside extended permit tcp any any eq smtp
access-list outside-2-inside extended permit tcp any any eq 82
access-list outside-2-inside extended permit tcp any any eq 81
access-list outside-2-inside extended permit tcp any any eq https
access-list outside-2-inside extended permit tcp any any eq imap4
access-list outside-2-inside extended permit tcp any any eq ldaps
access-list outside-2-inside extended permit tcp any any eq pop3
access-list outside-2-inside extended permit tcp any any eq www
access-list outside-2-inside extended permit tcp any any eq 5963
access-list outside-2-inside extended permit tcp any any eq ftp
access-list outside-2-inside extended permit tcp any any eq ftp-data
access-list outside-2-inside extended permit tcp any any eq 3389
access-list outside-2-inside extended deny tcp any any log
access-list outside-2-inside extended deny ip any any log
access-list outside-2-inside extended deny udp any any log
access-list VPN-CLIENTS extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 192.168.123.0 255.255.255.0
access-list VPNClient_splittunnel remark UK VPN Client Pool
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list outside_nat0_outbound remark AD 5/1/13
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 172.17.2.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 82 172.17.2.253 82 netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.123.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 172.17.2.10 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.17.2.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.19 www netmask 255.255.255.255
static (inside,outside) tcp interface 5963 172.17.2.108 5963 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 172.17.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 172.17.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.29 3389 netmask 255.255.255.255
access-group outside-2-inside in interface outside
route outside 0.0.0.0 0.0.0.0 74.213.51.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DCSI_Auth protocol radius
aaa-server DCSI_Auth (inside) host 172.17.2.29
key *****
aaa-server AD protocol nt
aaa-server AD (inside) host 172.16.1.211
aaa-server AD (inside) host 172.17.2.29
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec transform-set VPN-Client esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set VPN-Client
crypto map outside_map 20 match address VPN-UK
crypto map outside_map 20 set peer site2
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 30 match address VPN-Northwoods
crypto map outside_map 30 set peer othersite
crypto map outside_map 30 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNClients internal
group-policy VPNClients attributes
dns-server value 10.0.1.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient_splittunnel
default-domain value domain.local
user-authentication enable
tunnel-group VPNclient type remote-access
tunnel-group VPNclient general-attributes
address-pool VPNUserPool
authentication-server-group DCSI_Auth
default-group-policy VPNClients
tunnel-group VPNclient ipsec-attributes
pre-shared-key *****
tunnel-group othersite type ipsec-l2l
tunnel-group othersite ipsec-attributes
pre-shared-key *****
tunnel-group site2 type ipsec-l2l
tunnel-group site2 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map p2p
match port tcp eq www
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893
: end
Site2 (172.18.2.0/24) Clients1 (172.255.2.0/24)
ASA Version 8.2(1)
!
names
name 172.18.2.2 UKserver
!
interface Vlan1
nameif inside
security-level 100
ip address 172.18.2.1 255.255.255.0
!
interface Vlan2
nameif GuestWiFi
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address site2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1-2
switchport trunk native vlan 2
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list USER_VPN extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list USER_VPN extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list Outside_2_Inside extended permit tcp any host otherhost eq smtp
access-list Outside_2_Inside extended permit tcp any host otherhost eq pop3
access-list Outside_2_Inside extended permit tcp any host otherhost eq imap4
access-list Outside_2_Inside extended permit tcp any host otherhost eq www
access-list Outside_2_Inside extended permit tcp any host otherhost eq https
access-list Outside_2_Inside extended permit tcp any host otherhost eq ldap
access-list Outside_2_Inside extended permit tcp any host otherhost eq ldaps
access-list Outside_2_Inside extended permit tcp any host otherhost eq nntp
access-list Outside_2_Inside extended permit tcp any host otherhost eq 135
access-list Outside_2_Inside extended permit tcp any host otherhost eq 102
access-list Outside_2_Inside extended permit tcp any host otherhost eq 390
access-list Outside_2_Inside extended permit tcp any host otherhost eq 3268
access-list Outside_2_Inside extended permit tcp any host otherhost eq 3269
access-list Outside_2_Inside extended permit tcp any host otherhost eq 993
access-list Outside_2_Inside extended permit tcp any host otherhost eq 995
access-list Outside_2_Inside extended permit tcp any host otherhost eq 563
access-list Outside_2_Inside extended permit tcp any host otherhost eq 465
access-list Outside_2_Inside extended permit tcp any host otherhost eq 691
access-list Outside_2_Inside extended permit tcp any host otherhost eq 6667
access-list Outside_2_Inside extended permit tcp any host otherhost eq 994
access-list Outside_2_Inside extended permit icmp any any echo
access-list Outside_2_Inside extended permit icmp any any echo-reply
access-list Outside_2_Inside extended permit tcp any host site2 eq smtp
access-list Outside_2_Inside extended permit tcp any host site2 eq pop3
access-list Outside_2_Inside extended permit tcp any host site2 eq imap4
access-list Outside_2_Inside extended permit tcp any host site2 eq www
access-list Outside_2_Inside extended permit tcp any host site2 eq https
access-list Outside_2_Inside extended permit tcp any host site2 eq ldap
access-list Outside_2_Inside extended permit tcp any host site2 eq ldaps
access-list Outside_2_Inside extended permit tcp any host site2 eq nntp
access-list Outside_2_Inside extended permit tcp any host site2 eq 135
access-list Outside_2_Inside extended permit tcp any host site2 eq 102
access-list Outside_2_Inside extended permit tcp any host site2 eq 390
access-list Outside_2_Inside extended permit tcp any host site2 eq 3268
access-list Outside_2_Inside extended permit tcp any host site2 eq 3269
access-list Outside_2_Inside extended permit tcp any host site2 eq 993
access-list Outside_2_Inside extended permit tcp any host site2 eq 995
access-list Outside_2_Inside extended permit tcp any host site2 eq 563
access-list Outside_2_Inside extended permit tcp any host site2 eq 465
access-list Outside_2_Inside extended permit tcp any host site2 eq 691
access-list Outside_2_Inside extended permit tcp any host site2 eq 6667
access-list Outside_2_Inside extended permit tcp any host site2 eq 994
access-list Outside_2_Inside extended permit tcp any host site2 eq sip
access-list Outside_2_Inside extended permit tcp any host site2 range 8000 8005
access-list Outside_2_Inside extended permit udp any host site2 range 8000 8005
access-list Outside_2_Inside extended permit udp any host site2 eq sip
access-list Outside_2_Inside extended deny tcp any any log
access-list Outside_2_Inside extended deny udp any any log
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List remark Networks to allow over VPN
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.254.0 255.255.255.0
pager lines 20
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
logging debug-trace
mtu inside 1500
mtu GuestWiFi 1500
mtu outside 1500
ip local pool ClientVPN 172.255.2.100-172.255.2.124
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.2.0 255.255.255.0
nat (GuestWiFi) 2 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface smtp UKserver smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 UKserver pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 UKserver imap4 netmask 255.255.255.255
static (inside,outside) tcp interface www UKserver www netmask 255.255.255.255
static (inside,outside) tcp interface https UKserver https netmask 255.255.255.255
static (inside,outside) tcp interface ldap UKserver ldap netmask 255.255.255.255
static (inside,outside) tcp interface ldaps UKserver ldaps netmask 255.255.255.255
static (inside,outside) tcp interface nntp UKserver nntp netmask 255.255.255.255
static (inside,outside) tcp interface 135 UKserver 135 netmask 255.255.255.255
static (inside,outside) tcp interface 102 UKserver 102 netmask 255.255.255.255
static (inside,outside) tcp interface 390 UKserver 390 netmask 255.255.255.255
static (inside,outside) tcp interface 3268 UKserver 3268 netmask 255.255.255.255
static (inside,outside) tcp interface 3269 UKserver 3269 netmask 255.255.255.255
static (inside,outside) tcp interface 993 UKserver 993 netmask 255.255.255.255
static (inside,outside) tcp interface 995 UKserver 995 netmask 255.255.255.255
static (inside,outside) tcp interface 563 UKserver 563 netmask 255.255.255.255
static (inside,outside) tcp interface 465 UKserver 465 netmask 255.255.255.255
static (inside,outside) tcp interface 691 UKserver 691 netmask 255.255.255.255
static (inside,outside) tcp interface 6667 UKserver 6667 netmask 255.255.255.255
static (inside,outside) tcp interface 994 UKserver 994 netmask 255.255.255.255
access-group Outside_2_Inside in interface outside
route outside 0.0.0.0 0.0.0.0 87.224.93.53 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host UKserver
key DCSI_vpn_Key07
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set trans_set
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto map outside_map 20 match address VPN-USA
crypto map outside_map 20 set peer othersite2 site1
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 25
console timeout 0
dhcpd dns UKserver 8.8.8.8
!
dhcpd address 172.18.2.100-172.18.2.149 inside
dhcpd enable inside
!
dhcpd address 192.168.2.50-192.168.2.74 GuestWiFi
dhcpd enable GuestWiFi
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy USER_VPN internal
group-policy USER_VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
user-authentication enable
tunnel-group othersite2 type ipsec-l2l
tunnel-group othersite2 ipsec-attributes
pre-shared-key *
tunnel-group USER_VPN type remote-access
tunnel-group USER_VPN general-attributes
address-pool ClientVPN
authentication-server-group (outside) vpn
default-group-policy USER_VPN
tunnel-group USER_VPN ipsec-attributes
pre-shared-key *
tunnel-group site1 type ipsec-l2l
tunnel-group site1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d000c75c8864547dfabaf3652d81be71
: end
05-01-2013 11:27 AM
Hi,
The output seems to state that the traffic is indeed forwarded to the L2L VPN connection.
Can you PING from the 172.18.2.0/24 network hosts to the 172.17.2.0/24 network hosts?
Have you tried multiple different target hosts on the networks you are trying to ping, so that we can possibly rule out that the actual devices just aren't answering these PINGs?
- Jouni
05-01-2013 07:02 AM
Hi,
Site 1 is missing the L2L VPN ACL Configuration line for the traffic from VPN Pool to Site 2 network
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
Site 2 lacks the "outside" interface NAT0 configuration
access-list outside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
Also, for some reason your Site 2 L2L VPN ACL has the VPN Pool to Site 1 line but lacks the line for the Site 2 network to the Site 1 network
access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
- Jouni
05-01-2013 07:04 AM
Thanks, I'll try that and let you know!
05-01-2013 07:07 AM
Also,
If you are testing with ICMP please add the following configurations on both ASAs
fixup protocol icmp
It should add the following configuration (bolded section under the policy-map)
policy-map global_policy
class inspection_default
inspect icmp
Or alternatively you can go under the "policy-map global_policy" and then under the "class inspection_default" and then configure "inspect icmp" to achieve the same.
- Jouni
05-01-2013 07:18 AM
Alright, I added those lines, I had to change access-list VPN-UK permit ip to access-list VPN-UK extended permit ip
I ran clear xlate and reconnected my vpn client and it is still not working.
05-01-2013 07:24 AM
I guess you still need to add ACL lines to the "inside" interface NAT0 rules
Site 2
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
Site 1
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
- Jouni
05-01-2013 07:17 AM
Hi, below are the things that you need to do.
We need to add 3 things:
In the US ASA
In the UK ASA
Make sure the 172.18.2.0/24 is added in the split tunnel, and that should be it.
On the US ASA, add the second line
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
UK ASA
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
That should get things going.
have a good one.
Rohit
05-01-2013 07:30 AM
After I added the line access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
that was missing, the US clients can ping the UK servers, but UK clients cannot ping the US server.
05-01-2013 07:35 AM
Hi,
Also add the other NAT0 configuration on the other site that I suggested.
And let us know how it goes.
- Jouni
05-01-2013 07:37 AM
After adding those two lines the US clients are working, but not the UK.
05-01-2013 07:39 AM
Do you mean that Site 2 clients can't access the Site 1 network?
Can you also post the current configurations just to be sure.
- Jouni
05-01-2013 07:40 AM
That is correct, I will post them.
05-01-2013 07:47 AM
Site1
ASA Version 8.2(5)
!
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address site1 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound remark US Client to UK Server
access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.123.0 255.255.255.0
access-list Split_Tunnel_List remark UK VPN Client Pool
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list outside-2-inside extended permit tcp any any eq smtp
access-list outside-2-inside extended permit tcp any any eq 82
access-list outside-2-inside extended permit tcp any any eq 81
access-list outside-2-inside extended permit tcp any any eq https
access-list outside-2-inside extended permit tcp any any eq imap4
access-list outside-2-inside extended permit tcp any any eq ldaps
access-list outside-2-inside extended permit tcp any any eq pop3
access-list outside-2-inside extended permit tcp any any eq www
access-list outside-2-inside extended permit tcp any any eq 5963
access-list outside-2-inside extended permit tcp any any eq ftp
access-list outside-2-inside extended permit tcp any any eq ftp-data
access-list outside-2-inside extended permit tcp any any eq 3389
access-list outside-2-inside extended deny tcp any any log
access-list outside-2-inside extended deny ip any any log
access-list outside-2-inside extended deny udp any any log
access-list VPN-CLIENTS extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 192.168.123.0 255.255.255.0
access-list VPNClient_splittunnel remark UK VPN Client Pool
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list outside_nat0_outbound remark AD 5/1/13
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 172.17.2.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 82 172.17.2.253 82 netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.123.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 172.17.2.10 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.17.2.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.19 www netmask 255.255.255.255
static (inside,outside) tcp interface 5963 172.17.2.108 5963 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 172.17.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 172.17.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.29 3389 netmask 255.255.255.255
access-group outside-2-inside in interface outside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DCSI_Auth protocol radius
aaa-server DCSI_Auth (inside) host 172.17.2.29
key *****
aaa-server AD protocol nt
aaa-server AD (inside) host 172.16.1.211
aaa-server AD (inside) host 172.17.2.29
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec transform-set VPN-Client esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set VPN-Client
crypto map outside_map 20 match address VPN-UK
crypto map outside_map 20 set peer site2
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 30 match address VPN-Northwoods
crypto map outside_map 30 set peer 50.194.181.189
crypto map outside_map 30 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNClients internal
group-policy VPNClients attributes
dns-server value 10.0.1.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient_splittunnel
default-domain value domain.local
user-authentication enable
tunnel-group VPNclient type remote-access
tunnel-group VPNclient general-attributes
address-pool VPNUserPool
authentication-server-group DCSI_Auth
default-group-policy VPNClients
tunnel-group VPNclient ipsec-attributes
pre-shared-key *****
tunnel-group othersite type ipsec-l2l
tunnel-group othersite ipsec-attributes
pre-shared-key *****
tunnel-group site2 type ipsec-l2l
tunnel-group site2 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map p2p
match port tcp eq www
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2a01b820b8c3f2106fe6f71e449226dc
: end
05-01-2013 07:50 AM
Hi,
Can you add this to Site 1
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
- Jouni
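The line Jouni asks for fixes a proxy-ID mismatch: on an ASA site-to-site tunnel, every `permit ip A B` entry in one side's crypto-map ACL has to appear as `permit ip B A` on the peer, or phase 2 never comes up for that pair of networks (the VPN-client pool 172.255.2.0/24 is in Site2's VPN-USA ACL but not in Site1's VPN-UK ACL). The script below is an added example, not Cisco's code or anything from this thread; it takes the crypto ACL lines exactly as posted for the two sites (embedded as constructed sample text) and reports the entries each side is missing for the two ACLs to be mirrors, rendered as ready-to-paste 8.2-style access-list lines. The function and regex names are mine.

```python
import ipaddress
import re

# Constructed sample: the crypto-map ACL lines as posted for each site
# (VPN-UK on Site1, VPN-USA on Site2), nothing else from the configs.
SITE1_CONFIG = """\
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
crypto map outside_map 20 match address VPN-UK
"""

SITE2_CONFIG = """\
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
crypto map outside_map 20 match address VPN-USA
"""

# Only the 'permit ip <src> <mask> <dst> <mask>' form is handled; that is the
# only form a crypto ACL should contain anyway.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$")


def _net(addr, mask):
    """Turn an ASA 'address netmask' pair into an ip_network object."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def crypto_acl_names(config):
    """Names of the ACLs a crypto map binds with 'match address'."""
    names = set()
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def proxy_ids(config, acl_name):
    """(src, dst) network pairs from the permit-ip entries of one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.add((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """Entries each side lacks for the two crypto ACLs to be mirror images.

    An entry (a, b) on one peer must exist as (b, a) on the other; a pair
    without a mirror cannot be negotiated in phase 2."""
    missing_local = {(d, s) for (s, d) in remote_pairs if (d, s) not in local_pairs}
    missing_remote = {(d, s) for (s, d) in local_pairs if (d, s) not in remote_pairs}
    return missing_local, missing_remote


def as_acl_lines(acl_name, pairs):
    """Render network pairs back as ASA 8.2 access-list lines."""
    return sorted(
        f"access-list {acl_name} extended permit ip "
        f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
        for s, d in pairs
    )


def check_sites(site1_cfg, site1_acl, site2_cfg, site2_acl):
    """Return (lines Site1 is missing, lines Site2 is missing)."""
    missing1, missing2 = mirror_check(
        proxy_ids(site1_cfg, site1_acl), proxy_ids(site2_cfg, site2_acl)
    )
    return as_acl_lines(site1_acl, missing1), as_acl_lines(site2_acl, missing2)


if __name__ == "__main__":
    results = check_sites(SITE1_CONFIG, "VPN-UK", SITE2_CONFIG, "VPN-USA")
    for site, lines in zip(("Site1", "Site2"), results):
        print(f"{site} is missing {len(lines)} crypto ACL entr(y/ies):")
        for acl_line in lines:
            print("  " + acl_line)
```

Run against the posted ACLs it reports exactly one missing entry, on Site1: `access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0`, the line in the reply above. The same comparison can be repeated for the `nat 0` ACLs once the crypto ACLs match, since traffic that is in the crypto ACL but still gets PAT'd to the outside interface address will not match either.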
05-01-2013 07:50 AM
names
name 172.18.2.2 UKserver
!
interface Vlan1
nameif inside
security-level 100
ip address 172.18.2.1 255.255.255.0
!
interface Vlan2
nameif GuestWiFi
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address site2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1-2
switchport trunk native vlan 2
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list USER_VPN extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list USER_VPN extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list Outside_2_Inside extended permit tcp any host otherhost eq smtp
access-list Outside_2_Inside extended permit tcp any host otherhost eq pop3
access-list Outside_2_Inside extended permit tcp any host otherhost eq imap4
access-list Outside_2_Inside extended permit tcp any host otherhost eq www
access-list Outside_2_Inside extended permit tcp any host otherhost eq https
access-list Outside_2_Inside extended permit tcp any host otherhost eq ldap
access-list Outside_2_Inside extended permit tcp any host otherhost eq ldaps
access-list Outside_2_Inside extended permit tcp any host otherhost eq nntp
access-list Outside_2_Inside extended permit tcp any host otherhost eq 135
access-list Outside_2_Inside extended permit tcp any host otherhost eq 102
access-list Outside_2_Inside extended permit tcp any host otherhost eq 390
access-list Outside_2_Inside extended permit tcp any host otherhost eq 3268
access-list Outside_2_Inside extended permit tcp any host otherhost eq 3269
access-list Outside_2_Inside extended permit tcp any host otherhost eq 993
access-list Outside_2_Inside extended permit tcp any host otherhost eq 995
access-list Outside_2_Inside extended permit tcp any host otherhost eq 563
access-list Outside_2_Inside extended permit tcp any host otherhost eq 465
access-list Outside_2_Inside extended permit tcp any host otherhost eq 691
access-list Outside_2_Inside extended permit tcp any host otherhost eq 6667
access-list Outside_2_Inside extended permit tcp any host otherhost eq 994
access-list Outside_2_Inside extended permit icmp any any echo
access-list Outside_2_Inside extended permit icmp any any echo-reply
access-list Outside_2_Inside extended permit tcp any host site2 eq smtp
access-list Outside_2_Inside extended permit tcp any host site2 eq pop3
access-list Outside_2_Inside extended permit tcp any host site2 eq imap4
access-list Outside_2_Inside extended permit tcp any host site2 eq www
access-list Outside_2_Inside extended permit tcp any host site2 eq https
access-list Outside_2_Inside extended permit tcp any host site2 eq ldap
access-list Outside_2_Inside extended permit tcp any host site2 eq ldaps
access-list Outside_2_Inside extended permit tcp any host site2 eq nntp
access-list Outside_2_Inside extended permit tcp any host site2 eq 135
access-list Outside_2_Inside extended permit tcp any host site2 eq 102
access-list Outside_2_Inside extended permit tcp any host site2 eq 390
access-list Outside_2_Inside extended permit tcp any host site2 eq 3268
access-list Outside_2_Inside extended permit tcp any host site2 eq 3269
access-list Outside_2_Inside extended permit tcp any host site2 eq 993
access-list Outside_2_Inside extended permit tcp any host site2 eq 995
access-list Outside_2_Inside extended permit tcp any host site2 eq 563
access-list Outside_2_Inside extended permit tcp any host site2 eq 465
access-list Outside_2_Inside extended permit tcp any host site2 eq 691
access-list Outside_2_Inside extended permit tcp any host site2 eq 6667
access-list Outside_2_Inside extended permit tcp any host site2 eq 994
access-list Outside_2_Inside extended permit tcp any host site2 eq sip
access-list Outside_2_Inside extended permit tcp any host site2 range 8000 8005
access-list Outside_2_Inside extended permit udp any host site2 range 8000 8005
access-list Outside_2_Inside extended permit udp any host site2 eq sip
access-list Outside_2_Inside extended deny tcp any any log
access-list Outside_2_Inside extended deny udp any any log
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list Split_Tunnel_List remark Networks to allow over VPN
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.254.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
pager lines 20
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
logging debug-trace
mtu inside 1500
mtu GuestWiFi 1500
mtu outside 1500
ip local pool ClientVPN 172.255.2.100-172.255.2.124
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.2.0 255.255.255.0
nat (GuestWiFi) 2 192.168.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp interface smtp UKserver smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 UKserver pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 UKserver imap4 netmask 255.255.255.255
static (inside,outside) tcp interface www UKserver www netmask 255.255.255.255
static (inside,outside) tcp interface https UKserver https netmask 255.255.255.255
static (inside,outside) tcp interface ldap UKserver ldap netmask 255.255.255.255
static (inside,outside) tcp interface ldaps UKserver ldaps netmask 255.255.255.255
static (inside,outside) tcp interface nntp UKserver nntp netmask 255.255.255.255
static (inside,outside) tcp interface 135 UKserver 135 netmask 255.255.255.255
static (inside,outside) tcp interface 102 UKserver 102 netmask 255.255.255.255
static (inside,outside) tcp interface 390 UKserver 390 netmask 255.255.255.255
static (inside,outside) tcp interface 3268 UKserver 3268 netmask 255.255.255.255
static (inside,outside) tcp interface 3269 UKserver 3269 netmask 255.255.255.255
static (inside,outside) tcp interface 993 UKserver 993 netmask 255.255.255.255
static (inside,outside) tcp interface 995 UKserver 995 netmask 255.255.255.255
static (inside,outside) tcp interface 563 UKserver 563 netmask 255.255.255.255
static (inside,outside) tcp interface 465 UKserver 465 netmask 255.255.255.255
static (inside,outside) tcp interface 691 UKserver 691 netmask 255.255.255.255
static (inside,outside) tcp interface 6667 UKserver 6667 netmask 255.255.255.255
static (inside,outside) tcp interface 994 UKserver 994 netmask 255.255.255.255
access-group Outside_2_Inside in interface outside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host UKserver
key *****
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set trans_set
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto map outside_map 20 match address VPN-USA
crypto map outside_map 20 set peer 216.201.188.116 site1
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 25
console timeout 0
dhcpd dns UKserver 8.8.8.8
!
dhcpd address 172.18.2.100-172.18.2.149 inside
dhcpd enable inside
!
dhcpd address 192.168.2.50-192.168.2.74 GuestWiFi
dhcpd enable GuestWiFi
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy USER_VPN internal
group-policy USER_VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
user-authentication enable
tunnel-group othersite type ipsec-l2l
tunnel-group othersite ipsec-attributes
pre-shared-key *
tunnel-group USER_VPN type remote-access
tunnel-group USER_VPN general-attributes
address-pool ClientVPN
authentication-server-group (outside) vpn
default-group-policy USER_VPN
tunnel-group USER_VPN ipsec-attributes
pre-shared-key *
tunnel-group site1 type ipsec-l2l
tunnel-group site1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6605fa6ad71d3e0cf7d01af0459dcdfe
: end