Hairpinning

fredle123
Level 1

Hi,

I need to give VPN clients on 10.40.220.0 access to the 10.39.216.0 s2s VPN via this ASA on group MTLONVPN.

Any help appreciated. Thanks

ASA Version 8.2(5)
!
hostname MTLDRASA01
enable password yWL0OyyyF2vJCKw6 encrypted
passwd EMM5CEA7494udygX encrypted
names
name 33.33.33.192 MATLONPub1
name 44.44.44.208 MATLONPub2
name 55.55.55.144 MASIN
name 66.77.62.56 MAHKG
name 10.40.216.2 MTDRADC01
!
interface Ethernet0/0
 description *** Outside Interface ***
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 description *** VMNic2 Production Replica Network ***
 switchport access vlan 39
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description *** Inside VLAN ***
 nameif inside
 security-level 100
 ip address 10.40.217.254 255.255.254.0
!
interface Vlan2
 description *** Outside VLAN ***
 nameif outside
 security-level 0
 ip address 00.00.000.59 255.255.255.248
!
interface Vlan39
 description *** Production Replica Network ***
 nameif prod_rep
 security-level 100
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup prod_rep
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MATSCO_HOSTS
 network-object MATLONPub1 255.255.255.224
 network-object MATLONPub2 255.255.255.248
 network-object MASIN 255.255.255.248
 network-object MAHKG 255.255.255.248
object-group service crmport tcp
 port-object eq 8443
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp object-group MATSCO_HOSTS interface outside echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any parameter-problem
access-list outside_access_in extended permit tcp any host 00.00.000.60 object-group crmport
access-list outside_access_in extended permit tcp any host 00.00.000.61 eq https
access-list outside_access_in extended permit tcp any host 00.00.000.58 eq https
access-list inside_nat0_outbound extended permit ip 10.40.216.0 255.255.254.0 10.40.220.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.40.216.0 255.255.254.0 10.39.216.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.40.220.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.40.220.0 255.255.255.0
access-list MTLDR_MTLON_S2S_VPN extended permit ip 10.40.216.0 255.255.254.0 10.39.216.0 255.255.254.0
access-list ProdRepVPN_splitTunnelAcl standard permit 10.39.216.0 255.255.254.0
access-list ProdRepVPN_splitTunnelAcl standard permit 10.40.216.0 255.255.254.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging console critical
logging monitor critical
logging buffered debugging
logging asdm informational
logging device-id string MTLDRASA01
mtu inside 1500
mtu outside 1500
mtu prod_rep 1500
ip local pool MTLDRVPNPool 10.40.220.100-10.40.220.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 20 00.00.000.60
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.40.216.0 255.255.254.0
nat (prod_rep) 20 10.39.216.0 255.255.254.0
static (inside,outside) tcp 00.00.000.60 www 10.40.216.13 www netmask 255.255.255.255
static (inside,outside) tcp 00.00.000.60 8443 10.40.216.13 8443 netmask 255.255.255.255
static (inside,outside) tcp 00.00.000.61 https 10.40.216.41 https netmask 255.255.255.255
static (inside,outside) tcp 00.00.000.58 https 10.40.216.7 https netmask 255.255.255.255
static (inside,outside) tcp 00.00.000.60 https MTDRADC01 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 00.00.000.57 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-Auth protocol radius
aaa-server AD-Auth (inside) host MTDRADC01
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http MATLONPub1 255.255.255.224 outside
http MATLONPub2 255.255.255.248 outside
http MASIN 255.255.255.248 outside
http MAHKG 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address MTLDR_MTLON_S2S_VPN
crypto map outside_map 10 set peer 11.11.111.94
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh MATLONPub1 255.255.255.224 outside
ssh MATLONPub2 255.255.255.248 outside
ssh MASIN 255.255.255.248 outside
ssh MAHKG 255.255.255.248 outside
ssh timeout 30
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ProdRepVPN internal
group-policy ProdRepVPN attributes
 dns-server value 10.40.216.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ProdRepVPN_splitTunnelAcl
 default-domain none
group-policy DfltGrpPolicy attributes
 dns-server value 10.40.216.2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol webvpn
username mimadmin password ewJkTpoWUl19fINi encrypted privilege 15
username Matsco password ims7VZCZE9SCOS4I encrypted privilege 15
tunnel-group 11.11.111.94 type ipsec-l2l
tunnel-group 11.11.111.94 ipsec-attributes
 pre-shared-key *****
tunnel-group ProdRepVPN type remote-access
tunnel-group ProdRepVPN general-attributes
 address-pool MTLDRVPNPool
 default-group-policy ProdRepVPN
tunnel-group ProdRepVPN ipsec-attributes
 pre-shared-key *****
tunnel-group MTLONVPN type remote-access
tunnel-group MTLONVPN general-attributes
 address-pool MTLDRVPNPool
 authentication-server-group AD-Auth LOCAL
 default-group-policy ProdRepVPN
tunnel-group MTLONVPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:80d43f83813a3b444237f18419a28f2f
: end
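Added example, not part of the original post and not Cisco's or the poster's code: a small Python audit of the configuration above for the three things ASA 8.2 needs before remote-access clients can hairpin into a LAN-to-LAN tunnel. The checks are (1) `same-security-traffic permit intra-interface`, so decrypted traffic may leave through the interface it arrived on; (2) the static crypto map's match ACL covering pool-to-remote traffic, so the ASA actually has an SA to put the packets in; (3) a `nat (outside) 0` exemption for the same flow. `POSTED_CONFIG` is a constructed excerpt of the lines that matter; `HAIRPIN_FIX` and the ACL name `outside_nat0` are hypothetical additions written here to show what "fixed" looks like, and they assume the London peer (11.11.111.94) mirrors the new crypto ACE on its side, which the page does not show.

```python
"""Audit an ASA 8.2 config for the prerequisites of RA-client-to-L2L hairpinning."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt: only the lines from the posted config relevant to hairpinning.
POSTED_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.40.216.0 255.255.254.0 10.40.220.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.40.216.0 255.255.254.0 10.39.216.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.40.220.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.40.220.0 255.255.255.0
access-list MTLDR_MTLON_S2S_VPN extended permit ip 10.40.216.0 255.255.254.0 10.39.216.0 255.255.254.0
access-list ProdRepVPN_splitTunnelAcl standard permit 10.39.216.0 255.255.254.0
ip local pool MTLDRVPNPool 10.40.220.100-10.40.220.200 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address MTLDR_MTLON_S2S_VPN
crypto map outside_map 10 set peer 11.11.111.94
"""

# Hypothetical additions (assumption: the remote peer adds the mirror-image crypto ACE).
HAIRPIN_FIX = """\
access-list MTLDR_MTLON_S2S_VPN extended permit ip 10.40.220.0 255.255.255.0 10.39.216.0 255.255.254.0
access-list outside_nat0 extended permit ip 10.40.220.0 255.255.255.0 10.39.216.0 255.255.254.0
nat (outside) 0 access-list outside_nat0
"""


def _net(tokens):
    """Consume one address spec (any | host A | A MASK) from the front of a token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ip_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (.+)", line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src = _net(tokens)
        dst = _net(tokens)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def acl_covers(entries, src, dst):
    """True if some ACE's source and destination both contain the given networks."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def crypto_map_acls(config):
    """Return {peer_ip: match_acl_name} for static crypto map entries."""
    match_acl, peers = {}, {}
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m:
            match_acl[(m.group(1), m.group(2))] = m.group(3)
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line)
        if m:
            peers[(m.group(1), m.group(2))] = m.group(3)
    return {peers[k]: acl for k, acl in match_acl.items() if k in peers}


def pool_network(config, pool_name):
    """Network containing the named 'ip local pool' (assumes the range fits its mask)."""
    m = re.search(rf"ip local pool {pool_name} (\S+)-(\S+) mask (\S+)", config)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)


def check_hairpin(config, pool_name, remote_net):
    """Report which of the three hairpinning prerequisites the config satisfies."""
    remote = ipaddress.ip_network(remote_net)
    pool = pool_network(config, pool_name)
    acls = parse_ip_acls(config)
    lines = [l.strip() for l in config.splitlines()]
    # 1. Decrypted client traffic must be allowed to leave via the interface it entered.
    intra = "same-security-traffic permit intra-interface" in lines
    # 2. Some static crypto map ACL must match pool -> remote, or no SA exists for it.
    crypto = any(acl_covers(acls.get(acl, []), pool, remote)
                 for acl in crypto_map_acls(config).values())
    # 3. pool -> remote must be exempt from NAT on the outside interface.
    nat0 = re.search(r"nat \(outside\) 0 access-list (\S+)", config)
    exempt = bool(nat0) and acl_covers(acls.get(nat0.group(1), []), pool, remote)
    return {"intra_interface": intra, "crypto_acl": crypto, "outside_nat0": exempt}


if __name__ == "__main__":
    print("posted :", check_hairpin(POSTED_CONFIG, "MTLDRVPNPool", "10.39.216.0/23"))
    print("patched:", check_hairpin(POSTED_CONFIG + HAIRPIN_FIX, "MTLDRVPNPool", "10.39.216.0/23"))
```

Run against the posted excerpt the script reports `intra_interface` present but both `crypto_acl` and `outside_nat0` missing: the split-tunnel list already sends 10.39.216.0/23 down the client tunnel, but `MTLDR_MTLON_S2S_VPN` only names 10.40.216.0/23 as the local side, so the ASA has nowhere to forward pool traffic once decrypted. Appending `HAIRPIN_FIX` turns all three checks true. The `nat (outside) 0` form is the 8.2 syntax; 8.3 and later use object NAT instead, and the crypto ACL change must be mirrored on the peer or phase 2 will fail for that proxy pair.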

2 Replies

Dan Lukes
VIP Alumni

Wrong forum. The Feedback Forum is dedicated to other topics. See description for details.

This thread will be moved to VPN.

This discussion has been reposted from Cisco Small Business Support Community to the VPN community.
