cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1599
Views
0
Helpful
8
Replies

Is it possible to configure a client VPN tunnel to go through host to EasyVPN client

baskervi
Level 1
Level 1

We have a remote location on DSL, and I'd like to be able to VPN into the hub ASA, and then have the hub ASA relay the traffic back to the remote ASA running EasyVPN. Is this possible? Thank you.                  

8 Replies 8

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

Yes,, Just like you can make an annyconnect client talk to a remote access Ipsec client.

Regards,

DO rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, thanks for the reply. The logic for doing this is escaping me - I've set up the split tunnel and nonat access lists on the host ASA, so the routes are established when I VPN into the host ASA. However, I can't figure out what to configure between the host ASA and EasyVPN ASA. Can you throw me out some ideas? Thanks

      

Just to clarify, I also added the IPs to the split tunnel access lists in the group policy as well.

Just dawned on me I didn't reboot the remote ASA.

      

Still no luck after the reboot.

Hello,

That's it, The no_nat configuration and the Split tunnel policy!

Also the crypto ACL for the remote access IPSEc.

if you want you can post the configuration so we can review it.

Regards.

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here's the configuration. I'm trying to go from 192.168.104.x (tunnel-group Jerry*vpn) to 192.168.103.x (tunnel-group corpAG*vpn). Thanks

hostname HOST-ASA
domain-name domain.com
enable password * encrypted
passwd * encrypted
no names
!
interface Vlan1
nameif outside
security-level 0
ip address 70.1.1.1 255.255.255.128
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.15
domain-name corp.com
object-group network RESTRICTED-WEB-SITES
network-object 216.178.0.0 255.255.0.0
network-object 69.63.0.0 255.255.0.0
object-group icmp-type PERMITTED-ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service INSECURE-TCP tcp
port-object range 135 netbios-ssn
port-object eq 445
object-group service INSECURE-UDP udp
port-object eq tftp
port-object range 135 139
port-object eq 445
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list NONAT extended permit ip 172.16.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list NONAT extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list NONAT extended permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 172.16.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list INSIDE remark Deny insecure TCP and UDP traffic
access-list INSIDE extended deny tcp any any object-group INSECURE-TCP
access-list INSIDE extended deny udp any any object-group INSECURE-UDP
access-list INSIDE extended deny tcp any object-group INSECURE-TCP any
access-list INSIDE extended deny udp any object-group INSECURE-UDP any
access-list INSIDE extended permit ip any any
access-list dynamic-filter_acl extended permit ip any any
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended deny ip object-group HACKERS any
access-list OUTSIDE remark Permit journal from Mailbanc
access-list OUTSIDE extended permit tcp 98.129.23.0 255.255.255.0 host 70.164.68.31 eq smtp
access-list OUTSIDE extended permit tcp 98.129.35.0 255.255.255.0 host 70.164.68.31 eq smtp
access-list SPLIT-TUNNEL-JERRY extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL-JERRY extended permit ip 172.16.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL-JERRY extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL 172.16.10.1-172.16.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any inside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 70.164.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.15
key *****
url-cache dst 100
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map CORPVPN 100 ipsec-isakmp dynamic DYNMAP
crypto map CORPVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh * 255.255.255.0 outside
ssh * 255.255.255.255 outside
ssh * 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 30

vpnclient vpngroup * password *****
vpnclient username * password *****
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface outside classify-list dynamic-filter_acl
ntp server 67.67.4.29 source outside
ntp server 67.67.4.30 source outside prefer
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc profiles SBL disk0:/AnyConnectProfile.xml
svc enable
tunnel-group-list enable
group-policy corpwebvpn internal
group-policy corpwebvpn attributes
dns-server value 192.168.1.15 68.105.28.11
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value corpag.local
webvpn
  svc keep-installer installed
  svc rekey time 120
  svc rekey method ssl
  svc ask enable default svc
group-policy corpAG*vpn internal
group-policy corpAG*vpn attributes
dns-server value 192.168.1.15
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value corpag.local
nem enable
group-policy SBL internal
group-policy SBL attributes
dns-server value 192.168.1.15 68.105.28.11
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
webvpn
  svc modules value vpngina
group-policy Jerry*vpn internal
group-policy Jerry*vpn attributes
dns-server value 192.168.1.15
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL-JERRY
default-domain value corpag.local
nem enable
username admin password lt4ZAySH8rIeJViu encrypted privilege 15
username adsne password B8QtKJ7qnjuh.RdQ encrypted
username ezvpn password BJQ42kSMQcqohZHm encrypted
tunnel-group corpwebvpn type remote-access
tunnel-group corpwebvpn general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy corpwebvpn
tunnel-group corpwebvpn webvpn-attributes
group-alias webvpn enable
tunnel-group corpAG*vpn type remote-access
tunnel-group corpAG*vpn general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy corpAG*vpn
tunnel-group corpAG*vpn ipsec-attributes
pre-shared-key *****
tunnel-group SBL type remote-access
tunnel-group SBL general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy SBL
tunnel-group SBL webvpn-attributes
group-alias SBLwebvpn enable
tunnel-group Jerry*vpn type remote-access
tunnel-group Jerry*vpn general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy Jerry*vpn
tunnel-group Jerry*vpn ipsec-attributes
pre-shared-key *****
!
class-map dynamic-filter_snoop_class
match port udp eq domain
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 1536
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy dynamic-filter_snoop_policy interface outside
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Hello,

Please add the following:

Access-List Nonat2 permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0

access-list  Nonat2 permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0

Nat (outside) 0  access-list Nonat2

same-security-traffic permit intra-interface

Regards,

Do rate all the helpul posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Tried it, no luck. What I am seeing is that for "tunnel-group Jerry*vpn" there is an SA created for traffic between the two endpoints. This isn't the case for "tunnel-group corpAG*vpn".

Hello,

You need to bring up both SAs first....ping from the VPN Client to the EzVPN client and then from the EzVPN Client to the VPN Client. That will bring up both SAs and you will be able to pass traffic after that.

Julio, you are right the "same-security-traffic permit intra-interface" command but in this particular case we dont need a nat exemption for this traffic, from the hub perspective the packets go from outside to outside and since there is no nat (outside) then we dont need the nonat.

You may want to remove this line as well:

access-list SPLIT-TUNNEL extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0

We do recommend using standard ACLs for the split-tunnel however the way you have it should work too.

HTH!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: