Site-to-site VPN down when SSL VPN is configured for remote users

I have two ASA firewalls in two branches (Singapore and Malaysia). The site-to-site VPN is already up and running.

When I try to create the SSL VPN for remote users in the Singapore branch, the Malaysia-side servers and users are no longer able to reach the Singapore side.

Does anyone know why this is happening?

Below is the Singapore-side configuration before configuring the remote SSL VPN:

show running-config
: Saved
:
: Serial Number: FCH1923J11E
: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)4
!
hostname ASA5515-SSG520M
enable password grVxGSQzqHmREj.3 encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.202 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address z.z.z.z 255.255.255.224
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
banner login Unauthorized access strictly prohibited and prosecuted to the full extent of the law
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone GMT 8
object network MK
 subnet 192.168.2.0 255.255.255.0
object network SG
 subnet 192.168.0.0 255.255.255.0
object network SG_DMZ
 subnet 192.168.5.0 255.255.255.0
object network SG_Inside
 subnet 10.1.0.0 255.255.0.0
object network SG_Local
 subnet 192.168.99.0 255.255.255.0
object network MK_DMZ
 subnet 192.168.12.0 255.255.255.0
object network MK_Local
 subnet 10.2.0.0 255.255.0.0
object network MK_Switch
 subnet 10.6.0.0 255.255.0.0
object network MK_Inside
 subnet 192.168.254.4 255.255.255.252
object network KS
 subnet 10.28.0.0 255.255.0.0
object network KS_DMZ
 subnet 10.27.0.0 255.255.0.0
object network KS_Office
 subnet 10.29.0.0 255.255.0.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG object MK
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG object MK_DMZ
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG object MK_Local
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG object MK_Switch
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG object MK_Inside
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_DMZ object MK_DMZ
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_DMZ object MK_Local
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_DMZ object MK_Switch
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_DMZ object MK_Inside
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_DMZ object MK
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Local object MK_DMZ
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Local object MK_Local
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Local object MK_Switch
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Local object MK_Inside
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Local object MK
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Inside object MK_DMZ
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Inside object MK_Local
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Inside object MK_Switch
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Inside object MK_Inside
access-list VPN-INTERESTING-TRAFIC extended permit ip object SG_Inside object MK
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object SG object KS
pager lines 24
logging enable
logging timestamp
logging buffer-size 30000
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm errors
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static SG SG destination static MK MK no-proxy-arp route-lookup
nat (inside,outside) source static SG SG destination static KS KS no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 119.73.250.65 1
route inside 10.1.0.0 255.255.0.0 192.168.0.199 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record GroupPolicy1
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set peer x.x.x.x
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 2 match address outside_cryptomap
crypto map CRYPTO-MAP 2 set peer y.y.y.y
crypto map CRYPTO-MAP 2 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 139.162.20.174
ntp server 128.199.209.79
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
username gmsadmin password sh/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy1
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y general-attributes
 default-group-policy GroupPolicy2
tunnel-group y.y.y.y ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description global
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
  inspect icmp error
  inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9984dcdc753e3c5b3100de6921102205
: end

2 Replies

This is the configuration for the remote-site SSL users:

same-security-traffic permit intra-interface

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.11004-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.11004-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.11004-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable

ip local pool remote-vpn 192.168.75.1-192.168.75.10 mask 255.255.255.0

 

object network obj-remotevpn
    subnet 192.168.75.0 255.255.255.0
    nat (outside,outside) dynamic interface

 no object network obj-localtraffic-for-vpn
    subnet 192.168.0.0 255.255.255.0
    nat (inside,outside) dynamic interface

nat (inside,outside) source static obj-localtraffic-for-vpn obj-localtraffic-for-vpn destination static obj-remotevpn obj-remotevpn
access-list SPLIT-ACL standard permit 192.168.0.0 255.255.0.0
access-list SPLIT-ACL standard permit 192.168.75.0 255.255.255.0

 

group-policy clientgroup internal
group-policy clientgroup attributes
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified (tunnelall)
    split-tunnel-network-list SPLIT-ACL
    
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
    address-pool remote-vpn
    default-group-policy clientgroup

tunnel-group sslgroup webvpn-attributes    
    group-alias sslgroup-users enable


username ssluser1 password ******
username ssluser1 attributes
    service-type remote-access

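The question in this thread is whether the NAT statements added for the SSL VPN change how traffic that should enter the site-to-site tunnel is handled. The script below is an added example, not code from the post or from Cisco: it transcribes the network objects, the NAT rules from both posts and the source/destination pairs of access-list VPN-INTERESTING-TRAFIC, and runs them through a simplified model of ASA NAT precedence (section 1 manual/twice NAT in configuration order, then section 2 object NAT; section 3 and section 2 tie-breaking are not modelled because the posted config does not use them). It assumes the object NAT on obj-localtraffic-for-vpn is in effect as posted, and that SG_Local and SG_Inside sit behind the inside interface (the route for 10.1.0.0/16 points there; SG_Local is a guess). It reports which crypto-ACL pairs hit a translating rule before any identity rule; on the real firewall the same question is answered by packet-tracer and show nat, which is how to confirm or rule out this as the cause.

```python
"""Simplified model of ASA NAT precedence applied to the NAT rules in this
thread. Constructed example: rule data is transcribed from the posted
configuration, the matching logic is a simplification of ASA behaviour."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# object network ... / subnet ... statements from the Singapore ASA
OBJECTS = {
    "SG": "192.168.0.0/24", "SG_DMZ": "192.168.5.0/24",
    "SG_Inside": "10.1.0.0/16", "SG_Local": "192.168.99.0/24",
    "MK": "192.168.2.0/24", "MK_DMZ": "192.168.12.0/24",
    "MK_Local": "10.2.0.0/16", "MK_Switch": "10.6.0.0/16",
    "MK_Inside": "192.168.254.4/30", "KS": "10.28.0.0/16",
    "obj-remotevpn": "192.168.75.0/24",
}


def net(name: str) -> Net:
    return ipaddress.ip_network(OBJECTS[name])


@dataclass(frozen=True)
class NatRule:
    section: int        # 1 = manual (twice) NAT, 2 = auto (object) NAT
    ingress: str        # real (ingress) interface the rule applies to
    src: Net
    dst: Optional[Net]  # None = any destination (object NAT has no dst match)
    action: str         # "identity" (no translation) or "pat-interface"
    label: str


# nat (inside,outside) source static SG SG destination static MK MK ... (and KS)
SITE_TO_SITE_RULES = [
    NatRule(1, "inside", net("SG"), net("MK"), "identity", "SG<->MK exemption"),
    NatRule(1, "inside", net("SG"), net("KS"), "identity", "SG<->KS exemption"),
]

# Rules introduced with the remote-access SSL VPN in the second post
REMOTE_ACCESS_RULES = [
    NatRule(1, "inside", net("SG"), net("obj-remotevpn"), "identity",
            "SG<->remote-vpn exemption"),
    NatRule(2, "inside", net("SG"), None, "pat-interface",
            "obj-localtraffic-for-vpn: nat (inside,outside) dynamic interface"),
    NatRule(2, "outside", net("obj-remotevpn"), None, "pat-interface",
            "obj-remotevpn: nat (outside,outside) dynamic interface"),
]

MK_SIDE = ("MK_DMZ", "MK_Local", "MK_Switch", "MK_Inside", "MK")
# (source object, destination object, ingress interface) for every line of
# access-list VPN-INTERESTING-TRAFIC. Ingress interfaces for SG_Local and
# SG_Inside are an assumption (the posted config only routes SG_Inside inside).
CRYPTO_ACL: List[Tuple[str, str, str]] = (
    [("SG", d, "inside") for d in ("MK",) + MK_SIDE[:4]]
    + [("SG_DMZ", d, "DMZ") for d in MK_SIDE]
    + [("SG_Local", d, "inside") for d in MK_SIDE]
    + [("SG_Inside", d, "inside") for d in MK_SIDE]
)


def lookup(rules: List[NatRule], ingress: str, src_ip, dst_ip) -> Optional[NatRule]:
    """First matching rule: every section 1 rule in config order, then section 2."""
    for section in (1, 2):
        for rule in rules:
            if rule.section != section or rule.ingress != ingress:
                continue
            if src_ip in rule.src and (rule.dst is None or dst_ip in rule.dst):
                return rule
    return None


def translated_crypto_pairs(rules: List[NatRule], crypto_acl=CRYPTO_ACL):
    """Crypto-ACL pairs whose packets reach a translating rule before any
    identity rule. The crypto map is evaluated after NAT, so a translated
    source no longer matches VPN-INTERESTING-TRAFIC and the flow leaves the
    outside interface untunnelled instead of entering the site-to-site SA."""
    hits = []
    for src_obj, dst_obj, ingress in crypto_acl:
        rule = lookup(rules, ingress, net(src_obj)[1], net(dst_obj)[1])
        if rule is not None and rule.action != "identity":
            hits.append((src_obj, dst_obj, rule.label))
    return hits


if __name__ == "__main__":
    print("before SSL VPN change:", translated_crypto_pairs(SITE_TO_SITE_RULES))
    print("after SSL VPN change:")
    for s, d, label in translated_crypto_pairs(SITE_TO_SITE_RULES + REMOTE_ACCESS_RULES):
        print(f"  {s} -> {d}: {label}")
```

With only the original rules no crypto-ACL pair is translated: pairs without an exemption simply fall through untouched, because the original config has no dynamic PAT at all. Once a section 2 dynamic rule for 192.168.0.0/24 exists, every SG-to-MK pair that is in the crypto ACL but not in an identity rule (only SG<->MK and SG<->KS have one) matches that PAT. The model stops at that point; whether this is what the firewall actually does for the posted config is what packet-tracer on the Singapore ASA would show.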
Hi, can anyone help me with this issue? I'm really struggling with this problem.