Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
621
Views
0
Helpful
1
Replies

SSL VPN issue with 2 ASA's connected via Site to Site

aaron.chow
Level 1
Level 1

‎07-29-2011 02:09 PM

So I have 2 ASA's in two different data centers.  They are connected with a site-to-site VPN tunnel which has been work great.  We recently decided to allow some users to access the network via the Anyconnect client.  We configured it in datacenter 1 which has a network of 10.1.1.0/24.  The network in datacenter 2 is 10.1.10.0/24.  When the user connects he can access any of the machines that are on the same subnet as they are.  When they try to access any of the machines in datacenter 2 they are not able to get access.  I am sure there is an ACL I am missing somewhere but I cant seem to find it.  Below is the VPN part of my running config.

Thanks

Aaron

access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0

access-list outside_access_in extended permit tcp any host (external IP) object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host (external IP) object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any host (external IP) object-group DM_INLINE_TCP_3

access-list inside_access_in extended permit ip any any

access-list workvpn_splitTunnelACL standard permit 10.1.1.0 255.255.255.0

access-list workvpn_splitTunnelACL standard permit 10.1.10.0 255.255.255.0

ip local pool VPN_DHCP 10.1.1.123-10.1.1.130 mask 255.255.255.0

ldap attribute-map CISCOMAP

  map-name  msNPAllowDialin IETF-Radius-Class

  map-value msNPAllowDialin FALSE NOACCESS

  map-value msNPAllowDialin TRUE anyconnect

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol ldap

aaa-server AD (inside) host 10.1.1.101

ldap-base-dn dc=testdomain,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn CN=Administrator,CN=Users,DC=testdomain,DC=com

server-type microsoft

ldap-attribute-map CISCOMAP

aaa-server AD (inside) host 10.1.1.102

ldap-base-dn dc=testdomain,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=administrator,cn=users,dc=testdomain,dc=com

server-type microsoft

ldap-attribute-map CISCOMAP

aaa authentication ssh console LOCAL

http server enable

http 10.1.1.0 255.255.255.0 inside

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 65535 set pfs group1

crypto dynamic-map outside_dyn_map 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer (datacenter 2 IP)

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=cala-asa01

crl configure

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy NOACCESS internal

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy anyconnect internal

group-policy anyconnect attributes

wins-server none

dns-server value 10.1.1.101 10.1.1.102

vpn-tunnel-protocol IPSec l2tp-ipsec svc

webvpn

  svc ask none default svc

tunnel-group (datacenter 2 IP) type ipsec-l2l

tunnel-group (datacenter 2 IP) ipsec-attributes

pre-shared-key *

tunnel-group anyconnect type remote-access

tunnel-group anyconnect general-attributes

address-pool VPN_DHCP

authentication-server-group AD

default-group-policy anyconnect

tunnel-group anyconnect webvpn-attributes

group-alias AnyConnect enable

Labels:
0 Helpful
1 Reply 1

jonrojas
Level 1
Level 1

‎07-30-2011 11:51 AM

Hi Aaron,

Make sure you have the "same-security-traffic permit intrainterface" command enabled, this will allow traffic coming from an interface to leave through that same interface which in this case is true, traffic comes from the outside and leaves on the outside.

Regards,

Jonnathan Rojas

0 Helpful
Customers Also Viewed These Support Documents