07-29-2011 02:09 PM
So I have 2 ASA's in two different data centers. They are connected with a site-to-site VPN tunnel which has been work great. We recently decided to allow some users to access the network via the Anyconnect client. We configured it in datacenter 1 which has a network of 10.1.1.0/24. The network in datacenter 2 is 10.1.10.0/24. When the user connects he can access any of the machines that are on the same subnet as they are. When they try to access any of the machines in datacenter 2 they are not able to get access. I am sure there is an ACL I am missing somewhere but I cant seem to find it. Below is the VPN part of my running config.
Thanks
Aaron
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host (external IP) object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host (external IP) object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host (external IP) object-group DM_INLINE_TCP_3
access-list inside_access_in extended permit ip any any
access-list workvpn_splitTunnelACL standard permit 10.1.1.0 255.255.255.0
access-list workvpn_splitTunnelACL standard permit 10.1.10.0 255.255.255.0
ip local pool VPN_DHCP 10.1.1.123-10.1.1.130 mask 255.255.255.0
ldap attribute-map CISCOMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE anyconnect
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.1.1.101
ldap-base-dn dc=testdomain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=Administrator,CN=Users,DC=testdomain,DC=com
server-type microsoft
ldap-attribute-map CISCOMAP
aaa-server AD (inside) host 10.1.1.102
ldap-base-dn dc=testdomain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=testdomain,dc=com
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 65535 set pfs group1
crypto dynamic-map outside_dyn_map 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer (datacenter 2 IP)
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=cala-asa01
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy anyconnect internal
group-policy anyconnect attributes
wins-server none
dns-server value 10.1.1.101 10.1.1.102
vpn-tunnel-protocol IPSec l2tp-ipsec svc
webvpn
svc ask none default svc
tunnel-group (datacenter 2 IP) type ipsec-l2l
tunnel-group (datacenter 2 IP) ipsec-attributes
pre-shared-key *
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
address-pool VPN_DHCP
authentication-server-group AD
default-group-policy anyconnect
tunnel-group anyconnect webvpn-attributes
group-alias AnyConnect enable
07-30-2011 11:51 AM
Hi Aaron,
Make sure you have the "same-security-traffic permit intrainterface" command enabled, this will allow traffic coming from an interface to leave through that same interface which in this case is true, traffic comes from the outside and leaves on the outside.
Regards,
Jonnathan Rojas
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide