cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
662
Views
0
Helpful
5
Replies

VPN Client Pool over site to site

Bernd Windisch
Level 1
Level 1

Hello,

i´ve troubles getting this to work:

Location A

ASA5505 (10.1.2.0/24)

EasyVPN Server (VPN Pool 172.20.2.0/24)

Location B

878w (192.168.0.0/24)

between A and B is a site to site VPN (both devices are behind a provider gateway, i´ve set up static routes on it)

Traffic between A and B works fine!

now i´d like to allow vpn user´s (172.20.2.0) access to Location B, and here begin the problems.

my first step was to add the 172er subnet to the access-list on Location B

when i send a ping from Location B to the 172er subnet, the vpn tunnel between A and B goes down....?!

can anyone give me a tip where to go? i need to set up staic routes on the 878er?

here my config´s

LOCATION A (ASA)

: Saved

:

ASA Version 9.1(3)

!

hostname vpn

domain-name home

enable password ENCRYPTED encrypted

names

ip local pool VPN-Pool 172.20.2.1-172.20.2.10 mask 255.255.255.0

ip local pool VPN-Pool2 10.254.254.1-10.254.254.10 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.2.230 255.255.255.0

!

interface Vlan2

shutdown

nameif outside

security-level 0

ip address dhcp

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.1.2.250

domain-name home

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network LAN-Firma

subnet 192.168.0.0 255.255.255.0

object network NETWORK_OBJ_10.1.2.0_24

subnet 10.1.2.0 255.255.255.0

object network NETWORK_OBJ_172.20.2.0_28

subnet 172.20.2.0 255.255.255.240

access-list inside_cryptomap extended permit ip 10.1.2.0 255.255.255.0 object LAN-Firma

access-list inside_access_in extended permit ip any any

access-list VPN2LAN_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0

access-list VPNCERT_splitTunnelAcl remark LAN Home

access-list VPNCERT_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,inside) source static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24 destination static NETWORK_OBJ_172.20.2.0_28 NETWORK_OBJ_172.20.2.0_28 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

route inside 0.0.0.0 0.0.0.0 10.1.2.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.1.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map inside_map 1 match address inside_cryptomap

crypto map inside_map 1 set peer 195.248.54.231

crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map inside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint1

keypair ASDM_TrustPoint1

crl configure

crypto ca trustpoint Carmen

keypair Carmen

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

certificate ca 4f8689e745b986ab4420b66164e20fe4

    30820392 3082027a a0030201 0202104f 8689e745 b986ab44 20b66164 e20fe430

    0d06092a 864886f7 0d010105 05003048 31153013 060a0992 268993f2 2c640119

    16056c6f 63616c31 1a301806 0a099226 8993f22c 64011916 0a636572 74736572

    76657231 13301106 03550403 130a5a65 72745365 72766572 301e170d 31333131

    32353039 34333231 5a170d31 38313132 35303935 3235365a 30483115 3013060a

    09922689 93f22c64 01191605 6c6f6361 6c311a30 18060a09 92268993 f22c6401

    19160a63 65727473 65727665 72311330 11060355 0403130a 5a657274 53657276

    65723082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282

    010100de 5ec9e689 6b9c332d b5aa3b62 dae0c53c b5c6482c 00adaf3c 4f8bcf8e

    8f07e129 f37abf92 1c26fd67 e02875fb d154aa7e 546cd288 94b42aa7 e0c494d0

    d486705d 37004529 e177d338 0ca63078 6f992270 6fb98fd0 1122cfb7 df2a50d2

    675cc72b 5d982638 b62893a6 c68af0cd a8a4fb11 6e31a736 8d4d6348 6b75a97c

    8cd69422 fad16723 2bd091eb 4050dd64 8697d7e9 197d7962 21251173 9cf6fe23

    09cc6686 04bf840d 1f51723f f3ae484d d42873c6 ffdb1bd9 472b0a87 b5c7b5d2

    bd74e17e 4c736a79 3acbafe2 daa1166f 95e46fc6 efd8bdd9 19cda194 2de5ade3

    e2d1cedd 99541769 ccd702b9 aaf0aa84 799c7c44 b920b5ac b4e6b532 18e53c46

    d8ba9f02 03010001 a3783076 300b0603 551d0f04 04030201 86300f06 03551d13

    0101ff04 05300301 01ff301d 0603551d 0e041604 14b5fbe5 d282e426 67959c01

    4d25f4b3 9781ad5d 9b301206 092b0601 04018237 15010405 02030100 01302306

    092b0601 04018237 15020416 0414c02f 9f0c28e5 fec3c48e 49787188 784e0458

    facf300d 06092a86 4886f70d 01010505 00038201 010069c8 3927a216 6ae4c320

    d368494d 0d9b2640 b2ff0b12 9c54e822 1f6c16f1 44af6196 3b9af309 67194851

    5b11dd13 1454c804 c4cc0346 46450dac 89eb10a4 7009bf79 4b517af4 bcaa5011

    1d7d8df6 cc3d418c a869675e 416a329e f628449f d382e4e9 424776cb a3c40629

    bc2cd5d1 4d483df6 ab8fd8fc 4e5d89a0 4183fae5 7241e685 254fc278 fb34bac1

    593397e9 26de0ddb 4f58628f 7196b57d 57e06c63 a5bdfff6 c8516404 3186ed7a

    2cb9dc23 253961d9 c134dd38 9972f4dd 2b889326 61cd5d21 1051118a 121a5170

    66ad1611 b2756d1f b059d49f 14e52832 8049bdcb aef6b988 d5e2c622 9bd809ee

    5b292a81 a0d33c19 6109f5eb 6c88cfa0 d075a4f0 2047

  quit

crypto ca certificate chain ASDM_TrustPoint1

certificate 61198fc3000100000016

    308203c1 308202a9 a0030201 02020a61 198fc300 01000000 16300d06 092a8648

    86f70d01 01050500 30483115 3013060a 09922689 93f22c64 01191605 6c6f6361

    6c311a30 18060a09 92268993 f22c6401 19160a63 65727473 65727665 72311330

    11060355 0403130a 5a657274 53657276 6572301e 170d3133 31313236 31393331

    33305a17 0d313531 31323631 39333133 305a3081 9e310b30 09060355 04061302

    41543113 30110603 55040813 0a537465 6965726d 61726b31 0d300b06 03550407

    13044772 617a3110 300e0603 55040a13 0756504e 43455254 3110300e 06035504

    0b130756 504e4345 52543117 30150603 55040313 0e426572 6e642057 696e6469

    73636831 2e302c06 092a8648 86f70d01 0901161f 6265726e 642e7769 6e646973

    63684076 6964656f 2d746563 686e696b 2e617430 819f300d 06092a86 4886f70d

    01010105 0003818d 00308189 02818100 b05befc7 f1ea9aa0 0e625a35 0c18bac6

    73a04ff0 97b8e290 41e5ff2e eef5faa8 1a205a96 099b04e3 9dc1fd09 9d204b23

    fcb631a5 5d19965f 9edd5406 e7fa6a45 afe550a7 e7d04077 e9492a75 ae2e45d7

    9769247b b0c0e5bb 6b8130c5 4d6faa35 9b74217b 2e38d3f9 a23ee7c4 c36817bf

    08fb1ad9 9cb40a99 6e101ed5 15fbb915 02030100 01a381d9 3081d630 0b060355

    1d0f0404 030205a0 301d0603 551d0e04 16041482 38942cf8 cf4cd7b0 b9159a33

    d772fff6 5c5c2630 3c06092b 06010401 82371507 042f302d 06252b06 01040182

    37150885 86e41b82 b9855381 ed8b0686 8edf2e87 cecf5670 f3e22084 b8872402

    01640201 02301f06 03551d23 04183016 8014b5fb e5d282e4 2667959c 014d25f4

    b39781ad 5d9b3013 0603551d 25040c30 0a06082b 06010505 08020230 1b06092b

    06010401 8237150a 040e300c 300a0608 2b060105 05080202 30170603 551d1104

    10300e82 0c38352e 3132362e 38352e38 38300d06 092a8648 86f70d01 01050500

    03820101 00c1d2cc bba37410 159808b2 0ce8835a 5f045b5b 57e09828 4def7ffa

    710eefa1 1352baf9 9e4ec65a 81da6699 fa4b3e3d fb131214 69cda982 59f06541

    4ea0ad3a 49027ad7 e401cd0e e4761e9a 3b607269 c79ed2c6 45d5eb8e 6bd02e88

    7c79eade a0cc2d82 f9ca0d76 fd15b4d6 130f99b1 8834b77e db029e29 0551be88

    c9f68cd5 ae8bb30b 714466f2 5f451341 5df5b34e 2f389fef 17af4a04 a84094c0

    970fc21d ed12c99f f8f8e6b4 4cfe6970 3517e9f9 edb831a8 8c6e4b58 64239af9

    bdcf047a c09cb6f2 758691b1 3bb1f46f 4cc265dd e1979320 b71a722a 1da08375

    74822a6c 34b908be 6fab7a12 7f1aa404 bcad1d77 6f9b1aa3 e1b2d468 59ae611a

    17ab0ca4 01

  quit

crypto ca certificate chain Carmen

certificate 61225231000100000019

    308203c2 308202aa a0030201 02020a61 22523100 01000000 19300d06 092a8648

    86f70d01 01050500 30483115 3013060a 09922689 93f22c64 01191605 6c6f6361

    6c311a30 18060a09 92268993 f22c6401 19160a63 65727473 65727665 72311330

    11060355 0403130a 5a657274 53657276 6572301e 170d3133 31323034 31393236

    35325a17 0d313531 32303431 39323635 325a3081 a0310b30 09060355 04061302

    41543113 30110603 55040813 0a537465 6965726d 61726b31 0d300b06 03550407

    13044772 617a3110 300e0603 55040a13 0756504e 43455254 3110300e 06035504

    0b130756 504e4345 52543118 30160603 55040313 0f436172 6d656e20 57696e64

    69736368 312f302d 06092a86 4886f70d 01090116 20636172 6d656e2e 77696e64

    69736368 40766964 656f2d74 6563686e 696b2e61 7430819f 300d0609 2a864886

    f70d0101 01050003 818d0030 81890281 8100a806 2822f09b 0743e641 2a57c89c

    01a91bbf bf6a112f 54bce28a 31534324 45a09a4e c78a64ac a2e00adb 84e9b546

    628836e5 449c1923 475922bb 1aed5dbf 557ee1e7 00a4f21f 325bbdf7 83dce59d

    c8bd66c0 4afe15e8 fbad492c d4b363b7 6967a8fe 2f3cf6c2 32fc4cea 18607123

    65279e88 100266b5 813089b5 bc375bda 14fb0203 010001a3 81d83081 d5300b06

    03551d0f 04040302 05a0301d 0603551d 0e041604 142056e6 68b919bc f96314df

    e0de0551 020e83a2 16303c06 092b0601 04018237 1507042f 302d0625 2b060104

    01823715 088586e4 1b82b985 5381ed8b 06868edf 2e87cecf 5670f3e2 2084b887

    24020164 02010230 1f060355 1d230418 30168014 b5fbe5d2 82e42667 959c014d

    25f4b397 81ad5d9b 30130603 551d2504 0c300a06 082b0601 05050802 02301b06

    092b0601 04018237 150a040e 300c300a 06082b06 01050508 02023016 0603551d

    11040f30 0d820b38 352e3132 3638352e 3838300d 06092a86 4886f70d 01010505

    00038201 01005bd7 51a2da8c 60eea83c 9a017cf4 bba68dc7 d0201e0a 85ad88db

    5b4da95a d08d8730 f94e4536 c0d2d217 69a0846e 7e2a99ab f5e877d1 e240354a

    06f5eab1 22f01cfa 01346c48 4733038f c70544a0 2389e758 fd67d912 5d13edfe

    0faeeadb a6e3ae16 13f225a0 04be942c a8af65ad a47516f3 f6dca239 4feb5f9a

    19280c3b 78eb821b a9aa30a9 1520ffa3 7c555b52 6337f518 9acf524c c7704a16

    fe0e0b82 d80e2753 c7038ed6 7f3ba19c 3b525675 bfd424ff 985b82c5 8dbd0c01

    8a9a280d b0ded3d0 5e0464c3 a4ef1899 ab192f6b 2566f6f2 2125fece 01b75558

    e83935d4 560bfc20 7ee20897 d193c948 36e297b0 b486784c 8a85c91e ce92d9c8

    9bd75a0e 913d

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable inside

crypto ikev1 enable inside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 10.1.2.1-10.1.2.32 inside

dhcpd dns 10.1.2.250 10.1.2.254 interface inside

dhcpd domain home interface inside

dhcpd option 3 ip 10.1.2.254 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.0.253

group-policy GroupPolicy_195.248.54.231 internal

group-policy GroupPolicy_195.248.54.231 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy VPN2LAN internal

group-policy VPN2LAN attributes

dns-server value 10.1.2.250

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN2LAN_splitTunnelAcl

default-domain value home

group-policy VPNCERT internal

group-policy VPNCERT attributes

dns-server value 10.1.2.250

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPNCERT_splitTunnelAcl

default-domain value home

username USERNAME password PASSWD encrypted

username USERNAME attributes

password-storage enable

service-type remote-access

username admin password PASSWD encrypted

username USERNAME1 password PASSWD encrypted privilege 15

username USERNAME1 attributes

vpn-idle-timeout none

password-storage enable

tunnel-group PUBLIC-IP Location B type ipsec-l2l

tunnel-group PUBLIC-IP Location B general-attributes

default-group-policy GroupPolicy_PUBLIC-IP Location B

tunnel-group PUBLIC-IP Location B ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group VPN2LAN type remote-access

tunnel-group VPN2LAN general-attributes

address-pool VPN-Pool

default-group-policy VPN2LAN

tunnel-group VPN2LAN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group VPNCERT type remote-access

tunnel-group VPNCERT general-attributes

address-pool VPN-Pool

default-group-policy VPNCERT

tunnel-group VPNCERT ipsec-attributes

ikev1 trust-point ASDM_TrustPoint1

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0f21b500871a9a1e0dc008a34c45ec36

: end

no asdm history enable

LOCATION B (878w)

Building configuration...

Current configuration : 1783 bytes

!

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

logging buffered 52000

!

no aaa new-model

crypto pki token default removal timeout 0

!

!

dot11 syslog

ip source-route

!

!

!

ip cef

!

!

!

!

username admin privilege 15 password 0 PASSWORD

!

!

controller DSL 0

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key PSK address PUBLIC-IP LOCATION A

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to LOCATION A

set peer PUBLIC-IP LOCATION A

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Dot11Radio0

no ip address

shutdown

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Vlan1

ip address 192.168.0.250 255.255.255.0

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip http server

ip http authentication local

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.0.253

!

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.0.0 0.0.0.255 172.20.2.0 0.0.0.255

!

!

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

login

transport input all

!

end

5 Replies 5

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Why are you only using a single interface on each device? It seems like you have connected the LAN side of each device to your Internet router instead of dedicating one interface to be the WAN interface.

- Jouni

yes, that´s right! both devices are connected to LAN with one interface. i´m using the devices just for vpn connection! no routing.

Hi,

Can't say I have seen a setup like this before Or atleast done in this way.

It seems to me that there are atleast problems on the ASA side.

Seems to me that you have 2 VPN Client configurations so I am not sure which needs the additions since they use the same VPN Pool. You need to add the remote network to the Split Tunnel ACL

access-list VPN2LAN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list VPNCERT_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

Then it also seems that you have not added the VPN Pool to the Encryption Domain of the L2L VPN connection

access-list inside_cryptomap extended permit ip 172.20.2.0 255.255.255.240 object LAN-Firma

Because of your setup (using a single interface) I am not sure if you even need a separate NAT0 configuration for the this traffic but if it were needed you could add this

object network VPN-POOL

subnet 172.20.2.0 255.255.255.240

object network REMOTE-LAN

subnet 192.168.0.0 255.255.255.0

nat (inside,inside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN

I am not sure where the problem with the VPN going comes from. It might be related to the fact that you are missing configurations on the ASA side and you have only added configurations to the Router side which makes the L2L VPN configurations so that they dont match.

- Jouni

i did it with your description, but the tunnel always goes down when i send traffic to the 172er subnet...

it looks like the 172 net is routet by the default route 0.0.0.0 0.0.0.0 192.168.0.253. Is there a way to deny the 172 net by the default route?