Solved: VPN site-to-site acces through a client VPN

harinirina · ‎08-08-2012

Hi all,

From our headquarter, we use a vpn site-to-site to connect to another site and it works fine.

we have just configured VPN client on our headquarter, remote VPN user can access the LAN in headquarter.

We need that remote user can also access the LAN in the other site, but it does not work.

The site-to-site VPN and VPN client are configured on the same device, using same outside interface.

The adress pool for vpn client is already included in the address allowed to go through site-to-site VPN.

We would like to know if it is possible to access site-to-site VPN when connecting to VPN client and when the architecture is as mentionned above?

in case we use different devices and different internet connection for VPN client and site-to-site VPN, could we access the LAN in the other site via remote VPN user ?

Regards,

Jennifer Halim · ‎08-08-2012

Since you already have 10.13.0.0/16 in your site-to-site crypto ACL, that already includes the vpn pool so you don't need to specifically configure it.

You are missing the following command:

same-security-traffic permit intra-interface

The split tunnel ACL should be standard ACL as follows:

access-list ACL-CL-VPN permit 10.13.0.0 255.255.0.0

access-list ACL-CL-VPN permit 10.14.0.0 255.255.248.0

View solution in original post

Jennifer Halim · ‎08-08-2012

Yes, you should be able to access the remote LAN subnet via VPN Client through the LAN-to-LAN tunnel.

Can you share your config on both end to see if there might be missing config.

harinirina · ‎08-08-2012

Hi Jennifer,

Thanks for your prompt reply, we extremelly appreciate.

We would like to know if the IP of the remote VPN user should be also specified in the ACL for site-to-site VPN ?

Please, find below the configuration in the headquarter

==========

ASA Version 8.2(5)

interface GigabitEthernet0/0

nameif INSIDE-1

security-level 100

ip address 10.13.6.225 255.255.255.240

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address IP_Pub 255.255.255.252

!

regex domainlist1 "\.youtube\.com"

ftp mode passive

dns server-group DefaultDNS

domain-name dmn.mg

same-security-traffic permit inter-interface

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

access-list outside_mpc extended permit ip any any

access-list ACL-VPN extended permit ip 10.13.0.0 255.255.0.0 10.14.0.0 255.255.248.0

access-list ACL-VPN extended permit ip any 10.13.16.0 255.255.255.248

access-list ACL-VPN extended permit ip 10.14.0.0 255.255.248.0 10.13.16.0 255.255.255.248

access-list ACL-VPN extended permit ip 10.13.16.0 255.255.255.248 10.14.0.0 255.255.248.0

access-list NAT extended permit ip 10.13.0.0 255.255.0.0 any

access-list url_inspection extended permit tcp any any eq www

access-list url_inspection extended permit tcp any any eq 8080

access-list INSIDE-1_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

access-list outside_access_in extended permit icmp any any

access-list REDISTR standard deny host 0.0.0.0

access-list REDISTR standard permit any

access-list outside_3_cryptomap extended permit ip 10.13.0.0 255.255.0.0 10.14.0.0 255.255.248.0

access-list ACL-CL-VPN extended permit ip 10.13.0.0 255.255.0.0 10.13.16.0 255.255.255.248

access-list ACL-CL-VPN extended permit ip 10.14.0.0 255.255.248.0 10.13.16.0 255.255.255.248

pager lines 24

logging enable

logging asdm informational

mtu INSIDE-1 1500

mtu INSIDE-2 1500

mtu dmz 1500

mtu outside 1500

mtu management 1500

ip local pool PoolCstr 10.13.16.1-10.13.16.7 mask 255.255.255.248

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any INSIDE-1

icmp permit any INSIDE-2

icmp permit any dmz

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (INSIDE-1) 0 access-list ACL-VPN

nat (INSIDE-1) 1 access-list NAT

access-group INSIDE-1_access_in in interface INSIDE-1

access-group outside_access_in in interface outside

!

route-map REDISTR permit 10

match ip address REDISTR

!

router eigrp 7

no auto-summary

network 10.13.6.224 255.255.255.240

redistribute static metric 1 1 1 1 1

!

route outside 0.0.0.0 0.0.0.0 IP_NXT_HOP 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer PEER_IP_ADDR

crypto map outside_map 3 set transform-set ESP-AES-256-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 30

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

group-policy BkpCstr internal

group-policy BkpCstr attributes

wins-server value WINS_IP

dns-server value DNS_IP

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ACL-CL-VPN

default-domain value dmn.mg

username UsrCstr password 27IV6SctvRia91lD encrypted

username dmn password opz3BUccXnuS9BZU encrypted privilege 15

tunnel-group PEER_IP_ADDR type ipsec-l2l

tunnel-group PEER_IP_ADDR ipsec-attributes

pre-shared-key *****

tunnel-group BkpCstr type remote-access

tunnel-group BkpCstr general-attributes

address-pool PoolCstr

default-group-policy BkpCstr

tunnel-group BkpCstr ipsec-attributes

pre-shared-key *****

!

class-map type regex match-any DomainBlockList

match regex domainlist1

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

class-map ips-class

match access-list outside_mpc

class-map inspection_default

match default-inspection-traffic

class-map httptraffic

match access-list url_inspection

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map type inspect http http_inspection_policy

parameters

protocol-violation action drop-connection

match request method connect

drop-connection log

class BlockDomainsClass

reset log

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

policy-map outside-policy

description IPS policy

class ips-class

ips inline fail-open sensor vs0

policy-map inside-policy

description URL_inspection policy and IPS policy

class httptraffic

inspect http http_inspection_policy

class ips-class

ips inline fail-open sensor vs0

!

service-policy global_policy global

service-policy inside-policy interface INSIDE-1

service-policy outside-policy interface dmz

service-policy outside-policy interface outside

======

We do not have the configuration of the other site.

The site-to-site vpn works fine when we connect from the headquater.

It's sure the ACL for the site-to-site VPN on the other site is

permit ip 10.14.0.0 255.255.248.0 10.13.0.0 255.255.0.0

Regards,

Jennifer Halim · ‎08-08-2012

Since you already have 10.13.0.0/16 in your site-to-site crypto ACL, that already includes the vpn pool so you don't need to specifically configure it.

You are missing the following command:

same-security-traffic permit intra-interface

The split tunnel ACL should be standard ACL as follows:

access-list ACL-CL-VPN permit 10.13.0.0 255.255.0.0

access-list ACL-CL-VPN permit 10.14.0.0 255.255.248.0

harinirina · ‎08-20-2012

Hi Jennifer,

Thanks a lot for your helpful reply, we extremmely appreciate.

it works fine now.