Re: Remote VPN users access to site to site networks (mostly configured)



On Thu, 18 Feb 2010 00:35:58 -0600, John Smyth wrote:

I’m not sure which piece I am missing but I think I am almost there.

Setup is:

-----------------          -----------------          -----------------
|VPN            |          |ASA            |          |PIX            |
|connections    |--works---|5520           |---works--|506E           |
|IP range       |          |inside IP      |          |inside IP      |
|192.168.27.0/24|          |192.168.26.0/24|          |192.168.4.0/24 |
-----------------          -----------------          -----------------
        |                                                     |
        -----------no communication between VPN and PIX-------


The ASA ASDM's packet trace says both directions between the PIX and the
VPN connections should work (192.168.27.x <-> 192.168.4.x). I think
there is still something on the PIX that is not saying that the tunnel
to 192.168.26.x also contains 192.168.27.x.

Can anyone see where I am missing an entry, or making a mistake?

Thanks in advance.

John

------- PIX configuration ----------

: Saved
: Written by enable_15 at 08:23:34.545 MST Wed Feb 17 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname PIX
domain-name domain.com
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.26.0 colo
name 192.168.27.0 colo-vpns
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
pager lines 1000
logging on
logging history informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.4 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnrange 192.168.5.50-192.168.5.100
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server host inside 192.168.4.184
snmp-server host inside 192.168.4.50
snmp-server location earth
snmp-server contact admin
snmp-server community community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address access1
crypto map newmap 40 set peer 10.10.10.166
crypto map newmap 40 set transform-set esp-3des-md5
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key XXX address 10.10.10.166 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpngroup1 address-pool vpnrange
vpngroup vpngroup1 dns-server 192.168.4.12
vpngroup vpngroup1 default-domain domain.com
vpngroup vpngroup1 split-tunnel vpngroup1_splitTunnelAcl
vpngroup vpngroup1 idle-time 7200
vpngroup vpngroup1 password XXX
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.4.155-192.168.4.230 inside
dhcpd dns 192.168.4.12
dhcpd wins 192.168.4.12
dhcpd lease 14400
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd auto_config outside
dhcpd enable inside
username admin password XXX encrypted privilege 15
terminal width 80
Cryptochecksum:e3903383e5abec6f52cf29db4e87d29c
: end



------ ASA configuration ---------
: Saved
: Written by enable_15 at 04:30:22.421 UTC Thu Feb 18 2010
!
ASA Version 8.2(2)
!
hostname ASA-5520
domain-name domain.com
enable password XXX encrypted
passwd XXX encrypted
no names
!
interface GigabitEthernet0/0
 nameif internet
 security-level 0
 ip address 10.10.10.166 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 75
 ip address 192.168.26.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup internet
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.26.103
 name-server 192.168.4.19
 domain-name domain.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.164
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list internet_access_in extended permit object-group TCPUDP any host 10.10.10.166 eq www
access-list internet_access_in extended permit tcp any host 10.10.10.166 eq https
access-list internet_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 10.10.10.166 eq smtp
access-list internap_access extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list internet_1_cryptomap extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip any 192.168.27.0 255.255.255.0
access-list Split_tunnel_list standard permit 192.168.26.0 255.255.255.0
access-list Split_tunnel_list standard permit 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging buffered debugging
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu management 1500
ip local pool CLIENT_VPNS 192.168.27.100-192.168.27.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (internet) 101 192.168.26.2-192.168.26.254 netmask 255.255.255.0
global (internet) 102 interface
nat (internet) 102 192.168.26.0 255.255.255.0
nat (inside) 0 access-list vpns
nat (inside) 102 192.168.26.0 255.255.255.0
nat (management) 102 0.0.0.0 0.0.0.0
static (inside,internet) tcp interface www 192.168.26.107 www netmask 255.255.255.255
static (inside,internet) udp interface www 192.168.26.107 www netmask 255.255.255.255
static (inside,internet) tcp interface https 192.168.26.102 https netmask 255.255.255.255
static (inside,internet) tcp interface smtp 192.168.26.102 smtp netmask 255.255.255.255
access-group internet_access_in in interface internet
access-group inside_access_in in interface inside
route internet 0.0.0.0 0.0.0.0 10.10.10.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 192.168.26.103
 nt-auth-domain-controller 192.168.26.103
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.26.111 255.255.255.255 inside
http 192.168.26.101 255.255.255.255 inside
http 192.168.4.0 255.255.255.0 inside
snmp-server host inside 192.168.4.184 poll community community
snmp-server location mars
snmp-server contact admin
snmp-server community community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet_map 1 match address vpns
crypto map internet_map 1 set pfs
crypto map internet_map 1 set peer 10.10.10.164
crypto map internet_map 1 set transform-set ESP-3DES-MD5
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto isakmp enable internet
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.26.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 internet
ssh 192.168.26.101 255.255.255.255 inside
ssh 192.168.26.111 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.26.25-192.168.26.50 inside
dhcpd dns 192.168.26.103 192.168.4.19 interface inside
dhcpd domain domain.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.50-192.168.1.75 management
dhcpd dns 192.168.26.103 192.168.4.19 interface management
dhcpd wins 192.168.26.103 192.168.4.19 interface management
dhcpd domain domain.com interface management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.26.111 /
webvpn
 port 4443
 enable internet
 dtls port 4443
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.26.103
 dns-server value 192.168.26.103
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-dns value domain.com
group-policy phonehome internal
group-policy phonehome attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VP internal
group-policy VP attributes
 wins-server value 192.168.26.103 192.168.4.19
 dns-server value 192.168.26.103 192.168.4.19
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
 default-domain value domain.com
group-policy TAC internal
group-policy TAC attributes
 vpn-tunnel-protocol svc
username user1 password XXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group DOMAIN
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group none
tunnel-group 10.10.10.164 type ipsec-l2l
tunnel-group 10.10.10.164 ipsec-attributes
 pre-shared-key r0@D@pp1L3
tunnel-group CLIENT_VPN type remote-access
tunnel-group CLIENT_VPN general-attributes
 authentication-server-group DOMAIN
 default-group-policy VP
tunnel-group CLIENT_VPN ipsec-attributes
 pre-shared-key junction
tunnel-group VP type remote-access
tunnel-group VP general-attributes
 address-pool CLIENT_VPNS
 authentication-server-group DOMAIN
 authentication-server-group (inside) DOMAIN
 default-group-policy VP
tunnel-group VP webvpn-attributes
 group-alias VP enable
 group-url https://10.10.10.166:4443/VP enable
tunnel-group VP ipsec-attributes
 pre-shared-key key1
tunnel-group VP ppp-attributes
 authentication ms-chap-v2
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@xxxxxxxxx
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c7ead81dc4b832a83e584386eb556a4
: end

And just because I hate seeing these months and years later with no
solution:

all I needed to do to get traffic flowing was enter the command
"same-security-traffic permit intra-interface" from the CLI in configure mode.

good luck to all that have this similar problem.
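Added example, not from the thread or from either box's own tooling: a small Python check that reads the crypto ACLs out of both configs posted above and does mechanically what John was doing by eye, then flags the hairpin that his fix addresses. The two config strings are trimmed copies of the PIX and ASA configs in the post (the `name` aliases, the crypto-map ACLs, the remote-access pool); the parsing and the hairpin rule are mine. The rule assumes what the post shows: remote-access clients terminate on the same interface (`internet`) that the site-to-site crypto map is bound to, so a client-to-PIX packet enters and leaves the ASA on one interface, and the ASA drops that by default until `same-security-traffic permit intra-interface` is set.

```python
import ipaddress
import re

# Constructed excerpts of the two configs from the post; only the lines the
# checks need are kept, one command per line.
PIX_CONFIG = """\
name 192.168.26.0 colo
name 192.168.27.0 colo-vpns
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
crypto map newmap 40 match address access1
crypto map newmap 40 set peer 10.10.10.166
crypto map newmap interface outside
"""

ASA_CONFIG = """\
ip local pool CLIENT_VPNS 192.168.27.100-192.168.27.250 mask 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip any 192.168.27.0 255.255.255.0
crypto map internet_map 1 match address vpns
crypto map internet_map 1 set peer 10.10.10.164
crypto map internet_map interface internet
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _names(config):
    """PIX-style `name <ip> <label>` aliases, as label -> address."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)$", config, re.M)}


def _network(tokens, names):
    """Consume one ACL address term (any | host X | ADDR MASK), resolving
    PIX name aliases; return (ip_network, remaining tokens)."""
    head = tokens[0]
    if head == "any":
        return ANY, tokens[1:]
    if head == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(head, head)
    return ipaddress.ip_network(f"{addr}/{tokens[1]}"), tokens[2:]


def crypto_acl_pairs(config):
    """Set of (src, dst) proxy identities protected by every crypto map entry
    on this box, as a set of CIDR string pairs."""
    names = _names(config)
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M))
    pairs = set()
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) (?:extended )?permit ip (.+)$", line)
        if not m or m.group(1) not in acls:
            continue
        src, rest = _network(m.group(2).split(), names)
        dst, _ = _network(rest, names)
        pairs.add((str(src), str(dst)))
    return pairs


def unmirrored(local, remote):
    """Proxy identities on `local` that `remote` does not protect in the
    reverse direction; a phase 2 SA will never come up for these."""
    return sorted(p for p in local if (p[1], p[0]) not in remote)


def hairpin_needs_intra_interface(config):
    """True when a remote-access address pool is also a source network in the
    site-to-site crypto ACL (client traffic enters and leaves on the crypto-map
    interface) and the config does not permit intra-interface traffic.
    Assumption: remote-access sessions terminate on the crypto-map interface."""
    if re.search(r"^same-security-traffic permit intra-interface$", config, re.M):
        return False
    sources = {ipaddress.ip_network(s) for s, _ in crypto_acl_pairs(config)}
    for lo, hi in re.findall(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M):
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if any(lo_ip in net and hi_ip in net for net in sources if net != ANY):
            return True
    return False


def report(pix=PIX_CONFIG, asa=ASA_CONFIG):
    """Cross-check both sides and return the findings as a dict."""
    pix_pairs, asa_pairs = crypto_acl_pairs(pix), crypto_acl_pairs(asa)
    return {
        "pix_unmirrored": unmirrored(pix_pairs, asa_pairs),
        "asa_unmirrored": unmirrored(asa_pairs, pix_pairs),
        "asa_needs_intra_interface": hairpin_needs_intra_interface(asa),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as-is it reports no unmirrored PIX entries (the PIX does already carry 192.168.27.0/24, so the poster's first suspicion was unfounded), one ASA entry the PIX never protects (`any -> 192.168.27.0/24`, which only makes sense for the `nat (inside) 0` use of the same ACL and is dead weight in the crypto map), and that the ASA needs the intra-interface permit, which is the fix the post ends with.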


