[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.1

Connecting to VPN router (1811w) behind ASA that terminates VPNS already

Asked by justin_smith in Cisco PIX Firewall, Virtual Private Networking (VPN), Network Routers

Tags: Cisco, 1811w and ASA 5520

Hi All,

i have a problem. I have setup my Cisco ASA 5520 as a VPN gateway for our users. We also have a Cisco 1811w in the internal network which connects our internal networks together. (192.168.1.x, 192.168.5.x and 10.0.1.x)

The asa's internal address is 192.168.1.89 so therefore when the users connect via vpn they can access everything on the 192.168.1.x network and nothing else.

Now i need IT to be able to access the 10.0.1.x and 192.168.5.0 networks via VPN, so i want top terminate IT's vpns on the 1811w (it has physicalc onnections to all three networks and routes between them)

the first config is the 1811w and the second config is the ASA

1811w:

Building configuration...

Current configuration : 5936 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-295350064
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-295350064
 revocation-check none
 rsakeypair TP-self-signed-295350064
!
!
crypto pki certificate chain TP-self-signed-295350064
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32393533 35303036 34301E17 0D303830 36313730 31353232
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3239 35333530
  30363430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  DA6FA8A8 D4095047 0917A8C6 12054F27 4D9B41CE C12D19BE C2D5ACE4 C1719D77
  7D689605 1515AA83 5FBB196F 1356267A C02C9841 9B740516 AFE6FCC5 AF46B8B2
  0CC67CA1 BEC59631 7719F556 55CCC795 8CB2488A 05D528EE 01FB724B 2A22880D
  46F33388 CD094B0D DFA36537 EED71F0B 2E8D29B4 00BA5666 C5154188 45BBE143
  02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
  11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 1680140C CBC8DC56 286D55D8 D2C5C5C0 17D2643A 5ECF7B30
  1D060355 1D0E0416 04140CCB C8DC5628 6D55D8D2 C5C5C017 D2643A5E CF7B300D
  06092A86 4886F70D 01010405 00038181 005F5A9F 7093E988 A234C0D5 8A5666F5
  9F696312 2B8C15F6 CC5B5318 02195273 99A9F81A 9AB9C48F 658F197C DD4292ED
  0ED9BE51 00D5A0CF 4C94AD15 2739482B 3870ECDF DD031D2D 78A29CAC 9AB61B92
  22AD04D3 75A44964 FAB84548 2A7C8A71 97790233 22CF045D 5201B5F3 591E6A3F
  C8235CDD 09E11D16 AD1AD7C2 AABDE214 5B
        quit
dot11 syslog
!
dot11 ssid Idstxtra
   authentication open
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$AsxG$u4y/R9CVETuNE2bmn2hUJ1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group IT
 key R0ckcl1mb
 dns 192.168.1.3 192.168.1.6
 wins 192.168.1.3
 domain Milperra.lonsyd.com.au
 pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
   match identity group IT
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 61.88.220.38 255.255.255.0
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption key 1 size 40bit 0 0297836113 transmit-key
 encryption mode wep mandatory
 !
 ssid Idstxtra
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption key 1 size 40bit 0 0297836113 transmit-key
 encryption mode wep mandatory
 !
 ssid Idstxtra
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ES_LAN$
 no ip address
!
interface Vlan2
 ip address 192.168.1.180 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.5.60 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 10.0.1.200 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool SDM_POOL_1 192.168.30.1 192.168.30.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.89 permanent
ip route 10.0.1.0 255.255.255.0 Vlan4 permanent
ip route 61.88.220.0 255.255.255.0 Vlan3 permanent
ip route 192.168.1.0 255.255.255.0 Vlan2 permanent
ip route 192.168.2.0 255.255.255.0 Vlan2 permanent
ip route 192.168.5.0 255.255.255.0 Vlan3 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
end



1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:

Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(2) 
!
hostname LonsydASA
domain-name x.x.x.x
enable password M28DC8GpviqlPXJP encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address x.x.x.x 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif Test
 security-level 100
 ip address 192.168.7.89 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif Lonsyd
 security-level 100
 ip address 192.168.1.89 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif IT
 security-level 100
 ip address 192.168.5.89 255.255.255.0 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server x.x.x.x
 domain-name x.x.x.x
same-security-traffic permit intra-interface
object-group network NZ
 network-object 192.168.2.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RealVNC tcp
 port-object eq 5900
object-group service Sql tcp
 port-object range 1433 1434
object-group service Blackberry tcp-udp
 port-object eq 3101
object-group service RTP tcp-udp
 port-object eq 8000
object-group service PIUSI tcp
 port-object eq 7979
object-group service CiscoVPN tcp
 port-object eq 10000
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 61.88.220.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list WAN_access_in extended permit ip 192.168.20.0 255.255.255.0 any 
access-list WAN_access_in extended permit icmp any any 
access-list WAN_access_in extended permit object-group TCPUDP any any eq sip 
access-list WAN_access_in extended permit object-group TCPUDP any any object-group Blackberry 
access-list WAN_access_in extended permit object-group TCPUDP any any object-group RTP 
access-list WAN_access_in extended permit tcp any any eq pop3 
access-list WAN_access_in extended permit tcp any any eq ssh 
access-list WAN_access_in extended permit tcp any any object-group CiscoVPN 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 10.0.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.20.0 255.255.255.0 any 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list WAN_nat0_outbound extended permit ip any any 
access-list pingtraffic extended permit icmp any any echo-reply 
access-list Local_LAN_Access standard permit 192.168.7.0 255.255.255.0 
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0 
access-list Local_LAN_Access standard permit x.x.x.x 255.255.255.0 
access-list Local_LAN_Access standard permit 192.168.2.0 255.255.255.0 
access-list Local_LAN_Access standard permit 10.0.1.0 255.255.255.0 
access-list Local_LAN_Access standard permit 192.168.5.0 255.255.255.0 
access-list WAN_access_out extended permit ip any any 
access-list WAN_access_out_1 extended permit ip any 192.168.20.0 255.255.255.0 
access-list WAN_access_out_1 extended permit icmp any any 
access-list WAN_access_out_1 extended permit tcp any any eq ftp 
access-list WAN_access_out_1 extended permit tcp any any eq ftp-data 
access-list WAN_access_out_1 extended permit tcp any any eq https 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any eq sip 
access-list WAN_access_out_1 extended permit tcp any any eq smtp 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any eq www 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any object-group Blackberry 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any object-group RTP 
access-list WAN_access_out_1 extended permit tcp any any eq pop3 
access-list WAN_access_out_1 extended permit tcp any any object-group PIUSI 
access-list WAN_access_out_1 extended permit tcp any any object-group CiscoVPN 
access-list Lonsyd_access_in extended permit ip any any 
access-list Lonsyd_access_in_1 extended permit ip any any 
access-list Lonsyd_access_out extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Test 1500
mtu Lonsyd 1500
mtu IT 1500
ip local pool Lonsyd 192.168.20.1-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (WAN) 101 interface
nat (WAN) 0 access-list WAN_nat0_outbound
nat (WAN) 101 192.168.1.0 255.255.255.0
nat (WAN) 101 192.168.20.0 255.255.255.0
nat (Test) 0 access-list inside_nat0_outbound
nat (Lonsyd) 0 access-list inside_nat0_outbound
nat (Lonsyd) 101 10.0.1.0 255.255.255.0
nat (Lonsyd) 101 192.168.1.0 255.255.255.0
nat (Lonsyd) 101 192.168.5.0 255.255.255.0
nat (IT) 0 access-list inside_nat0_outbound
nat (IT) 101 61.88.220.0 255.255.255.0
static (Lonsyd,WAN) x.x.x.x 192.168.1.2 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group WAN_access_out_1 out interface WAN
access-group Lonsyd_access_in_1 in interface Lonsyd
access-group Lonsyd_access_out out interface Lonsyd
route WAN 0.0.0.0 0.0.0.0 61.88.220.230 1
route Lonsyd 10.0.1.0 255.255.255.0 192.168.1.180 1
route Lonsyd 192.168.2.0 255.255.255.0 192.168.1.254 1
route Lonsyd 192.168.5.0 255.255.255.0 192.168.1.180 1
route Lonsyd 192.168.20.0 255.255.255.0 192.168.1.89 1
route Lonsyd 192.168.254.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.13 255.255.255.255 Test
http 192.168.7.69 255.255.255.255 Test
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map WAN_dyn_map 20 set pfs 
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto isakmp identity hostname 
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.69 255.255.255.255 Lonsyd
telnet timeout 5
ssh 192.168.7.69 255.255.255.255 Test
ssh 192.168.7.13 255.255.255.255 Test
ssh 192.168.1.69 255.255.255.255 Lonsyd
ssh timeout 5
console timeout 0
vpn load-balancing 
 interface lbpublic IT
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 20
 vpn-idle-timeout none
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
group-policy Lonsyd internal
group-policy Lonsyd attributes
 wins-server value 192.168.1.3
 dns-server value x.x.x.x x.x.x.x
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
 default-domain value x.x.x.x
group-policy IT internal
group-policy IT attributes
 wins-server value 192.168.1.3
 dns-server value 192.168.1.3 x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
group-policy IDS internal
group-policy IDS attributes
 wins-server value 192.168.1.3
 dns-server value 192.168.1.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
 default-domain value x.x.x.x
 address-pools value Lonsyd
 
 
************
Vpn User info omitted
************
 
 
prompt hostname context 
Cryptochecksum:287f89d9ebd27f40b16f0734dc50d74f
: end
[+][-]10/01/08 01:17 AM, ID: 22612362Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]10/01/08 02:19 AM, ID: 22612584Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]10/01/08 07:18 AM, ID: 22614512Accepted Solution

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zones: Cisco PIX Firewall, Virtual Private Networking (VPN), Network Routers
Tags: Cisco, 1811w and ASA 5520
Sign Up Now!
Solution Provided By: lrmoore
Participating Experts: 3
Solution Grade: A
 
[+][-]10/01/08 11:21 AM, ID: 22617371Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20091021-EE-VQP-81 - Hierarchy / EE_QW_2_20070628