04.29.2008 at 11:41AM PDT, ID: 23363118

ASA 5505 VPNs to 3005 concentrator, network behind ASA can talk to network behind 3005 but ASA itself cannot talk to network behind 3005

Asked by citrc in Virtual Private Networking (VPN), Networking Hardware Firewalls, Cisco PIX Firewall

Tags: Cisco, ASA 5505

I am working on setting up an ASA 5505 at a remote site (192.168.12.0/24) that I want to connect back to a 3005 VPN concentrator at another site (192.168.15.0/24). We need all of the .12 network to be able to talk to all of the .15 network and vice versa. The ASA is set up as a VPN Easy Remote with IPSEC over TCP back to the 3005 (as a remote access client... like the old 3002 hardware client did).

Currently the ASA connects just fine... and the network behind the ASA (.12) can see the network behind the 3005 (.15) just fine, but we have two problems:

1)  The ASA itself cannot talk to the .15 network

2)  The .15 network (including the 3005) cannot talk to any of the .12 network.

This is the ASA config:


: Saved
:
ASA Version 7.2(3)
!
hostname franklinasa5505
domain-name blah.com
enable password <removed> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd <removed> encrypted
banner login This device is monitored:  Logoff immediately if you do not have written permission to access this device.
banner asdm This device is monitored:  Logoff immediately if you do not have written permission to access this device.
ftp mode passive
clock timezone
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.15.xxx
 name-server 192.168.15.xxx
 domain-name domain.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging list nformational level informational
logging trap nformational
logging asdm informational
logging from-address blah@blah.com
logging recipient-address blah@blah.com level errors
logging device-id ipaddress inside
logging host inside 192.168.15.xxx
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool pool01 192.168.12.25-192.168.12.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.12.0 255.255.255.0 inside
http 192.168.15.0 255.255.255.0 inside
snmp-server host inside 192.168.15.xxx poll community public
snmp-server host inside 192.168.15.xxx poll community public
snmp-server location theplace
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp disconnect-notify
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.15.xxx 192.168.15.xxx
dhcpd wins 192.168.15.xxx 192.168.15.xxx
dhcpd domain blah.com
dhcpd auto_config outside
!
dhcpd address 192.168.12.100-192.168.12.150 inside
dhcpd dns 192.168.15.xxx 192.168.15.xxx interface inside
dhcpd wins 192.168.15.xxx 192.168.15.xxx interface inside
dhcpd domain blah.com interface inside
dhcpd enable inside
!
vpnclient server <externalipofvpnconcentrator>
vpnclient mode client-mode
vpnclient vpngroup franklin password ********
vpnclient username franklinvpn password ********
vpnclient ipsec-over-tcp port xyz123
vpnclient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.15.xxx
prompt hostname context
Cryptochecksum:1111
: end
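The posted running-config is long enough that reading it by hand is error-prone, so here is an added example (not part of the original question or its answers) that parses the ASA 7.x config format into a small structure and reports the settings a reviewer would want to see at a glance: which ACLs permit ip any any and where they are bound, whether the default SNMP community is in use, whether cleartext telnet management is enabled, and which Easy VPN mode the vpnclient block selects. The SAMPLE_CONFIG string is a constructed excerpt of the config above with the same masked values; the finding codes are this example's own labels; the note on client mode restates Cisco's documented behaviour (client mode PATs inside hosts behind the VPN-assigned address) and is not taken from the hidden answers.

```python
"""Parse an ASA 7.x running-config excerpt and flag settings worth a second
look.  Added example, not part of the original question; the excerpt below is
constructed from the post with addresses masked exactly as the asker did."""
from dataclasses import dataclass, field

# Constructed excerpt of the posted running-config (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
snmp-server host inside 192.168.15.xxx poll community public
snmp-server community public
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.12.0 255.255.255.0 inside
vpnclient server <externalipofvpnconcentrator>
vpnclient mode client-mode
vpnclient ipsec-over-tcp port xyz123
vpnclient enable
"""


@dataclass
class AsaConfig:
    interfaces: dict = field(default_factory=dict)     # nameif -> attributes
    acls: dict = field(default_factory=dict)           # ACL name -> list of ACEs
    access_groups: list = field(default_factory=list)  # (acl, direction, interface)
    snmp_communities: set = field(default_factory=set)
    telnet_sources: list = field(default_factory=list)  # (net, mask, interface)
    vpnclient: dict = field(default_factory=dict)      # keyword -> argument text


def parse_asa_config(text):
    """Single pass over the config; indented lines belong to the open interface."""
    cfg = AsaConfig()
    current_if = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in '!:':           # section separator or comment
            current_if = None
            continue
        if line.startswith('interface '):
            current_if = {'name': line.split()[1]}
            continue
        words = line.split()
        if line[0] == ' ' and current_if is not None:   # interface sub-command
            if words[0] == 'nameif':
                current_if['nameif'] = words[1]
                cfg.interfaces[words[1]] = current_if
            elif words[0] == 'security-level':
                current_if['security_level'] = int(words[1])
            elif words[:2] == ['ip', 'address']:
                current_if['ip'] = ' '.join(words[2:])
            continue
        current_if = None                          # back at global level
        if words[0] == 'access-list':
            cfg.acls.setdefault(words[1], []).append(' '.join(words[2:]))
        elif words[0] == 'access-group':
            cfg.access_groups.append((words[1], words[2], words[4]))
        elif words[0] == 'snmp-server' and 'community' in words:
            cfg.snmp_communities.add(words[words.index('community') + 1])
        elif words[0] == 'telnet' and len(words) == 4:
            cfg.telnet_sources.append((words[1], words[2], words[3]))
        elif words[0] == 'vpnclient':
            cfg.vpnclient[words[1]] = ' '.join(words[2:])
    return cfg


def audit(cfg):
    """Return (code, message) findings; the codes are this example's own labels."""
    findings = []
    for name, aces in cfg.acls.items():
        if 'extended permit ip any any' in aces:
            bound = [f'{d} on {i}' for a, d, i in cfg.access_groups if a == name]
            findings.append(('ACL_PERMIT_ANY',
                             f'{name} permits ip any any ({", ".join(bound) or "unbound"})'))
    if 'public' in cfg.snmp_communities:
        findings.append(('SNMP_DEFAULT_COMMUNITY',
                         'SNMP community "public" is configured'))
    if cfg.telnet_sources:
        findings.append(('TELNET_ENABLED',
                         f'cleartext telnet management allowed from '
                         f'{len(cfg.telnet_sources)} source(s)'))
    if cfg.vpnclient.get('mode') == 'client-mode':
        # Cisco-documented behaviour of Easy VPN client mode, stated as context.
        findings.append(('EZVPN_CLIENT_MODE',
                         'Easy VPN client mode: inside hosts are PATed behind the '
                         'VPN-assigned address, so the hub side cannot initiate to them'))
    return findings


if __name__ == '__main__':
    for code, msg in audit(parse_asa_config(SAMPLE_CONFIG)):
        print(f'{code:24} {msg}')
```

Run it against a full `show running-config` dump to get the same report for a real box; the parser only tracks the handful of commands the audit needs, so unknown lines are skipped rather than rejected.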

About this solution

Zones: Virtual Private Networking (VPN), Networking Hardware Firewalls, Cisco PIX Firewall
Tags: Cisco, ASA 5505
Solution Provided By: citrc
Participating Experts: 1
Solution Grade: A