04.29.2008 at 03:11PM PDT, ID: 23363831

How to get hairpinning working on an ASA 5510

Asked by wcstrategy in Virtual Private Networking (VPN)

I have several site-to-site VPNs established as well as a Remote Access VPN.  The one thing that I am missing is the ability for the Remote VPN users to access resources on the other end of the site-to-site VPNs.  I've been trying things for a while now to no avail, so hopefully someone can help.  My attempts at finding a solution may have led to some unnecessary clutter in my config which I'll copy below.

: Saved
:
ASA Version 8.0(3)
!
hostname wcsasa
domain-name mydomain.com
enable password ********* encrypted
names
name 192.168.24.0 S-nets
name 192.168.1.0 E-1
name 172.31.0.0 E-172-31
name 172.29.9.0 E-172-29
name 192.168.50.0 E-50
name 192.168.8.0 El-nets
name 192.168.40.0 G-nets
name 76.12.1.0 HMS-E-nets
name 66.241.194.0 HMS-QW-nets
name 192.168.100.0 RADR100
name 192.168.101.0 RADR101
name 192.168.12.0 WCS_plus_VPN_clients
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 67.152.34.218 255.255.255.248
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.12.3 255.255.254.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.211.1 255.255.255.0
 management-only
!
passwd ********** encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.12.5
 name-server 192.168.12.6
 domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN-Clients
 network-object 192.168.15.0 255.255.255.0
object-group network E
 network-object E-1 255.255.255.0
 network-object E-50 255.255.255.0
 network-object E-172-31 255.255.255.0
 network-object E-172-29 255.255.255.0
 network-object host 147.31.204.97
object-group network El
 network-object El-nets 255.255.252.0
object-group network G
 network-object G-nets 255.255.252.0
object-group network SG
 network-object S-nets 255.255.255.0
object-group network Education-HMS
 network-object HMS-E-nets 255.255.255.0
object-group network QW-HMS
 network-object HMS-QW-nets 255.255.255.0
object-group network WCS-NETS
 network-object WCS_plus_VPN_clients 255.255.254.0
object-group service Site2Site tcp
 port-object eq 88
 port-object eq 3269
 port-object eq imap4
 port-object eq 3268
 port-object eq telnet
 port-object eq domain
 port-object eq 379
 port-object eq smtp
 port-object eq 135
 port-object eq ldaps
 port-object eq 42
 port-object eq netbios-ssn
 port-object eq 3389
 port-object eq www
 port-object eq 445
 port-object eq https
 port-object eq ldap
object-group network EDDSites
 group-object E
 group-object El
 group-object G
 group-object SG
object-group service Site2SiteUDP tcp-udp
 port-object eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type testingping
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object echo
object-group network RADR
 network-object RADR100 255.255.255.0
 network-object RADR101 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object RADR100 255.255.255.0
 network-object RADR101 255.255.255.0
access-list inside_nat0_outbound extended permit ip WCS_plus_VPN_clients 255.255.252.0 HMS-E-nets 255.255.255.0
access-list inside_nat0_outbound extended permit ip WCS_plus_VPN_clients 255.255.252.0 S-nets 255.255.255.0
access-list inside_nat0_outbound extended permit ip WCS_plus_VPN_clients 255.255.252.0 El-nets 255.255.252.0
access-list inside_nat0_outbound extended permit ip WCS_plus_VPN_clients 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip WCS_plus_VPN_clients 255.255.252.0 object-group E
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 WCS_plus_VPN_clients 255.255.252.0
access-list inside_nat0_outbound extended permit ip WCS_plus_VPN_clients 255.255.252.0 192.168.15.0 255.255.255.0
access-list outside_access_in extended permit icmp any any object-group testingping
access-list Inside_access_out extended permit ip WCS_plus_VPN_clients 255.255.254.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group testingping
access-list outside_cryptomap extended permit ip any 192.168.15.0 255.255.255.0
access-list outside_cryptomap_20.20 extended permit ip any object-group VPN-Clients
access-list WCSVPN_splitTunnelAcl standard permit WCS_plus_VPN_clients 255.255.254.0
access-list WCSVPN_splitTunnelAcl standard permit HMS-E-nets 255.255.255.0
access-list WCSVPN_splitTunnelAcl standard permit HMS-QW-nets 255.255.255.0
access-list site_to_site extended permit ip WCS_plus_VPN_clients 255.255.252.0 object-group EDDSites
access-list site_to_site extended permit ip object-group E WCS_plus_VPN_clients 255.255.255.0
access-list site_to_site extended permit ip object-group El WCS_plus_VPN_clients 255.255.255.0
access-list site_to_site extended permit ip object-group G WCS_plus_VPN_clients 255.255.255.0
access-list site_to_site extended permit ip object-group SG WCS_plus_VPN_clients 255.255.255.0
access-list site_to_site extended permit ip WCS_plus_VPN_clients 255.255.254.0 object-group RADR
access-list site_to_site extended permit ip object-group RADR WCS_plus_VPN_clients 255.255.254.0
access-list site_to_site extended permit ip object-group Education-HMS WCS_plus_VPN_clients 255.255.252.0
access-list outside extended permit ip S-nets 255.255.255.0 WCS_plus_VPN_clients 255.255.254.0 inactive
access-list outside_cryptomap_20 extended permit ip WCS_plus_VPN_clients 255.255.254.0 object-group E inactive
access-list outside_cryptomap_1 extended permit ip WCS_plus_VPN_clients 255.255.254.0 S-nets 255.255.255.0
access-list VPN_access extended permit ip object-group VPN-Clients any
access-list outside_2_cryptomap extended permit ip WCS_plus_VPN_clients 255.255.254.0 object-group RADR
access-list outside_cryptomap_2 extended permit ip WCS_plus_VPN_clients 255.255.252.0 HMS-E-nets 255.255.255.0
access-list outside_cryptomap_2 extended permit ip HMS-E-nets 255.255.255.0 WCS_plus_VPN_clients 255.255.252.0
access-list outside_4_cryptomap extended permit ip WCS_plus_VPN_clients 255.255.252.0 El-nets 255.255.252.0
access-list outside_4_cryptomap extended permit ip El-nets 255.255.252.0 WCS_plus_VPN_clients 255.255.252.0
pager lines 24
logging enable
logging list DebugLog level informational
logging buffered errors
logging asdm warnings
logging from-address asa@mydomain.com
logging recipient-address me@mydomain.com level errors
logging debug-trace
logging class vpdn buffered debugging asdm debugging
logging class vpn buffered debugging asdm debugging
logging class vpnc buffered debugging asdm debugging
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_Client_Pool2 192.168.15.2-192.168.15.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
nat (outside) 200 192.168.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0
nat (inside) 200 WCS_plus_VPN_clients 255.255.254.0 outside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.152.34.217 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server WCSDCS protocol radius
aaa-server WCSDCS host 192.168.12.5
 key *******
aaa authentication ssh console WCSDCS LOCAL
aaa authorization exec authentication-server
http server enable
http WCS_plus_VPN_clients 255.255.254.0 inside
http E-1 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 74.205.231.220
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-128-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 67.192.185.55
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set phase1-mode aggressive
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 208.112.65.231
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set nat-t-disable
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 216.143.158.99
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 147.31.204.97
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
no vpn-addr-assign dhcp
telnet WCS_plus_VPN_clients 255.255.255.0 inside
telnet timeout 5
ssh WCS_plus_VPN_clients 255.255.254.0 inside
ssh 192.168.12.151 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
ntp server 207.46.197.32 source outside
group-policy DfltGrpPolicy attributes
 vpn-filter value outside
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 default-domain value internaldomain.com
group-policy WCSVPN internal
group-policy WCSVPN attributes
 wins-server value 192.168.12.5 192.168.12.6
 dns-server value 192.168.12.5 192.168.12.6
 vpn-filter value VPN_access
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WCSVPN_splitTunnelAcl
 default-domain value internaldomain.com
group-policy Site-to-site internal
group-policy Site-to-site attributes
 vpn-filter value site_to_site
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group WCSASA type remote-access
tunnel-group WCSASA general-attributes
 address-pool VPN_Client_Pool2
 authentication-server-group WCSDCS
 default-group-policy WCSVPN
tunnel-group WCSASA ipsec-attributes
 pre-shared-key *
tunnel-group 147.31.204.97 type ipsec-l2l
tunnel-group 147.31.204.97 general-attributes
 default-group-policy Site-to-site
tunnel-group 147.31.204.97 ipsec-attributes
 pre-shared-key *
tunnel-group 74.205.231.220 type ipsec-l2l
tunnel-group 74.205.231.220 general-attributes
 default-group-policy Site-to-site
tunnel-group 74.205.231.220 ipsec-attributes
 pre-shared-key *
tunnel-group 67.192.185.55 type ipsec-l2l
tunnel-group 67.192.185.55 general-attributes
 default-group-policy Site-to-site
tunnel-group 67.192.185.55 ipsec-attributes
 pre-shared-key *
tunnel-group 208.112.65.231 type ipsec-l2l
tunnel-group 208.112.65.231 general-attributes
 default-group-policy Site-to-site
tunnel-group 208.112.65.231 ipsec-attributes
 pre-shared-key *
tunnel-group 216.143.158.99 type ipsec-l2l
tunnel-group 216.143.158.99 general-attributes
 default-group-policy Site-to-site
tunnel-group 216.143.158.99 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.12.7
prompt hostname context
: end
asdm image disk0:/asdm-611.bin
asdm location E-172-29 255.255.255.0 outside
asdm location E-172-31 255.255.255.0 outside
asdm location E-1 255.255.255.0 outside
asdm location El-nets 255.255.252.0 outside
asdm location S-nets 255.255.255.0 outside
asdm location G-nets 255.255.252.0 outside
asdm location E-50 255.255.255.0 outside
asdm location HMS-QW-nets 255.255.255.0 outside
asdm location 192.168.15.0 255.255.255.0 outside
asdm location RADR100 255.255.255.0 inside
asdm location RADR101 255.255.255.0 inside
asdm location WCS_plus_VPN_clients 255.255.252.0 inside
asdm location HMS-E-nets 255.255.255.0 outside
asdm group VPN-Clients outside
asdm group E outside
asdm group El outside
asdm group G outside
asdm group SG outside
asdm group Education-HMS outside
asdm group QW-HMS outside
asdm group WCS-NETS inside
no asdm history enable
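The fragment below is an added example written for this page; it is not the asker's configuration and not any expert's answer on this page. It shows one way, in ASA 8.0(3) syntax, to let the 192.168.15.0/24 remote-access pool reach the networks behind the four crypto map entries whose match ACLs are active in the posted config (entries 1, 2, 3 and 4; entry 20's ACL is marked inactive and G-nets appears in no crypto ACL, so those are left out). The ACL name outside_nat0_outbound is chosen here and does not appear in the original. Three things in the posted config block the traffic: "nat (outside) 200 192.168.15.0" PATs decrypted client traffic to the outside interface address before the crypto map is consulted, so it never matches an L2L crypto ACL; the S-nets and RADR crypto ACLs use a /23 mask on 192.168.12.0, which does not include 192.168.15.0 (the /22 used elsewhere happens to, since 192.168.12.0/22 spans 192.168.12.0 to 192.168.15.255); and a vpn-filter ACL is evaluated with the remote network as source and the local network as destination, so the site_to_site lines with /24 and /23 masks on 192.168.12.0 do not cover the pool. The split-tunnel list also has to carry the remote networks or the client never sends them into the tunnel.

```cisco
! Added example, not from the original post. ASA 8.0(3) syntax.
! Assumes each remote peer is updated to mirror these changes
! (their crypto ACLs and NAT exemptions are not shown on the page).
!
! 1. Hairpinning: allow traffic to enter and leave the outside interface
!    (already present in the posted config, repeated here for completeness).
same-security-traffic permit intra-interface
!
! 2. Exempt VPN-client traffic bound for an L2L network from the
!    "nat (outside) 200" PAT. outside_nat0_outbound is a new ACL name
!    chosen for this example.
access-list outside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 S-nets 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 object-group RADR
access-list outside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 HMS-E-nets 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 El-nets 255.255.252.0
nat (outside) 0 access-list outside_nat0_outbound
!
! 3. Select the pool explicitly in each active L2L crypto ACL instead of
!    relying on the mask used on 192.168.12.0.
access-list outside_cryptomap_1 extended permit ip 192.168.15.0 255.255.255.0 S-nets 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.15.0 255.255.255.0 object-group RADR
access-list outside_cryptomap_2 extended permit ip 192.168.15.0 255.255.255.0 HMS-E-nets 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.15.0 255.255.255.0 El-nets 255.255.252.0
!
! 4. vpn-filter on the Site-to-site group policy: source = remote network,
!    destination = local network. The ASA applies it to both directions.
access-list site_to_site extended permit ip object-group SG 192.168.15.0 255.255.255.0
access-list site_to_site extended permit ip object-group RADR 192.168.15.0 255.255.255.0
access-list site_to_site extended permit ip object-group Education-HMS 192.168.15.0 255.255.255.0
access-list site_to_site extended permit ip object-group El 192.168.15.0 255.255.255.0
!
! 5. Split tunnelling: the client only routes these networks into the tunnel.
!    HMS-E-nets is already in the posted list.
access-list WCSVPN_splitTunnelAcl standard permit S-nets 255.255.255.0
access-list WCSVPN_splitTunnelAcl standard permit RADR100 255.255.255.0
access-list WCSVPN_splitTunnelAcl standard permit RADR101 255.255.255.0
access-list WCSVPN_splitTunnelAcl standard permit El-nets 255.255.252.0
!
! Checks, after a client connects and sends traffic to a host in S-nets:
!   show xlate | include 192.168.15          (no PAT entry should appear for that flow)
!   show crypto ipsec sa peer 74.205.231.220 (pkts encaps/decaps should increase)
!   show access-list site_to_site            (hitcnt should rise on the new lines)
```

Until the peers add 192.168.15.0/24 to their own crypto ACLs and NAT exemptions the Phase 2 proposal for those flows will fail on their side, so a client that can reach nothing after this change is usually a remote-side mismatch rather than a local one; "debug crypto ipsec 7" on this ASA shows the proxy identities being offered.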
05.02.2008 at 10:56PM PDT, ID: 21491439 (Expert Comment)

05.09.2008 at 10:35AM PDT, ID: 21534978 (Author Comment)

05.09.2008 at 01:25PM PDT, ID: 21536185 (Author Comment)

05.09.2008 at 03:09PM PDT, ID: 21536675 (Expert Comment)

05.09.2008 at 03:19PM PDT, ID: 21536727 (Author Comment)

05.09.2008 at 03:36PM PDT, ID: 21536808 (Expert Comment)

05.09.2008 at 03:47PM PDT, ID: 21536866 (Accepted Solution)


About this solution

Zone: Virtual Private Networking (VPN)
Tags: Cisco, ASA, 5510
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: B
 
 
05.09.2008 at 04:01PM PDT, ID: 21536915 (Author Comment)

05.09.2008 at 04:05PM PDT, ID: 21536936 (Author Comment)

05.27.2008 at 08:38AM PDT, ID: 21652800 (Author Comment)