VPN connection does not go 'everywhere'

Asked by carl_legere in Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: cisco, asa5510, asa5510

See code snippet, addresses changed to protect the guilty.

This is a functioning live config that is missing something, please help me find how to modify it as follows:
Using Cisco VPN client you connect to tunnel-group vpn3. When you arrive there you get an IP address in the pool 192.168.125.x and can ping/connect to devices in the 192.168.100.x IP space

How to allow your VPN client connection to be able to ping/connect to 192.168.120.x and 10.10.x.x? (192.168.120.x and 10.10.x.x are WAN addresses via hardwired VPNs connected via the internet)

thanks!!
ASA Version 7.0(7)
!
hostname 5510
enable password 
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.94.23.249 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 
ftp mode passive
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 100 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list 102 extended permit ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8081
access-list outside_access_in extended permit tcp any interface outside eq 8082
access-list outside_access_in extended permit tcp any interface outside eq 7211
access-list outside_access_in extended permit tcp any interface outside eq 7205
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool remote 192.168.125.25-192.168.125.100 mask 255.255.255.0
ip local pool vpnpool1 192.168.125.201
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface pop3 192.168.100.13 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.13 https netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.100.13 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 8082 192.168.100.13 8082 netmask 255.255.255.255
static (inside,outside) tcp interface 7211 192.168.100.11 7211 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.100.5 7205 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.94.23.247 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy tma3 internal
group-policy tma3 attributes
 dns-server value 192.168.100.5
 default-domain value tma.internal
 webvpn
group-policy tmaclient internal
group-policy tmaclient attributes
 dns-server value 192.168.100.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value tma.internal
 webvpn
username pauls password  encrypted
username pauls attributes
 vpn-group-policy tmaclient
 webvpn
username jkaminsky password  encrypted
username jkaminsky attributes
 vpn-group-policy tma3
 webvpn
username carl password  encrypted
username carl attributes
 vpn-group-policy tmaclient
 webvpn
username fredm password  encrypted
username fredm attributes
 vpn-group-policy tmaclient
 webvpn
username lhahn password  encrypted
username lhahn attributes
 vpn-group-policy tmaclient
 webvpn
username lisah password  encrypted
username lisah attributes
 vpn-group-policy tmaclient
 webvpn
username johnd password  encrypted
username johnd attributes
 vpn-group-policy tma3
 webvpn
username trossignol password  encrypted
username trossignol attributes
 vpn-group-policy tmaclient
 webvpn
username jleifer password  encrypted
username jleifer attributes
 vpn-group-policy tmaclient
 webvpn
username emurray password  encrypted
username emurray attributes
 vpn-group-policy tmaclient
 webvpn
username jcullen password  encrypted
username jcullen attributes
 vpn-group-policy tma3
 webvpn
username karen password  encrypted
username karen attributes
 vpn-group-policy tmaclient
 webvpn
username alanp password 4 encrypted
username alanp attributes
 vpn-group-policy tmaclient
 webvpn
username timk password  encrypted
username timk attributes
 vpn-group-policy tmaclient
 webvpn
username jeff password  encrypted
username jeff attributes
 vpn-group-policy tmaclient
 webvpn
username claudia password encrypted
username claudia attributes
 vpn-group-policy tmaclient
 webvpn
username cliguori password  encrypted
username cliguori attributes
 vpn-group-policy tmaclient
 webvpn
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set aes esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes2 esp-aes esp-md5-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set aes
crypto map TMAmap 10 match address 100
crypto map TMAmap 10 set peer 201.97.172.24
crypto map TMAmap 10 set transform-set 3des
crypto map TMAmap 20 set peer 64.66.219.40
crypto map TMAmap 20 set transform-set aes
crypto map TMAmap 30 set peer 62.13.119.178
crypto map TMAmap 30 set transform-set aes
crypto map TMAmap 65535 ipsec-isakmp dynamic dynmap
crypto map TMAmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group 62.13.119.178 type ipsec-l2l
tunnel-group 62.13.119.178 ipsec-attributes
 pre-shared-key *
tunnel-group 64.66.219.40 type ipsec-l2l
tunnel-group 64.66.219.40 ipsec-attributes
 pre-shared-key *
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool remote
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
tunnel-group 201.97.172.24 type ipsec-l2l
tunnel-group 201.97.172.24 ipsec-attributes
 pre-shared-key *
tunnel-group vpn3 type ipsec-ra
tunnel-group vpn3 general-attributes
 address-pool remote
tunnel-group tma3 ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.120.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
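The changes an ASA 7.x normally needs before remote-access clients can reach networks behind a site-to-site tunnel on the same outside interface, written here as an added example rather than the asker's config or the accepted solution's text. It assumes ACL 101 belongs to crypto map entry 20 (peer 64.66.219.40) and ACL 102 to entry 30 (peer 62.13.119.178), since the posted config binds neither with a match address, and that the administrators of the remote peers add the mirror-image entries on their side.

```cisco
! Added example, not part of the original post. Assumption: ACL 101 goes with
! crypto map entry 20 and ACL 102 with entry 30; both are unbound in the post.
!
! 1. Client traffic arrives on outside and must leave on outside again
!    (into the L2L tunnel). By default the ASA drops such hairpinned flows.
same-security-traffic permit intra-interface
!
! 2. Split-tunnel clients (group-policy tmaclient) only send the listed
!    networks into the tunnel, so the two target networks must be added.
!    Group-policy tma3 has no split tunnel and already sends everything.
access-list Split_Tunnel_List standard permit 192.168.120.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
!
! 3. The site-to-site crypto ACLs define which flows are "interesting".
!    Today they only name 192.168.100.0/24 as the source, so packets from
!    the 192.168.125.0/24 client pool never match an IPsec SA. Add the pool
!    and bind the ACLs to their map entries. The remote peers need the
!    same networks with source and destination swapped.
access-list 101 extended permit ip 192.168.125.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list 102 extended permit ip 192.168.125.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto map TMAmap 20 match address 101
crypto map TMAmap 30 match address 102
!
! 4. Exempt the hairpinned flows from translation on outside, so the remote
!    site sees the client's pool address and has a route back to it.
access-list nonat_outside extended permit ip 192.168.125.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list nonat_outside extended permit ip 192.168.125.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (outside) 0 access-list nonat_outside
```

Once a client sends traffic to 192.168.120.x, `show crypto ipsec sa peer 64.66.219.40` should list a second SA pair whose local identity is 192.168.125.0/255.255.255.0; if it never appears, the remote peer has not added the matching proxy identity.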
07/02/08 04:17 PM, ID: 21921644, Accepted Solution
Solution Provided By: arnold
Participating Experts: 3
Solution Grade: A