eagle341
asked on
VPN network access
Hello, I have established a peer to peer VPN from an ASA 5510 to remote 1812, I can ping the inside addresses of both, but I can't ping any other addresses inside each network.
Any help appreciated!
ASKER CERTIFIED SOLUTION
ASKER
Sorry, just prior to sending you the config, I updated the 1812 DHCP default gateway, now I can see inside the 172.16.0.0 network, but not the other way around.
ASKER
Got it, I had not updated the DC to new gateway, can see both sides, thanks for the tip!
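The fix above is a routing problem, not a crypto one: a host whose default gateway is not the VPN router sends its replies to the far LAN out the wrong door, so one direction of a ping can look fine while the other never enters the tunnel. The following is an added example, not something from the thread or from Cisco; it models that with a constructed topology (ASA inside 192.168.10.201 holding the tunnel to 172.16.0.0/24, the 1812 BVI1 172.16.0.1 holding the tunnel back, and a hypothetical "old gateway" 192.168.10.1 with no route to the far side) and audits which hosts will break the return path.

```python
import ipaddress

# Constructed topology modelled on the thread. Each gateway maps prefixes it knows about to
# where it forwards them; anything else follows its default route to the internet.
# 192.168.10.1 is a hypothetical previous default gateway with no knowledge of 172.16.0.0/24.
ROUTES = {
    "192.168.10.201": {"172.16.0.0/24": "tunnel"},   # ASA inside interface (crypto endpoint)
    "192.168.10.1": {},                               # old gateway, no route to the far LAN
    "172.16.0.1": {"192.168.10.0/24": "tunnel"},     # 1812 BVI1 (EZVPN network-extension)
}


def next_hop(gateway: str, dst: str) -> str:
    """Where a host's default gateway sends a packet for dst.

    'tunnel'   - matched a crypto route, the packet is encrypted to the peer
    'internet' - only the default route matched: plaintext out the WAN, and a private
                 destination like 172.16.x.x is simply dropped upstream
    """
    routes = ROUTES.get(gateway)
    if routes is None:
        return "no-such-gateway"
    dst_ip = ipaddress.ip_address(dst)
    for prefix, hop in routes.items():
        if dst_ip in ipaddress.ip_network(prefix):
            return hop
    return "internet"


def path(src_ip: str, src_gw: str, dst_ip: str, dst_gw: str):
    """(forward, reply) next hops for a packet and its answer. Hosts are assumed to be on
    opposite LANs, so both legs go through a default gateway."""
    return next_hop(src_gw, dst_ip), next_hop(dst_gw, src_ip)


def reachable(src_ip: str, src_gw: str, dst_ip: str, dst_gw: str) -> bool:
    """A ping only succeeds when both legs are steered into the tunnel."""
    return path(src_ip, src_gw, dst_ip, dst_gw) == ("tunnel", "tunnel")


def audit(hosts, peer_lan: str):
    """Flag every (name, gateway) whose gateway would not tunnel traffic towards peer_lan.
    Those hosts can be reached from the far side but their replies never come back."""
    probe = str(ipaddress.ip_network(peer_lan)[1])  # any address inside the far LAN
    return [(name, gw) for name, gw in hosts if next_hop(gw, probe) != "tunnel"]


if __name__ == "__main__":
    # Before the fix: the DC (192.168.10.20) still points at the old gateway.
    print(path("172.16.0.50", "172.16.0.1", "192.168.10.20", "192.168.10.1"))    # ('tunnel', 'internet')
    # After updating the DC's default gateway to the ASA inside address.
    print(path("172.16.0.50", "172.16.0.1", "192.168.10.20", "192.168.10.201"))  # ('tunnel', 'tunnel')
    print(audit([("DC", "192.168.10.1"), ("fileserver", "192.168.10.201")], "172.16.0.0/24"))
```

Running the audit against a host inventory (name and configured default gateway) is the quick way to find the remaining stragglers after a gateway change; on a real network the same check is "does this host's gateway have a route to the far LAN via the crypto endpoint".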
ASKER
Here is the config for both.
ASA Version 7.2(2)
!
names
name 192.168.10.20 ESSDNS1
name 217.xxx.xx.xx KTCDNS1
name 217.xxx.xx.xx KTCDNS2
!
interface Ethernet0/0
nameif Inside
security-level 100
ip address 192.168.10.201 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif Outside
security-level 0
ip address 77.xxx.xx.xx 255.255.255.24
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone AQTST 5
clock summer-time AQTDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
name-server ESSDNS1
domain-name ERSS.KZ
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list management_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip interface Inside 192.168.0.0 255.255.255.0
access-list Outside_access_in extended permit ip 217.196.23.0 255.255.255.252 interface Outside
access-list Outside_access_in extended permit ip 192.168.0.0 255.255.255.0 interface Outside
access-list Inside_access_in extended permit ip 192.168.0.0 255.255.255.0 interface Inside
access-list Inside_access_in extended permit ip 217.196.23.0 255.255.255.252 interface Inside
access-list Outside_access_out extended permit ip interface Outside any
access-list Inside_access_out extended permit ip interface Inside any
access-list Outside_nat0_outbound extended permit ip any any
access-list Inside_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Outside_20_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Outside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 any
access-list Outside_access_in_1 extended permit ip any interface Outside
access-list Outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list remote1_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list mysplit standard permit 192.168.10.0 255.255.255.0
access-list 202 extended permit ip any any
access-list 202 extended permit ip host 82.71.226.0 any
access-list Inside_nat0_outbound_2 extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool pool10 10.10.100.10-10.10.100.20 mask 255.255.255.0
no failover
monitor-interface Inside
monitor-interface Outside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound_2
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
access-group 202 in interface Outside
route Outside 0.0.0.0 0.0.0.0 77.xxx.xx.xx1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value ERSS.KZ
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy remote1 internal
group-policy remote1 attributes
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mysplit
nem enable
username remote1 password PUqTNNpL6kSLDz6F encrypted privilege 1
username remote1 attributes
vpn-group-policy remote1
username ciscouser password 23tv7l4KjzJreKTg encrypted privilege 15
url-server (Inside) vendor websense host 192.168.10.29 timeout 30 protocol TCP version 1 connections 5
aaa authentication ssh console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
http redirect Inside 80
http redirect Outside 80
http redirect management 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df Inside
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df management
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remote1 type ipsec-ra
tunnel-group remote1 general-attributes
address-pool pool10
default-group-policy remote1
tunnel-group remote1 ipsec-attributes
pre-shared-key *
telnet 192.168.10.175 255.255.255.255 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
http-proxy 192.168.10.29 80
prompt hostname context
Cryptochecksum:bbb4c3a66a3
: end
1812
Building configuration...
Current configuration : 8546 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ESS_E11
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$Jgeo$5DaArp6x1btjm4DNQI
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 5
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
import all
network 172.16.0.0 255.255.255.0
default-router 172.16.0.1
dns-server 217.xxx.xx.xxx 217.xxx.xx.x
domain-name erss.kz
netbios-name-server 192.168.10.20
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name erss.kz
ip name-server 217.xxx.xx.xxx
ip name-server 217.xxx.xx.xxx
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
DDNS both
!
!
!
crypto pki trustpoint TP-self-signed-96517047
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-96517047
!
!
crypto pki certificate chain TP-self-signed-96517047
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39363531 37303437 301E170D 30383035 30373133 31343031
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D393635 31373034
3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100997A
F234DA03 142F709B C66E6B63 DB149485 EA4A0070 FBAE8E3D A02BF014 8796666D
90BBA3E3 C756230B 5BA8C510 A8635E86 90AC38C0 E94822E0 D8DFD82B 01E69A17
DFBC8622 A9AEF997 3EB91789 9F809219 47E8369F 9641EF75 F6EA6022 773DC92B
DAFC9238 626CEBB1 79CEC30C C7B8E04B 3994441A 3A265C50 DADFD2AE 1F190203
010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603 551D1104
13301182 0F455353 5F453131 2E657273 732E6B7A 301F0603 551D2304 18301680
1465AF36 C7F05281 A6C689E5 E44A9F0D 8E9C648E 46301D06 03551D0E 04160414
65AF36C7 F05281A6 C689E5E4 4A9F0D8E 9C648E46 300D0609 2A864886 F70D0101
04050003 81810042 DA3827A6 465C504F CE7719AC 609E5CCD B4927C20 22D32AA0
50485F3B 13989868 B93E0E6B 819B0AAD C877B5A8 CF66EB3C 6E36544D 27DE9FF9
C64CAB6C BA1378EA 23055AF1 6894D9CE 2E251760 F065D852 92AF9CCF F201F6C0
10CBD99D 2AFCEE9A 1A513E02 FA05171E E88AA46E 07C1439B 3CAF6025 9605E104
57033305 5E297A
quit
username administrator privilege 15 secret 5 $1$Ny.6$zxFRJ7lv/vW05/hqZO
username monitor view SDM_Monitor secret 5 $1$wcQt$oU9ZS.7Z1C9a0fMRVl
username temp_access privilege 0 secret 5 $1$J939$MLaxAT2ERC2SQ4jq7j
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
!
!
crypto ipsec client ezvpn 77.xxx.xx.xxx
connect auto
group remote1 key 01remote007
mode network-extension
peer 77.xxx.xx.xxx
username remote1 password 01remote007
xauth userid mode local
!
!
bridge irb
!
!
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
description $ES_WAN$$FW_OUTSIDE$$ETH-W
ip ddns update hostname ESS_E11.erss.kz
ip ddns update sdm_ddns1
ip address 217.196.23.138 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto ipsec client ezvpn 77.xxx.xx.xxx
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 40bit 7 028B93741B05 transmit-key
encryption mode wep mandatory
!
ssid ESS_E11
authentication open
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption key 1 size 40bit 7 6E8F57543705 transmit-key
encryption mode wep mandatory
!
ssid ESS_E11
authentication open
guest-mode
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet1
tunnel mode ipsec ipv4
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
crypto ipsec client ezvpn 77.xxx.xx.xxx inside
!
ip route 0.0.0.0 0.0.0.0 217.xxx.xx.xxx2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
ip access-list extended mynat
deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 217.xxx.xx.xxx 0.0.0.3 77.xxx.xx.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.16.0.0 0.0.0.255 77.xxx.xx.xx 0.0.0.7
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.0.0 0.0.0.255 77.xxx.xx.xx 0.0.0.7
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 106 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 permit ip host 172.16.0.0 192.168.10.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 14
privilege level 15
login local
transport input telnet ssh
line vty 15
privilege level 15
login local
transport input telnet ssh
parser view SDM_Monitor
secret 5 $1$3l7I$w5zB5bvnMzvz9qRp88
commands configure include end
commands configure include all interface
commands exec include dir all-filesystems
commands exec include dir
commands exec include all crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include all debug appfw
commands exec include all debug ip inspect
commands exec include debug ip
commands exec include debug
commands exec include all clear
!
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
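With an EZVPN network-extension spoke like the 1812 above, the hub has to do two things for the spoke LAN: exempt hub-LAN to spoke-LAN traffic from NAT (here `nat (Inside) 0 access-list Inside_nat0_outbound_2`) and hand the spoke a split-tunnel list that contains the hub LAN (`mysplit` via group-policy `remote1`). The script below is an added example written for this thread, not the posters' code or a Cisco tool; it parses constructed excerpts of the two configs (the real peer address and key are masked on the page, so `hub` and `PLACEHOLDER` stand in for them), derives the spoke LAN from the interface tagged `crypto ipsec client ezvpn ... inside`, and reports what is missing. It also flags the inbound `permit ip any any` on the ASA Outside interface (`access-list 202`), since that rule lets everything past the firewall regardless of the VPN.

```python
import ipaddress
import re

# Constructed excerpts of the two configs from the thread (only the lines the checks need).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif Inside
 ip address 192.168.10.201 255.255.255.0
access-list Inside_nat0_outbound_2 extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list mysplit standard permit 192.168.10.0 255.255.255.0
access-list 202 extended permit ip any any
nat (Inside) 0 access-list Inside_nat0_outbound_2
access-group 202 in interface Outside
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list none
group-policy remote1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mysplit
"""

IOS_CONFIG = """\
crypto ipsec client ezvpn hub
 group remote1 key PLACEHOLDER
 mode network-extension
interface BVI1
 ip address 172.16.0.1 255.255.255.0
 crypto ipsec client ezvpn hub inside
"""


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def asa_acls(cfg):
    """Map ACL name -> list of (src, dst) networks; None stands for 'any'."""
    acls = {}
    ext = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+|any) (\S+ \S+|any)$")
    std = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
    for line in cfg.splitlines():
        if m := ext.match(line):
            name, src, dst = m.groups()
            pair = tuple(None if x == "any" else net(*x.split()) for x in (src, dst))
            acls.setdefault(name, []).append(pair)
        elif m := std.match(line):
            name, addr, mask = m.groups()
            acls.setdefault(name, []).append((None, net(addr, mask)))
    return acls


def asa_stanza_value(cfg, stanza_re, key):
    """Value of ' <key> value X' inside the first stanza whose header line matches stanza_re."""
    inside = False
    for line in cfg.splitlines():
        if not line.startswith(" "):
            inside = bool(re.match(stanza_re, line))
        elif inside and (m := re.match(rf"^ {key} value (\S+)$", line)):
            return m.group(1)
    return None


def asa_interface_net(cfg, nameif):
    """Subnet of the interface whose nameif matches."""
    found = False
    for line in cfg.splitlines():
        if line.startswith("interface "):
            found = False
        elif line.strip() == f"nameif {nameif}":
            found = True
        elif found and (m := re.match(r"^ ip address (\S+) (\S+)$", line)):
            return net(*m.groups())
    return None


def ios_ezvpn(cfg):
    """EZVPN group name and the LAN behind the interface marked '... ezvpn <name> inside'."""
    group, cur, lan = None, None, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"^group (\S+) key ", s):
            group = m.group(1)
        elif m := re.match(r"^ip address (\S+) (\S+)$", s):
            cur = net(*m.groups())
        elif re.match(r"^crypto ipsec client ezvpn \S+ inside$", s):
            lan = cur
    return group, lan


def covers(entries, src, dst):
    """True if some entry permits src -> dst (None in an entry means 'any')."""
    return any((s is None or src.subnet_of(s)) and (d is None or dst.subnet_of(d)) for s, d in entries)


def check_hub(asa_cfg, ios_cfg):
    """Return findings; an empty list means the hub-side plumbing for the spoke LAN is complete."""
    findings = []
    acls = asa_acls(asa_cfg)
    hub_lan = asa_interface_net(asa_cfg, "Inside")
    group, spoke_lan = ios_ezvpn(ios_cfg)
    # 1. NAT exemption: hub LAN -> spoke LAN must bypass PAT or replies leave with the Outside address.
    m = re.search(r"^nat \(Inside\) 0 access-list (\S+)$", asa_cfg, re.M)
    if not m or not covers(acls.get(m.group(1), []), hub_lan, spoke_lan):
        findings.append(f"no NAT exemption for {hub_lan} -> {spoke_lan}")
    # 2. Split tunnel: the list pushed to the spoke's group must include the hub LAN.
    split = asa_stanza_value(asa_cfg, rf"^group-policy {group} attributes$", "split-tunnel-network-list")
    if not split or not covers(acls.get(split, []), hub_lan, hub_lan):
        findings.append(f"split-tunnel list for group {group} does not include {hub_lan}")
    # 3. Exposure: an inbound ACL on Outside permitting ip any any disables the firewall.
    m = re.search(r"^access-group (\S+) in interface Outside$", asa_cfg, re.M)
    if m and (None, None) in acls.get(m.group(1), []):
        findings.append(f"ACL {m.group(1)} on Outside permits ip any any inbound")
    return findings


if __name__ == "__main__":
    for finding in check_hub(ASA_CONFIG, IOS_CONFIG):
        print("FINDING:", finding)
```

On the excerpts above the NAT exemption and split-tunnel checks pass and the only finding is the open Outside ACL; removing the `nat (Inside) 0` line from the ASA excerpt reproduces the "tunnel is up but hosts cannot talk" symptom as a finding.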