Connecting to VPN router (1811w) behind ASA that terminates VPNs already

Posted on 2008-10-01
Last Modified: 2012-05-05
Hi All,

I have a problem. I have set up my Cisco ASA 5520 as a VPN gateway for our users. We also have a Cisco 1811w in the internal network which connects our internal networks together (192.168.1.x, 192.168.5.x and 10.0.1.x).

The ASA's internal address is 192.168.1.89, so when the users connect via VPN they can access everything on the 192.168.1.x network and nothing else.

Now I need IT to be able to access the 10.0.1.x and 192.168.5.0 networks via VPN, so I want to terminate IT's VPNs on the 1811w (it has physical connections to all three networks and routes between them).

The first config is the 1811w and the second config is the ASA.

1811w:

Building configuration...

Current configuration : 5936 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-295350064
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-295350064
 revocation-check none
 rsakeypair TP-self-signed-295350064
!
!
crypto pki certificate chain TP-self-signed-295350064
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32393533 35303036 34301E17 0D303830 36313730 31353232
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3239 35333530
  30363430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  DA6FA8A8 D4095047 0917A8C6 12054F27 4D9B41CE C12D19BE C2D5ACE4 C1719D77
  7D689605 1515AA83 5FBB196F 1356267A C02C9841 9B740516 AFE6FCC5 AF46B8B2
  0CC67CA1 BEC59631 7719F556 55CCC795 8CB2488A 05D528EE 01FB724B 2A22880D
  46F33388 CD094B0D DFA36537 EED71F0B 2E8D29B4 00BA5666 C5154188 45BBE143
  02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
  11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 1680140C CBC8DC56 286D55D8 D2C5C5C0 17D2643A 5ECF7B30
  1D060355 1D0E0416 04140CCB C8DC5628 6D55D8D2 C5C5C017 D2643A5E CF7B300D
  06092A86 4886F70D 01010405 00038181 005F5A9F 7093E988 A234C0D5 8A5666F5
  9F696312 2B8C15F6 CC5B5318 02195273 99A9F81A 9AB9C48F 658F197C DD4292ED
  0ED9BE51 00D5A0CF 4C94AD15 2739482B 3870ECDF DD031D2D 78A29CAC 9AB61B92
  22AD04D3 75A44964 FAB84548 2A7C8A71 97790233 22CF045D 5201B5F3 591E6A3F
  C8235CDD 09E11D16 AD1AD7C2 AABDE214 5B
  	quit
dot11 syslog
!
dot11 ssid Idstxtra
   authentication open
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$AsxG$u4y/R9CVETuNE2bmn2hUJ1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group IT
 key <removed by RockMod 22 Sept 11 as requested by author>
 dns 192.168.1.3 192.168.1.6
 wins 192.168.1.3
 domain Milperra.lonsyd.com.au
 pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
   match identity group IT
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 61.88.220.38 255.255.255.0
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption key 1 size 40bit 0 0297836113 transmit-key
 encryption mode wep mandatory
 !
 ssid Idstxtra
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption key 1 size 40bit 0 0297836113 transmit-key
 encryption mode wep mandatory
 !
 ssid Idstxtra
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ES_LAN$
 no ip address
!
interface Vlan2
 ip address 192.168.1.180 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.5.60 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 10.0.1.200 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool SDM_POOL_1 192.168.30.1 192.168.30.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.89 permanent
ip route 10.0.1.0 255.255.255.0 Vlan4 permanent
ip route 61.88.220.0 255.255.255.0 Vlan3 permanent
ip route 192.168.1.0 255.255.255.0 Vlan2 permanent
ip route 192.168.2.0 255.255.255.0 Vlan2 permanent
ip route 192.168.5.0 255.255.255.0 Vlan3 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
end


<edited by RockMod 22 Sept '11>
Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(2) 
!
hostname LonsydASA
domain-name x.x.x.x
enable password XXXXXXXXX encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address x.x.x.x 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif Test
 security-level 100
 ip address 192.168.7.89 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif Lonsyd
 security-level 100
 ip address 192.168.1.89 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif IT
 security-level 100
 ip address 192.168.5.89 255.255.255.0 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server x.x.x.x
 domain-name x.x.x.x
same-security-traffic permit intra-interface
object-group network NZ
 network-object 192.168.2.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RealVNC tcp
 port-object eq 5900
object-group service Sql tcp
 port-object range 1433 1434
object-group service Blackberry tcp-udp
 port-object eq 3101
object-group service RTP tcp-udp
 port-object eq 8000
object-group service PIUSI tcp
 port-object eq 7979
object-group service CiscoVPN tcp
 port-object eq 10000
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 61.88.220.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list WAN_access_in extended permit ip 192.168.20.0 255.255.255.0 any 
access-list WAN_access_in extended permit icmp any any 
access-list WAN_access_in extended permit object-group TCPUDP any any eq sip 
access-list WAN_access_in extended permit object-group TCPUDP any any object-group Blackberry 
access-list WAN_access_in extended permit object-group TCPUDP any any object-group RTP 
access-list WAN_access_in extended permit tcp any any eq pop3 
access-list WAN_access_in extended permit tcp any any eq ssh 
access-list WAN_access_in extended permit tcp any any object-group CiscoVPN 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 10.0.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.20.0 255.255.255.0 any 
access-list Lonsyd_splitTunnelAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list WAN_nat0_outbound extended permit ip any any 
access-list pingtraffic extended permit icmp any any echo-reply 
access-list Local_LAN_Access standard permit 192.168.7.0 255.255.255.0 
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0 
access-list Local_LAN_Access standard permit x.x.x.x 255.255.255.0 
access-list Local_LAN_Access standard permit 192.168.2.0 255.255.255.0 
access-list Local_LAN_Access standard permit 10.0.1.0 255.255.255.0 
access-list Local_LAN_Access standard permit 192.168.5.0 255.255.255.0 
access-list WAN_access_out extended permit ip any any 
access-list WAN_access_out_1 extended permit ip any 192.168.20.0 255.255.255.0 
access-list WAN_access_out_1 extended permit icmp any any 
access-list WAN_access_out_1 extended permit tcp any any eq ftp 
access-list WAN_access_out_1 extended permit tcp any any eq ftp-data 
access-list WAN_access_out_1 extended permit tcp any any eq https 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any eq sip 
access-list WAN_access_out_1 extended permit tcp any any eq smtp 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any eq www 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any object-group Blackberry 
access-list WAN_access_out_1 extended permit object-group TCPUDP any any object-group RTP 
access-list WAN_access_out_1 extended permit tcp any any eq pop3 
access-list WAN_access_out_1 extended permit tcp any any object-group PIUSI 
access-list WAN_access_out_1 extended permit tcp any any object-group CiscoVPN 
access-list Lonsyd_access_in extended permit ip any any 
access-list Lonsyd_access_in_1 extended permit ip any any 
access-list Lonsyd_access_out extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Test 1500
mtu Lonsyd 1500
mtu IT 1500
ip local pool Lonsyd 192.168.20.1-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (WAN) 101 interface
nat (WAN) 0 access-list WAN_nat0_outbound
nat (WAN) 101 192.168.1.0 255.255.255.0
nat (WAN) 101 192.168.20.0 255.255.255.0
nat (Test) 0 access-list inside_nat0_outbound
nat (Lonsyd) 0 access-list inside_nat0_outbound
nat (Lonsyd) 101 10.0.1.0 255.255.255.0
nat (Lonsyd) 101 192.168.1.0 255.255.255.0
nat (Lonsyd) 101 192.168.5.0 255.255.255.0
nat (IT) 0 access-list inside_nat0_outbound
nat (IT) 101 61.88.220.0 255.255.255.0
static (Lonsyd,WAN) x.x.x.x 192.168.1.2 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group WAN_access_out_1 out interface WAN
access-group Lonsyd_access_in_1 in interface Lonsyd
access-group Lonsyd_access_out out interface Lonsyd
route WAN 0.0.0.0 0.0.0.0 61.88.220.230 1
route Lonsyd 10.0.1.0 255.255.255.0 192.168.1.180 1
route Lonsyd 192.168.2.0 255.255.255.0 192.168.1.254 1
route Lonsyd 192.168.5.0 255.255.255.0 192.168.1.180 1
route Lonsyd 192.168.20.0 255.255.255.0 192.168.1.89 1
route Lonsyd 192.168.254.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.13 255.255.255.255 Test
http 192.168.7.69 255.255.255.255 Test
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map WAN_dyn_map 20 set pfs 
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto isakmp identity hostname 
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.69 255.255.255.255 Lonsyd
telnet timeout 5
ssh 192.168.7.69 255.255.255.255 Test
ssh 192.168.7.13 255.255.255.255 Test
ssh 192.168.1.69 255.255.255.255 Lonsyd
ssh timeout 5
console timeout 0
vpn load-balancing 
 interface lbpublic IT
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 20
 vpn-idle-timeout none
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
group-policy Lonsyd internal
group-policy Lonsyd attributes
 wins-server value 192.168.1.3
 dns-server value x.x.x.x x.x.x.x
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
 default-domain value x.x.x.x
group-policy IT internal
group-policy IT attributes
 wins-server value 192.168.1.3
 dns-server value 192.168.1.3 x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
group-policy IDS internal
group-policy IDS attributes
 wins-server value 192.168.1.3
 dns-server value 192.168.1.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Lonsyd_splitTunnelAcl
 default-domain value x.x.x.x
 address-pools value Lonsyd
 
 
************
Vpn User info omitted
************
 
 
prompt hostname context 
Cryptochecksum:287f89d9ebd27f40b16f0734dc50d74f
: end

Question by: justin_smith
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22612362
I'm sorry, this is not possible. What you need is incoming IPsec passthrough and IPsec terminates on the ASA already.
The only other option is to put the 1811 outside the ASA and configure it with a public IP address.
0
 
LVL 5

Expert Comment

by:NutrientMS
ID: 22612584
So your ASA is your gateway to the internet, and the 1811W is your gateway to your other internal subnets?

So since you have your route commands telling the ASA that to get to subnets 10.0.1.* etc. it should go to 192.168.1.180, all you should need is a NAT 0 command for traffic coming from your VPN clients to your internal subnets, and your ASA should route the data to the 1811W, which should route it to where it needs to go from there.

Not sure if this is 100% but I have just done the same thing on my ASA 5510.
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 22614512
From an IPSEC perspective, given the posted configs you should already be able to access the 10.x.x.x networks from a VPN client. If you can't, then it must be either a routing issue, vlan issue, or acl issue. You would not need to terminate the VPN tunnel directly on the router.

Start by removing the "out" acls from the interfaces
no access-group WAN_access_out_1 out interface WAN
no access-group Lonsyd_access_out out interface Lonsyd

Also remove this acl from the interface. The acl is permit ip any any, which is the default, so no acl is required.
no access-group Lonsyd_access_in_1 in interface Lonsyd

Fix the routing issue. You use 192.168.20.0 for the VPN clients, yet you are routing it to yourself?
no route Lonsyd 192.168.20.0 255.255.255.0 192.168.1.89 1

Also, the 192.168.5.0 network is connected to interface IT, yet you are trying to route it back to the 1811?
no route Lonsyd 192.168.5.0 255.255.255.0 192.168.1.180 1
Yet, you have vlan3 on the router with a 192.168.5.x ip address... so is vlan3 connected to the IT interface on the ASA?

Why are you natting at the router?
interface Vlan2
ip address 192.168.1.180 255.255.255.0
ip nat outside <== ?? There is no corresponding nat configuration??

Also, never, never, ever add static routes for directly connected networks. The router knows what networks are connected to itself based on the IP address/mask of the interfaces.

no ip route 10.0.1.0 255.255.255.0 Vlan4 permanent
no ip route 61.88.220.0 255.255.255.0 Vlan3 permanent
no ip route 192.168.1.0 255.255.255.0 Vlan2 permanent
no ip route 192.168.2.0 255.255.255.0 Vlan2 permanent
ip route 192.168.5.0 255.255.255.0 Vlan3 permanent
!

Both configs are a mess, but this might be enough to get you started.
0
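The two findings above (static routes for directly connected networks, and a route whose next hop is the device's own address) and NutrientMS's earlier point (a NAT 0 exemption between the VPN pool and each internal subnet) can all be checked mechanically. The script below is an added example written for this page, not code from the thread or from Cisco. The IOS_CONFIG and ASA_CONFIG strings are fragments trimmed from the configs posted in the question (only the interface, route, pool and nat0 ACL lines the checks read); the function names are mine; the pool check assumes a single `ip local pool` that sits inside one subnet at its stated mask, and it only reports which subnets lack a `permit ip SUBNET POOL` line in the named ACL, not whether that exemption is needed under the nat statements in force.

```python
import ipaddress
import re

# Constructed sample fragments, trimmed from the configs posted in the question
# (only the lines these checks look at; not the full running configs).
IOS_CONFIG = """\
interface Loopback0
 ip address 61.88.220.38 255.255.255.0
interface Vlan2
 ip address 192.168.1.180 255.255.255.0
interface Vlan3
 ip address 192.168.5.60 255.255.255.0
interface Vlan4
 ip address 10.0.1.200 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.89 permanent
ip route 10.0.1.0 255.255.255.0 Vlan4 permanent
ip route 61.88.220.0 255.255.255.0 Vlan3 permanent
ip route 192.168.1.0 255.255.255.0 Vlan2 permanent
ip route 192.168.5.0 255.255.255.0 Vlan3 permanent
"""

ASA_CONFIG = """\
interface GigabitEthernet0/2
 ip address 192.168.1.89 255.255.255.0
interface GigabitEthernet0/3
 ip address 192.168.5.89 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip local pool Lonsyd 192.168.20.1-192.168.20.254 mask 255.255.255.0
route Lonsyd 10.0.1.0 255.255.255.0 192.168.1.180 1
route Lonsyd 192.168.5.0 255.255.255.0 192.168.1.180 1
route Lonsyd 192.168.20.0 255.255.255.0 192.168.1.89 1
"""

# The three subnets the question says the 1811w connects together.
INTERNAL_SUBNETS = ["192.168.1.0/24", "192.168.5.0/24", "10.0.1.0/24"]

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\d[\d.]+) (\d[\d.]+)")
ROUTE_RES = (
    re.compile(r"^ip route (\d[\d.]+) (\d[\d.]+) (\S+)"),   # IOS: ip route NET MASK NEXTHOP|IFACE
    re.compile(r"^route \S+ (\d[\d.]+) (\d[\d.]+) (\S+)"),  # ASA: route IFNAME NET MASK NEXTHOP
)

def connected_interfaces(config):
    """Map interface name -> IPv4Interface for every interface with an 'ip address A MASK' line."""
    found, current = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            found[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return found

def static_routes(config):
    """Yield (destination network, next hop or interface, raw line) for IOS and ASA static routes."""
    for line in config.splitlines():
        for rx in ROUTE_RES:
            if m := rx.match(line):
                yield ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), m.group(3), line.strip()
                break

def routes_to_connected_networks(config):
    """Static routes whose destination is already a directly connected network (redundant at best)."""
    connected = {i.network for i in connected_interfaces(config).values()}
    return [raw for dest, _, raw in static_routes(config) if dest in connected]

def routes_via_own_address(config):
    """Static routes whose next hop is one of the device's own interface addresses (routing to itself)."""
    own = {str(i.ip) for i in connected_interfaces(config).values()}
    return [raw for _, hop, raw in static_routes(config) if hop in own]

def vpn_pool_network(config):
    """Network containing the 'ip local pool' range at its stated mask (assumes one pool in one subnet)."""
    m = re.search(r"^ip local pool \S+ (\d[\d.]+)-\S+ mask (\d[\d.]+)", config, re.M)
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network

def subnets_missing_nat0(config, acl_name, internal_subnets):
    """Internal subnets with no 'permit ip SUBNET POOL' entry in the NAT-exemption ACL."""
    pool = vpn_pool_network(config)
    rx = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip "
                    r"(\d[\d.]+) (\d[\d.]+) (\d[\d.]+) (\d[\d.]+)")
    exempt = set()
    for line in config.splitlines():
        if m := rx.match(line):
            src = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            dst = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}")
            if dst == pool:
                exempt.add(src)
    return [s for s in internal_subnets if ipaddress.IPv4Network(s) not in exempt]

if __name__ == "__main__":
    for label, cfg in (("1811w", IOS_CONFIG), ("ASA", ASA_CONFIG)):
        print(f"[{label}] routes to connected networks:", routes_to_connected_networks(cfg))
        print(f"[{label}] routes via own address:", routes_via_own_address(cfg))
    print("[ASA] subnets not NAT-exempt toward the VPN pool:",
          subnets_missing_nat0(ASA_CONFIG, "inside_nat0_outbound", INTERNAL_SUBNETS))
```

Run against the posted fragments it lists the four 1811w routes lrmoore says to remove, the ASA route for 192.168.5.0 that points back at the router even though 192.168.5.0/24 is connected to the IT interface, the 192.168.20.0 route whose next hop is the ASA itself, and 192.168.5.0/24 as the one internal subnet with no inside_nat0_outbound entry toward the 192.168.20.0/24 client pool. Paste a full `show run` in place of the fragments to audit a real box; the parsers ignore lines they do not recognise.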
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22617371
lrmoore is right about the VPN remote access. BUT if you need the connection tunneled to the 1811 (so the traffic isn't inspected by the ASA or touchable by any other devices) you will need to place it outside the ASA.
0
