Solved

VPN to WAN Routing with Cisco ASA

Posted on 2008-10-15
Last Modified: 2012-05-05
We have multiple sites connected via an MPLS connection.  My main site has an ASA 5520, but the MPLS is connected to a Layer 3 switch, which is then connected to the inside interface of the ASA.

If I configure a PC on my LAN with a static gateway of 10.1.1.111 (the Layer 3 switch), I can route traffic over the MPLS, as seen below:
C:\Documents and Settings\ms>tracert company-dc1

Tracing route to company-dc1.ses.int [10.1.32.25]
over a maximum of 30 hops:

  1    11 ms     1 ms     1 ms  10.1.1.111  (Layer 3 switch)
  2     2 ms     2 ms     2 ms  10.1.1.252  (MPLS Router)
  3    53 ms    62 ms    60 ms  172.20.0.1
  4    83 ms    81 ms    72 ms  172.20.0.17
  5    93 ms    90 ms   134 ms  172.20.0.18  (ASA at destination)
  6    96 ms    91 ms    88 ms  company-dc1.ses.int [10.1.32.25]

I haven't figured out how to route the VPN traffic over the MPLS.  Tracert goes nowhere.

ASA Version 8.0(3)
!
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Interface - Internet
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.224
 ospf cost 10
!
interface GigabitEthernet0/1
 description Inside interface -
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.252.0
 ospf cost 10
!
interface GigabitEthernet0/2
 description Subnetted Network for Internet Applications (DMZ)
 nameif intf2
 security-level 4
 ip address 10.1.4.1 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/3
 description VOIP to PBX w/ No Nat
 nameif PBX_VOIP
 security-level 1
 ip address xx.xx.xx.xx 255.255.255.248
 ospf cost 10
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0
 management-only
!

boot system disk0:/asa803_01112008.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group service Platts tcp
 description Platts Internal Access
 port-object eq 1838
 port-object range pptp 1726
 port-object eq 700
object-group service GlobalView tcp
 port-object eq 700
 port-object range pptp 1727
object-group service Polycom tcp-udp
 description Polycom Video Conferencing
 port-object range 1503 1503
 port-object range 1720 1720
 port-object range 3230 3237
 port-object range sip sip
object-group service SC_PEM tcp
 description SurfControl_PEM Ports
 port-object range 8282 8282
 port-object range 8663 8663
object-group service SC_PEM_TCP-UDP tcp-udp
 description SC_PEM_TCP-UDP
 port-object range 8282 8282
 port-object range 8663 8663
object-group service 8282 tcp-udp
 description 8282
 port-object range 8281 8283
object-group service 8663 tcp-udp
 description 8663
 port-object range 8662 8664
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Polycom_HDX
 description Polycom_HDX
 service-object tcp-udp range 1024 65535
 service-object tcp-udp range 161 162
 service-object tcp-udp eq 389
 service-object tcp-udp eq 5001
 service-object tcp-udp eq www
 service-object tcp-udp eq sip
 service-object tcp eq 1503
 service-object tcp eq 1718
 service-object tcp eq 1719
 service-object tcp eq 1731
 service-object tcp eq 24
 service-object tcp eq 3601
 service-object tcp eq 8080
 service-object tcp eq h323
 service-object tcp eq https
 service-object tcp eq ldaps
 service-object tcp eq telnet
 service-object udp eq ntp
 service-object udp eq syslog
 service-object udp
access-list deny-flow-max 143
access-list intf2 extended permit icmp 10.1.4.0 255.255.255.0 any
access-list intf2 extended permit ip 10.1.4.0 255.255.255.0 any
access-list no-nat extended permit ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list no-nat extended permit ip 10.1.4.0 255.255.255.0 172.21.246.0 255.255.255.0
access-list no-nat-inside extended permit ip any 10.1.4.0 255.255.255.0
access-list no-nat-inside extended permit ip any 172.21.246.0 255.255.255.0
access-list no-nat-inside extended permit ip interface inside 172.21.246.0 255.255.255.0
access-list no-nat-inside extended permit ip any xx.xx.xx.xx 255.255.255.248
access-list 120 extended permit ip 10.1.0.0 255.255.248.0 172.21.246.0 255.255.255.0
access-list 120 extended permit ip 172.21.246.0 255.255.255.0 10.1.0.0 255.255.248.0
access-list inbound extended permit icmp any any
access-list inbound extended permit udp host xx.xx.xx.xx host 0.0.0.0 inactive
access-list inbound remark Dameware to Test Web Server
access-list inbound extended permit tcp any eq 6129 host xx.xx.xx.xx
access-list inbound remark FTP to Test Web Server
access-list inbound extended permit tcp any eq ftp host xx.xx.xx.xx
access-list inbound remark Dameware to Test Web Server
access-list inbound extended permit tcp any eq 6129 host xx.xx.xx.xx
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit udp any host xx.xx.xx.xx eq 3456
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3456
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx range 60256 60511
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit udp any host xx.xx.xx.xx range 60000 60254
access-list inbound remark Production FTP Server
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq telnet
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 6544
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 7437
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 2020
access-list inbound remark Metering Solution
access-list inbound extended permit udp any host xx.xx.xx.xx eq 7437
access-list inbound remark Metering Solution
access-list inbound extended permit udp any host xx.xx.xx.xx eq 2020
access-list inbound remark Public .Net Application Server HTTP (Public Web, DV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Public .Net Application Server HTTP (Public Web Beta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Waterman Redirect HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Waterman Redirect HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Test Web Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Rockwell Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Rockwell HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Test Web Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark UAT Web Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Polycom_HDX_Acess
access-list inbound extended permit object-group Polycom_HDX any host xx.xx.xx.xx log debugging
access-list inbound remark UAT Web Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark RMDV Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark RMDV Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark RMDV Server RDP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3389
access-list inbound remark Test Web Server FTP allow Ground Zero Network
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp
access-list inbound remark Test Web Server RDP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3389
access-list inbound remark Public .Net Application Server HTTPS (Public Web, DV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Public .Net Application Server HTTP (SV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Public .Net Application Server HTTP (SV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Temporary  Public .Net Application Server HTTP (Sourceview) - Maintenance Page
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Secondary Public .Net Application Server Secure HTTP Access (Sourceviewbeta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Secondary Public .Net Application Server Secure HTTPS Access (Sourceviewbeta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Public Java Application Server HTTP Access (RMDV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Polycom 8000
access-list inbound extended permit object-group TCPUDP any host xx.xx.xx.xx object-group Polycom
access-list inbound remark Live Meeting Portal (Unsecure for Redirect to SSL)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Live Meeting Portal
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Kimball Public Web
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Kimball Public Web (Secure)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Kimball FTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp
access-list inbound remark Front End Exchange Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq smtp
access-list inbound remark Front End Exchange Web Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www
access-list inbound remark Front End Exchange Secure Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound remark Surf Control 8282
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 8282
access-list inbound remark Surf Control 8663
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 8663
access-list inbound remark Xodiax Access for monitoring Exchange Web
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq www
access-list inbound remark Xodiax Access for monitoring Secure Exchange Web
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq https
access-list inbound remark Xodiax Access for monitoring Exchange
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq smtp
access-list inbound remark Xodiax Access for monitoring Exchange SMTP Anti-Virus Service
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 26
access-list inbound remark Xodiax Access for monitoring Exchange SMTP Spam Filtering Service
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 27
access-list inbound remark Xodiax Access for monitoring Secure Exchange Web
access-list inbound remark Xodiax Access for monitoring Exchange
access-list inbound remark Xodiax Access for monitoring Application (RMDV)
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq www
access-list inbound remark Allow all traffic from internet to PBX Network Only
access-list inbound extended permit ip any xx.xx.xx.xx 255.255.255.248
access-list inbound remark Test WebServer 2
access-list inbound extended permit ip any host 10.1.1.241
access-list ips extended permit ip any any
access-list outside_cryptomap_dyn_30 extended permit ip interface inside 172.21.246.0 255.255.255.0
access-list outside_nat0_inbound extended permit ip any xx.xx.xx.xx 255.255.255.248
access-list 100 extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq https
access-list 100 extended permit tcp host xx.xx.xx.xx eq https host xx.xx.xx.xx
access-list test extended permit ip host 10.1.2.29 any
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29
access-list outside_cryptomap_dyn_50 extended permit ip any 172.21.246.0 255.255.255.0
access-list outside_cryptomap_dyn_70 extended permit ip any 172.21.246.0 255.255.255.0
access-list 101 extended permit tcp 10.0.0.0 255.0.0.0 host xx.xx.xx.xx eq https
access-list 101 extended permit tcp host 63.227.188.23 eq https 10.0.0.0 255.0.0.0
access-list PBX_VOIP_access_in remark Allow all incoming VOIP Traffic
access-list PBX_VOIP_access_in extended permit ip any any
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx
access-list capture extended permit tcp any eq www host xx.xx.xx.xx
access-list capture extended permit tcp host 10.1.31.222 any eq www
access-list capout extended permit tcp host xx.xx.xx.xx any
access-list capout extended permit tcp any host xx.xx.xx.xx
access-list capout extended permit tcp any host xx.xx.xx.xx eq www
access-list capout extended permit tcp host xx.xx.xx.xx eq www any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging host inside 10.1.1.54
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu PBX_VOIP 1500
ip local pool companyvpn 172.21.246.1-172.21.246.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm603.bin
asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 10.0.0.0 255.0.0.0
nat (intf2) 0 access-list no-nat
nat (intf2) 1 10.1.4.0 255.255.255.0
static (inside,outside) xx.xx.xx.xx 10.1.1.77 netmask 255.255.255.255 tcp 0 224
static (intf2,outside) xx.xx.xx.xx 10.1.4.155 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.149 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.0.110 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.3.230 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.241 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.250 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.100 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.150 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.152 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.153 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.200 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.102 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.222 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.37 netmask 255.255.255.255 tcp 0 224
static (inside,outside) xx.xx.xx.xx 10.1.1.195 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.43 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.17 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.65 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.239 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.1.1.60 netmask 255.255.255.255
static (intf2,outside) xx.xx.xx.xx 10.1.4.103 netmask 255.255.255.255
access-group inbound in interface outside
access-group intf2 in interface intf2
access-group PBX_VOIP_access_in in interface PBX_VOIP
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 10.1.0.0 255.255.0.0 10.1.1.252 1
route inside 10.1.16.0 255.255.248.0 10.1.1.252 1
route inside 10.1.24.0 255.255.248.0 10.1.1.252 1
route inside 10.1.32.0 255.255.248.0 10.1.1.111 1
route inside 172.22.0.0 255.255.255.0 10.1.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SDI protocol sdi
aaa-server SDI host 10.1.1.253
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1460
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-SHA
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update type Windows url http://xx.xx.xx.xx/updates/CiscoVPN/4.8.00.0440/setup.exe rev-nums vpnclient-win-is-4[1].7.00.0533-k9.exe
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh xx.xx.xx.xx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.1.4.0 255.255.255.0 intf2
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
wccp web-cache password 1CISCO
wccp interface inside web-cache redirect in
ntp server xx.xx.xx.xx source outside
ntp server xx.xx.xx.xx source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 300
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec svc webvpn
 password-storage enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable
  customization value DfltCustomization
group-policy companyssl internal
group-policy companyssl attributes
 dns-server value 10.1.1.25
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int
group-policy companypix internal
group-policy companypix attributes
 dns-server value 10.1.1.72
 vpn-simultaneous-logins 300
 vpn-idle-timeout 30
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int
group-policy companyrsa internal
group-policy companyrsa attributes
 dns-server value 10.1.1.72
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int
group-policy ctepl internal
group-policy ctepl attributes
 dns-server value 10.1.1.72
 vpn-simultaneous-logins 300
 vpn-idle-timeout 30
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int

 vpn-group-policy companyrsa

 vpn-group-policy ctepl

 address-pool xxvpn
 authentication-server-group SDI
 default-group-policy xxssl
tunnel-group xxpix type remote-access
tunnel-group xxpix general-attributes
 address-pool xxvpn
 default-group-policy xxrsa
tunnel-group companypix ipsec-attributes
 pre-shared-key *
tunnel-group companyrsa type remote-access
tunnel-group companyrsa general-attributes
 address-pool companyvpn
 authentication-server-group SDI
 default-group-policy companyrsa
tunnel-group companyrsa ipsec-attributes
 pre-shared-key *
tunnel-group ctepl type remote-access
tunnel-group ctepl general-attributes
 address-pool companyvpn
 default-group-policy ctepl
tunnel-group ctepl ipsec-attributes
 pre-shared-key *
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 address-pool companyvpn
tunnel-group iPhone ipsec-attributes
 pre-shared-key *
!
class-map ips
 match access-list ips
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
 class ips
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:96eac25b09b117063bec2294cc9faa5c
: end


Question by:Summit-IT
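Before this VPN becomes the path into the MPLS sites, a reviewer would want to flag a few settings that are visible in the configuration above, independent of the routing question. The following Python script is an added example for this page, not something posted in the thread: it runs a handful of narrow, line-based checks over a constructed excerpt of the posted configuration (addresses left redacted as `xx.xx.xx.xx`, exactly as in the question) and reports the `myset` transform set that `dynmap 10` applies to clients (single DES with MD5), management protocols permitted from `0.0.0.0 0.0.0.0`, and inbound ACEs that permit all IP traffic from any source.

```python
"""Added example (not from the thread): a small, line-based audit of the
ASA 8.0(3) configuration posted in the question.  SAMPLE_CONFIG is a
constructed excerpt; every line in it appears in the posted config."""
import re

SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https
access-list inbound extended permit ip any xx.xx.xx.xx 255.255.255.248
access-list inbound extended permit ip any host 10.1.1.241
"""

# Algorithms that should not protect a remote-access tunnel any more.
WEAK_ALGS = {"esp-des", "esp-md5-hmac"}


def weak_transform_sets(config):
    """Map transform-set name -> sorted list of weak algorithms it uses."""
    weak = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.*)", line)
        if m:
            bad = WEAK_ALGS & set(m.group(2).split())
            if bad:
                weak[m.group(1)] = sorted(bad)
    return weak


def transform_sets_in_use(config):
    """Transform sets referenced by a static or dynamic crypto-map entry."""
    pat = re.compile(r"crypto (?:dynamic-)?map \S+ \d+ set transform-set (\S+)")
    return {m.group(1) for m in map(pat.match, config.splitlines()) if m}


def management_exposure(config):
    """(protocol, interface) pairs where http/ssh/telnet is allowed from any source."""
    pat = re.compile(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
    return [(m.group(1), m.group(2)) for m in map(pat.match, config.splitlines()) if m]


def permit_ip_any_inbound(config, acl="inbound"):
    """Destinations of ACEs in `acl` that permit all IP traffic from any source."""
    pat = re.compile(rf"access-list {acl} extended permit ip any (.+)")
    return [m.group(1).strip() for m in map(pat.match, config.splitlines()) if m]


def audit(config):
    """Return human-readable findings, highest-impact first."""
    findings = []
    weak = weak_transform_sets(config)
    for name in sorted(weak.keys() & transform_sets_in_use(config)):
        findings.append(f"transform set {name} is in use and relies on {', '.join(weak[name])}")
    for proto, intf in management_exposure(config):
        # Any-source management on the Internet-facing interface, or cleartext
        # telnet anywhere, is worth a finding; ssh/http from inside is noted only.
        if intf == "outside" or proto == "telnet":
            findings.append(f"{proto} management permitted from 0.0.0.0/0 on {intf}")
    for dst in permit_ip_any_inbound(config):
        findings.append(f"inbound ACL permits all IP from any source to {dst}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
```

The checks are deliberately literal (they match the exact spellings used in this config dump) so that they can be run against a `show running-config` capture without a full parser; a real review would extend them with the ISAKMP policy lines (`hash md5` in policy 10 is another candidate) and the `any`-source `test` and `capout` lists.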
5 Comments

Expert Comment
by:lrmoore
The L3 switch should have the ASA inside IP as the default route.
Your PCs should point to the L3 switch interface for their default gateway.

>how to route the VPN traffic over the MPLS.
Can you explain this a little better? I don't see any VPN tunnels configured on the ASA, only dynamic configuration, which looks all screwed up.


Author Comment
by:Summit-IT
Thanks for the reply!
For any LAN clients that need to route over the MPLS, we have the Layer 3 switch configured as their gateway.  The Layer 3 switch's default route is to the ASA (10.1.1.10).
For LAN clients that don't go over the MPLS (most users), we have DHCP giving them the ASA as the gateway.

When users log into Remote Access VPN (via Cisco VPN Client 4.8 or Cisco AnyConnect), they receive a 172.21.246.x address and can access all resources at the main site (not via the MPLS link).  I am trying to grant them access to the other locations when using VPN.


Accepted Solution
by: lrmoore (earned 500 total points)
OK. Suggest changing ACL 120 (split tunnel) to a standard ACL:

access-list 120 standard permit 10.1.0.0 255.255.0.0

Remove all of these:
>crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
>crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
>crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_70

And add:
 crypto isakmp nat-traversal 25

Check routes on the L3 switch and make sure 172.21.246.x won't get routed somewhere else and will only default to the default route to the ASA.


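Two decisions determine whether a VPN client ever reaches a remote MPLS site such as 10.1.32.25: the split-tunnel list on the client (the posted ACL 120 covers only 10.1.0.0 255.255.248.0, i.e. 10.1.0.0/21, so traffic for 10.1.32.x never enters the tunnel), and the return route on the L3 switch for the 172.21.246.0/24 pool. The following Python script is added here as an illustration and is not part of the thread; it models both decisions with the standard-library `ipaddress` module. The ASA static routes and the two versions of the split-tunnel network are taken from the question and the accepted answer; the L3 switch routing tables are constructed assumptions, since the thread does not show them.

```python
"""Added example (not from the thread): model the two routing decisions that
decide whether a remote-access VPN client reaches a remote MPLS site.

  1. Client side: only destinations inside the split-tunnel network list are
     encrypted into the tunnel; anything else leaves via the client's local
     connection, which is why "tracert goes nowhere".
  2. Return path: replies to the client's pool address (172.21.246.x) must be
     routed back to the ASA, which holds the client's VPN session.
"""
import ipaddress

# Split-tunnel network as posted in acl 120: 10.1.0.0 255.255.248.0 (/21).
SPLIT_TUNNEL_ORIGINAL = [("10.1.0.0", "255.255.248.0")]
# Split-tunnel network from the accepted answer: 10.1.0.0 255.255.0.0 (/16).
SPLIT_TUNNEL_FIXED = [("10.1.0.0", "255.255.0.0")]

# Static routes from the posted ASA config.  The outside default gateway is
# redacted in the post, so a placeholder name stands in for it.
ASA_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "OUTSIDE-GW"),
    ("10.1.0.0", "255.255.0.0", "10.1.1.252"),
    ("10.1.16.0", "255.255.248.0", "10.1.1.252"),
    ("10.1.24.0", "255.255.248.0", "10.1.1.252"),
    ("10.1.32.0", "255.255.248.0", "10.1.1.111"),
    ("172.22.0.0", "255.255.255.0", "10.1.1.252"),
]
ASA_INSIDE = "10.1.1.10"

# Constructed L3 switch table (assumption): the remote site via the MPLS
# router, everything else via the default route to the ASA inside interface.
L3_SWITCH_ROUTES_OK = [
    ("10.1.32.0", "255.255.248.0", "10.1.1.252"),
    ("0.0.0.0", "0.0.0.0", ASA_INSIDE),
]
# Same table plus a stray summary route that captures the VPN pool: the
# situation the accepted answer tells the poster to check for.
L3_SWITCH_ROUTES_BAD = L3_SWITCH_ROUTES_OK + [
    ("172.16.0.0", "255.240.0.0", "10.1.1.252"),
]


def to_network(addr, mask):
    """Build a network from Cisco-style 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def in_split_tunnel(dst, split_list):
    """True if the client will send traffic for dst into the tunnel."""
    d = ipaddress.ip_address(dst)
    return any(d in to_network(a, m) for a, m in split_list)


def next_hop(dst, routes):
    """Longest-prefix match over a (network, mask, next_hop) table."""
    d = ipaddress.ip_address(dst)
    best = None
    for a, m, nh in routes:
        net = to_network(a, m)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def vpn_client_can_reach(dst, split_list, l3_routes, pool_addr="172.21.246.10"):
    """Forward leg: the client tunnels dst and the ASA forwards it inside
    (not out its default route).  Reverse leg: the L3 switch sends the pool
    address back to the ASA.  Both must hold."""
    forward_ok = in_split_tunnel(dst, split_list) and next_hop(dst, ASA_ROUTES) != "OUTSIDE-GW"
    reverse_ok = next_hop(pool_addr, l3_routes) == ASA_INSIDE
    return forward_ok and reverse_ok


if __name__ == "__main__":
    for label, split in (("original acl 120", SPLIT_TUNNEL_ORIGINAL),
                         ("fixed acl 120", SPLIT_TUNNEL_FIXED)):
        print(f"{label}: 10.1.32.25 reachable = "
              f"{vpn_client_can_reach('10.1.32.25', split, L3_SWITCH_ROUTES_OK)}")
    print("fixed acl 120, stray 172.16/12 route on L3 switch:",
          vpn_client_can_reach("10.1.32.25", SPLIT_TUNNEL_FIXED, L3_SWITCH_ROUTES_BAD))
```

Running it shows the main-site address 10.1.1.25 already matched the original /21 (which is why local resources worked), that 10.1.32.25 only enters the tunnel once the list is widened to /16, and that a stray aggregate covering 172.21.0.0 on the L3 switch would break the return leg even with the wider split-tunnel list.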

Author Comment
by:Summit-IT
Playing around with that now!  

Thanks for the suggestion.  I will post the outcome.

Author Comment
by:Summit-IT
Going to add another 4 interfaces in our ASA and use one for the MPLS.  I think this will simplify this.