Solved

VPN to WAN Routing with Cisco ASA

Posted on 2008-10-15
Last Modified: 2012-05-05
We have multiple sites connected via an MPLS connection. My main site has an ASA 5520, but the MPLS is connected to a Layer 3 switch, which is then connected to the inside interface of the ASA.

If I statically configure a PC on my LAN with 10.1.1.111 (Layer 3 switch) as the gateway, I can route traffic over the MPLS as seen below:
C:\Documents and Settings\ms>tracert company-dc1

Tracing route to company-dc1.ses.int [10.1.32.25]
over a maximum of 30 hops:

  1    11 ms     1 ms     1 ms  10.1.1.111  (Layer 3 switch)
  2     2 ms     2 ms     2 ms  10.1.1.252  (MPLS Router)
  3    53 ms    62 ms    60 ms  172.20.0.1
  4    83 ms    81 ms    72 ms  172.20.0.17
  5    93 ms    90 ms   134 ms  172.20.0.18  (ASA at destination)
  6    96 ms    91 ms    88 ms  company-dc1.ses.int [10.1.32.25]

I haven't figured out how to route the VPN traffic over the MPLS. Tracert goes nowhere.
ASA Version 8.0(3) 
!
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Interface - Internet
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.224 
 ospf cost 10
!
interface GigabitEthernet0/1
 description Inside interface -
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.252.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 description Subnetted Network for Internet Applications (DMZ)
 nameif intf2
 security-level 4
 ip address 10.1.4.1 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/3
 description VOIP to PBX w/ No Nat
 nameif PBX_VOIP
 security-level 1
 ip address xx.xx.xx.xx 255.255.255.248 
 ospf cost 10
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
 
boot system disk0:/asa803_01112008.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group service Platts tcp
 description Platts Internal Access 
 port-object eq 1838
 port-object range pptp 1726
 port-object eq 700
object-group service GlobalView tcp
 port-object eq 700
 port-object range pptp 1727
object-group service Polycom tcp-udp
 description Polycom Video Conferencing
 port-object range 1503 1503
 port-object range 1720 1720
 port-object range 3230 3237
 port-object range sip sip
object-group service SC_PEM tcp
 description SurfControl_PEM Ports
 port-object range 8282 8282
 port-object range 8663 8663
object-group service SC_PEM_TCP-UDP tcp-udp
 description SC_PEM_TCP-UDP
 port-object range 8282 8282
 port-object range 8663 8663
object-group service 8282 tcp-udp
 description 8282
 port-object range 8281 8283
object-group service 8663 tcp-udp
 description 8663
 port-object range 8662 8664
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Polycom_HDX
 description Polycom_HDX
 service-object tcp-udp range 1024 65535 
 service-object tcp-udp range 161 162 
 service-object tcp-udp eq 389 
 service-object tcp-udp eq 5001 
 service-object tcp-udp eq www 
 service-object tcp-udp eq sip 
 service-object tcp eq 1503 
 service-object tcp eq 1718 
 service-object tcp eq 1719 
 service-object tcp eq 1731 
 service-object tcp eq 24 
 service-object tcp eq 3601 
 service-object tcp eq 8080 
 service-object tcp eq h323 
 service-object tcp eq https 
 service-object tcp eq ldaps 
 service-object tcp eq telnet 
 service-object udp eq ntp 
 service-object udp eq syslog 
 service-object udp 
access-list deny-flow-max 143
access-list intf2 extended permit icmp 10.1.4.0 255.255.255.0 any 
access-list intf2 extended permit ip 10.1.4.0 255.255.255.0 any 
access-list no-nat extended permit ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.252.0 
access-list no-nat extended permit ip 10.1.4.0 255.255.255.0 172.21.246.0 255.255.255.0 
access-list no-nat-inside extended permit ip any 10.1.4.0 255.255.255.0 
access-list no-nat-inside extended permit ip any 172.21.246.0 255.255.255.0 
access-list no-nat-inside extended permit ip interface inside 172.21.246.0 255.255.255.0 
access-list no-nat-inside extended permit ip any xx.xx.xx.xx 255.255.255.248 
access-list 120 extended permit ip 10.1.0.0 255.255.248.0 172.21.246.0 255.255.255.0 
access-list 120 extended permit ip 172.21.246.0 255.255.255.0 10.1.0.0 255.255.248.0 
access-list inbound extended permit icmp any any 
access-list inbound extended permit udp host xx.xx.xx.xx host 0.0.0.0 inactive 
access-list inbound remark Dameware to Test Web Server
access-list inbound extended permit tcp any eq 6129 host xx.xx.xx.xx 
access-list inbound remark FTP to Test Web Server
access-list inbound extended permit tcp any eq ftp host xx.xx.xx.xx 
access-list inbound remark Dameware to Test Web Server
access-list inbound extended permit tcp any eq 6129 host xx.xx.xx.xx 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit udp any host xx.xx.xx.xx eq 3456 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3456 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx range 60256 60511 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit udp any host xx.xx.xx.xx range 60000 60254 
access-list inbound remark Production FTP Server
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq telnet 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 6544 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 7437 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 2020 
access-list inbound remark Metering Solution
access-list inbound extended permit udp any host xx.xx.xx.xx eq 7437 
access-list inbound remark Metering Solution
access-list inbound extended permit udp any host xx.xx.xx.xx eq 2020 
access-list inbound remark Public .Net Application Server HTTP (Public Web, DV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Public .Net Application Server HTTP (Public Web Beta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Waterman Redirect HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Waterman Redirect HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Test Web Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Rockwell Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Rockwell HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Test Web Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark UAT Web Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Polycom_HDX_Acess
access-list inbound extended permit object-group Polycom_HDX any host xx.xx.xx.xx log debugging 
access-list inbound remark UAT Web Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark RMDV Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark RMDV Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark RMDV Server RDP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3389 
access-list inbound remark Test Web Server FTP allow Ground Zero Network
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp 
access-list inbound remark Test Web Server RDP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3389 
access-list inbound remark Public .Net Application Server HTTPS (Public Web, DV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Public .Net Application Server HTTP (SV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Public .Net Application Server HTTP (SV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Temporary  Public .Net Application Server HTTP (Sourceview) - Maintenance Page
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Secondary Public .Net Application Server Secure HTTP Access (Sourceviewbeta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Secondary Public .Net Application Server Secure HTTPS Access (Sourceviewbeta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Public Java Application Server HTTP Access (RMDV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Polycom 8000
access-list inbound extended permit object-group TCPUDP any host xx.xx.xx.xx object-group Polycom 
access-list inbound remark Live Meeting Portal (Unsecure for Redirect to SSL)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Live Meeting Portal
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Kimball Public Web
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Kimball Public Web (Secure)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Kimball FTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp 
access-list inbound remark Front End Exchange Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq smtp 
access-list inbound remark Front End Exchange Web Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Front End Exchange Secure Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Surf Control 8282
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 8282 
access-list inbound remark Surf Control 8663
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 8663 
access-list inbound remark Xodiax Access for monitoring Exchange Web
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq www 
access-list inbound remark Xodiax Access for monitoring Secure Exchange Web
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq https 
access-list inbound remark Xodiax Access for monitoring Exchange
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq smtp 
access-list inbound remark Xodiax Access for monitoring Exchange SMTP Anti-Virus Service
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 26 
access-list inbound remark Xodiax Access for monitoring Exchange SMTP Spam Filtering Service
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 27 
access-list inbound remark Xodiax Access for monitoring Secure Exchange Web
access-list inbound remark Xodiax Access for monitoring Exchange
access-list inbound remark Xodiax Access for monitoring Application (RMDV)
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq www 
access-list inbound remark Allow all traffic from internet to PBX Network Only
access-list inbound extended permit ip any xx.xx.xx.xx 255.255.255.248 
access-list inbound remark Test WebServer 2
access-list inbound extended permit ip any host 10.1.1.241 
access-list ips extended permit ip any any 
access-list outside_cryptomap_dyn_30 extended permit ip interface inside 172.21.246.0 255.255.255.0 
access-list outside_nat0_inbound extended permit ip any xx.xx.xx.xx 255.255.255.248 
access-list 100 extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq https 
access-list 100 extended permit tcp host xx.xx.xx.xx eq https host xx.xx.xx.xx
access-list test extended permit ip host 10.1.2.29 any 
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29 
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29 
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29 
access-list outside_cryptomap_dyn_50 extended permit ip any 172.21.246.0 255.255.255.0 
access-list outside_cryptomap_dyn_70 extended permit ip any 172.21.246.0 255.255.255.0 
access-list 101 extended permit tcp 10.0.0.0 255.0.0.0 host xx.xx.xx.xx eq https 
access-list 101 extended permit tcp host 63.227.188.23 eq https 10.0.0.0 255.0.0.0 
access-list PBX_VOIP_access_in remark Allow all incoming VOIP Traffic
access-list PBX_VOIP_access_in extended permit ip any any 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list capture extended permit tcp any eq www host xx.xx.xx.xx 
access-list capture extended permit tcp host 10.1.31.222 any eq www 
access-list capout extended permit tcp host xx.xx.xx.xx any 
access-list capout extended permit tcp any host xx.xx.xx.xx 
access-list capout extended permit tcp any host xx.xx.xx.xx eq www 
access-list capout extended permit tcp host xx.xx.xx.xx eq www any 
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging host inside 10.1.1.54
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu PBX_VOIP 1500
ip local pool companyvpn 172.21.246.1-172.21.246.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm603.bin
asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 10.0.0.0 255.0.0.0
nat (intf2) 0 access-list no-nat
nat (intf2) 1 10.1.4.0 255.255.255.0
static (inside,outside) xx.xx.xx.xx 10.1.1.77 netmask 255.255.255.255 tcp 0 224 
static (intf2,outside) xx.xx.xx.xx 10.1.4.155 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.149 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.0.110 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.3.230 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.241 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.250 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.100 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.150 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.152 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.153 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.200 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.102 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.222 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.37 netmask 255.255.255.255 tcp 0 224 
static (inside,outside) xx.xx.xx.xx 10.1.1.195 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.43 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.17 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.65 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.239 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.60 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.103 netmask 255.255.255.255 
access-group inbound in interface outside
access-group intf2 in interface intf2
access-group PBX_VOIP_access_in in interface PBX_VOIP
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 10.1.0.0 255.255.0.0 10.1.1.252 1
route inside 10.1.16.0 255.255.248.0 10.1.1.252 1
route inside 10.1.24.0 255.255.248.0 10.1.1.252 1
route inside 10.1.32.0 255.255.248.0 10.1.1.111 1
route inside 172.22.0.0 255.255.255.0 10.1.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SDI protocol sdi
aaa-server SDI host 10.1.1.253
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
aaa local authentication attempts max-fail 10
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1460
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-SHA
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update type Windows url http://xx.xx.xx.xx/updates/CiscoVPN/4.8.00.0440/setup.exe rev-nums vpnclient-win-is-4[1].7.00.0533-k9.exe
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh xx.xx.xx.xx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.1.4.0 255.255.255.0 intf2
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
wccp web-cache password 1CISCO
wccp interface inside web-cache redirect in
ntp server xx.xx.xx.xx source outside
ntp server xx.xx.xx.xx source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 300
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec svc webvpn
 password-storage enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable
  customization value DfltCustomization
group-policy companyssl internal
group-policy companyssl attributes
 dns-server value 10.1.1.25
 vpn-tunnel-protocol svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
group-policy companypix internal
group-policy companypix attributes
 dns-server value 10.1.1.72
 vpn-simultaneous-logins 300
 vpn-idle-timeout 30
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
group-policy companyrsa internal
group-policy companyrsa attributes
 dns-server value 10.1.1.72
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
group-policy ctepl internal
group-policy ctepl attributes
 dns-server value 10.1.1.72
 vpn-simultaneous-logins 300
 vpn-idle-timeout 30
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
 
 
 vpn-group-policy companyrsa
 
 vpn-group-policy ctepl
 
 address-pool xxvpn
 authentication-server-group SDI
 default-group-policy xxssl
tunnel-group xxpix type remote-access
tunnel-group xxpix general-attributes
 address-pool xxvpn
 default-group-policy xxrsa
tunnel-group companypix ipsec-attributes
 pre-shared-key *
tunnel-group companyrsa type remote-access
tunnel-group companyrsa general-attributes
 address-pool companyvpn
 authentication-server-group SDI
 default-group-policy companyrsa
tunnel-group companyrsa ipsec-attributes
 pre-shared-key *
tunnel-group ctepl type remote-access
tunnel-group ctepl general-attributes
 address-pool companyvpn
 default-group-policy ctepl
tunnel-group ctepl ipsec-attributes
 pre-shared-key *
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 address-pool companyvpn
tunnel-group iPhone ipsec-attributes
 pre-shared-key *
!
class-map ips
 match access-list ips
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
 class ips
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:96eac25b09b117063bec2294cc9faa5c
: end


Question by:Summit-IT
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22726023
The L3 switch should have the ASA inside IP as the default route
Your PC's should point to the L3 switch interface for their default gateway

>how to route the VPN traffic over the MPLS.
Can you explain this a little better? I don't see any VPN tunnels configured on the ASA, only dynamic configuration, which looks all screwed up..

 

Author Comment

by:Summit-IT
ID: 22726346
Thanks for the reply!  
For any LAN clients that need to route over the MPLS, we have the Layer 3 switch configured as their gateway. The Layer 3 switch's default route is to the ASA (10.1.1.10).
For LAN clients that don't go over the MPLS (most users), we have DHCP giving them the ASA as the gateway.

When users log into Remote Access VPN (via Cisco VPN Client 4.8 or Cisco AnyConnect), they receive a 172.21.246.x address and can access all resources at the main site (not via the MPLS link). I am trying to grant them access to the other locations when using VPN.

 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 22726435
OK. Suggest changing ACL 120 (split tunnel) to a standard ACL:

access-list 120 standard permit 10.1.0.0 255.255.0.0

Remove all of these:
>crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
>crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
>crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70

And add:
 crypto isakmp nat-traversal 25

Check routes on the L3 switch and make sure 172.21.246.x won't get routed somewhere else and will only default to the default route to the ASA.


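A split-tunnel and static-route coverage check, added here as an example and not code from the thread. It works the accepted answer through against the configuration in the question: the 255.255.248.0 mask on ACL 120 covers only 10.1.0.0 to 10.1.7.255, so a client packet to company-dc1 (10.1.32.25) is never placed in the tunnel and the ASA's `route inside 10.1.32.0 255.255.248.0 10.1.1.111` is never consulted, whereas the proposed standard ACL for 10.1.0.0 255.255.0.0 includes it. The config excerpt and destination addresses come from the posted configuration; the functions and the `VPN_POOL` constant are this example's own.

```python
"""Split-tunnel and static-route coverage check for an ASA 8.0 configuration.

Parses the split-tunnel ACL (standard or extended; masks are ASA subnet masks,
not wildcards) and `route` lines. Only static routes are modelled, not
connected interface subnets.
"""
import ipaddress
import re

# Excerpt of the configuration posted in the question (constructed from it).
ORIGINAL_CONFIG = """
access-list 120 extended permit ip 10.1.0.0 255.255.248.0 172.21.246.0 255.255.255.0
access-list 120 extended permit ip 172.21.246.0 255.255.255.0 10.1.0.0 255.255.248.0
route inside 10.1.0.0 255.255.0.0 10.1.1.252 1
route inside 10.1.32.0 255.255.248.0 10.1.1.111 1
route inside 172.22.0.0 255.255.255.0 10.1.1.252 1
"""
# The standard ACL proposed in the accepted answer.
PROPOSED_ACL = "access-list 120 standard permit 10.1.0.0 255.255.0.0\n"
VPN_POOL = ipaddress.ip_network("172.21.246.0/24")  # `ip local pool companyvpn`


def _address(tokens, i):
    """Read one ASA address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<address> <subnet-mask>"; strict=False tolerates host bits in the address
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def split_tunnel_networks(config, acl_name):
    """Networks the split-tunnel ACL sends through the tunnel (permit entries only)."""
    nets = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", acl_name] or t[3] != "permit":
            continue
        if t[2] == "standard":
            net, _ = _address(t, 4)
        else:  # extended: protocol, source, destination
            src, j = _address(t, 5)
            dst, _ = _address(t, j)
            # The local side is normally the source; if the line is written from
            # the client's side (source = VPN pool), the local side is the destination.
            net = dst if src.subnet_of(VPN_POOL) else src
        nets.append(net)
    return nets


def tunnel_covers(config, acl_name, destination):
    """True if a VPN client's traffic to `destination` is placed into the tunnel."""
    ip = ipaddress.ip_address(destination)
    return any(ip in n for n in split_tunnel_networks(config, acl_name))


def next_hop(config, destination):
    """Longest-prefix match over `route` lines -> (interface, gateway) or None."""
    ip = ipaddress.ip_address(destination)
    best = None
    for m in re.finditer(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", config, re.M):
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m.group(1), m.group(4))
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for dest in ("10.1.1.25", "10.1.32.25"):  # main-site DNS server, company-dc1
        print(dest, "in tunnel (original ACL):", tunnel_covers(ORIGINAL_CONFIG, "120", dest),
              "(proposed ACL):", tunnel_covers(ORIGINAL_CONFIG + PROPOSED_ACL, "120", dest),
              "ASA next hop:", next_hop(ORIGINAL_CONFIG, dest))
```

The same check can be rerun after the config change to confirm that every remote-site subnet reached through 10.1.1.111 or 10.1.1.252 is both inside the split-tunnel list and covered by a `route` statement.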
 

Author Comment

by:Summit-IT
ID: 22743376
Playing around with that now!  

Thanks for the suggestion.  I will post the outcome.
 

Author Comment

by:Summit-IT
ID: 22821330
Going to add another 4 interfaces in our ASA and use one for the MPLS. I think this will simplify this.
