Solved

Allowing VPN clients access IP group via site-site tunnel

Posted on 2008-11-01
Last Modified: 2012-08-14
I need to force dial-in VPN clients dialing in to site1 to access a certain range of IP addresses (external addresses, part of a DMZ on site2) via the site-site VPN tunnel to site2 rather than via the Internet.  Local users on site1 can do this but users connected to site1 via a dial-in VPN connection cannot.

I tried to add the rule:

access-list test_acl extended permit ip KFC-VPN-Clients 255.255.255.0 object-group KFC-hk-vlans

This doesn't seem to have worked.  Full config is attached below.


: Saved
: Written by enable_15 at 20:31:36.677 UTC Fri Oct 31 2008
!
ASA Version 7.1(2) 
!
hostname KFC-KST-ASA-001
domain-name kfc.local
enable password xxx encrypted
names
name 172.16.11.252 INT_KFC-KST-ASA-001
name 79.111.222.333 EXT_KFC-KST-ASA-001
name 193.111.222.333 EXT_KFC-CRO-ASA-001
name 85.111.222.333 EXT_SUP-Remote
name 172.16.10.0 INT_Server-VLAN
name 2.2.10.0 WAP-DMZ-Net
name 79.111.222.331 EXT_KFC-KST-VCC-001
name 172.16.11.110 INT_KFC-KST-VCC-001
name 211.127.166.330 EXT_KFC-HKO-VCC-001
name 193.111.222.334 EXT_KFC-CRO-VCC-001
name 208.111.222.333 EXT_KFC-USA-FW
name 10.21.0.0 EXT_KFC-USA-Servers
name 79.111.222.332 webmail.domain1.com
name 79.111.222.334 webmail.domain2.com
name 192.168.10.249 INT_KFC-CRO-BAR-001
name 79.111.222.335 EXT_KFC-CRO-BAR-001
name 193.111.222.333 EXT_KFC_CRO-ASA-001
name 1.1.10.0 KFC-VPN-Clients
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address EXT_KFC-KST-ASA-001 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address INT_KFC-KST-ASA-001 255.255.254.0 
!
interface Ethernet0/2
 nameif WAP_DMZ
 security-level 4
 ip address 2.2.10.254 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd xxx.xxx encrypted
banner login  ----------------------------------------------
banner login !   THIS DEVICE IS PART OF A PRIVATE NETWORK   !
banner login !----------------------------------------------!
banner login ! Unauthorised access or use of this equipment !
banner login !   is prohibited and constitutes an offence   !
banner login !     under the Computer Misuse Act 1990.      !
banner login !    If you are not authorised to use this     !
banner login !     system, terminate this session now.      !
banner login !----------------------------------------------!
banner login !   All Access to this system is logged for    !
banner login !              Security purposes               !
banner login !----------------------------------------------!
ftp mode passive
dns server-group DefaultDNS
 domain-name kfc.local
object-group network KFC-kst-vlans
 network-object INT_Server-VLAN 255.255.254.0
 network-object 172.16.12.0 255.255.254.0
 network-object 172.16.14.0 255.255.254.0
 network-object 192.168.10.0 255.255.255.0
 network-object 172.16.0.0 255.255.254.0
 network-object 172.16.2.0 255.255.254.0
object-group network KFC-cro-vlans
 network-object 172.16.4.0 255.255.254.0
 network-object 192.168.2.0 255.255.255.0
object-group network KFC-hk-vlans
 network-object 10.0.167.0 255.255.255.0
 network-object 211.127.166.145 255.255.255.255
 network-object 211.127.166.146 255.255.255.255
 network-object 211.127.166.147 255.255.255.255
 network-object 211.127.166.148 255.255.255.255
 network-object 211.127.166.149 255.255.255.255
 network-object 211.127.166.150 255.255.255.255
 network-object 211.127.166.152 255.255.255.255
 network-object 211.127.166.153 255.255.255.255
 network-object 211.127.166.155 255.255.255.255
 network-object 211.127.166.156 255.255.255.255
 network-object 211.127.166.157 255.255.255.255
 network-object 211.127.166.158 255.255.255.255
object-group service KFC-vcc-services tcp
 port-object range 3230 3235
 port-object eq h323
object-group service KFC-vcc-services_udp udp
 port-object range 3230 3258
object-group network webmail_servers
 network-object webmail.domain2.com 255.255.255.255
 network-object webmail.domain1.com 255.255.255.255
object-group service webmail_services_tcp tcp
 port-object eq https
object-group service rdp_services_tcp tcp
 port-object range 65001 65010
object-group network webmail_servers_real
 network-object 172.16.0.103 255.255.255.255
 network-object 172.16.0.108 255.255.255.255
access-list inside_out_acl extended permit ip object-group KFC-kst-vlans any 
access-list nonat_acl extended permit ip object-group KFC-kst-vlans object-group KFC-cro-vlans 
access-list nonat_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans 
access-list nonat_acl extended permit ip object-group KFC-kst-vlans WAP-DMZ-Net 255.255.255.0 
access-list nonat_acl extended permit ip object-group KFC-kst-vlans EXT_KFC-USA-Servers 255.255.0.0 
access-list nonat_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0 
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 echo-reply 
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 traceroute 
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 unreachable 
access-list outside_in_acl extended permit tcp host EXT_KFC-HKO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services 
access-list outside_in_acl extended permit udp host EXT_KFC-HKO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services_udp 
access-list outside_in_acl extended permit tcp host EXT_KFC-CRO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services 
access-list outside_in_acl extended permit udp host EXT_KFC-CRO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services_udp 
access-list outside_in_acl extended permit tcp any object-group webmail_servers object-group webmail_services_tcp 
access-list outside_in_acl extended permit tcp any host EXT_KFC-CRO-BAR-001 eq smtp 
access-list outside_in_acl extended permit tcp host EXT_SUP-Remote host EXT_KFC-KST-ASA-001 object-group rdp_services_tcp 
access-list outside_in_acl extended permit tcp any host EXT_KFC-CRO-BAR-001 eq https 
access-list kst_cro_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-cro-vlans 
access-list kst_hk_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans 
access-list wap_dmz_out_acl extended permit udp WAP-DMZ-Net 255.255.255.0 host 172.16.10.101 eq domain 
access-list wap_dmz_out_acl extended permit tcp WAP-DMZ-Net 255.255.255.0 host 172.16.0.108 eq https 
access-list wap_dmz_out_acl extended permit tcp WAP-DMZ-Net 255.255.255.0 host 172.16.0.103 eq https 
access-list wap_dmz_out_acl extended deny ip WAP-DMZ-Net 255.255.255.0 object-group KFC-kst-vlans 
access-list wap_dmz_out_acl extended permit ip WAP-DMZ-Net 255.255.255.0 any 
access-list wap_dmz_nonat_acl extended permit ip WAP-DMZ-Net 255.255.255.0 object-group KFC-kst-vlans 
access-list vpn_split_tunnel_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0 
access-list kst-usa_acl extended permit ip object-group KFC-kst-vlans EXT_KFC-USA-Servers 255.255.0.0 
pager lines 24
logging enable
logging console warnings
logging trap debugging
logging asdm warnings
logging host inside 172.16.10.101
logging message 100000 level debugging
mtu outside 1500
mtu inside 1500
mtu WAP_DMZ 1500
mtu management 1500
ip local pool VPN-DHCPPool 1.1.10.1-1.1.10.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp permit any outside
asdm image disk0:/asdm-512.bin
asdm location EXT_KFC-USA-Servers 255.255.0.0 outside
asdm group KFC-kst-vlans inside
asdm group KFC-cro-vlans outside
asdm group KFC-hk-vlans outside
asdm group webmail_servers_real inside
asdm group webmail_servers outside reference webmail_servers_real
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP_DMZ) 0 access-list wap_dmz_nonat_acl
nat (WAP_DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65001 172.16.0.101 3389 netmask 255.255.255.255 
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65002 172.16.0.102 3389 netmask 255.255.255.255 
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65004 172.16.0.104 3389 netmask 255.255.255.255 
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65005 172.16.0.105 3389 netmask 255.255.255.255 
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65006 172.16.0.106 3389 netmask 255.255.255.255 
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65007 172.16.0.107 3389 netmask 255.255.255.255 
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65009 172.16.10.101 3389 netmask 255.255.255.255 
static (inside,outside) EXT_KFC-KST-VCC-001 INT_KFC-KST-VCC-001 netmask 255.255.255.255 
static (inside,outside) webmail.domain1.com 172.16.0.108 netmask 255.255.255.255 
static (inside,outside) webmail.domain2.com 172.16.0.103 netmask 255.255.255.255 
static (inside,outside) EXT_KFC-CRO-BAR-001 INT_KFC-CRO-BAR-001 netmask 255.255.255.255 
access-group outside_in_acl in interface outside
access-group inside_out_acl in interface inside
access-group wap_dmz_out_acl in interface WAP_DMZ
route outside 0.0.0.0 0.0.0.0 79.173.146.129 1
route inside 192.168.10.0 255.255.255.0 172.16.11.254 1
route inside 172.16.2.0 255.255.254.0 172.16.11.254 1
route inside 172.16.0.0 255.255.254.0 172.16.11.254 1
route inside 172.16.12.0 255.255.254.0 172.16.11.254 1
route inside 172.16.14.0 255.255.254.0 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SDI protocol sdi
aaa-server SDI host 192.168.10.250
 retry-interval 3
 timeout 13
group-policy VPN-Client internal
group-policy VPN-Client attributes
 dns-server value 172.16.0.101 172.16.0.102
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel_acl
 default-domain value KFC.local
 split-dns value KFC.local 
username Admin password xxx encrypted
username VPNUser password xxx encrypted privilege 1
aaa authentication serial console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http INT_Server-VLAN 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map VPN-DYNMap 10 set transform-set AES-128-MD5
crypto map VPNMap 10 match address kst_cro_vpn_acl
crypto map VPNMap 10 set peer EXT_KFC_CRO-ASA-001 
crypto map VPNMap 10 set transform-set AES-128-MD5
crypto map VPNMap 20 match address kst-usa_acl
crypto map VPNMap 20 set peer EXT_KFC-USA-FW 
crypto map VPNMap 20 set transform-set 3DES-MD5
crypto map VPNMap 30 match address kst_hk_vpn_acl
crypto map VPNMap 30 set peer 211.111.222.333 
crypto map VPNMap 30 set transform-set 3DES-MD5
crypto map VPNMap 65535 ipsec-isakmp dynamic VPN-DYNMap
crypto map VPNMap interface outside
crypto ca trustpoint CA1
 enrollment self
 fqdn vpn.domain2.com
 subject-name CN=KFC-KST-ASA-001
 crl configure
crypto ca certificate chain CA1
 certificate 31
    xxx
  quit
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group 193.111.222.333 type ipsec-l2l
tunnel-group 193.111.222.333 ipsec-attributes
 pre-shared-key croxxx
tunnel-group 211.111.222.333 type ipsec-l2l
tunnel-group 211.111.222.333 ipsec-attributes
 pre-shared-key hkxxx
tunnel-group VPN-Client type ipsec-ra
tunnel-group VPN-Client general-attributes
 address-pool VPN-DHCPPool
 authentication-server-group SDI
 default-group-policy VPN-Client
tunnel-group VPN-Client ipsec-attributes
 pre-shared-key xxx
tunnel-group 208.111.222.333 type ipsec-l2l
tunnel-group 208.111.222.333 ipsec-attributes
 pre-shared-key xxx
telnet timeout 5
ssh EXT_SUP-Remote 255.255.255.255 outside
ssh EXT_KFC_CRO-ASA-001 255.255.255.255 outside
ssh INT_Server-VLAN 255.255.254.0 inside
ssh 172.16.12.0 255.255.254.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
priority-queue inside
  tx-ring-limit 256
!
class-map inside-class
 match dscp ef 
 match tunnel-group 193.111.222.333
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect h323 ras 
  inspect h323 h225 
policy-map inside-QoS
 class inside-class
  priority
!
service-policy global_policy global
service-policy inside-QoS interface inside
Cryptochecksum:xxx
: end

Question by: justin-fielding
Accepted Solution by: vivek283 (earned 500 total points), ID: 22887936
Hi,

You will need the following configuration on the ASA:

1. same-security-traffic permit intra-interface
2. change the site-to-site crypto ACL to allow the Remote Access VPN pool to go through the tunnel to Site-2 on both the ends.

HTH

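The two changes in the answer written out against the posted configuration, as an added example that is neither the answerer's nor the original poster's config; it also goes one step beyond the answer by adding the split-tunnel entry the posted group policy needs before the client will send DMZ-bound traffic into the tunnel at all. The far-end ACL name `hk_kst_vpn_acl` is a placeholder, since site2's configuration is not on the page.

```cisco
! --- Site1 (KFC-KST-ASA-001) ---
! 1. Allow a flow that arrives on "outside" (from the dial-in client)
!    to leave on "outside" again (into the site-to-site tunnel).
!    Without this the ASA drops hairpinned traffic.
same-security-traffic permit intra-interface
!
! 2. Add the remote-access pool to the site1 -> site2 crypto ACL so the
!    flow is encrypted into the kst_hk tunnel rather than following the
!    default route to the Internet in the clear. The posted rule put
!    the pool in test_acl, which no crypto map entry references.
access-list kst_hk_vpn_acl extended permit ip KFC-VPN-Clients 255.255.255.0 object-group KFC-hk-vlans
!
! 3. (Beyond the answer.) With split-tunnel-policy tunnelspecified the
!    client only tunnels destinations listed in vpn_split_tunnel_acl,
!    which currently holds KFC-kst-vlans only. Same source/destination
!    order as the existing entry: tunnelled network first, pool second.
access-list vpn_split_tunnel_acl extended permit ip object-group KFC-hk-vlans KFC-VPN-Clients 255.255.255.0
!
! --- Site2 (the peer at 211.111.222.333) --- mirror image of step 2.
! "hk_kst_vpn_acl" is a placeholder: use whichever ACL its crypto map
! entry for site1 names in "match address". The same mirroring applies
! to site2's NAT exemption if it exempts KFC-kst-vlans today (assumed).
access-list hk_kst_vpn_acl extended permit ip object-group KFC-hk-vlans KFC-VPN-Clients 255.255.255.0
!
! Verify from site1 once a client is connected and has sent traffic:
! the SA for this peer should now list 1.1.10.0/24 as a local identity
! and show the encaps/decaps counters moving.
show crypto ipsec sa peer 211.111.222.333
show vpn-sessiondb remote
```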