Solved

Allowing VPN clients access IP group via site-site tunnel

Posted on 2008-11-01
732 Views
Last Modified: 2012-08-14
I need to force dial-in VPN clients dialing in to site1 to access a certain range of IP addresses (external addresses, part of a DMZ on site2) via the site-site VPN tunnel to site2 rather than via the Internet. Local users on site1 can do this, but users connected to site1 via a dial-in VPN connection cannot.

I tried to add the rule:

access-list test_acl extended permit ip KFC-VPN-Clients 255.255.255.0 object-group KFC-hk-vlans

This doesn't seem to have worked. The full config is attached below.


: Saved
: Written by enable_15 at 20:31:36.677 UTC Fri Oct 31 2008
!
ASA Version 7.1(2)
!
hostname KFC-KST-ASA-001
domain-name kfc.local
enable password xxx encrypted
names
name 172.16.11.252 INT_KFC-KST-ASA-001
name 79.111.222.333 EXT_KFC-KST-ASA-001
name 193.111.222.333 EXT_KFC-CRO-ASA-001
name 85.111.222.333 EXT_SUP-Remote
name 172.16.10.0 INT_Server-VLAN
name 2.2.10.0 WAP-DMZ-Net
name 79.111.222.331 EXT_KFC-KST-VCC-001
name 172.16.11.110 INT_KFC-KST-VCC-001
name 211.127.166.330 EXT_KFC-HKO-VCC-001
name 193.111.222.334 EXT_KFC-CRO-VCC-001
name 208.111.222.333 EXT_KFC-USA-FW
name 10.21.0.0 EXT_KFC-USA-Servers
name 79.111.222.332 webmail.domain1.com
name 79.111.222.334 webmail.domain2.com
name 192.168.10.249 INT_KFC-CRO-BAR-001
name 79.111.222.335 EXT_KFC-CRO-BAR-001
name 193.111.222.333 EXT_KFC_CRO-ASA-001
name 1.1.10.0 KFC-VPN-Clients
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address EXT_KFC-KST-ASA-001 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address INT_KFC-KST-ASA-001 255.255.254.0
!
interface Ethernet0/2
 nameif WAP_DMZ
 security-level 4
 ip address 2.2.10.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx.xxx encrypted
banner login  ----------------------------------------------
banner login !   THIS DEVICE IS PART OF A PRIVATE NETWORK   !
banner login !----------------------------------------------!
banner login ! Unauthorised access or use of this equipment !
banner login !   is prohibited and constitutes an offence   !
banner login !     under the Computer Misuse Act 1990.      !
banner login !    If you are not authorised to use this     !
banner login !     system, terminate this session now.      !
banner login !----------------------------------------------!
banner login !   All Access to this system is logged for    !
banner login !              Security purposes               !
banner login !----------------------------------------------!
ftp mode passive
dns server-group DefaultDNS
 domain-name kfc.local
object-group network KFC-kst-vlans
 network-object INT_Server-VLAN 255.255.254.0
 network-object 172.16.12.0 255.255.254.0
 network-object 172.16.14.0 255.255.254.0
 network-object 192.168.10.0 255.255.255.0
 network-object 172.16.0.0 255.255.254.0
 network-object 172.16.2.0 255.255.254.0
object-group network KFC-cro-vlans
 network-object 172.16.4.0 255.255.254.0
 network-object 192.168.2.0 255.255.255.0
object-group network KFC-hk-vlans
 network-object 10.0.167.0 255.255.255.0
 network-object 211.127.166.145 255.255.255.255
 network-object 211.127.166.146 255.255.255.255
 network-object 211.127.166.147 255.255.255.255
 network-object 211.127.166.148 255.255.255.255
 network-object 211.127.166.149 255.255.255.255
 network-object 211.127.166.150 255.255.255.255
 network-object 211.127.166.152 255.255.255.255
 network-object 211.127.166.153 255.255.255.255
 network-object 211.127.166.155 255.255.255.255
 network-object 211.127.166.156 255.255.255.255
 network-object 211.127.166.157 255.255.255.255
 network-object 211.127.166.158 255.255.255.255
object-group service KFC-vcc-services tcp
 port-object range 3230 3235
 port-object eq h323
object-group service KFC-vcc-services_udp udp
 port-object range 3230 3258
object-group network webmail_servers
 network-object webmail.domain2.com 255.255.255.255
 network-object webmail.domain1.com 255.255.255.255
object-group service webmail_services_tcp tcp
 port-object eq https
object-group service rdp_services_tcp tcp
 port-object range 65001 65010
object-group network webmail_servers_real
 network-object 172.16.0.103 255.255.255.255
 network-object 172.16.0.108 255.255.255.255
access-list inside_out_acl extended permit ip object-group KFC-kst-vlans any
access-list nonat_acl extended permit ip object-group KFC-kst-vlans object-group KFC-cro-vlans
access-list nonat_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans
access-list nonat_acl extended permit ip object-group KFC-kst-vlans WAP-DMZ-Net 255.255.255.0
access-list nonat_acl extended permit ip object-group KFC-kst-vlans EXT_KFC-USA-Servers 255.255.0.0
access-list nonat_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 echo-reply
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 traceroute
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 unreachable
access-list outside_in_acl extended permit tcp host EXT_KFC-HKO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services
access-list outside_in_acl extended permit udp host EXT_KFC-HKO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services_udp
access-list outside_in_acl extended permit tcp host EXT_KFC-CRO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services
access-list outside_in_acl extended permit udp host EXT_KFC-CRO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services_udp
access-list outside_in_acl extended permit tcp any object-group webmail_servers object-group webmail_services_tcp
access-list outside_in_acl extended permit tcp any host EXT_KFC-CRO-BAR-001 eq smtp
access-list outside_in_acl extended permit tcp host EXT_SUP-Remote host EXT_KFC-KST-ASA-001 object-group rdp_services_tcp
access-list outside_in_acl extended permit tcp any host EXT_KFC-CRO-BAR-001 eq https
access-list kst_cro_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-cro-vlans
access-list kst_hk_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans
access-list wap_dmz_out_acl extended permit udp WAP-DMZ-Net 255.255.255.0 host 172.16.10.101 eq domain
access-list wap_dmz_out_acl extended permit tcp WAP-DMZ-Net 255.255.255.0 host 172.16.0.108 eq https
access-list wap_dmz_out_acl extended permit tcp WAP-DMZ-Net 255.255.255.0 host 172.16.0.103 eq https
access-list wap_dmz_out_acl extended deny ip WAP-DMZ-Net 255.255.255.0 object-group KFC-kst-vlans
access-list wap_dmz_out_acl extended permit ip WAP-DMZ-Net 255.255.255.0 any
access-list wap_dmz_nonat_acl extended permit ip WAP-DMZ-Net 255.255.255.0 object-group KFC-kst-vlans
access-list vpn_split_tunnel_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0
access-list kst-usa_acl extended permit ip object-group KFC-kst-vlans EXT_KFC-USA-Servers 255.255.0.0
pager lines 24
logging enable
logging console warnings
logging trap debugging
logging asdm warnings
logging host inside 172.16.10.101
logging message 100000 level debugging
mtu outside 1500
mtu inside 1500
mtu WAP_DMZ 1500
mtu management 1500
ip local pool VPN-DHCPPool 1.1.10.1-1.1.10.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp permit any outside
asdm image disk0:/asdm-512.bin
asdm location EXT_KFC-USA-Servers 255.255.0.0 outside
asdm group KFC-kst-vlans inside
asdm group KFC-cro-vlans outside
asdm group KFC-hk-vlans outside
asdm group webmail_servers_real inside
asdm group webmail_servers outside reference webmail_servers_real
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP_DMZ) 0 access-list wap_dmz_nonat_acl
nat (WAP_DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65001 172.16.0.101 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65002 172.16.0.102 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65004 172.16.0.104 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65005 172.16.0.105 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65006 172.16.0.106 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65007 172.16.0.107 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65009 172.16.10.101 3389 netmask 255.255.255.255
static (inside,outside) EXT_KFC-KST-VCC-001 INT_KFC-KST-VCC-001 netmask 255.255.255.255
static (inside,outside) webmail.domain1.com 172.16.0.108 netmask 255.255.255.255
static (inside,outside) webmail.domain2.com 172.16.0.103 netmask 255.255.255.255
static (inside,outside) EXT_KFC-CRO-BAR-001 INT_KFC-CRO-BAR-001 netmask 255.255.255.255
access-group outside_in_acl in interface outside
access-group inside_out_acl in interface inside
access-group wap_dmz_out_acl in interface WAP_DMZ
route outside 0.0.0.0 0.0.0.0 79.173.146.129 1
route inside 192.168.10.0 255.255.255.0 172.16.11.254 1
route inside 172.16.2.0 255.255.254.0 172.16.11.254 1
route inside 172.16.0.0 255.255.254.0 172.16.11.254 1
route inside 172.16.12.0 255.255.254.0 172.16.11.254 1
route inside 172.16.14.0 255.255.254.0 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SDI protocol sdi
aaa-server SDI host 192.168.10.250
 retry-interval 3
 timeout 13
group-policy VPN-Client internal
group-policy VPN-Client attributes
 dns-server value 172.16.0.101 172.16.0.102
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel_acl
 default-domain value KFC.local
 split-dns value KFC.local
username Admin password xxx encrypted
username VPNUser password xxx encrypted privilege 1
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http INT_Server-VLAN 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN-DYNMap 10 set transform-set AES-128-MD5
crypto map VPNMap 10 match address kst_cro_vpn_acl
crypto map VPNMap 10 set peer EXT_KFC_CRO-ASA-001
crypto map VPNMap 10 set transform-set AES-128-MD5
crypto map VPNMap 20 match address kst-usa_acl
crypto map VPNMap 20 set peer EXT_KFC-USA-FW
crypto map VPNMap 20 set transform-set 3DES-MD5
crypto map VPNMap 30 match address kst_hk_vpn_acl
crypto map VPNMap 30 set peer 211.111.222.333
crypto map VPNMap 30 set transform-set 3DES-MD5
crypto map VPNMap 65535 ipsec-isakmp dynamic VPN-DYNMap
crypto map VPNMap interface outside
crypto ca trustpoint CA1
 enrollment self
 fqdn vpn.domain2.com
 subject-name CN=KFC-KST-ASA-001
 crl configure
crypto ca certificate chain CA1
 certificate 31
    xxx
  quit
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group 193.111.222.333 type ipsec-l2l
tunnel-group 193.111.222.333 ipsec-attributes
 pre-shared-key croxxx
tunnel-group 211.111.222.333 type ipsec-l2l
tunnel-group 211.111.222.333 ipsec-attributes
 pre-shared-key hkxxx
tunnel-group VPN-Client type ipsec-ra
tunnel-group VPN-Client general-attributes
 address-pool VPN-DHCPPool
 authentication-server-group SDI
 default-group-policy VPN-Client
tunnel-group VPN-Client ipsec-attributes
 pre-shared-key xxx
tunnel-group 208.111.222.333 type ipsec-l2l
tunnel-group 208.111.222.333 ipsec-attributes
 pre-shared-key xxx
telnet timeout 5
ssh EXT_SUP-Remote 255.255.255.255 outside
ssh EXT_KFC_CRO-ASA-001 255.255.255.255 outside
ssh INT_Server-VLAN 255.255.254.0 inside
ssh 172.16.12.0 255.255.254.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
priority-queue inside
  tx-ring-limit 256
!
class-map inside-class
 match dscp ef
 match tunnel-group 193.111.222.333
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect h323 ras
  inspect h323 h225
policy-map inside-QoS
 class inside-class
  priority
!
service-policy global_policy global
service-policy inside-QoS interface inside
Cryptochecksum:xxx
: end

Question by: justin-fielding

Accepted Solution by: vivek283 (LVL 2, earned 500 total points), ID: 22887936
Hi,

You will need the following configuration on the ASA:

1. same-security-traffic permit intra-interface
2. change the site-to-site crypto ACL to allow the Remote Access VPN pool to go through the tunnel to Site-2 on both the ends.

HTH

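The two steps in the accepted answer, written out against the Site1 config posted above, as an added example (this is neither the poster's config nor vivek283's text). Names taken from the page: KFC-VPN-Clients (1.1.10.0/24), kst_hk_vpn_acl, KFC-hk-vlans, vpn_split_tunnel_acl and the HK peer 211.111.222.333. The Site2 ACL and object-group names are assumptions, since that firewall's config is not on the page. The example also adds a split-tunnel entry the answer does not mention: the posted vpn_split_tunnel_acl lists only KFC-kst-vlans, so the client would keep sending HK-bound packets out its Internet interface no matter what the ASA permits. Note that the poster's own test_acl line is not referenced by any crypto map, nat statement or group policy, which is why adding it changed nothing.

```cisco
! ===== Site1: KFC-KST-ASA-001 (added example, not the poster's config) =====
!
! 1. The client's packets arrive on 'outside' and must leave on 'outside'
!    again, into the L2L tunnel. The ASA drops such hairpinned flows unless
!    intra-interface traffic is explicitly permitted.
same-security-traffic permit intra-interface
!
! 2a. Add the RA pool to the HK crypto ACL so client-to-HK traffic is
!     encrypted into the existing VPNMap 30 tunnel instead of being routed
!     to the Internet. The existing KFC-kst-vlans line stays in place.
access-list kst_hk_vpn_acl extended permit ip KFC-VPN-Clients 255.255.255.0 object-group KFC-hk-vlans
!
! 3. Push the HK ranges to the client as a tunnelled network (not in the
!    accepted answer, but required with split-tunnel-policy tunnelspecified).
!    Same source/destination order as the existing split-tunnel entry.
access-list vpn_split_tunnel_acl extended permit ip object-group KFC-hk-vlans KFC-VPN-Clients 255.255.255.0
!
! NAT: nothing to add here. The posted config has no nat (outside) rule and
! nat-control is not enabled (off by default on 7.x), so outside-to-outside
! traffic is not translated. If nat-control were turned on, a
! "nat (outside) 0 access-list <acl>" exemption for the pool would be needed.
!
! Existing SAs were negotiated with the old proxy IDs; rebuild them so the
! new entry takes effect, then check that a client-to-HK flow creates an SA.
clear crypto ipsec sa peer 211.111.222.333
show crypto ipsec sa peer 211.111.222.333

! ===== Site2: HK peer (mirror image; ACL/group names are assumptions) =====
!
! 2b. The peer's crypto ACL must contain the matching reverse entry, or
!     phase 2 fails with a proxy-identity mismatch. 1.1.10.0/24 is the
!     Site1 pool, written as a literal because the 'name' entries are local.
access-list hk_kst_vpn_acl extended permit ip object-group HK-local-vlans 1.1.10.0 255.255.255.0
```

Order matters on both firewalls: edit the crypto ACLs first, then clear the SA toward the peer, otherwise the tunnel re-establishes with the old selectors and the client flow is still sent unencrypted toward the default route. On Site1 the reconnecting VPN client only picks up the new split-tunnel list on its next login.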