Solved

cisco asa remote access vpn and lan to lan vpn

Posted on 2009-04-12
2
1,764 Views
Last Modified: 2012-05-06
Hello friends!
I have a problem with my Cisco ASA remote access. Currently I have three LAN-to-LAN tunnels up and running. Now I added the remote access client VPN configuration, but it's not working. Can anyone help me on this? The configuration is attached.
: Saved
: Written by enable_15 at 17:49:53.336 GST Sat Apr 11 2009
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxxxxxx.local
enable password xxxxxxxxxx encrypted
passwd xxxxxxx encrypted
multicast-routing
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.xx.xx.98 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.99.0.254 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address 10.99.20.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 10.99.30.1 255.255.255.0
!
interface Management0/0
 nameif Management
 security-level 100
 ip address 10.99.10.1 255.255.255.0
!
boot config disk0:/start-up
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name xxxxxxxx.local
same-security-traffic permit intra-interface
object-group network UK_NETWORKS
 network-object 10.229.104.0 255.255.255.0
 network-object 10.229.105.0 255.255.255.0
 network-object 10.229.16.0 255.255.255.0
 network-object 10.229.20.80 255.255.255.240
 network-object 10.229.4.0 255.255.255.0
 network-object 10.229.8.0 255.255.255.0
 network-object 10.229.9.0 255.255.255.0
 network-object 10.23.48.0 255.255.255.0
 network-object 192.168.180.0 255.255.255.0
access-list Mail_outside_in extended permit tcp any interface outside eq smtp
access-list Mail_outside_in extended permit tcp any interface outside eq imap4
access-list Mail_outside_in extended permit tcp any interface outside eq 2000
access-list Mail_outside_in extended permit icmp any host 195.xx.xx.98 echo-reply
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 50
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 51
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 500
access-list Mail_outside_in extended permit udp any host 195.xx.xx.98 eq isakmp
access-list outside_3_cryptomap extended permit ip 10.99.0.0 255.255.255.0 object-group UK_NETWORKS
access-list outside_2_cryptomap extended permit ip 10.99.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.99.0.0 255.255.255.0 10.160.188.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.160.188.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 object-group UK_NETWORKS
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.99.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 object-group UK_NETWORKS
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 10.160.188.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.99.40.0 255.255.255.0
access-list inside_in extended permit ip any any
access-list internet_in extended permit icmp any any echo-reply
access-list internet_in extended permit icmp any any source-quench
access-list internet_in extended permit icmp any any unreachable
access-list internet_in extended permit icmp any any time-exceeded
access-list gwvpn standard permit 10.99.0.0 255.255.255.0
access-list gwvpn standard permit 10.103.0.0 255.255.255.0
access-list gwvpn standard permit 10.160.188.0 255.255.255.0
access-list gwvpn standard permit 10.229.104.0 255.255.255.0
access-list gwvpn standard permit 10.229.105.0 255.255.255.0
access-list gwvpn standard permit 10.229.16.0 255.255.255.0
access-list gwvpn standard permit 10.229.20.80 255.255.255.240
access-list gwvpn standard permit 10.229.4.0 255.255.255.0
access-list gwvpn standard permit 10.229.8.0 255.255.255.0
access-list gwvpn standard permit 10.229.9.0 255.255.255.0
access-list gwvpn standard permit 10.23.48.0 255.255.255.0
access-list gwvpn standard permit 192.168.180.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console warnings
logging buffered critical
logging trap errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
mtu dmz 1500
mtu Management 1500
ip local pool vpn_pool 10.99.40.10-10.99.40.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.99.0.0 255.255.255.0
nat (Management) 0 0.0.0.0 0.0.0.0
static (inside,outside) interface 10.99.0.5 netmask 255.255.255.255
access-group Mail_outside_in in interface outside
access-group inside_in in interface inside
access-group internet_in in interface Internet
route outside 0.0.0.0 0.0.0.0 195.xx.xx.97 2
route outside 10.23.48.0 255.255.255.0 195.xx.xx.98 1
route outside 10.99.40.0 255.255.255.0 195.xx.xx.98 1
route outside 10.103.0.0 255.255.255.0 195.xx.xx.98 1
route outside 10.160.188.0 255.255.255.0 195.xx.xx.98 1
route outside 10.229.4.0 255.255.255.0 195.xx.xx.98 1
route outside 10.229.9.0 255.255.255.0 195.xx.xx.98 1
route outside 10.229.16.0 255.255.255.0 195.xx.xx.98 1
route outside 10.229.20.80 255.255.255.255 195.xx.xx.98 1
route outside 10.229.104.0 255.255.255.0 195.xx.xx.98 1
route outside 10.229.105.0 255.255.255.0 195.xx.xx.98 1
route outside 192.168.180.0 255.255.255.0 195.xx.xx.98 1
route outside 194.64.7.0 255.255.255.0 195.xx.xx.97 1
route outside 195.229.96.0 255.255.255.0 195.xx.xx.97 1
route outside 195.229.241.222 255.255.255.255 195.xx.xx.97 1
route outside 212.77.209.0 255.255.255.0 195.xx.xx.97 1
route outside 213.42.20.20 255.255.255.255 195.xx.xx.97 1
route outside 216.82.241.0 255.255.255.0 195.xx.xx.97 1
route outside 216.82.249.0 255.255.255.0 195.xx.xx.97 1
route outside 216.82.254.0 255.255.255.0 195.xx.xx.97 1
route Internet 0.0.0.0 0.0.0.0 10.99.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.99.0.250 255.255.255.255 inside
http 10.99.10.99 255.255.255.255 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set gw-set esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 99 set transform-set gw-set
crypto dynamic-map outside_dyn_map 99 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 212.xx.xx.138
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 32000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 195.xx.xx.114
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set security-association lifetime kilobytes 10000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 194.xx.xx.16
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 7200
crypto map outside_map 3 set security-association lifetime kilobytes 10000
crypto map outside_map 99 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 99
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28000
crypto isakmp nat-traversal  20
telnet 10.99.0.250 255.255.255.255 inside
telnet 10.99.0.5 255.255.255.255 inside
telnet 10.99.10.99 255.255.255.255 Management
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy gwrvpn internal
group-policy gwrvpn attributes
 dns-server value 10.99.0.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gwvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group 194.xx.xx.16 type ipsec-l2l
tunnel-group 194.xx.xx.16 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
tunnel-group 212.xx.xx.138 type ipsec-l2l
tunnel-group 212.xx.xx.138 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
tunnel-group 195.xx.xx.114 type ipsec-l2l
tunnel-group 195.xx.xx.114 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea9e011356c552d78d3166bfedc8d5ea
: end

Question by:senmohan
2 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24125203
Here's the problem. The remote access VPN return traffic will use the Internet interface to reach the client because of the default gateway. You'll need to apply the same or a new (remote access VPN only) crypto map to the "Internet" interface and use the public IP that is mapped to 10.99.20.1 as the server/peer in the remote access client configuration. If you know the public IPs that are connecting and they are static, you can add routes to them via the "outside" interface and the VPN should work, but that is probably unlikely.
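To make the routing decision in the accepted answer concrete, here is an added example (not the answerer's code and not part of the original thread) that replays the ASA's route selection over the `route` lines from the posted config. It uses only the unmasked `outside` routes plus both default routes; the masked `195.xx.xx.97` next hop is replaced by a labelled placeholder, and the VPN client's public address `203.0.113.10` is a constructed sample. The point it shows: a cleartext packet to the pool address `10.99.40.x` does have a route via `outside`, but the IKE/ESP reply to the client's *public* address follows the default route, and the `Internet` default (distance 1) beats the `outside` default (distance 2), so the reply leaves an interface that has no crypto map applied. Hosts inside the networks the config explicitly routes via `outside` do not have this problem, which is consistent with the three LAN-to-LAN tunnels working.

```python
import ipaddress

# Route table taken from the posted `route` lines.  The page masks the
# "outside" next hop as 195.xx.xx.97; the placeholder below keeps the
# interface and administrative distance, which is all the lookup needs.
OUTSIDE_GW = "195.xx.xx.97 (masked on the page)"
ROUTES = [
    # (interface, destination, next hop, administrative distance)
    ("outside",  "0.0.0.0/0",       OUTSIDE_GW,   2),
    ("outside",  "194.64.7.0/24",   OUTSIDE_GW,   1),
    ("outside",  "195.229.96.0/24", OUTSIDE_GW,   1),
    ("outside",  "212.77.209.0/24", OUTSIDE_GW,   1),
    ("Internet", "0.0.0.0/0",       "10.99.20.2", 1),
]

# In the posted config only `crypto map outside_map interface outside` exists.
CRYPTO_MAP_INTERFACES = {"outside"}


def egress(dst, routes=ROUTES):
    """Return (interface, next_hop) the ASA would use for dst: longest
    prefix match first, lowest administrative distance on a tie."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop, distance in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (-net.prefixlen, distance)          # more specific, then lower distance
        if best is None or key < best[0]:
            best = (key, iface, nexthop)
    return None if best is None else (best[1], best[2])


def ipsec_reply_encrypted(client_public_ip, routes=ROUTES):
    """True only if the IKE/ESP reply to the VPN client leaves through an
    interface that has a crypto map applied."""
    iface, _ = egress(client_public_ip, routes)
    return iface in CRYPTO_MAP_INTERFACES


def with_host_route(routes, host, iface, nexthop, distance=1):
    """Copy of the table with a /32 added: the answer's fallback for clients
    whose public addresses are static and known."""
    return routes + [(iface, f"{host}/32", nexthop, distance)]


if __name__ == "__main__":
    client = "203.0.113.10"   # constructed sample client address (TEST-NET-3)
    print("VPN client", client, "->", egress(client),
          "| reply encrypted:", ipsec_reply_encrypted(client))
    for host in ("194.64.7.1", "195.229.96.1", "212.77.209.1"):
        print("host in a statically routed network", host, "->", egress(host))
    fixed = with_host_route(ROUTES, client, "outside", OUTSIDE_GW)
    print("after /32 route via outside:", egress(client, fixed),
          "| reply encrypted:", ipsec_reply_encrypted(client, fixed))
```

The `egress` function implements the usual lookup order (most specific prefix, then lowest distance); the answer's preferred fix, applying a crypto map to `Internet`, corresponds to adding `"Internet"` to `CRYPTO_MAP_INTERFACES`, and the fallback corresponds to `with_host_route`.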
LVL 1

Author Comment

by:senmohan
ID: 24130882
Thanks a lot JFrederick. My second ISP connection is ADSL, so I think I will connect this ADSL directly to my internet router and have policy-based routing so that I can route all my traffic to outside. Give me some time and I will come back to you. Once again, thank you for your valuable and kind information.
