
Cisco ASA: Communication between VPN clients & VPN peers accessing the internet through the ASA

I am setting up a VPN connection for some road-based employees (inspectors). They are connecting to our Cisco ASA 5510 via mobile AirCards. I would like 1) all internet requests funneled through the VPN connection and out the ASA, and 2) to be able to remotely connect to VPN clients when I myself am connected through a VPN (NetTechs).
I enabled same-security permit intra-interface & same-security permit inter-interface, but I was not able to connect to VPN clients or to the internet via the VPN connection. I ran packet-tracer and it looks like an ACL is blocking my connection. Can you please tell me what I need to do to meet my requirements?

ASA Version 8.0(4)
!
hostname TownhallASA
domain-name Middletown
enable password 1yFYzpCfFeDvXC83 encrypted
passwd 1yFYzpCfFeDvXC83 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 71.xxx.xxx.34 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
interface Ethernet0/2
 description dsl connection
 nameif dsl
 security-level 0
 ip address 71.xxx.xxx.208 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
!
time-range Harris
 periodic Monday 7:00 to Friday 20:00
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.100.100.16
 domain-name Middletown
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6004
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.100.102.0 255.255.255.0
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq smtp
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq pop3
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq www
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq https
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6001
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6002
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6004
access-list DSLOUTSIDE extended permit icmp any any echo-reply
access-list DSLOUTSIDE extended permit icmp any any source-quench
access-list DSLOUTSIDE extended permit icmp any any unreachable
access-list DSLOUTSIDE extended permit icmp any any time-exceeded
access-list NetTechs_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dsl 1500
mtu management 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 10.100.100.19 3101 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DSLOUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.34 1
route dsl 0.0.0.0 0.0.0.0 71.xxx.xxx.208 2
route dsl 10.100.90.0 255.255.255.0 10.100.100.1 1
route dsl 209.xxx.xxx.178 255.255.255.255 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server middletownvpn protocol nt
 reactivation-mode timed
 max-failed-attempts 4
aaa-server middletownvpn (inside) host 10.100.100.16
http server enable
http 10.100.102.0 255.255.255.0 inside
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 180 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 200 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 220 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 240 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 260 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 280 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 300 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 320 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 340 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 360 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable dsl
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd domain Middletown
dhcpd update dns both
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.35.82.50 source outside
group-policy vendors internal
group-policy vendors attributes
 wins-server none
 dns-server value 10.100.100.16
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendors_splitTunnelAcl
 default-domain value Middletown
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
 dns-server value 10.100.100.16
 dhcp-network-scope 10.100.101.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wwtp_splitTunnelAcl
 default-domain value Middletown
 webvpn
  sso-server none
group-policy Inspectors internal
group-policy Inspectors attributes
 dns-server value 10.100.100.16
 dhcp-network-scope 10.100.101.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 default-domain value Middletown
group-policy NetTechs internal
group-policy NetTechs attributes
 dns-server value 10.100.100.16
 dhcp-network-scope 10.100.102.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NetTechs_splitTunnelAcl
 default-domain value Middletown
 vlan none
username WWTP password lx3.l4eQ.1fCqOuw encrypted privilege 0
username WWTP attributes
 vpn-group-policy WasteWaterTreamentPlant
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
username Harris password gmHstA/kmUiRBnN7 encrypted privilege 0
username Harris attributes
 vpn-group-policy vendors
 password-storage enable
tunnel-group vendors type remote-access
tunnel-group vendors general-attributes
 address-pool vendors
 default-group-policy vendors
tunnel-group vendors ipsec-attributes
 pre-shared-key *
tunnel-group WasteWaterTreamentPlant type remote-access
tunnel-group WasteWaterTreamentPlant general-attributes
 default-group-policy WasteWaterTreamentPlant
 dhcp-server 10.100.100.16
tunnel-group WasteWaterTreamentPlant ipsec-attributes
 pre-shared-key *
tunnel-group NetTechs type remote-access
tunnel-group NetTechs general-attributes
 authentication-server-group middletownvpn
 default-group-policy NetTechs
 dhcp-server 10.100.100.16
 password-management password-expire-in-days 10
tunnel-group NetTechs ipsec-attributes
 pre-shared-key *
tunnel-group Inspectors type remote-access
tunnel-group Inspectors general-attributes
 authentication-server-group middletownvpn
 default-group-policy Inspectors
 dhcp-server 10.100.100.16
 password-management password-expire-in-days 10
tunnel-group Inspectors ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  csc fail-open
 class class-default
  csc fail-close
!
service-policy global-policy global
smtp-server 10.100.100.19
prompt hostname context
Cryptochecksum:731219e99914452e7869238685c323fc

Asked by Zorniac

1 Solution

lrmoore commented:
This document will help you provide Internet access to the mobile users, without using split-tunneling.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
 
Zorniac (Author) commented:
lrmoore,
Thanks for the link. I was able to get the internet traffic for VPN clients tunneled through my headend using
nat (outside) 1 10.100.101.0 255.255.255.0

Now to just get communication between the VPN peers.
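As an added check (not code from this thread or from Cisco), a small Python script that reads an ASA 8.0-style configuration like the one posted and reports whether the two things this thread relies on for sending VPN-client traffic back out the outside interface are in place: the intra-interface permit, and (since nat-control is on) a nat (outside) rule covering each VPN client address range, as in the comment above. It assumes dhcp-network-scope subnets are /24 and flags every client range, whether or not that group policy tunnels all traffic; the sample config is a constructed excerpt.

```python
import ipaddress
import re

# Constructed excerpt in the style of the ASA 8.0(4) config posted above, plus the
# nat (outside) line from the follow-up comment. The NetTechs scope is left without one.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.100.101.0 255.255.255.0
group-policy Inspectors attributes
 dhcp-network-scope 10.100.101.0
group-policy NetTechs attributes
 dhcp-network-scope 10.100.102.0
"""

IP = r"(\d+(?:\.\d+){3})"
POOL_RE = re.compile(rf"^ip local pool \S+ {IP}-{IP} mask {IP}")
SCOPE_RE = re.compile(rf"^\s+dhcp-network-scope {IP}")
NAT_RE = re.compile(rf"^nat \((\w+)\) \d+ {IP} {IP}")

def vpn_client_ranges(config):
    """Networks VPN clients can be assigned from: ip local pools (taken with the pool's
    own mask) and dhcp-network-scope subnets (assumed /24, as in the posted config)."""
    ranges = []
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            first, _last, mask = m.groups()
            ranges.append(ipaddress.ip_network(f"{first}/{mask}", strict=False))
        elif m := SCOPE_RE.match(line):
            ranges.append(ipaddress.ip_network(f"{m.group(1)}/24"))
    return ranges

def hairpin_report(config):
    """Prerequisites for VPN-client traffic to re-enter and leave via 'outside':
    the intra-interface permit, and under nat-control a nat (outside) rule that
    covers each client range. Returns the ranges still lacking such a rule."""
    lines = config.splitlines()
    intra = "same-security-traffic permit intra-interface" in lines
    nat_outside = [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                   for m in map(NAT_RE.match, lines) if m and m.group(1) == "outside"]
    uncovered = [str(r) for r in vpn_client_ranges(config)
                 if not any(r.subnet_of(n) for n in nat_outside)]
    return {"intra_interface": intra, "nat_control": "nat-control" in lines,
            "uncovered_client_ranges": uncovered}

if __name__ == "__main__":
    print(hairpin_report(SAMPLE_CONFIG))
```

Run it against the output of `show running-config`; the vendors pool shows up as uncovered only because the script does not read split-tunnel policy, and that group is split-tunneled to the inside network only.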
 
Zorniac (Author) commented:
Well, I never figured out how to get communication between the VPN peers. But I think this question has gotten stale.
