Solved

Cisco VPN Clients Access to Other Offices

Posted on 2009-06-29
493 Views
Last Modified: 2013-11-16
I have two Cisco ASA 5505s in two offices with a site-to-site VPN between them. The main office has a client access VPN setup to allow remote clients to dial in with the Cisco VPN client. I want people who connect to the main office to be able to access the other office over their VPN connection without needing to connect to the other office directly.

I've attached my config for the client-access site; can you help?
: Saved
:
ASA Version 8.0(2)
!
hostname lake-asa
domain-name millsconsulting.local
enable password /HDQp0ws06zJk3F4 encrypted
names
name 1.1.1.1 lake_static
name 192.168.2.100 galadriel
name 192.168.2.101 gandalf
name 192.168.2.102 minas-tirith
name 192.168.2.103 Ra
name 192.168.2.104 Ra-WiFi
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address lake_static 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service ms-rdp tcp
 port-object eq 3389
object-group network grove_subnet
 network-object 192.168.1.0 255.255.255.0
object-group network lake_subnet
 network-object 192.168.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
object-group service http-81 tcp
 port-object eq 81
object-group service DM_INLINE_TCP_2 tcp
 port-object range www 81
 port-object eq ssh
object-group service BT tcp
 port-object eq 10245
object-group service BT2 tcp
 port-object eq 10246
object-group network VPN_Clients
 network-object 192.168.10.0 255.255.255.0
object-group network cboe_subnet
 network-object 192.168.11.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log disable inactive
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any 1.1.1.0 255.255.255.252 log disable
access-list outside_access_in remark Galadriel services
access-list outside_access_in extended permit tcp any host lake_static object-group ms-rdp log disable
access-list outside_access_in remark Gandalf services
access-list outside_access_in extended permit tcp any host lake_static object-group DM_INLINE_TCP_1 log disable
access-list outside_access_in remark Minas-Tirith services
access-list outside_access_in extended permit tcp any host lake_static object-group DM_INLINE_TCP_2 log disable
access-list outside_access_in extended permit icmp any host lake_static log disable
access-list outside_access_in extended permit tcp any host lake_static object-group BT log disable
access-list outside_access_in extended permit tcp any host lake_static object-group BT2 log disable
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_8 object-group lake_subnet object-group grove_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group lake_subnet object-group grove_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any object-group VPN_Clients log disable
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 object-group lake_subnet object-group cboe_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_5 any object-group cboe_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 any any log disable
access-list RemoteUsers_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit object-group DM_INLINE_PROTOCOL_6 object-group lake_subnet object-group cboe_subnet
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 galadriel 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www gandalf www netmask 255.255.255.255
static (inside,outside) tcp interface 81 minas-tirith 81 netmask 255.255.255.255
static (inside,outside) tcp interface https gandalf https netmask 255.255.255.255
static (inside,outside) tcp interface 10245 Ra 10245 netmask 255.255.255.255
static (inside,outside) tcp interface 10246 Ra-WiFi 10246 netmask 255.255.255.255
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MCG-AD protocol radius
http server enable
http 192.168.2.0 255.255.255.0 inside
auth-prompt prompt Enter Your Domain User And Password
auth-prompt accept Login Successful
auth-prompt reject Login Failed
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 3.3.3.3
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 50
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.2-192.168.2.33 inside
!
dhcprelay server galadriel inside
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 wins-server value 192.168.2.100 192.168.2.101
 dns-server value 192.168.2.100 192.168.2.101
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteUsers_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 authentication-server-group MCG-AD
 authorization-server-group MCG-AD
 accounting-server-group MCG-AD
 default-group-policy RemoteUsers
 dhcp-server galadriel
 authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 address-pool VPN
 authentication-server-group MCG-AD
 authorization-server-group MCG-AD
 accounting-server-group MCG-AD
 default-group-policy RemoteUsers
 dhcp-server galadriel
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers ppp-attributes
 authentication ms-chap-v2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

Question by:drbill1
1 Comment
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 24748861
Hello drbill1,
    The following should help:
access-list RemoteUsers_splitTunnelAcl standard permit remotesitenetwork remotesitenetmask
access-list Pnat permit ip 192.168.10.0 255.255.255.0 remotesitenetwork remotesitenetmask
nat (outside) 0 access-list Pnat outside
no same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

    Also add the necessary ACE to the interesting-traffic ACL for the desired remote site for the VPN pool.
Regards
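A small checker for the four conditions the accepted answer describes (split-tunnel ACL, NAT exemption for the pool, crypto-map ACE, intra-interface hairpin). This is an added example, not part of the original thread or of Cisco's tooling; the `CONFIG` string is a constructed excerpt in the style of the posted lake-asa config, and the `Pnat` ACL name is the one the answer proposes.

```python
import ipaddress
# Constructed excerpt in the style of the posted lake-asa config: remote site grove_subnet
# (192.168.1.0/24, peer 2.2.2.2), client pool 192.168.10.0/24. Only the split-tunnel ACL
# has been extended so far; the Pnat ACL and the crypto-map ACE are still missing.
CONFIG = """\
object-group network grove_subnet
 network-object 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group grove_subnet
access-list RemoteUsers_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list RemoteUsers_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
same-security-traffic permit intra-interface
"""
def parse_groups(cfg):
    """Map each 'object-group network' name to the networks it contains."""
    groups, cur = {}, None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[:1] == ["object-group"]:
            cur = None
        elif cur is not None and t[:1] == ["network-object"]:
            cur.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
    return groups

def _addr(t, i, groups):
    """Consume one ACE address spec (any | object-group X | host X | net mask)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    net = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return [ipaddress.ip_network(net)], i + 2

def acl_covers(cfg, acl, src, dst=None):
    """True if a permit ACE in `acl` contains src (and dst); standard ACLs take src only."""
    groups, src = parse_groups(cfg), ipaddress.ip_network(src)
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] != ["access-list", acl] or t[3] != "permit":
            continue
        i = 4 if t[2] == "standard" else 6 if t[4] == "object-group" else 5  # skip protocol
        nets, i = _addr(t, i, groups)
        if any(src.subnet_of(n) for n in nets) and (dst is None or any(
                ipaddress.ip_network(dst).subnet_of(n) for n in _addr(t, i, groups)[0])):
            return True
    return False

def check_hairpin(cfg, pool, remote, crypto_acl, nat0_acl, split_acl):
    # The four conditions from the accepted answer, for pool -> remote-site traffic.
    return {"split_tunnel_includes_remote": acl_covers(cfg, split_acl, remote),
            "nat_exempt_pool_to_remote": acl_covers(cfg, nat0_acl, pool, remote),
            "crypto_acl_pool_to_remote": acl_covers(cfg, crypto_acl, pool, remote),
            "intra_interface_permitted": "same-security-traffic permit intra-interface" in cfg}
```

The checker reads ACL contents only; it does not confirm that `Pnat` is actually bound with `nat (outside) 0 access-list Pnat outside`, nor that the remote ASA's crypto ACL mirrors the new ACE.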