Solved

Can't route between Cisco VPN client and IPsec tunnel.

Posted on 2010-09-08
Last Modified: 2012-05-10
We have clients that VPN to a Cisco ASA 5520 (HQ office); this same ASA also has an IPsec tunnel to a remote office. Routing works fine between the ASA and each endpoint, but traffic does not route from the VPN clients to the remote office.

What are we missing?

Below is my config; Orem2HQ is the IPsec tunnel from HQ to the branch office.
Remote office internal IP is 10.5.133.0
Remote office external IP is 1.1.1.1
Remote VPN is 172.16.5.0


ASA Version 7.2(3)
!
hostname MMASA
domain-name **********
enable password ********* encrypted
names
name 172.16.2.18 Barracuda
name ********* AA_Sabre
name 172.16.2.61 Austin
name 172.16.2.62 BartLowry
name 172.16.2.15 Philter
name 172.18.0.0 MMI_Internal
name 172.18.0.253 MMI_SBS2008_Internal
name 172.16.2.29 MMMAIL2
name 172.18.8.0 MMI_Voice
name 172.16.254.0 MMT_Routing1
name 172.16.255.1 MMT-Core-Dell6024
name 172.15.254.2 MMT-ATMRouter
name ********* SabreVPN
name ********* MMI_SBS2008_External
name ********* PhilterExternal
name ********* *********
name 172.16.2.22 MMMAIL
name 172.16.2.17 MMMAIL3
name ********* Homeport
name ********* Trams
name ********* Trams_External
name 172.16.2.27 mmremote
name ********* mmremote_external
name ********* Hacker1
name ********* AustinExt
name 172.16.2.7 BeastInt
name ********* BeastExt
name ********* xampp
name 192.168.1.0 AustinHomeNet
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ********* 255.255.255.192
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.255.254 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 172.16.60.254 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
 management-only
!
passwd ********* encrypted

ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name mm.com
same-security-traffic permit intra-interface
object-group service UDP_135-139 udp
 port-object range 135 139
object-group service UDP_DTS_DTSWEB udp
 port-object eq 50001
object-group service Spamassassin tcp
 description Access for Spamassassin
 port-object eq smtp
object-group service web tcp
 description Access Protocols for web servers
 port-object eq www
 port-object eq https
object-group service WebMail tcp
 description Access Protocols for Email
 port-object eq www
 port-object eq https
 port-object range 4125 4125
 port-object range 987 987
 port-object eq smtp
 port-object eq 135
 port-object range 6000 6001
 port-object range 3389 3389
object-group service mmweb tcp
 description Web server ports
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group service PassiveFTP tcp
 port-object eq ftp
 port-object range 5500 5510
access-list outside_access_in extended permit tcp any host ********* eq ftp
access-list outside_access_in extended permit tcp any host ********* eq www
access-list outside_access_in extended permit tcp any host ********* eq https
access-list outside_access_in extended permit tcp any host ********* eq 10000
access-list outside_access_in extended permit tcp any host xampp eq 3389
access-list outside_access_in extended permit tcp any host ********* eq 5900
access-list outside_access_in extended permit tcp any host ********* eq 5500
access-list outside_access_in extended permit tcp any host ********* eq www
access-list outside_access_in extended permit tcp any host ********* eq https
access-list outside_access_in extended permit udp any host ********* eq 1194
access-list outside_access_in extended permit tcp any host ********* eq smtp
access-list outside_access_in extended permit tcp any host ********* eq imap4
access-list outside_access_in extended permit tcp any host ********* eq www
access-list outside_access_in extended permit tcp any host ********* eq ftp
access-list outside_access_in extended permit tcp any host xampp eq ftp
access-list outside_access_in extended permit tcp any host xampp eq www
access-list outside_access_in extended permit tcp any host BeastExt eq www
access-list outside_access_in extended deny tcp any host MMI_SBS2008_External eq smtp
access-list outside_access_in extended permit tcp any host SabreVPN
access-list outside_access_in extended permit tcp any host SabreVPN eq https
access-list outside_access_in extended permit udp any host *********
access-list outside_access_in extended permit tcp any host *********
access-list outside_access_in extended deny tcp any host AustinExt eq ftp
access-list outside_access_in extended deny tcp host AustinExt eq ftp any
access-list outside_access_in extended deny tcp any any eq 445
access-list outside_access_in extended deny tcp any any eq 5554
access-list outside_access_in extended deny tcp any any eq 9996
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any host PhilterExternal eq 990
access-list outside_access_in extended permit tcp any host PhilterExternal eq ssh
access-list outside_access_in extended permit tcp any host PhilterExternal eq 3389
access-list outside_access_in extended permit tcp any host PhilterExternal eq 3000
access-list outside_access_in extended permit udp any host PhilterExternal eq 3000
access-list outside_access_in extended permit tcp any host ********* eq 3000
access-list outside_access_in extended permit udp any host ********* eq 3000
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host MMI_SBS2008_External eq pptp
access-list outside_access_in extended permit tcp any host MMI_SBS2008_External object-group WebMail
access-list outside_access_in extended permit tcp any host MMI_SBS2008_External eq ftp
access-list outside_access_in extended permit tcp any host ********* object-group WebMail
access-list outside_access_in extended permit tcp any host ********* eq smtp
access-list outside_access_in extended permit tcp any host MMI_SBS2008_External eq netbios-ssn
access-list outside_access_in extended permit tcp any host ********* eq ftp
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any host ********* eq 3389
access-list outside_access_in extended permit tcp any host ********* eq 3389
access-list outside_access_in extended permit tcp any host ********* eq 3389
access-list outside_access_in extended permit tcp any host Trams_External eq www
access-list outside_access_in extended permit tcp any host mmremote_external eq 3389
access-list outside_access_in extended permit tcp any host PhilterExternal eq ftp
access-list outside_access_in extended deny ip host Hacker1 any
access-list outside_access_in extended permit tcp any host ********* eq 6881
access-list outside_access_in extended permit udp any host ********* eq 4444
access-list outside_access_in extended permit gre any host *********
access-list outside_access_in extended permit tcp any host ********* pptp
access-list outside_access_in extended deny tcp any host ********* eq 5900
access-list inside_access_out extended deny udp any any object-group UDP_135-139
access-list inside_access_out extended permit tcp host SabreVPN eq https any
access-list inside_access_out extended deny udp any any eq 554
access-list inside_access_out extended deny udp any any range 6970 6999
access-list inside_access_out extended deny udp any any eq 7070
access-list inside_access_out extended deny udp any any eq 8080
access-list inside_access_out extended deny tcp any any eq 5554
access-list inside_access_out extended deny tcp any any eq 9996
access-list inside_access_out extended deny tcp any any eq 445
access-list inside_access_out extended permit ip host Barracuda any
access-list inside_access_out extended permit ip host MMI_SBS2008_Internal any
access-list inside_access_out extended permit tcp any host ********* eq 8504
access-list inside_access_out extended permit ip host MMMAIL any
access-list inside_access_out extended permit ip host MMMAIL2 any
access-list inside_access_out extended permit ip host MMMAIL3 any
access-list inside_access_out extended permit tcp host ********* any
access-list inside_access_out extended permit udp host ********* eq 3000 any eq 3000
access-list inside_access_out extended permit tcp host ********* eq 3000 any eq 3000
access-list inside_access_out extended permit udp host ********* eq 3000 any eq 3000
access-list inside_access_out extended permit tcp host ********* eq 3000 any eq 3000
access-list inside_access_out extended permit tcp host ********* eq www any eq www
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit tcp any eq pptp any eq pptp
access-list inside_access_out extended permit tcp any any eq ftp
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit ip any any
access-list AdminVPN_splitTunnelAcl extended permit ip 172.16.0.0 255.255.0.0 any
access-list AdminVPN_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any
access-list AdminVPN_splitTunnelAcl extended permit ip 192.168.0.0 255.255.0.0 any
access-list AdminVPN_splitTunnelAcl extended permit ip 172.17.0.0 255.255.255.0 any
access-list AdminVPN_splitTunnelAcl extended permit ip MMI_Internal 255.255.255.0 any
access-list AdminVPN_splitTunnelAcl extended permit ip MMI_Voice 255.255.255.0 any
access-list AdminVPN_splitTunnelAcl extended permit ip MMT_Routing1 255.255.254.0 any
access-list MMT_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any
access-list MMT_splitTunnelAcl extended permit ip 192.168.0.0 255.255.0.0 any
access-list MMT_splitTunnelAcl extended permit ip 172.16.0.0 255.255.0.0 any
access-list MMT_splitTunnelAcl extended permit ip 172.17.0.0 255.255.255.0 any
access-list MMT_splitTunnelAcl extended permit ip MMI_Internal 255.255.255.0 any
access-list MMT_splitTunnelAcl extended permit ip MMI_Voice 255.255.255.0 any
access-list MMT_splitTunnelAcl extended permit ip MMT_Routing1 255.255.254.0 any
access-list TicketBank_splitTunnelAcl extended permit ip host 172.16.2.11 any
access-list outside_cryptomap extended permit ip any 172.16.5.0 255.255.255.0
access-list MorrisMurdock_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list MorrisMurdock_splitTunnelAcl standard permit host *********
access-list MorrisMurdock_splitTunnelAcl standard permit 10.5.0.0 255.255.0.0
access-list MorrisMurdock_splitTunnelAcl standard permit 172.27.47.0 255.255.255.0
access-list MorrisMurdock_splitTunnelAcl standard permit host *********

access-list MorrisMurdock_splitTunnelAcl standard permit host *********
access-list MorrisMurdock_splitTunnelAcl standard permit 172.17.0.0 255.255.255.0

access-list MorrisMurdock_splitTunnelAcl standard permit MMI_Internal 255.255.255.0
access-list MorrisMurdock_splitTunnelAcl standard permit MMI_Voice 255.255.255.0
access-list MorrisMurdock_splitTunnelAcl standard permit MMT_Routing1 255.255.254.0
access-list MorrisMurdock_splitTunnelAcl standard permit host *********
access-list MorrisMurdock_splitTunnelAcl standard permit host *********

access-list outside_cryptomap_1 extended permit ip any 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.254.0.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip 172.27.47.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip ********* 255.255.255.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip MMI_Internal 255.255.255.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip MMI_Internal 255.255.255.0 host 172.27.47.110
access-list NONAT extended permit ip MMI_Internal 255.255.0.0 host 172.27.47.110
access-list NONAT extended permit ip 172.17.0.0 255.255.0.0 host 172.27.47.110
access-list NONAT extended permit ip MMI_Voice 255.255.255.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip MMT_Routing1 255.255.254.0 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip MMI_Voice 255.255.255.0 host 172.27.47.110
access-list NONAT extended permit ip MMT_Routing1 255.255.254.0 host 172.27.47.110
access-list NONAT extended permit ip 172.16.2.0 255.255.254.0 109.5.133.0 255.255.255.0
access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.5.133.0 255.255.255.0
access-list oes_tunnel extended permit ip MMI_Internal 255.255.0.0 host 172.27.47.110
access-list outside_access_dmz extended permit tcp any host Homeport object-group mmweb
access-list outside_access_dmz extended permit icmp any any
access-list outside_access_dmz extended permit tcp any any eq https
access-list outside_access_dmz extended permit tcp any any eq www
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list outside_access_dmz extended permit tcp any host Homeport object-group web
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list outside_access_dmz extended permit tcp any host ********* object-group web
access-list Orem2HQ extended permit ip 172.0.0.0 255.0.0.0 10.5.133.0 255.255.255.0
pager lines 24
logging asdm-buffer-size 200
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN_Pool 172.16.5.1-172.16.5.254
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
global (outside) 1 ********* netmask 255.255.255.255
global (dmz) 200 172.16.60.20-172.16.60.80
nat (outside) 1 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 200 Philter 255.255.255.255
nat (inside) 200 172.16.255.254 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group outside_access_dmz in interface dmz
route outside AA_Sabre 255.255.255.0 SabreVPN 1
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route outside 172.27.47.110 255.255.255.255 2.2.2.2 1
route inside 192.168.0.0 255.255.0.0 172.16.2.2 1
route inside MMI_Internal 255.255.255.0 MMT-Core-Dell6024 1
route inside MMI_Voice 255.255.255.0 MMT-Core-Dell6024 1
route inside 10.5.130.0 255.255.255.0 MMT-Core-Dell6024 1
route inside 10.5.128.0 255.255.255.0 MMT-Core-Dell6024 1
route inside 10.5.132.0 255.255.255.0 MMT-Core-Dell6024 1
route inside 10.5.134.0 255.255.255.0 MMT-Core-Dell6024 1
!
router rip
 network 10.0.0.0
 network 172.16.0.0
 network 172.17.0.0
 network MMI_Internal
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.17.0.10 255.255.255.255 inside
http AustinExt 255.255.255.255 outside
http Philter 255.255.255.255 inside
http MMMAIL3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map dynmap 50 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map oes 30 match address Orem2HQ
crypto map oes 30 set peer 1.1.1.1
crypto map oes 30 set transform-set myset
crypto map oes 80 match address oes_tunnel
crypto map oes 80 set pfs
crypto map oes 80 set peer **********
crypto map oes 80 set transform-set myset
crypto map oes 80 set security-association lifetime seconds 3600
crypto map oes 65000 ipsec-isakmp dynamic dynmap
crypto map oes interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 7
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal  80
crypto isakmp ipsec-over-tcp port 10000
telnet AustinExt 255.255.255.255 outside
telnet Philter 255.255.255.255 inside
telnet 172.16.2.130 255.255.255.255 inside
telnet 172.16.5.60 255.255.255.255 inside
telnet timeout 30
ssh AustinExt 255.255.255.255 outside
ssh MMMAIL3 255.255.255.255 inside
ssh 192.168.1.3 255.255.255.255 inside
ssh timeout 60
console timeout 0
vpdn group PPTPVPN ppp authentication mschap
!
class-map class_sip_tcp
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect dns preset_dns_map
 class class_sip_tcp
  inspect sip
!
service-policy global_policy global
tftp-server outside ********** MMASA.cfg
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.16.2.21 172.16.2.22
 dns-server value 172.16.2.21 172.16.2.22
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value mm
group-policy MorrisMurdock internal
group-policy MorrisMurdock attributes
 wins-server value 172.16.2.21 172.16.2.28
 dns-server value 172.16.2.21 172.16.2.28
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MorrisMurdock_splitTunnelAcl
 default-domain value mm.com

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group MorrisMurdock type ipsec-ra
tunnel-group MorrisMurdock general-attributes
 address-pool VPN_Pool
 default-group-policy MorrisMurdock
tunnel-group MorrisMurdock ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
 pre-shared-key *
tunnel-group ********** type ipsec-l2l
tunnel-group AustinExt type ipsec-l2l
tunnel-group AustinExt ipsec-attributes
 pre-shared-key *
tunnel-group OremVPN type ipsec-l2l
tunnel-group OremVPN ipsec-attributes
 pre-shared-key *
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
Question by:Poopis9
2 Comments

Accepted Solution

by: Pete Long (earned 250 total points)
ID: 33634388
This is default behaviour; you need to enable spoke2spoke or hairpinning, see http://www.petenetlive.com/KB/Article/0000040.htm

Pete

Assisted Solution

by: ullas_unni (earned 250 total points)
ID: 33637168
You should permit traffic from your VPN IP pool to the remote network in your crypto ACL for the site-to-site VPN on the ASA, and make the mirrored change on the remote device too.

and

ASA(config)#same-security-traffic permit intra-interface

regards.
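As an added illustration that is not part of either answer above (nor the poster's own tooling): a small Python script that reads an ASA 7.x/8.2-style configuration and checks the conditions the two answers point at for hairpinned VPN-client-to-L2L traffic: `same-security-traffic permit intra-interface` (Pete Long's answer), the L2L crypto ACL selecting pool-to-remote-subnet traffic (ullas_unni's answer), and the split-tunnel list actually sending the remote subnet into the tunnel. It additionally reports whether pool-to-remote traffic is exempted from the `nat (outside)` rule, which the thread does not discuss but which applies to traffic that enters and leaves on `outside` under `nat-control`; treat that check as my addition. The embedded `SAMPLE_CONFIG` is a constructed excerpt modelled on the configuration posted in the question; the ACL names come from it, and the /24 mask on 10.5.133.0 is assumed from the `Orem2HQ` entry.

```python
"""Audit an ASA 7.x/8.2-style configuration for the settings that must line up
before remote-access VPN clients can reach a site-to-site peer's subnet through
the same outside interface (hairpinning / spoke-to-spoke).

Added example, not the poster's own tooling. SAMPLE_CONFIG is a constructed
excerpt modelled on the configuration in the question.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
name 172.18.0.0 MMI_Internal
same-security-traffic permit intra-interface
access-list NONAT extended permit ip MMI_Internal 255.255.255.0 10.5.133.0 255.255.255.0
access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.5.133.0 255.255.255.0
access-list Orem2HQ extended permit ip 172.0.0.0 255.0.0.0 10.5.133.0 255.255.255.0
access-list MorrisMurdock_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list MorrisMurdock_splitTunnelAcl standard permit 10.5.0.0 255.255.0.0
ip local pool VPN_Pool 172.16.5.1-172.16.5.254
nat-control
nat (outside) 1 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map oes 30 match address Orem2HQ
crypto map oes 30 set peer 1.1.1.1
"""


def resolve_names(config):
    """Expand 'name <ip> <alias>' aliases so ACL entries carry literal addresses."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"^name (\S+) (\S+)$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return [" ".join(names.get(tok, tok) for tok in line.split())
            for line in config.splitlines()]


def _take_net(tokens):
    """Consume one ACL address term: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)


def acl_entries(lines, name, kind="extended"):
    """Permit entries of one ACL: (src, dst) pairs for extended ACLs (protocol
    'ip' only, which is what crypto and NAT-exempt ACLs use), single networks
    for standard ACLs (split-tunnel lists)."""
    entries = []
    for line in lines:
        toks = line.split()
        if toks[:4] != ["access-list", name, kind, "permit"]:
            continue
        rest = toks[4:]
        if kind == "extended":
            if rest.pop(0) != "ip":
                continue
            src = _take_net(rest)
            entries.append((src, _take_net(rest)))
        else:
            entries.append(_take_net(rest))
    return entries


def pool_network(lines):
    """Smallest CIDR block covering the 'ip local pool' address range."""
    for line in lines:
        m = re.match(r"^ip local pool \S+ (\S+)-(\S+)$", line)
        if m:
            last = ipaddress.ip_address(m.group(2))
            for prefix in range(32, -1, -1):
                net = ipaddress.ip_network((m.group(1), prefix), strict=False)
                if last in net:
                    return net
    return None


def audit_hairpin(config, remote_subnet, crypto_acl, split_acl):
    """Return (pool, checks); checks maps each requirement to True/False."""
    lines = resolve_names(config)
    remote = ipaddress.ip_network(remote_subnet)
    pool = pool_network(lines)

    def covers(pairs):
        return pool is not None and any(
            pool.subnet_of(src) and remote.subnet_of(dst) for src, dst in pairs)

    exempt_acls = [m.group(1) for m in
                   (re.match(r"^nat \(outside\) 0 access-list (\S+)", l) for l in lines) if m]
    checks = {
        # Pete Long's point: traffic entering and leaving on 'outside' is dropped
        # unless intra-interface traffic is explicitly permitted.
        "intra_interface_permitted": any(
            l.strip() == "same-security-traffic permit intra-interface" for l in lines),
        # ullas_unni's point: the L2L crypto ACL must select pool -> remote subnet
        # (the peer must mirror it; that cannot be checked from this side).
        "crypto_acl_covers_pool": covers(acl_entries(lines, crypto_acl)),
        # The client must send remote-subnet traffic into the tunnel at all.
        "split_tunnel_includes_remote": any(
            remote.subnet_of(n) for n in acl_entries(lines, split_acl, "standard")),
        # Additional check (not raised in the thread): hairpinned traffic is
        # subject to 'nat (outside)' rules, so pool -> remote also needs a NAT
        # exemption bound to the outside interface.
        "outside_nat_exempt": any(covers(acl_entries(lines, acl)) for acl in exempt_acls),
    }
    return pool, checks


if __name__ == "__main__":
    pool, checks = audit_hairpin(SAMPLE_CONFIG, "10.5.133.0/24",
                                 "Orem2HQ", "MorrisMurdock_splitTunnelAcl")
    print("VPN pool:", pool)
    for name, ok in checks.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Run against the constructed excerpt, the first three checks pass (the posted configuration already contains `same-security-traffic permit intra-interface`, and its `Orem2HQ` entry for 172.0.0.0/8 already encloses the 172.16.5.0/24 pool), and only the outside NAT exemption is reported missing; whatever the actual cause turns out to be, the script gives a repeatable way to confirm each prerequisite from the running config rather than from memory.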