Solved

Cisco ASA 5505 remote VPN access to local network

Posted on 2010-09-12
3
513 Views
Last Modified: 2012-05-10
I have Two ASA 5505's setup in a site to site VPN which works perfectly.  Now I also need to have remote client VPN access with the Cisco VPN dialer to the 1st site.  I can get the VPN dialer to connect the the VPN and get a VPN IP address, but I have no access to the remote network.  can someone take a look and see what I am missing?  I have attached the ASA running config.
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 
passwd 
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 10.10.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.20.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 18082
access-list outside_access_in extended permit tcp any interface outside eq 18086
access-list Silegy-Remote_splitTunnelAcl standard permit 10.10.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.20.10-10.10.20.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.10.100.25 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.100.25 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.10.100.25 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.10.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.100.75 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 18082 10.10.100.25 18082 netmask 255.255.255.255
static (inside,outside) tcp interface 18086 10.10.100.25 18086 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 69.178.189.194
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd domain drsilegy.local
dhcpd auto_config outside
!
dhcpd address 10.10.100.100-10.10.100.149 inside
dhcpd dns 10.10.100.25 interface inside
dhcpd domain drsilegy.local interface inside
dhcpd enable inside
!

group-policy Silegy-Remote internal
group-policy Silegy-Remote attributes
 dns-server value 10.10.100.25
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Silegy-Remote_splitTunnelAcl
username username password password encrypted privilege 0
username username attributes
 vpn-group-policy Silegy-Remote
tunnel-group 69.178.189.194 type ipsec-l2l
tunnel-group 69.178.189.194 ipsec-attributes
 pre-shared-key *
tunnel-group Silegy-Remote type ipsec-ra
tunnel-group Silegy-Remote general-attributes
 address-pool VPNPool
 default-group-policy Silegy-Remote
tunnel-group Silegy-Remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Open in new window

0
Comment
Question by:ahdfx
3 Comments
 
LVL 5

Accepted Solution

by:
shubhanshu_jaiswal earned 250 total points
ID: 33660692
You have not performed NAT Exemption.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 33661430
This is default behaviour you need to set up a hairpin see my site here http://www.petenetlive.com/KB/Article/0000040.htm


Pete
www.petenetlive.com
0
 
LVL 6

Assisted Solution

by:ahdfx
ahdfx earned 0 total points
ID: 33872205
I had my access list backwards.  I was allowing the LAN to see the VPN, but not letting the VPN see the lan.

Reversed the IP's in the access list and all works perfectly.,
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now