?
Solved

ASA 5510 access L2L VPN from VPN client connection

Posted on 2010-09-21
5
Medium Priority
?
818 Views
Last Modified: 2012-06-27
I have a 5510 with an L2L VPN to a remote site (10.1.100.0/24).  I am also using the 5510 for VPN client access.  Both are connecting on the same interface (outside).  I would like be able to to access the remote site via the VPN client connection.  Is this possible?

If not, can I move the VPN client connections to another interface (alt-wan) in order to make this work?  The alt-wan interface is on different public subnet than the outside interface.
: Saved
:
ASA Version 8.2(1) 
!
hostname ma-asa5510-01
domain-name MA.local
no names
name 10.20.1.91 HQ-S01 description
name 10.1.100.0 TN description
name 10.20.1.0 ma-inside-subnet description
name 192.168.75.0 ma-train-ctr-subnet description
name 42.7.40.0 A-42.7.40.0 description ASA 5510 <> Cisco 3560
name 10.40.1.0 VPN-Clients-5510 description Subnet for 5510 VPN Client Pool
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address w.x.y.z 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.3 255.255.255.0 
!
interface Ethernet0/2
 description
 nameif alt-wan
 security-level 0
 ip address a.b.c.d 255.255.255.248 
!
interface Ethernet0/3
 description
 nameif train-ctr
 security-level 50
 ip address 192.168.75.2 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.42.2 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.20.1.91
 name-server 10.20.1.93
 domain-name MA.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.20.1.224 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.100.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.40.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 192.168.75.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.40.1.0 255.255.255.0 10.1.100.0 255.255.255.0 
access-list SPLIT standard permit 192.168.75.0 255.255.255.0 
access-list SPLIT standard permit 10.20.1.0 255.255.255.0 
access-list SPLIT standard permit 10.1.100.0 255.255.255.0 
access-list TN_VPN_Tunnel extended permit ip 10.20.1.0 10.1.100.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
mtu alt-wan 1500
mtu train-ctr 1500
mtu management 1500
ip local pool VPN-Client-Pool 10.40.1.2-10.40.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 1 interface
global (alt-wan) 20 interface
global (train-ctr) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (train-ctr) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route alt-wan 0.0.0.0 0.0.0.0 a.b.c.d 5
route inside 42.7.20.0 255.255.255.252 10.20.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WinNTAuth protocol nt
aaa-server WinNTAuth (inside) host 10.20.1.94
 timeout 5
 nt-auth-domain-controller 10.20.1.94
aaa-server 2K8-RADIUS protocol radius
aaa-server 2K8-RADIUS (inside) host 10.20.1.93
 key xxx
 radius-common-pw xxx
http server enable
http 10.20.1.0 255.255.255.0 inside
http 192.168.42.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 

ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address TN_VPN_Tunnel
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer [TN Public IP] 
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.20.1.0 255.255.255.0 inside
telnet 192.168.42.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
 svc enable
 tunnel-group-list enable
 certificate-group-map DefaultCertificateMap 10 MARemote
group-policy DfltGrpPolicy attributes
 dns-server value 10.20.1.91 10.20.1.93
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value MA.local
 webvpn
  url-list value MA-Internal
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable default webvpn timeout 7
group-policy MARemote internal
group-policy MARemote attributes
 banner value Welcome to MA.
 banner value 
 banner value Access is permitted by authorized users only.
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value MA.local
 webvpn
  url-list value MA-Internal
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn timeout 7
  customization value DfltCustomization
  hidden-shares visible
  file-entry enable
  file-browsing enable
group-policy L2L-Group-Policy internal
group-policy L2L-Group-Policy attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username bob password xxx encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group 2K8-RADIUS
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group 2K8-RADIUS
tunnel-group MARemote type remote-access
tunnel-group MARemote general-attributes
 address-pool VPN-Client-Pool
 authentication-server-group 2K8-RADIUS
 default-group-policy MARemote
 password-management password-expire-in-days 10
tunnel-group MARemote webvpn-attributes
 radius-reject-message
 group-alias AnyConnect enable
tunnel-group MARemote ipsec-attributes
 pre-shared-key *
tunnel-group [TN Public IP] type ipsec-l2l
tunnel-group [TN Public IP] ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
: end

Open in new window

0
Comment
Question by:LimeRidge29
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 1

Expert Comment

by:tobyhansen
ID: 33727619
Yes it is. I just went through this.

I can tell you how to do it from the ASDM side.. I didn't record the actual commands that were sent to the ASA but can try to peel those out for you as well. Give me a few to put this together for you.
0
 
LVL 1

Accepted Solution

by:
tobyhansen earned 2000 total points
ID: 33727704
1. Enable traffic between two or more interfaces which are configured with the same security levels. this enables router on a stick which is necessery for tunnel hopping.
Command - same-security-traffic permit inter-interface

2. On the profile you use for the VPN client - make sure you add the remote site's network as one of the 'split tunnel destinguished networks' but adding it to the same ACL as your current Remote VPN ACL list -
Command - access-list YourVPNProf_splitTunnelAcl standard permit x.x.x.x m.m.m.m

Hope this helps.
0
 

Author Closing Comment

by:LimeRidge29
ID: 33727817
Problem solved.
0
 

Author Comment

by:LimeRidge29
ID: 33727870
tobyhansen, your CLI same-security-traffic permit inter-interface was not exactly right, but it led me to the answer:  same-security-traffic permit INTRA-interface

In the ASDM, it's the "Enable traffic between two or more hosts connected to the same interface" check box.  Thanks for the help.
0
 
LVL 1

Expert Comment

by:tobyhansen
ID: 33727944
I have them both checked off. one of them didn't work. I thought I had tried the 'intra' first. Thank youfor correcting me.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month12 days, 20 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question