SneakyJones
asked on
Can this be done? - Remote Access VPN routing question
Have an ASA 5510 with three interfaces in use
Outside - public ip
Inside - 172.16.42.x /24
Third Interface - 172.16.52.x /24
Remote VPN Clients - 172.16.45.x /24
Both Inside and Third Interface have a security setting of 100 and routing between them works fine.
The problem is that when users connect to the ASA via the cisco vpn client, they are assigned an address from the 172.16.45.x /24 subnet. From this subnet they are able to communicate with the 172.16.42.x (Inside) subnet without any problem but can't connect to the 172.16.52.x (Third Interface) subnet.
I have these in the config -
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and access lists that explicitly allow traffic between 172.16.45.x and 172.16.52.x but traffic is being dropped.
Is it possible to have my Remote Access VPN users communicate with the Third Interface network?
Yes. Make sure you include traffic to your Remote VPN subnet from your Third interface network in the NO NAT or NAT exempt statements. Please post your CLI config if you need more assistance in configuring this.
I usually like to make the IP LOCAL POOL a different subnet. That way it can be easily referenced in the configs and is very recognizable. It's not a requirement, just a habit of mine. EyeNoVoip is correct that to get the IP LOCAL POOL (no matter what it is) to communicate with the interfaces, you need to have the IP ranges in a NONAT and have the destination range as part of the crypto map match or split tunnel ACL as well.
ASKER
hey guys, thanks for the response and sorry for the delay.
I rechecked my config to make sure that I had the NoNat statements as well as a separate IP Local Pool subnet, but it is still not working.
When users connect using Remote Access VPN they are assigned a 172.16.45.x address and can access the 172.16.42.x subnet but not the 172.16.52.x subnet.
this NoNat access list is applied to the inside interface
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.172.0 255.255.255.0
this NoNat access list is applied to the ThirdInterface
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0
I'm pretty certain my logic in applying these access lists is off.
thanks for any help
ASKER
oh, and here is my config. thanks.
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name company.office
names
dns-guard
!
interface Ethernet0/0
description outside Internet Interface
nameif outside
security-level 0
ip address x.x.x.x
!
interface Ethernet0/1
description Company's Internal Network
nameif inside
security-level 100
ip address 172.16.42.1 255.255.255.0
!
interface Ethernet0/2
description Company's DMZ Network
nameif dmz
security-level 50
ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/3
description Company's ThirdInterface Network
nameif ThirdInterface
security-level 100
ip address 172.16.52.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
!
banner motd $ ********** Unauthorized Access is Prohibited ********** $
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name company.office
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_Access_In extended permit tcp any host x.x.x.179 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.179 eq https
access-list Outside_Access_In extended permit tcp any host x.x.x.180 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.181 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.182 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.183 eq ftp
access-list Outside_Access_In extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.179 eq smtp
access-list Outside_Access_In extended permit gre any host x.x.x.184
access-list Outside_Access_In extended permit tcp any host x.x.x.184 eq pptp
access-list Outside_Access_In extended permit tcp any host x.x.x.184 eq 8080
access-list Outside_Access_In extended permit tcp any host x.x.x.185 eq ssh
access-list Outside_Access_In extended permit tcp any host x.x.x.185 eq www
access-list Outside_Access_In extended permit tcp any host x.x.x.186 eq www
access-list L2L-Colo extended permit ip 172.16.42.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list L2L-Colo extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list SplitTunnel standard permit 172.16.42.0 255.255.255.0
access-list Inside_Access_In extended permit tcp host 172.16.42.14 any eq smtp
access-list Inside_Access_In extended permit tcp host 172.16.42.12 any eq smtp
access-list Inside_Access_In extended permit tcp host 172.16.42.98 any eq smtp
access-list Inside_Access_In extended permit ip any any
access-list ThirdInterface_Access_In extended permit ip any any
access-list ThirdInterface_Access_In extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list ThirdInterface_Access_In extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.42.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
mtu ThirdInterface 1500
ip local pool RasVPNPool 172.16.45.101-172.16.45.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat-Colo-Tunnel
nat (inside) 1 172.16.42.0 255.255.255.0
nat (dmz) 1 172.31.1.0 255.255.255.0
nat (ThirdInterface) 0 access-list NoNat-ThirdInterface-Inside
nat (ThirdInterface) 1 172.16.52.0 255.255.255.0
static (inside,outside) tcp x.x.x.180 www 172.16.42.38 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.181 www 172.16.42.26 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.182 www 172.16.42.27 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.183 ftp 172.16.42.11 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.184 pptp 172.16.42.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.184 8080 172.16.42.38 8080 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.185 ssh 172.16.42.55 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.185 www 172.16.42.55 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.186 www 172.16.42.73 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.179 smtp 172.16.42.98 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.179 www 172.16.42.98 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.179 https 172.16.42.98 https netmask 255.255.255.255
access-group Outside_Access_In in interface outside
access-group Inside_Access_In in interface inside
access-group ThirdInterface_Access_In in interface ThirdInterface
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusVPN protocol radius
aaa-server RadiusVPN (inside) host 172.16.42.10
key *****
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 management
http 172.16.42.0 255.255.255.0 inside
http 172.16.52.0 255.255.255.0 ThirdInterface
snmp-server host inside 172.16.42.48 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server listen-port 162
crypto ipsec transform-set TripleDesSha esp-3des esp-sha-hmac
crypto ipsec transform-set AesSha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynamicvpnmap 10 set transform-set AesSha
crypto dynamic-map dynamicvpnmap 10 set reverse-route
crypto map VPNTUNNELS 10 match address L2L-Colo
crypto map VPNTUNNELS 10 set peer x.x.x.215
crypto map VPNTUNNELS 10 set transform-set TripleDesSha
crypto map VPNTUNNELS 10 set security-association lifetime seconds 28800
crypto map VPNTUNNELS 999 ipsec-isakmp dynamic dynamicvpnmap
crypto map VPNTUNNELS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 ThirdInterface
ssh timeout 60
console timeout 0
dhcpd address 172.16.1.2-172.16.1.254 management
dhcpd enable management
!
dhcpd address 172.16.52.25-172.16.52.250 ThirdInterface
dhcpd dns 172.16.42.50 172.16.42.10 interface ThirdInterface
dhcpd domain company.office interface ThirdInterface
dhcpd option 3 ip 172.16.52.1 interface ThirdInterface
dhcpd enable ThirdInterface
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy RemoteAccessUsersPolicy internal
group-policy RemoteAccessUsersPolicy attributes
dns-server value 172.16.42.50 172.16.42.10
vpn-idle-timeout 240
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
default-domain value company.office
tunnel-group x.x.x.40 type ipsec-l2l
tunnel-group x.x.x.40 ipsec-attributes
pre-shared-key *****
tunnel-group insidevpnclients type remote-access
tunnel-group insidevpnclients general-attributes
address-pool rasvpnpool
authentication-server-group RadiusVPN
default-group-policy RemoteAccessUsersPolicy
tunnel-group insidevpnclients ipsec-attributes
pre-shared-key *****
tunnel-group localauthentication type remote-access
tunnel-group localauthentication general-attributes
address-pool RasVPNPool
default-group-policy RemoteAccessUsersPolicy
tunnel-group localauthentication ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.215 type ipsec-l2l
tunnel-group x.x.x.215 ipsec-attributes
pre-shared-key *****.145 ipsec-attributes
pre-shared-key *****
!
class-map inspecton_default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
inspect ils
inspect snmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
ASKER CERTIFIED SOLUTION
ASKER
Hey EyeNoVoIP,
I added the second entry that you wrote above and it didn't work, but figured why don't I add a third entry to the ACL - access-list SplitTunnel standard permit 172.16.52.0 255.255.255.0 and it now works!
so thanks for pointing me in the right direction!
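Added example, written for this page and not taken from any of the posts above: a small Python checker that applies the two conditions the answers name for an ASA 8.2-style remote-access VPN with split tunnelling, namely that the destination network appears in the split-tunnel ACL (otherwise the client never sends that traffic into the tunnel, so no ACL or NAT rule on the ASA ever sees it) and that the destination interface carries a `nat (ifc) 0 access-list` exemption for destination-to-pool traffic. The config text inside is a constructed excerpt using the same ACL names, interface names and addresses as the posted config; the function names (`parse_config`, `check_reachability`) and the `FIX` line are my own. Run as-is it reports only the missing SplitTunnel entry for 172.16.52.0/24, which is the line the asker ended up adding; with that line appended it reports nothing.

```python
"""Check ASA 8.2-style remote-access VPN reachability: split-tunnel ACL + NAT exemption."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt of the posted configuration (same names/addresses as the thread).
CONFIG = """\
access-list NoNat-Colo-Tunnel extended permit ip 172.16.42.0 255.255.255.0 172.16.45.0 255.255.255.0
access-list NoNat-Colo-Tunnel extended permit ip 172.16.45.0 255.255.255.0 172.16.52.0 255.255.255.0
access-list SplitTunnel standard permit 172.16.42.0 255.255.255.0
access-list NoNat-ThirdInterface-Inside extended permit ip 172.16.52.0 255.255.255.0 172.16.45.0 255.255.255.0
ip local pool RasVPNPool 172.16.45.101-172.16.45.200 mask 255.255.255.0
nat (inside) 0 access-list NoNat-Colo-Tunnel
nat (inside) 1 172.16.42.0 255.255.255.0
nat (ThirdInterface) 0 access-list NoNat-ThirdInterface-Inside
group-policy RemoteAccessUsersPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
"""

# The line the asker added to make the ThirdInterface network reachable.
FIX = "access-list SplitTunnel standard permit 172.16.52.0 255.255.255.0\n"


def _addr(tokens, i):
    """Parse one ASA address operand at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull ACLs, address pools, nat-0 exemptions and split-tunnel policy out of 8.2 syntax."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "policies": {}}
    policy = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):      # sub-mode lines are indented; anything else ends it
            policy = None
        if t[0] == "access-list" and "permit" in t:
            entries = cfg["acls"].setdefault(t[1], [])
            if t[2] == "standard":       # standard ACL: destination network only
                dst, _ = _addr(t, 4)
                entries.append((ANY, dst))
            elif t[2] == "extended" and t[4] == "ip":
                src, i = _addr(t, 5)
                dst, _ = _addr(t, i)
                entries.append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            start = t[4].split("-")[0]
            mask = t[t.index("mask") + 1] if "mask" in t else "255.255.255.255"
            cfg["pools"][t[3]] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "group-policy" and t[-1] == "attributes":
            policy = t[1]
            cfg["policies"].setdefault(policy, {})
        elif policy and t[0] == "split-tunnel-policy":
            cfg["policies"][policy]["policy"] = t[1]
        elif policy and t[0] == "split-tunnel-network-list":
            cfg["policies"][policy]["acl"] = t[2]
    return cfg


def check_reachability(cfg, pool_name, dest_net, dest_ifc, policy_name):
    """Return findings that would stop clients in pool_name reaching dest_net behind dest_ifc."""
    findings = []
    pool = cfg["pools"][pool_name]
    dest = ipaddress.ip_network(dest_net)
    pol = cfg["policies"].get(policy_name, {})

    # 1. With tunnelspecified, the client encrypts only traffic for networks in the
    #    split-tunnel ACL; everything else leaves its local interface unencrypted.
    if pol.get("policy") == "tunnelspecified":
        acl = pol.get("acl")
        if not any(dest.subnet_of(d) for _, d in cfg["acls"].get(acl, [])):
            findings.append(f"split-tunnel ACL {acl} has no entry covering {dest}; add: "
                            f"access-list {acl} standard permit {dest.network_address} {dest.netmask}")

    # 2. The destination interface needs a nat-0 exemption for dest -> pool traffic.
    nat_acl = cfg["nat0"].get(dest_ifc)
    exempt = cfg["acls"].get(nat_acl, []) if nat_acl else []
    if not any(dest.subnet_of(s) and pool.subnet_of(d) for s, d in exempt):
        findings.append(f"no NAT exemption on {dest_ifc} for {dest} -> {pool}")
    return findings


if __name__ == "__main__":
    args = ("RasVPNPool", "172.16.52.0/24", "ThirdInterface", "RemoteAccessUsersPolicy")
    print("posted config:", check_reachability(parse_config(CONFIG), *args))
    print("with fix:     ", check_reachability(parse_config(CONFIG + FIX), *args))
```

The checker deliberately tests the split-tunnel list first: the NoNat ACLs in the thread were already correct, and no amount of interface ACL work on the ASA helps when the client never routes 172.16.52.0/24 into the tunnel in the first place. Checking 172.16.42.0/24 on `inside` with the same function returns no findings, matching the behaviour the asker observed.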