
Cisco VPN IPSEC Remote access

Hi Experts
I have set up a VPN to enable users to connect from home using the Cisco client.
The VPN works fine and users can connect to all devices on the LAN behind the Cisco ASA 5510.
One problem I have found is that users cannot connect to a separate subnet, which is another branch office that has a site-to-site VPN link. I want to be able to access the network drives at this LAN/subnet; theirs is 192.168.161.0 and the main site is 192.168.160.0.

Do I need to add a route or alter the VPN settings, etc.?

Thanks
Asked by flowit
1 Solution
 
andrewis commented:
Hi flowit.

If you have a split tunnel configured, you need to verify that 192.168.161.0 exists in your split tunnel ACL, and you will also need to verify that the remote VPN client pool exists in the site-to-site VPN's encryption domain. You will also need the command "same-security-traffic permit inter-interface", which will allow same-security traffic to route in and out of the same interface, in this case the outside interface.

Hope this helps.

Cheers
0
 
flowit (Author) commented:
Hi,
Can you let me know a couple of things?
I don't have command access to the box; I am connected using ASDM.
I created the VPN remote access using the wizard. In the wizard I enabled split DNS and showed the inside network. Where would I find that setting in the ASDM?
Also, I ticked the box "bypass access rules for users", etc., so I have no manual ACL to edit.

Is it wrong to do this?

Thanks
0
 
andrewis commented:
I don't have much experience with the ASDM and always remove it from the firewalls I deploy, so I can't help you with the ASDM, unfortunately. Perhaps someone else can help you with the ASDM.

If you post your config (remember to remove sensitive information) I should be able to take a look and let you know what is missing.
0
flowit (Author) commented:
Hi Andrewis,
Here is my config. Please help.

: Saved
:
ASA Version 8.2(1)
!
hostname FSWE-ASA001
domain-name fl*******.local
enable password * encrypted
passwd *
name 10.6.40.206 swedvpngw
name 62.20.8.155 swedvpngw-public
name 10.6.40.0 insidenetwork description Inside_Lan
name 10.0.0.0 UK_Lan
name 192.168.161.0 Helsingborg_LAN description Helsingborg_LAN
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 1
 ip address 62.*.*.* 255.255.*.*
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.160.252 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30
 name-server 192.168.160.201
 name-server 192.168.161.203
 domain-name f*.local
dns server-group *
 timeout 30
 name-server 10.0.0.1
 name-server 10.0.0.2
 domain-name *
dns-group *
same-security-traffic permit inter-interface
object-group network VPN_Pool
 description VPN Pool
 network-object host 192.168.160.65
 network-object host 192.168.160.66
 network-object host 192.168.160.67
 network-object host 192.168.160.68
 network-object host 192.168.160.69
 network-object host 192.168.160.70
 network-object host 192.168.160.71
 network-object host 192.168.160.72
 network-object host 192.168.160.73
 network-object host 192.168.160.74
 network-object host 192.168.160.75
 network-object host 192.168.160.76
 network-object host 192.168.160.77
 network-object host 192.168.160.78
 network-object host 192.168.160.79
 network-object host 192.168.160.80
 network-object host 192.168.160.81
 network-object host 192.168.160.82
 network-object host 192.168.160.83
 network-object host 192.168.160.84
 network-object host 192.168.160.85
access-list outside_access_in extended permit tcp any host swedvpngw-public eq https
access-list outside_1_cryptomap extended permit ip 192.168.160.0 255.255.255.0 Helsingborg_LAN 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group VPN_Pool Helsingborg_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0 Helsingborg_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0 UK_Lan 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0 192.168.160.64 255.255.255.224
access-list outside_2_cryptomap extended permit ip 192.168.160.0 255.255.255.0 UK_Lan 255.0.0.0
access-list flowvpnusers_splitTunnelAcl standard permit 192.168.160.0 255.255.255.0
access-list flowvpnusers_splitTunnelAcl standard permit Helsingborg_LAN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DHCP_Pool 192.168.160.65-192.168.160.85 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) swedvpngw-public swedvpngw netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.20.8.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_server_GRP protocol ldap
aaa-server LDAP_server_GRP (inside) host 192.168.160.201
 ldap-base-dn dc=*, dc=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password *
 ldap-login-dn *\administrator
 server-type microsoft
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 62.20.*.*
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 62.7.*.*
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy flowvpnusers internal
group-policy flowvpnusers attributes
 wins-server value 192.168.160.201
 dns-server value 192.168.160.201 192.168.161.203
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value flowvpnusers_splitTunnelAcl
 default-domain value *.local
username admin password * encrypted privilege 15
tunnel-group 62.*.8.* type ipsec-l2l
tunnel-group 62.*.8.* ipsec-attributes
 pre-shared-key *
tunnel-group 62.*.224.* type ipsec-l2l
tunnel-group 62.*.224.* ipsec-attributes
 pre-shared-key *
tunnel-group flowvpnusers type remote-access
tunnel-group flowvpnusers general-attributes
 address-pool DHCP_Pool
 authentication-server-group LDAP_server_GRP
 default-group-policy flowvpnusers
tunnel-group flowvpnusers ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1cd965d56bbbe3f5afdff3b877f7f4ae
: end
asdm image disk0:/asdm-621.bin
asdm location swedvpngw 255.255.255.255 inside
asdm location swedvpngw-public 255.255.255.255 inside
asdm location insidenetwork 255.255.255.0 inside
asdm location UK_Lan 255.0.0.0 inside
asdm location Helsingborg_LAN 255.255.255.0 inside
no asdm history enable

0
 
andrewis commented:
Okay, your remote access VPN split tunnel includes the Helsingborg LAN range, so if this is the site you are trying to connect to, this is fine. I also see you have the client VPN range included in your crypto map, so this is also good. You also have "same-security-traffic permit inter-interface".

I would say this config looks good. Has the client VPN range been added into the encryption domain on the other end of the tunnel?
0
 
flowit (Author) commented:
This has not been done.
There is an ASA 5505 at the Helsingborg site.
What do I need to do?

Also:
Is it OK to have a route to the Helsingborg LAN?

Thanks for your quick reply
0
 
andrewis commented:
Nope, you won't need a route unless there is a router inside your network that needs to know about the Helsingborg LAN. You won't need anything on the firewall unless you have an overlapping route pointing internally, which you don't.

Your Helsingborg site encryption domain ACL should mirror what you have configured at HQ.

For example:

access-list outside_1_cryptomap extended permit ip Helsingborg_LAN 255.255.255.0 192.168.160.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip Helsingborg_LAN 255.255.255.0 object-group VPN_Pool

I would personally use 192.168.160.64 255.255.255.224 instead of the object-group in your encryption domain, as it will simplify your config.
0
 
andrewis commented:
I apologise; I didn't realise your VPN pool was on the same address range as your internal network, so your encryption domain should be okay.

In fact, you shouldn't even need this line:

access-list outside_1_cryptomap extended permit ip object-group VPN_Pool Helsingborg_LAN 255.255.255.0

I think what you are trying to do, having your client VPN on the same address range as your internal network, complicates things, as your firewall now has to participate in proxy ARP. I can say I have never configured my client pools on the same range as any internal segments, so I can't comment on how the firewall will treat this.

I would personally change the VPN client range to a unique subnet and make sure it exists in both of the participating encryption domains.

Perhaps someone else reading can comment further?
0
 
flowit (Author) commented:
Hi,
I removed this line:

access-list outside_1_cryptomap extended permit ip object-group VPN_Pool Helsingborg_LAN 255.255.255.0

I have changed the DHCP pool to 192.168.5.1-20, but now I cannot ping anything.
How would my clients now get to 192.168.160.0 and 192.168.161.0?

Can you use any range for the DHCP pool?
Do you need a route? How does the client get to the network?

Thanks
0
 
andrewis commented:
Yep, any range will do.

Have you also edited the NAT exempt rule?

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 Helsingborg_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 UK_Lan 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.160.0 255.255.255.0

Add those ACLs into your access-list and you should be okay.
0
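The thread boils down to three places the client pool must appear: the split-tunnel ACL (so the client sends the remote LAN into the tunnel), the site-to-site crypto-map ACL (so pool-to-remote traffic is in the encryption domain), and the NAT exemption ACL (so inside hosts are not PAT'd when they answer the pool). Below is an added example, not from the thread or from Cisco, that audits those three conditions over ASA 8.2-style ACL text. The config snippets are constructed from the posted configuration: the original pool, the pool after it was moved to 192.168.5.x with the ACLs left untouched, and the moved pool with the corrected ACL entries. The ACL names and the `name` definitions are taken from the posted config; everything else is an assumption made for the example.

```python
"""Audit an ASA 8.2 remote-access pool against the ACLs a split-tunnel
client needs to reach a site-to-site peer's LAN.  Added example; the
config snippets are constructed from the posted configuration."""
import ipaddress
import re

# 'name' definitions from the posted config that the sample ACLs use.
NAMES = {"Helsingborg_LAN": "192.168.161.0", "UK_Lan": "10.0.0.0"}

EXT_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_RE = re.compile(r"access-list (\S+) standard permit (\S+) (\S+)$")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask \S+$")


def net(addr, mask):
    """Resolve an ASA 'name' and build a network from address + dotted mask."""
    return ipaddress.IPv4Network((NAMES.get(addr, addr), mask), strict=False)


def pool_network(config):
    """Smallest network containing the whole 'ip local pool' range."""
    for line in config:
        m = POOL_RE.match(line.strip())
        if m:
            last = ipaddress.IPv4Address(m.group(2))
            n = ipaddress.IPv4Network(f"{m.group(1)}/32")
            while last not in n:
                n = n.supernet()
            return n
    raise ValueError("no 'ip local pool' line in config")


def acl_entries(config, name):
    """Yield (src, dst) for ACL 'name'; standard entries yield (None, net).
    object-group sources are not expanded and are simply skipped."""
    for line in config:
        m = EXT_RE.match(line.strip())
        if m and m.group(1) == name:
            yield net(m.group(2), m.group(3)), net(m.group(4), m.group(5))
            continue
        m = STD_RE.match(line.strip())
        if m and m.group(1) == name:
            yield None, net(m.group(2), m.group(3))


def covers(config, name, src, dst):
    """True if one entry of ACL 'name' has source ⊇ src and destination ⊇ dst."""
    return any((s is None or src.subnet_of(s)) and dst.subnet_of(d)
               for s, d in acl_entries(config, name))


def check(config, inside_lan, remote_lan):
    """The three conditions from the thread, for the pool found in config."""
    pool = pool_network(config)
    return {
        "pool": str(pool),
        # 1. the client routes the remote LAN into the tunnel
        "split_tunnel": covers(config, "flowvpnusers_splitTunnelAcl", pool, remote_lan),
        # 2. pool -> remote LAN is inside the site-to-site encryption domain
        "crypto_map": covers(config, "outside_1_cryptomap", pool, remote_lan),
        # 3. inside LAN <-> pool is exempt from NAT; the ACL is bound with
        #    'nat (inside) 0', so the inside LAN is the source side
        "nat0": covers(config, "inside_nat0_outbound", inside_lan, pool),
    }


INSIDE_LAN = ipaddress.IPv4Network("192.168.160.0/24")
REMOTE_LAN = net("Helsingborg_LAN", "255.255.255.0")

# Constructed from the posted config (object-group line already removed).
BASE_ACLS = [
    "access-list outside_1_cryptomap extended permit ip 192.168.160.0 255.255.255.0 Helsingborg_LAN 255.255.255.0",
    "access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0 Helsingborg_LAN 255.255.255.0",
    "access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0 192.168.160.64 255.255.255.224",
    "access-list flowvpnusers_splitTunnelAcl standard permit 192.168.160.0 255.255.255.0",
    "access-list flowvpnusers_splitTunnelAcl standard permit Helsingborg_LAN 255.255.255.0",
]
ORIGINAL = BASE_ACLS + ["ip local pool DHCP_Pool 192.168.160.65-192.168.160.85 mask 255.255.255.0"]
MOVED = BASE_ACLS + ["ip local pool DHCP_Pool 192.168.5.1-192.168.5.20 mask 255.255.255.0"]
FIXED = MOVED + [  # the entries the moved pool needs on the HQ ASA
    "access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 Helsingborg_LAN 255.255.255.0",
    "access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0 192.168.5.0 255.255.255.0",
]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("moved", MOVED), ("fixed", FIXED)):
        print(label, check(cfg, INSIDE_LAN, REMOTE_LAN))
```

On the original config the pool (192.168.160.64/27) is already inside 192.168.160.0/24, so every condition passes without the object-group line, which is why andrewis called it redundant. On the moved pool the crypto-map and NAT-exemption checks both fail with the ACLs unchanged, matching the "cannot ping anything" result. The script only sees the HQ side; the Helsingborg ASA 5505 still needs the mirrored crypto-map entry for 192.168.5.0 as destination, which this check cannot confirm.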