Solved

VPN and split tunnel, can't access remote network via VPN

Posted on 2011-09-05
5
560 Views
Last Modified: 2012-08-03
All, I am trying to access the remote VPN network 10.130.0.0 from the VPN network 192.168.1.x. How do you set the split tunnel up for this to work? Here is a copy of the config.
: Saved
:
ASA Version 7.2(2) 
!
hostname ama5505
domain-name ama.local
enable password iDLL5Qy.myEdAhkc encrypted
names
name 7X.XX.XX.203 SBSSVR_EXT description WEBSERVER EXTERNALIP
name 10.10.11.2 SBSSVR_INT description WEBSERVER InternalIP
name 7X.XX.XX.204 IMAGE_EXT description WEBSERVER EXTERNALIP
name 10.10.11.8 IMAGE_INT description WEBSERVER InternalIP
name 7X.XX.XX.205 MYHOUSE_EXT description Myhousing EsternalIP
name 10.10.11.9 MYHOUSE_INT description Myhousing InternalIP
name 10.10.11.13 VISUALSVN_INT description SVN InternalIP
name 7X.XX.XX.206 VISUALSVN_EXT description SVN EsternalIP
name 10.10.11.62 Sammy_INT description RDP - 3389
name 7X.XX.XX.207 Sammy_EXT description for RDP
name 10.10.11.16 AMAWIN702_INT description RDP - 3389
name 10.130.0.12 AMADC02_INT description DNS At colocation
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.254 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7X.XX.XX.202 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 switchport access vlan 12
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 speed 100
 duplex full
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server SBSSVR_INT
 name-server AMADC02_INT
 domain-name ama.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network INSIDE_NETWORK
 network-object 10.10.0.0 255.255.0.0
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq www 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq https 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq smtp 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq 987 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq 8080 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq ftp 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq 3389 
access-list Outside-Inbound extended deny tcp any host IMAGE_EXT eq www 
access-list Outside-Inbound extended permit tcp any host IMAGE_EXT eq https 
access-list Outside-Inbound extended permit tcp any host IMAGE_EXT eq 1433 
access-list Outside-Inbound extended permit tcp any host MYHOUSE_EXT eq www 
access-list Outside-Inbound extended permit tcp any host MYHOUSE_EXT eq https 
access-list Outside-Inbound extended permit tcp any host VISUALSVN_EXT eq https 
access-list Outside-Inbound extended permit tcp host SBSSVR_EXT eq ftp any 
access-list Outside-Inbound extended permit tcp 70.43.206.0 255.255.255.0 any eq ssh 
access-list Outside-Inbound extended permit tcp 70.43.206.0 255.255.255.0 any log 
access-list Outside-Inbound extended permit tcp 216.146.32.0 255.255.254.0 eq smtp any 
access-list Outside-Inbound extended permit tcp any host VISUALSVN_EXT eq 3389 
access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 
access-list AMA_VPN_splitTunnelAcl standard permit 10.130.0.0 255.255.240.0 
access-list AMA_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.130.0.0 255.255.240.0 
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq www any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq https any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq smtp any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq 987 any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq 8080 any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq ftp any 
access-list inside_access_in extended permit tcp host SBSSVR_INT eq ftp-data any 
access-list inside_access_in extended permit tcp host IMAGE_INT eq https any 
access-list inside_access_in extended permit tcp host IMAGE_INT eq smtp any 
access-list inside_access_in extended permit tcp host IMAGE_INT eq 987 any 
access-list inside_access_in extended permit tcp host IMAGE_INT eq 1433 any 
access-list inside_access_in extended deny tcp host IMAGE_INT eq www any eq www 
access-list inside_access_in extended permit tcp host MYHOUSE_INT eq www any 
access-list inside_access_in extended permit tcp host MYHOUSE_INT eq https any 
access-list inside_access_in extended permit tcp host VISUALSVN_INT eq https any 
access-list inside_access_in extended permit tcp host Sammy_INT eq 3389 any 
access-list inside_access_in extended permit tcp host VISUALSVN_INT eq 3389 any 
access-list inside_access_in extended permit tcp host AMAWIN702_INT eq 3389 any 
access-list outside_20_cryptomap remark **windstream VPN **
access-list outside_20_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.130.0.0 255.255.240.0 
pager lines 24
logging enable
logging history emergencies
logging asdm informational
logging class auth history emergencies 
logging class session history emergencies 
logging class vpn history emergencies 
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.1.1-192.168.1.19 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 SBSSVR_EXT-Sammy_EXT netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp SBSSVR_EXT www SBSSVR_INT www netmask 255.255.255.255 
static (inside,outside) tcp SBSSVR_EXT 8080 SBSSVR_INT 8080 netmask 255.255.255.255 
static (inside,outside) tcp SBSSVR_EXT ftp SBSSVR_INT ftp netmask 255.255.255.255 
static (inside,outside) tcp SBSSVR_EXT 987 SBSSVR_INT 987 netmask 255.255.255.255 
static (inside,outside) tcp SBSSVR_EXT https SBSSVR_INT https netmask 255.255.255.255 
static (inside,outside) tcp SBSSVR_EXT smtp SBSSVR_INT smtp netmask 255.255.255.255 
static (inside,outside) tcp SBSSVR_EXT 3389 Sammy_INT 3389 netmask 255.255.255.255 
static (inside,outside) IMAGE_EXT IMAGE_INT netmask 255.255.255.255 
static (inside,outside) MYHOUSE_EXT MYHOUSE_INT netmask 255.255.255.255 
static (inside,outside) VISUALSVN_EXT VISUALSVN_INT netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group Outside-Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 7X.XX.XX.201 1
timeout xlate 1:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AMA_VPN_splitTunnelAcl
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy AMA_VPN internal
group-policy AMA_VPN attributes
 dns-server value 10.10.11.2 10.130.0.12
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AMA_VPN_splitTunnelAcl
 default-domain value AMA.LOCAL
username sammy password PJ1HyaWWuYlkPIZ. encrypted privilege 0
username sammy attributes
 vpn-group-policy AMA_VPN
username stephanie password WRUVV7p5eF1E/7Ty encrypted privilege 0
username stephanie attributes
 vpn-group-policy AMA_VPN
username tcarr password XMxyGWL2Hbo5PB5f encrypted privilege 15
username stacie password x9bSv/mOB5P3QxM2 encrypted privilege 0
username stacie attributes
 vpn-group-policy AMA_VPN
username steven password nT3.0ClPbtxduHDY encrypted privilege 0
username steven attributes
 vpn-group-policy AMA_VPN
username isynergy password H8YI6pVz9DozHm.o encrypted privilege 0
username isynergy attributes
 vpn-group-policy AMA_VPN
username ryan password X9WRXoksaCsAEa1y encrypted privilege 0
username ryan attributes
 vpn-group-policy AMA_VPN
username amadmin password oXCxIQWlGme3U41. encrypted privilege 15
username annettie password KE6LNiRlkJWbZbMc encrypted privilege 0
username annettie attributes
 vpn-group-policy AMA_VPN
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside VISUALSVN_INT community public
snmp-server location AMA
snmp-server contact IT Department
snmp-server community Public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map atlanta 10 set transform-set chevelle 3DES-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 20X.XXX.XXX.XX2 
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group AMA_VPN type ipsec-ra
tunnel-group AMA_VPN general-attributes
 address-pool VPN_POOL2
 default-group-policy AMA_VPN
tunnel-group AMA_VPN ipsec-attributes
 pre-shared-key *
tunnel-group 20X.XXX.XXX.XX2 type ipsec-l2l
tunnel-group 20X.XXX.XXX.XX2 ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside

!
class-map sip-port
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
policy-map sip_policy
 class sip-port
  inspect sip 
!
service-policy global_policy global
service-policy sip_policy interface outside
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:343ee999eb9541f15396eabe0d7f56fd
: end
asdm image disk0:/asdm-522.bin
asdm location SBSSVR_INT 255.255.255.255 inside
asdm location SBSSVR_EXT 255.255.255.255 inside
asdm location IMAGE_INT 255.255.255.255 inside
asdm location IMAGE_EXT 255.255.255.255 inside
no asdm history enable

Question by:TreyCarr
5 Comments
 

Author Comment

by:TreyCarr
ID: 36486409
I tried adding these lines

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0  
access-list inside_nat0_outbound extended permit ip 10.130.0.0 255.255.240.0 10.10.0.0 255.255.0.0  
access-list inside_nat0_outbound extended permit ip 10.130.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.130.0.0 255.255.240.0  

but still do not have access. I have a managed firewall on the other side. To test, I have to get them to set up split tunneling on their end as well.
0
 
LVL 4

Expert Comment

by:Allvirtual
ID: 36486604
It would be nice to add a few more details what you are trying to do. Are you trying to build a site-to-site tunnel between two gateways (both Cisco ASA) or are you doing a Dialup-VPN from a client?
0
 

Author Comment

by:TreyCarr
ID: 36486794
Sorry about that.  I have already built a site to site vpn from our office to our colo.

Office is 10.10.0.0 and colo is 10.130.0.0.

When we VPN we go into the office ASA and are given the address of 192.168.1.X. That address can traverse the office network just fine, but cannot see the colo network. This is what we are trying to fix.
0
 
LVL 18

Accepted Solution

by:
fgasimzade earned 63 total points
ID: 36487590
First of all, make sure your colo has a route back to your VPN subnet 192.168.1.X.

Also, you would need to change your crypto access list

access-list outside_20_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.130.0.0 255.255.240.0

You need to add a line here:

access-list outside_20_cryptomap extended permit ip 192.168.1.X 255.255.255.0 10.130.0.0 255.255.240.0

You would need to do the same on the other side, like this

access-list outside_20_cryptomap extended permit ip  10.130.0.0 255.255.240.0 192.168.1.X 255.255.255.0

Also, issue this command on your office ASA:

same-security-traffic permit intra-interface



Can we see colo ASA config?

You would need to configure your colo ASA outside access list to permit traffic from 192.168.1.X as well as configure NO NAT and

0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 62 total points
ID: 36488134
So if I understand correctly, you want to be able to vpn into the office and then also be able to reach the colo through that vpn?

Then you need some hairpinning, have a look at: http://www.petenetlive.com/KB/Article/0000040.htm
0
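As an added example (not code from the thread, the page's author, or Cisco), the following Python models the three ACL checks that the accepted answer and the hairpinning comment above walk through for a VPN-client-to-colo flow on the office ASA: the split-tunnel list, the NAT exemption, and the L2L crypto map's interesting-traffic ACL, plus the mirror check for the far side. It is a simplified model of ACL membership only: it ignores which interface each nat 0 statement is bound to, writes the answer's 192.168.1.X as the pool network 192.168.1.0, and the colo-side crypto ACL is constructed because the thread never shows it.

```python
import ipaddress

def _net(addr, mask):
    """Build a network object from an ASA 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_standard(config, name):
    """Networks permitted by 'access-list NAME standard permit NET MASK' lines."""
    rows = (line.split() for line in config)
    return [_net(t[4], t[5]) for t in rows
            if len(t) >= 6 and t[1] == name and t[2:4] == ["standard", "permit"]]

def parse_extended(config, name):
    """(src, dst) pairs from 'access-list NAME extended permit ip SRC MASK DST MASK'.
    Only the network/mask form used in this thread is handled; remark lines are skipped."""
    rows = (line.split() for line in config)
    return [(_net(t[5], t[6]), _net(t[7], t[8])) for t in rows
            if len(t) >= 9 and t[1] == name and t[2:5] == ["extended", "permit", "ip"]]

def diagnose(config, client_ip, colo_ip):
    """Reasons a VPN-client -> colo flow is dropped by the office ASA (simplified model:
    ACL membership only, ignoring which interface each nat 0 statement is bound to)."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(colo_ip)
    problems = []
    # 1. The client only tunnels destinations listed in the split-tunnel ACL.
    if not any(dst in n for n in parse_standard(config, "AMA_VPN_splitTunnelAcl")):
        problems.append("split tunnel: client sends this destination out its local interface")
    # 2. NAT exemption matches either direction of the pair (ASA nat 0 is bidirectional).
    nat0 = parse_extended(config, "inside_nat0_outbound")
    if not any((src in s and dst in d) or (dst in s and src in d) for s, d in nat0):
        problems.append("nat 0: flow is not NAT-exempt, so it is translated instead of tunnelled")
    # 3. The L2L crypto map only encrypts flows its interesting-traffic ACL names.
    if not any(src in s and dst in d for s, d in parse_extended(config, "outside_20_cryptomap")):
        problems.append("crypto map: flow is not interesting traffic for the L2L tunnel")
    return problems

def mirrored(local_crypto, remote_crypto):
    """True if every (src, dst) of the local crypto ACL appears reversed on the far side."""
    remote = set(remote_crypto)
    return all((d, s) in remote for s, d in local_crypto)

# ACL lines copied from the question's running config.
ORIGINAL = """
access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list AMA_VPN_splitTunnelAcl standard permit 10.130.0.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.130.0.0 255.255.240.0
access-list outside_20_cryptomap remark **windstream VPN **
access-list outside_20_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.130.0.0 255.255.240.0
""".strip().splitlines()
# The NAT exemption the author added, plus the crypto ACL line from the accepted answer
# with its 192.168.1.X written as the pool network 192.168.1.0 (assumption).
FIXED = ORIGINAL + [
    "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.130.0.0 255.255.240.0",
    "access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.130.0.0 255.255.240.0",
]
# Constructed colo-side crypto ACL (the thread never shows it), mirroring the office one.
COLO_CRYPTO = parse_extended([
    "access-list colo_cryptomap extended permit ip 10.130.0.0 255.255.240.0 10.10.0.0 255.255.0.0",
    "access-list colo_cryptomap extended permit ip 10.130.0.0 255.255.240.0 192.168.1.0 255.255.255.0",
], "colo_cryptomap")
```

Running diagnose(ORIGINAL, "192.168.1.5", "10.130.0.12") reports the nat 0 and crypto map gaps, while the same flow against FIXED reports none; mirrored() then confirms the constructed colo ACL is the reverse of the office one.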
