Solved

asa 5505 vlan

Posted on 2011-09-06
Last Modified: 2012-05-12
Hi all,

How can I allow traffic from one site to another site, which is already connected via VPN, but to equipment on another VLAN at that site?

Example:
site 1 = 10.0.0.0 connects via VPN to site 2, which is 10.1.1.0
site 2 = 10.1.1.0 (main VLAN), 10.5.5.0 (secondary VLAN that connects via VPN to another company)

So I need the data to be able to go from 10.0.0.0 to a server on the 10.5.5.0 VLAN. No idea how to get this done. Any ideas?
Question by:Comptx
18 Comments
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36489961
You would need to add routes and edit the crypto map access lists and outside access lists. If you post your configs, we could be more specific.
 

Author Comment

by:Comptx
ID: 36490365

OK, here is the config for the destination site with the two VLANs (10.1.1.0 and 10.5.5.0):

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
domain-name communicare
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names
*
*
*

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.*.*.115 255.255.255.0 
!
interface Vlan12
 nameif telemed
 security-level 100
 ip address 10.5.5.1 255.255.255.0 
!
interface Vlan22
 nameif AdtranT1
 security-level 0
 ip address 208.*.*.163 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
 name-server ccc-westsac-server
 name-server 10.0.0.13
 name-server 76.14.96.13
 domain-name communicare
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network UC-Davis
 network-object host USDAVIS101-84
 network-object host USDAVIS167.-61
 network-object host USDAVIS167-62
 network-object host USDAVIS167-65
 network-object USDAVIS112-0 255.255.255.0
 network-object host USDAVIS200-5
 network-object host USDAVIS207-187
 network-object host USDAVIS207-188
 network-object host USDAVIS207-9
 network-object host USDAVIS208121
 network-object host USDAVIS35-228
 network-object host USDAVIS35-230
 network-object host USDAVIS37-118
 network-object host USDAVIS37-83
 network-object host USDAVIS40-21
 network-object host USDAVIS40-22
 network-object host USDAVIS41-89
 network-object host USDAVIS60-10
 network-object host USDAVIS-New-159
 network-object host USDAVIS-New-175
 network-object host USDAVIS-New-214
access-list AdtranT1_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 peterson-lan 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 woodland-lan 255.255.255.0 
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list rdp-capture extended permit tcp any interface outside eq 3389 
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 peterson-lan 255.255.255.0 
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis 
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis 
access-list outside_cryptomap_1 extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 1731 
access-list outside_access_in_1 extended permit tcp any host polyComm eq https 
access-list outside_access_in_1 extended permit tcp any host polyComm eq www 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 2776 
access-list outside_access_in_1 extended permit tcp any host polyComm eq ftp 
access-list outside_access_in_1 extended permit tcp any host polyComm eq telnet 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 123 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 963 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 1026 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 1027 
access-list outside_access_in_1 extended permit tcp any host polyComm eq h323 
access-list outside_access_in_1 extended permit tcp any host polyComm eq ldap 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 1503 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 3603 
access-list outside_access_in_1 extended permit tcp any range 3230 3243 host polyComm range 3230 3243 
access-list outside_access_in_1 extended permit tcp any range 5555 5587 host polyComm range 5555 5587 
access-list outside_access_in_1 extended permit udp any range 3230 3285 host polyComm range 3230 3285 
access-list outside_access_in_1 extended permit udp any range 970 973 host polyComm range 970 973 
access-list outside_access_in_1 extended permit udp any range 2326 2373 host polyComm range 2326 2373 
access-list outside_access_in_1 extended permit tcp any host polyComm eq 1719 
access-list outside_access_in_1 extended permit udp any host polyComm eq 1719 
access-list outside_access_in_1 extended permit udp any host polyComm eq snmp 
access-list outside_access_in_1 extended permit udp any host polyComm eq snmptrap 
access-list outside_access_in_1 extended permit udp any host polyComm eq 2873 
access-list outside_access_in_1 extended permit udp any host polyComm eq 1718 
access-list outside_access_in_1 extended permit gre any host polyComm 
access-list AdtranT1_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 woodland-lan 255.255.255.0 
access-list AdtranT1_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 peterson-lan 255.255.255.0 
access-list telemed_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging buffer-size 9000
logging buffered emergencies
logging trap emergencies
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu telemed 1500
mtu AdtranT1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0
static (inside,outside) polyComm 10.1.1.228 netmask 255.255.255.255 
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 76.*.*.1 1 track 1
route AdtranT1 0.0.0.0 0.0.0.0 64.*.*.170 254
route AdtranT1 10.0.0.0 255.255.255.0 64.*.*.170 1
route AdtranT1 peterson-lan 255.255.255.0 64.*.*.170 1
route AdtranT1 woodland-lan 255.255.255.0 64.*.*.170 1
route AdtranT1 12.*.*.222 255.255.255.255 64.*.*.170 1
route AdtranT1 12.69.26.82 255.255.255.255 64.*.*.170 1
route AdtranT1 63.*.*.19 255.255.255.255 64.*.*.170 1
route AdtranT1 76.*.*.168 255.255.255.255 64.*.*.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 telemed
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 74.*.*.1 interface outside
 num-packets 4
 frequency 5
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer 152.*.*.10 
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map AdtranT1_map 1 match address AdtranT1_1_cryptomap
crypto map AdtranT1_map 1 set peer 12.*.*.222
crypto map AdtranT1_map 1 set transform-set ESP-3DES-MD5
crypto map AdtranT1_map 2 match address AdtranT1_2_cryptomap
crypto map AdtranT1_map 2 set peer 76.*.*.168 
crypto map AdtranT1_map 2 set transform-set ESP-3DES-MD5
crypto map AdtranT1_map 3 match address AdtranT1_3_cryptomap
crypto map AdtranT1_map 3 set peer 63.*.*.19 
crypto map AdtranT1_map 3 set transform-set ESP-3DES-MD5
crypto map AdtranT1_map interface AdtranT1
crypto map telemed_map 1 match address telemed_1_cryptomap
crypto map telemed_map 1 set peer 12.*.*.222
crypto map telemed_map 1 set transform-set ESP-3DES-MD5
crypto map telemed_map interface telemed
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp enable AdtranT1
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 12.*.*.222 type ipsec-l2l
tunnel-group 12.*.*.222 ipsec-attributes
 pre-shared-key *****
tunnel-group 152.*.*.10 type ipsec-l2l
tunnel-group 152.*.*.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 76.*.*.168 type ipsec-l2l
tunnel-group 76.*.*.168 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.*.*.19 type ipsec-l2l
tunnel-group 63.*.*.19 ipsec-attributes
 pre-shared-key *****
tunnel-group retinopathy-vpn type ipsec-l2l
tunnel-group retinopathy-vpn ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp 
  inspect icmp 
  inspect h323 h225 
  inspect h323 ras 
!
service-policy global-policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b33210040ddb8d040a9d18fc510c294a
: end
asdm image disk0:/asdm-625.bin
asdm location woodland-lan 255.255.255.0 inside
asdm location ccc-westsac-server 255.255.255.255 inside
no asdm history enable


Here is the config for the source site (10.0.0.0):


: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
domain-name Communicare
enable password XFy9CjYNnphRv1bP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.0 SaludSite
name 10.2.2.0 PetersonSite
name 10.3.3.0 JJWoodlandSite
name 10.10.11.0 EJM
name 10.0.0.24 CCC-MailPrivate24
name 10.0.0.25 CCC-MailPrivate25
name 12.*.*.211 CCC-MailPublic
name 208.*.*.245 CCC-MailPublic2
name 10.0.0.12 CCC-TM2Private
name 12.*.*.213 CCC-TM2Public
name 10.0.0.7 CCC-TMPrivare
name 12.*.*.212 CCC-TMPublic
name 10.9.9.0 webvpn
name 12.*.*.210 CCC-Mailpublic3
name 12.*.*.222 outsideATT-network
name 10.0.0.26 ccc-mail-26 description ccc-mail-DOT26
name 10.0.0.27 CCC-EMAIL
name 12.*.*.215 CCC-EMAIL-PUBLIC
name 12.*.*.214 PolyComm description polyComm External
name 10.5.5.0 salud-retinopathy
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0 
!
interface Vlan11
 nameif outsideATT
 security-level 0
 ip address outsideATT-network 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 21
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outsideATT
dns server-group DefaultDNS
 name-server 10.0.0.13
 name-server CCC-MailPrivate25
 name-server 12.127.17.71
 domain-name Communicare
same-security-traffic permit intra-interface
object-group service CCC-Mail-Services
 service-object tcp eq https 
 service-object tcp eq imap4 
 service-object tcp eq smtp 
 service-object tcp eq www 
object-group network DM_INLINE_NETWORK_1
 network-object host CCC-TMPublic
 network-object host CCC-TM2Public
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outsideATT_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 SaludSite 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 SaludSite 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 PetersonSite 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 JJWoodlandSite 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 EJM 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 webvpn 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 salud-retinopathy 255.255.255.0 
access-list outsideATT_3_cryptomap extended permit ip 10.0.0.0 255.255.255.0 JJWoodlandSite 255.255.255.0 
access-list outsideATT_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 EJM 255.255.255.0 
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded 
access-list rdp-capture extended permit tcp any interface outsideATT eq 3389 
access-list inside_access_in extended permit gre any any 
access-list outside_access_in extended permit gre any host CCC-TMPublic 
access-list outside_access_in extended permit gre any host CCC-TM2Public 
access-list outside_access_in extended permit tcp any host CCC-MailPublic eq https 
access-list outside_access_in extended permit tcp any host CCC-MailPublic eq smtp 
access-list outside_access_in extended permit tcp any host CCC-MailPublic eq www 
access-list outside_access_in extended permit tcp any host CCC-TMPublic eq pptp 
access-list outside_access_in extended permit tcp any host CCC-TM2Public eq pptp 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 
access-list OutsideINT_access_in extended permit object-group CCC-Mail-Services any host CCC-MailPublic2 
access-list OutsideINT_access_in extended permit icmp any any 
access-list outsideATT_access_in extended permit object-group CCC-Mail-Services any host CCC-MailPublic 
access-list outsideATT_access_in extended permit tcp any host CCC-TM2Public eq pptp 
access-list outsideATT_access_in extended permit tcp any host CCC-TMPublic eq pptp 
access-list outsideATT_access_in extended permit gre any object-group DM_INLINE_NETWORK_1 
access-list outsideATT_access_in extended deny object-group TCPUDP any host CCC-MailPublic eq domain 
access-list outsideATT_4_cryptomap extended permit ip 10.0.0.0 255.255.255.0 PetersonSite 255.255.255.0 
access-list outsideATT_access_in_1 extended permit object-group CCC-Mail-Services any host CCC-MailPublic 
access-list outsideATT_access_in_1 extended permit object-group CCC-Mail-Services any host CCC-EMAIL-PUBLIC 
access-list outsideATT_access_in_1 extended permit tcp any host CCC-Mailpublic3 eq smtp 
access-list outsideATT_access_in_1 extended permit object-group CCC-Mail-Services any host CCC-MailPublic2 
access-list outsideATT_access_in_1 extended permit tcp any host outsideATT-network eq smtp 
access-list outsideATT_access_in_1 extended permit tcp any host CCC-TMPublic eq pptp 
access-list outsideATT_access_in_1 remark ccc-remote ecw
access-list outsideATT_access_in_1 extended permit tcp any host 12.*.*.219 eq www 
access-list outsideATT_access_in_1 remark ccc-remote ecw
access-list outsideATT_access_in_1 extended permit tcp any host 12.*.*.219 eq 4019 
access-list outsideATT_access_in_1 remark ccc-remote ecw
access-list outsideATT_access_in_1 extended permit tcp any host 12.*.*.219 eq https 
access-list outsideATT_access_in_1 extended permit tcp any host CCC-TM2Public eq pptp 
access-list outsideATT_access_in_1 extended permit gre any any 
access-list outsideATT_access_in_1 extended permit gre any host CCC-TMPublic 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 1731 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq https 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq www 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 2776 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq ftp 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq telnet 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 123 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 963 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 1026 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 1027 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq h323 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq ldap 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 1503 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 3389 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 3603 
access-list outsideATT_access_in_1 extended permit tcp any range 3230 3243 host PolyComm range 3230 3243 
access-list outsideATT_access_in_1 extended permit tcp any range 5555 5587 host PolyComm range 5555 5587 
access-list outsideATT_access_in_1 extended permit udp any range 3230 3285 host PolyComm range 3230 3285 
access-list outsideATT_access_in_1 extended permit udp any range 970 973 host PolyComm range 970 973 
access-list outsideATT_access_in_1 extended permit udp any range 2326 2373 host PolyComm range 2326 2373 
access-list outsideATT_access_in_1 extended permit tcp any host PolyComm eq 1719 
access-list outsideATT_access_in_1 extended permit udp any host PolyComm eq 1719 
access-list outsideATT_access_in_1 extended permit udp any host PolyComm eq snmp 
access-list outsideATT_access_in_1 extended permit udp any host PolyComm eq snmptrap 
access-list outsideATT_access_in_1 extended permit udp any host PolyComm eq 2873 
access-list outsideATT_access_in_1 extended permit udp any host PolyComm eq 1718 
access-list outsideATT_access_in_1 extended permit gre any host PolyComm 
access-list outsideATT_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 salud-retinopathy 255.255.255.0 
pager lines 24
logging enable
logging asdm notifications
no logging message 313001
no logging message 106023
no logging message 106021
no logging message 507003
no logging message 733100
no logging message 108004
mtu inside 1500
mtu outsideATT 1500
ip local pool 10.9.9.100 10.9.9.100-10.9.9.150 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outsideATT
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outsideATT
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outsideATT) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outsideATT) tcp CCC-EMAIL-PUBLIC www CCC-EMAIL www netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-EMAIL-PUBLIC https CCC-EMAIL https netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-EMAIL-PUBLIC smtp CCC-EMAIL smtp netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-MailPublic www CCC-MailPrivate24 www netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-MailPublic https CCC-MailPrivate24 https netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-MailPublic smtp CCC-MailPrivate24 smtp netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-Mailpublic3 smtp CCC-MailPrivate25 smtp netmask 255.255.255.255 
static (inside,outsideATT) tcp interface smtp ccc-mail-26 smtp netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-TM2Public pptp 10.0.0.36 pptp netmask 255.255.255.255 
static (inside,outsideATT) tcp CCC-TMPublic pptp 10.0.0.37 pptp netmask 255.255.255.255 
static (inside,outsideATT) tcp 12.*.*.219 www 10.0.0.39 www netmask 255.255.255.255 
static (inside,outsideATT) tcp 12.*.*.219 4019 10.0.0.39 3389 netmask 255.255.255.255 
static (inside,outsideATT) tcp 12.*.*.219 135 10.0.0.39 135 netmask 255.255.255.255 
static (inside,outsideATT) tcp 12.*.*.219 https 10.0.0.39 https netmask 255.255.255.255 
static (inside,outsideATT) PolyComm 10.0.0.244 netmask 255.255.255.255 
static (inside,outsideATT) CCC-MailPublic CCC-MailPrivate24 netmask 255.255.255.255 
access-group outsideATT_access_in_1 in interface outsideATT
route outsideATT 0.0.0.0 0.0.0.0 12.*.*.209 1
route outsideATT SaludSite 255.255.255.0 12.*.*.209 1
route outsideATT PetersonSite 255.255.255.0 12.*.*.209 1
route outsideATT JJWoodlandSite 255.255.255.0 12.*.*.209 1
route outsideATT EJM 255.255.255.0 12.*.*.209 1
route outsideATT 12.*.*.82 255.255.255.255 12.*.*.209 1
route outsideATT 76.*.*.115 255.255.255.255 12.*.*.209 1
route outsideATT 76.*.*.168 255.255.255.255 12.*.*.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsideATT_map 1 match address outsideATT_1_cryptomap
crypto map outsideATT_map 1 set peer 70.*.*.100 
crypto map outsideATT_map 1 set transform-set ESP-3DES-SHA
crypto map outsideATT_map 2 match address outsideATT_2_cryptomap
crypto map outsideATT_map 2 set peer 208.*.*.163 
crypto map outsideATT_map 2 set transform-set ESP-3DES-MD5
crypto map outsideATT_map 3 match address outsideATT_3_cryptomap
crypto map outsideATT_map 3 set peer 76.*.*.168 
crypto map outsideATT_map 3 set transform-set ESP-3DES-MD5
crypto map outsideATT_map 4 match address outsideATT_4_cryptomap
crypto map outsideATT_map 4 set peer 63.*.*.19 
crypto map outsideATT_map 4 set transform-set ESP-3DES-MD5
crypto map outsideATT_map 5 match address outsideATT_5_cryptomap
crypto map outsideATT_map 5 set peer 76.*.*.115 
crypto map outsideATT_map 5 set transform-set ESP-3DES-MD5
crypto map outsideATT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsideATT_map interface outsideATT
crypto isakmp enable outsideATT
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 10
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outsideATT
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.255.0
threat-detection scanning-threat shun except ip-address SaludSite 255.255.255.0
threat-detection scanning-threat shun except ip-address EJM 255.255.255.0
threat-detection scanning-threat shun except ip-address PetersonSite 255.255.255.0
threat-detection scanning-threat shun except ip-address JJWoodlandSite 255.255.255.0
threat-detection scanning-threat shun except ip-address 208.*.*.240 255.255.255.248
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outsideATT
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
group-policy rchc internal
group-policy rchc attributes
 dns-server value 12.127.17.71
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  url-list value cccmail
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.13
 vpn-simultaneous-logins 10
 vpn-idle-timeout 480
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  url-list value cccmail
  svc ask enable
username rchcadmin password YqHZcxZ3f7BvifEX encrypted privilege 0
username teenprogram password uehenI.efD9efbkV encrypted privilege 0
username teenprogram attributes
 vpn-group-policy DfltGrpPolicy
username Prenatal4 password u6TUJXxHUhlIfHTz encrypted privilege 0
username Prenatal4 attributes
 vpn-group-policy DfltGrpPolicy
username Prenatal3 password u6TUJXxHUhlIfHTz encrypted privilege 0
username Prenatal3 attributes
 vpn-group-policy DfltGrpPolicy
username Prenatal2 password u6TUJXxHUhlIfHTz encrypted privilege 0
username Prenatal2 attributes
 vpn-group-policy DfltGrpPolicy
username Prenatal password u6TUJXxHUhlIfHTz encrypted privilege 0
username Prenatal attributes
 vpn-group-policy DfltGrpPolicy
username DavidK password jga6Z.hpaCmJSQR7 encrypted privilege 0
username garyf password 816VxhtdKiQVfWaU encrypted privilege 0
username garyf attributes
 vpn-group-policy DfltGrpPolicy
username Sutter password 8BQ8WsVBln7Y7Wxw encrypted privilege 0
username Sutter attributes
 vpn-group-policy DfltGrpPolicy
username gilbert password 9abKfXDypgaIBL/w encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool 10.9.9.100
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool 10.9.9.100
 default-group-policy rchc
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
 pre-shared-key *****
tunnel-group 76.*.*.168 type ipsec-l2l
tunnel-group 76.*.*.168 ipsec-attributes
 pre-shared-key *****
tunnel-group 70.*.*.100 type ipsec-l2l
tunnel-group 70.*.*.100 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.*.*.19 type ipsec-l2l
tunnel-group 63.*.*.19 ipsec-attributes
 pre-shared-key *****
tunnel-group retinopathy-vpn type ipsec-l2l
tunnel-group retinopathy-vpn ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect netbios 
  inspect pptp 
  inspect icmp 
  inspect icmp error 
policy-map global-policy
 class global-class
  inspect icmp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e612d8214cd79c81e35e4a2783a8d6f8
: end
asdm image disk0:/asdm-625.bin
asdm location PolyComm 255.255.255.255 inside
asdm location salud-retinopathy 255.255.255.0 inside
no asdm history enable

 
LVL 3

Expert Comment

by:Mystique_87
ID: 36494932
Should the server in the 10.5.5.0 network be accessed via the secondary VPN tunnel?
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36495055
Can you describe your topology once again?

From your ASA2 I see this:

access-list outsideATT_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 salud-retinopathy 255.255.255.0
crypto map outsideATT_map 5 match address outsideATT_5_cryptomap
crypto map outsideATT_map 5 set peer 76.*.*.115    <-- this is your ASA1

At the same time on your ASA2:

access-list outsideATT_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 SaludSite 255.255.255.0
crypto map outsideATT_map 2 match address outsideATT_2_cryptomap
crypto map outsideATT_map 2 set peer 208.*.*.163    <-- this is also your ASA1, but a different interface

Now, you have two tunnels: one from 10.0.0.0 to 10.1.1.0 using 76.*.*.115 as a peer, and a second from 10.0.0.0 to 10.5.5.0 using 208.*.*.163 as a peer. But these two peers are both on ASA1.
 

Author Comment

by:Comptx
ID: 36498175
I want to be able to access the server on 10.5.5.0 from the 10.0.0.0 site through the main VPN connection that's already connecting them together. So the traffic should be able to go from 10.0.0.0 to 10.1.1.0 and then jump to the 10.5.5.0 VLAN.
 

Author Comment

by:Comptx
ID: 36498306
fgasimzade, some of those might have been from my fail attempt of trying to get this to work.

right now the asa on network 10.0.0.10 (peer 12.*.*.222) connects to 10.1.1.1 (peer 208.*.*.163)

208.*.*.163 being a secondary ISP line we use for VPN traffic only (10.1.1.0 network)
76.*.*.115 being the primary ISP line we use for internet traffic (10.1.1.0 network)

then traffic from the other vlan 10.5.5.0 goes to the remote site connected thru another VPN on network 10.1.1.0 using its main internet line 76.*.*.115 and connecting to remote peer 152.*.*.10

is that easier to understand?
0
 

Author Comment

by:Comptx
ID: 36498323
so i think i only need to make changes on the ASA in network 10.1.1.0 to allow the traffic from 10.0.0.0 to jump to the 10.5.5.0 network vlan, since right now traffic goes from 10.0.0.0 to 10.1.1.0
0
 

Author Comment

by:Comptx
ID: 36498345
maybe some kind of route to tell the incoming traffic from 10.0.0.0 (which is looking for the host on the 10.5.5.0 vlan) where to go....
0
 
LVL 18

Accepted Solution

by:
fgasimzade earned 500 total points
ID: 36498867
Ok, remove this line on ASA2

access-list outsideATT_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 salud-retinopathy 255.255.255.0

and add

access-list outsideATT_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 salud-retinopathy 255.255.255.0

Also remove this:

crypto map outsideATT_map 5 match address outsideATT_5_cryptomap
crypto map outsideATT_map 5 set peer 76.*.*.115
crypto map outsideATT_map 5 set transform-set ESP-3DES-MD5

Also add this line:

route outsideATT  salud-retinopathy 255.255.255.0 12.*.*.209


On ASA1:

Add this:


access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0

Which interface on ASA is used for VPN to 10.0.0.0 ?
0
 

Author Comment

by:Comptx
ID: 36499494
just to make sure I know which you're referring to:

asa1 = 10.1.1.0
            10.5.5.0 other vlan

asa2 = 10.0.0.0

correct?

VPN to 10.0.0.0 from the 10.1.1.0 ASA goes thru the secondary ISP interface AdtranT1 (208.*.*.163)
0
 

Author Comment

by:Comptx
ID: 36503984
added the commands, but I still can't get to the 10.5.5.5 server on the 10.5.5.
0
 

Author Comment

by:Comptx
ID: 36504055
just saw i got this error on the 10.1.1.0/10.5.5.0 ASA

Group = 12.*.*.222, IP = 12.*.*.222, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.0.0/255.255.255.0/0/0 local proxy 10.5.5.0/255.255.255.0/0/0 on interface AdtranT1
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36504070
Yes, ASA1 is 10.1.1.0, ASA2 is 10.0.0.0

My commands were not finished since I did not know which tunnel was used

Now on ASA1 add this line:

access-list AdtranT1_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0

remove this line:

access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0

On ASA2 add this line:

route outsideATT salud-retinopathy 255.255.255.0 12.*.*.209

0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36504080
just saw i got this error on the 10.1.1.0/10.5.5.0 ASA

Group = 12.*.*.222, IP = 12.*.*.222, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.0.0/255.255.255.0/0/0 local proxy 10.5.5.0/255.255.255.0/0/0 on interface AdtranT1


Yes, you need the line I mentioned in the previous post:

access-list AdtranT1_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
0
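The rejection quoted above comes from the ASA finding no crypto map entry, on the interface the proposal arrived on and for that peer, whose ACL covers the proposed local/remote proxy pair. The following Python script is an added example, not part of this thread or of the ASA itself: it parses crypto ACL and crypto map lines and reports whether a given proxy pair would be matched, so the "before" and "after" state of fgasimzade's fix can be checked offline. Interface and ACL names follow the thread; the ASA1 excerpts are constructed from the lines discussed (not the author's full config), and the peer addresses 192.0.2.222 and 198.51.100.10 are constructed stand-ins for the masked peers.

```python
"""Check whether an ASA crypto map on a given interface would accept an IPsec
proposal for a (local proxy, remote proxy) pair. A miss is exactly the state
behind the log line "Rejecting IPSec tunnel: no matching crypto map entry ...".

Added example with constructed data; names follow the thread, peer addresses
are TEST-NET stand-ins for the masked ones. Only numeric ACL entries are parsed.
"""
import re
from ipaddress import ip_network

# Constructed ASA1 excerpt before the fix: the 10.5.5.0 -> 10.0.0.0 proxy lives
# in the ACL bound to the "outside" tunnel, but the site-1 tunnel terminates on
# AdtranT1 with peer 192.0.2.222 (stand-in for the thread's 12.*.*.222).
ASA1_BEFORE = """\
access-list AdtranT1_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map AdtranT1_map 1 match address AdtranT1_1_cryptomap
crypto map AdtranT1_map 1 set peer 192.0.2.222
crypto map AdtranT1_map interface AdtranT1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 198.51.100.10
crypto map outside_map interface outside
"""

# Same excerpt after the accepted answer: the 10.5.5.0 proxy is moved into the
# ACL that the AdtranT1 crypto map uses and dropped from the outside one.
ASA1_AFTER = ASA1_BEFORE.replace(
    "access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0\n",
    "access-list AdtranT1_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0\n",
)

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_config(text):
    """Return (acls, entries, bindings) from ASA config lines.

    acls:     ACL name -> list of (source network, destination network)
    entries:  (crypto map name, seq) -> {"acl": ACL name, "peer": address}
    bindings: interface name -> crypto map name applied to it
    """
    acls, entries, bindings = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
        elif m := MATCH_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        elif m := IFACE_RE.match(line):
            bindings[m[2]] = m[1]
    return acls, entries, bindings


def find_crypto_entry(text, interface, peer, local_proxy, remote_proxy):
    """Return (map name, seq) of the first entry on `interface` for `peer`
    whose ACL permits local_proxy -> remote_proxy, or None if nothing covers it
    (the "no matching crypto map entry" condition)."""
    acls, entries, bindings = parse_config(text)
    local, remote = ip_network(local_proxy), ip_network(remote_proxy)
    map_name = bindings.get(interface)
    for (name, seq), entry in sorted(entries.items()):
        if name != map_name or entry.get("peer") != peer:
            continue
        for src, dst in acls.get(entry.get("acl"), []):
            if local.subnet_of(src) and remote.subnet_of(dst):
                return name, seq
    return None


def diagnose(text, interface, peer, local_proxy, remote_proxy):
    """Verdict worded like the ASA log line, for quick before/after comparison."""
    hit = find_crypto_entry(text, interface, peer, local_proxy, remote_proxy)
    if hit:
        return f"accepted by crypto map {hit[0]} seq {hit[1]} on interface {interface}"
    return (f"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            f"{remote_proxy} local proxy {local_proxy} on interface {interface}")


if __name__ == "__main__":
    # Proposal from the site-1 ASA: remote proxy 10.0.0.0/24, local proxy 10.5.5.0/24.
    for label, cfg in (("before", ASA1_BEFORE), ("after", ASA1_AFTER)):
        print(label, "->", diagnose(cfg, "AdtranT1", "192.0.2.222", "10.5.5.0/24", "10.0.0.0/24"))
```

The "before" config does contain a 10.5.5.0 -> 10.0.0.0 permit, but only under the crypto map applied to the outside interface, so a proposal arriving on AdtranT1 is rejected; the "after" config matches on AdtranT1 seq 1. The same mismatch has to be checked from the other side as well: the remote ASA's crypto ACL must be the mirror image (10.0.0.0 -> 10.5.5.0) on the map whose peer is the AdtranT1 address.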
 

Author Comment

by:Comptx
ID: 36504123
ahhhh I thought I had added it. the 10.5.5.5 server is responding to ping now from the 10.0.0.0 network.

thanks a lot!
0
 

Author Closing Comment

by:Comptx
ID: 36504131
excellent! great help!
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36504147
Wow! I did not think we could do it from the first shot!

Good luck!
0
 

Author Comment

by:Comptx
ID: 37115078
0
