sohoniprachi
I am able to authenticate Remote access VPN but not able to access inside LAN

I configured a Remote Access VPN on an ASA firewall and am able to authenticate, but I am not able to access the inside network. I am using one more firewall, a Cisco ASA, to protect the inside network. These two firewalls are in the same network. The ASA is the remote access VPN endpoint, and the PIX is a regular firewall; the LAN is behind the PIX.
ASA Version 8.2(1) 
!
hostname FHFW02
domain-name abc.net
enable password TuoG03LNtol5cyid encrypted
passwd vhSJ2Gjl22YiIWoj encrypted
name 12.175.185.19 ATT-gateway
name 12.175.185.91 fhfw02-ext
name 10.17.33.5 verizonrtr-new
name 10.17.33.74 marketplace-staging
dns-guard
!
interface Ethernet0/0
 description Out to AT&T ISP
 nameif outside
 security-level 0
 ip address fhfw02-ext 255.255.255.128 
!
interface Ethernet0/1
 description inside FHR 10.17.33.x network
 nameif inside
 security-level 100
 ip address 10.17.33.17 255.255.255.0 
!
interface Ethernet0/2
 description inside FHR 10.17.34.x network for users
 nameif inside1
 security-level 100
 ip address 10.17.34.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
 domain-name abc.net
object-group network FHR-inside-33-network
 description FHR network 10.17.33.x
 network-object 10.17.33.0 255.255.255.0
object-group network FHR-inside-34-network
 network-object 10.17.34.0 255.255.255.0
object-group network abc-mex-network
 network-object 10.17.35.0 255.255.255.0
object-group network PAN-network
 network-object 10.17.46.0 255.255.255.0
object-group network CAT-network
 description CAT Servers 
 network-object 172.70.0.0 255.255.252.0
 network-object 172.30.0.0 255.255.252.0
 network-object 172.40.0.0 255.255.252.0
object-group network BXB-network
 description BXB Internal Network
 network-object host 100.0.20.1
 network-object host 100.0.20.2
 network-object host 100.0.20.3
 network-object host 100.0.20.4
access-list acl-out extended permit icmp any any 
access-list acl-in extended permit icmp any any 
access-list acl-in extended permit ip any any 
access-list acl-in extended permit udp any any eq snmp 
access-list acl-in1 extended permit icmp any any 
access-list acl-voip-out extended permit ip host 10.17.33.187 host 10.17.35.10 
access-list acl-voip-out extended permit ip host 10.17.33.191 host 10.17.35.10 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu management 1500
ip local pool vpnpool 10.17.254.10-10.17.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.17.33.0 255.255.255.0
nat (inside) 1 10.17.254.0 255.255.255.0
nat (inside1) 0 access-list no-nat
nat (inside1) 1 10.17.34.0 255.255.255.0
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-in1 in interface inside1
route outside 0.0.0.0 0.0.0.0 ATT-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 10.17.33.0 255.255.255.0 inside
snmp-server host inside 10.17.33.250 community Abc
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 1200
crypto ipsec transform-set set2 esp-des esp-md5-hmac 
crypto ipsec transform-set set1 esp-des esp-sha-hmac 
crypto ipsec transform-set set3 esp-aes esp-md5-hmac 
crypto ipsec transform-set set4 esp-3des esp-md5-hmac 
crypto ipsec transform-set set5 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set set4
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto map FHR2 60 ipsec-isakmp dynamic outside_dyn_map
crypto map FHR2 interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslabcfw.abc.net
 subject-name CN=sslabcfw. abc.net
 keypair m0rd0r
 crl configure
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 10.17.33.250 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside1
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc enable
group-policy testvpn internal
group-policy testvpn attributes
 dns-server value 10.17.33.56
 vpn-tunnel-protocol IPSec 
 default-domain value abc.net
username avb password QZTdpUt6Lq39fY7h encrypted privilege 0
username avb attributes
 vpn-group-policy remotevpn
 service-type remote-access
username abc password NYpqubgKNxc6U0bb encrypted privilege 15
pre-shared-key *

tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
 address-pool vpnpool
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list acl-voip-out
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map VoicePolicy
 class Voice-OUT
  priority
!
service-policy global_policy global
service-policy VoicePolicy interface outside
prompt hostname context 
Cryptochecksum:9e6754e20eff7a5db91dc538406b4c58
: end

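As an added illustration (not part of the thread or of Cisco's tooling), the following Python checker parses an excerpt constructed from the question's own config lines and flags what bites here: a `nat (...) 0 access-list` line naming an ACL that is never defined (`no-nat`, while the ACL suggested below is `nonat`), a NAT-exemption ACL that does not cover the VPN pool, and a `vpn-group-policy` reference to a group-policy that does not exist. It assumes ASA 8.2 syntax only for the handful of commands it reads.

```python
import ipaddress

# Constructed excerpt of the ASA 8.2 config posted above (names and addresses
# are the question's own); it is sample input for the checker, not a full config.
ASA_CONFIG = """\
ip local pool vpnpool 10.17.254.10-10.17.254.25 mask 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside1) 0 access-list no-nat
access-list nonat extended permit ip any 10.17.254.0 255.255.255.0
group-policy testvpn internal
username avb attributes
 vpn-group-policy remotevpn
"""

def _net(tokens):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK') as a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")

def parse(cfg):
    acls, nat0, pools, policies, refs = {}, [], [], set(), []
    for raw in cfg.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and tok[3:5] == ["permit", "ip"]:
            rest = tok[5:]  # source spec, then destination spec
            acls.setdefault(tok[1], []).append((_net(rest), _net(rest)))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0.append((tok[1].strip("()"), tok[4]))  # (interface, ACL name)
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = map(ipaddress.ip_address, tok[4].split("-"))
            pools.append((tok[3], lo, hi))
        elif tok[:1] == ["group-policy"] and tok[-1] == "internal":
            policies.add(tok[1])
        elif tok[:1] == ["vpn-group-policy"]:
            refs.append(tok[1])
    return acls, nat0, pools, policies, refs

def check(cfg):
    """Return findings: dangling ACL/group-policy names and pools not NAT-exempted."""
    acls, nat0, pools, policies, refs = parse(cfg)
    findings = []
    for iface, name in nat0:
        if name not in acls:
            findings.append(f"nat ({iface}) 0 references ACL '{name}', which is not defined")
            continue
        for pool, lo, hi in pools:  # exemption must match the whole pool as destination
            if not any(lo in dst and hi in dst for _, dst in acls[name]):
                findings.append(f"ACL '{name}' does not exempt pool '{pool}' on {iface}")
    for ref in refs:
        if ref not in policies:
            findings.append(f"vpn-group-policy '{ref}' names a group-policy that does not exist")
    return findings
```

Run `check(open("running-config.txt").read())` against a saved `show running-config`; on the excerpt above it reports both dangling `no-nat` references and the missing `remotevpn` policy, and renaming the ACL references to `nonat` clears the NAT-exemption findings because that ACL covers the whole pool.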

Ernie Beek

So are the firewalls behind each other or are they both on the inside connected to the network and have on the outside their own public ip?
sohoniprachi

ASKER

They are both on the inside, connected to the network, and have their own public IP.
ASKER CERTIFIED SOLUTION
Ernie Beek
Create an ACL for nonat

access-list nonat extended permit ip any 10.17.254.0 255.255.255.0

I used the following command: sysopt connection permit-ipsec
PIX IP 10.17.33.2 (firewall)
ASA 10.17.33.17 (VPN gateway)

How should I direct traffic from the ASA to the PIX to get access to the inside network, which is the same 10.17.33.0 network?
I have to go through the PIX, as tunnel traffic will have IP address 10.17.254.0.
SOLUTION
Thank you all.
It's working now. I added the NAT rule on the ASA,
so now VPN IP 10.17.254.0 is NATed to 10.17.33.0 and I am able to access the inside LAN now.
I've requested that this question be closed as follows:

Accepted answer: 0 points for sohoniprachi's comment http:/Q_27298185.html#36506707

for the following reason:

It's working now
Hi sohoniprachi,

As far as I can see you solved this using a solution which several of us posted here. So are you sure you closed this and assigned the points correctly?
Just curious.
I agree with erniebeek
I would propose a split between ID: 36505427 and ID: 36506191
Thanks Erniebeek.

Moderator, I accept with Erniebeek