Solved

Cisco SSL VPN route to site-to-site

Posted on 2012-03-26
Last Modified: 2012-09-13
Hello experts,

I have a Cisco ASA5510. Its current roles are internet gateway, site-to-site VPN and SSL VPN access. I have one site-to-site tunnel running on this.

I would like my SSL users to be able to talk to the site-to-site network.

ASA: 10.6.66.254
Local network: 10.6.66.x
site-to-site: 10.0.0.x
SSL: 10.200.200.x


: Saved
: Written by enable_15 at 22:36:59.421 UTC Mon Mar 15 2010
!
ASA Version 8.0(5)
!
hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxxxxxxx
enable password lBgvvfd/E2cA9Vsl encrypted
passwd lBgvvfd/E2cA9Vsl encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address xxxxxxxxxxxxxxxxxxxxxx
!
interface Ethernet0/1
 nameif Outside-backup
 security-level 0
 ip address xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif INSIDE
 security-level 100
 ip address 10.6.66.254 255.255.255.0
!
interface Ethernet0/3.1
 no vlan
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address xxxxxxxxxxxxxxxxxxxxxxxxx
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 4.2.2.3
 domain-name xxxxxxxxxxxxxxxx
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound extended permit ip 10.6.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 10.6.66.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 10.200.200.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list OUTSIDE_cryptomap_20 extended permit ip 10.6.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list OUTSIDE_cryptomap_20 extended permit ip 10.200.200.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list remote-vpn_splitTunnelAcl standard permit any
access-list remote-vpn_split extended permit ip 10.6.66.0 255.255.255.0 10.200.200.0 255.255.255.0
access-list remote-vpn_split extended permit ip 10.0.0.0 255.255.255.0 10.200.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list syslog level notifications
logging trap syslog
logging asdm informational
logging host INSIDE xxxxxxxxxxxxxxx
mtu OUTSIDE 1500
mtu Outside-backup 1500
mtu INSIDE 1500
mtu management 1500
ip local pool vpn-pool 10.200.200.1-10.200.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
global (Outside-backup) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 10 10.6.66.0 255.255.255.0
static (INSIDE,OUTSIDE) xxxxxxxxxxxxxxxx 10.6.66.252 netmask 255.255.255.255 dns
static (INSIDE,OUTSIDE) xxxxxxxxxxxxxxxx 10.6.66.250 netmask 255.255.255.255 dns
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxxxxxxxxx 1 track 1
route Outside-backup 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxxxxxxxxx 200
route INSIDE 192.168.0.0 255.255.0.0 10.6.66.220 1       (MPLS)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server windows protocol kerberos
aaa-server windows (INSIDE) host 10.6.66.250
 timeout 5
 kerberos-realm xxxxxxxxxx
aaa-server xxxxxxxxxxxX protocol nt
aaa-server xxxxxxxxxxxxxX (INSIDE) host 10.6.66.250
 nt-auth-domain-controller xxxxxxxxxxxxxxxxxxxx
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.3 interface OUTSIDE
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 20 set reverse-route
crypto map OUTSIDE_map 20 match address OUTSIDE_cryptomap_20
crypto map OUTSIDE_map 20 set peer 72.166.9.122
crypto map OUTSIDE_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 20 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 5
console timeout 0
telnet 0.0.0.0 0.0.0.0 inside
management-access INSIDE
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
threat-detection scanning-threat shun duration 600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server xxxxxxxxxxxxxxxxxxxx source OUTSIDE
webvpn
 port 444
 enable OUTSIDE
 dtls port 444
 svc image disk0:/anyconnect-dart-win-2.4.0202-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy remote-vpn internal
group-policy remote-vpn attributes
 dns-server value 10.6.66.250 192.168.1.248
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote-vpn_split
 default-domain value xxxxxxxxxxxxxxxxxxxxxxxxxx
 webvpn
  url-list none
  svc ask enable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group xxxxxxxxxxxxxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxxxxxxxxxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
 address-pool (INSIDE) vpn-pool
 address-pool vpn-pool
 authentication-server-group xxxxxxxxxxX LOCAL
 authentication-server-group (INSIDE) xxxxxxxxxxxX LOCAL
 authorization-server-group LOCAL
 default-group-policy remote-vpn
tunnel-group remote-vpn ipsec-attributes
 pre-shared-key *
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool vpn-pool
 authentication-server-group xxxxxxxxxxxxxxxxxx-
 default-group-policy remote-vpn
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8e602d17ad08ed67449d8e177b620c4
Question by: gws226
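As an added example (not code from the question or the answer), a small Python audit that parses the extended ACLs from the posted ASA config and reports which ASA-side policies cover the SSL pool / site-to-site pair: the intra-interface (hairpin) permit, the ACL the crypto map matches on, and the split-tunnel list. The config excerpt is constructed from the lines in the question; the ACL name remote-vpn_split is the page's. The remote peer's mirrored crypto ACL is not on this page, so it cannot be checked here.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0(5) config posted in the question (only the lines this audit reads).
ASA_CONFIG = """\
same-security-traffic permit intra-interface
access-list OUTSIDE_cryptomap_20 extended permit ip 10.6.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list OUTSIDE_cryptomap_20 extended permit ip 10.200.200.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list remote-vpn_split extended permit ip 10.6.66.0 255.255.255.0 10.200.200.0 255.255.255.0
access-list remote-vpn_split extended permit ip 10.0.0.0 255.255.255.0 10.200.200.0 255.255.255.0
crypto map OUTSIDE_map 20 match address OUTSIDE_cryptomap_20
"""
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")

def _addr(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'NET MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Map each extended ACL name to its ordered list of (action, proto, src, dst) entries."""
    acls = {}
    for m in filter(None, map(ACE_RE.match, config.splitlines())):
        name, action, proto, rest = m.groups()
        src, rest = _addr(rest.split())
        dst, _ = _addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def first_match(aces, src, dst):
    """ASA ACLs are first-match; None means no ACE covers the pair (implicit deny)."""
    for action, proto, s, d in aces:
        if proto == "ip" and src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None

def audit(config, pool, site):
    """Report the hairpin permit, the crypto-map ACL verdict for pool->site, and the split-tunnel verdict.
    Split-tunnel extended ACLs list the protected network as source and the client pool as destination."""
    acls = parse_acls(config)
    pool, site = ipaddress.ip_network(pool), ipaddress.ip_network(site)
    crypto = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    return {
        "hairpin_allowed": "same-security-traffic permit intra-interface" in config,
        "crypto_acl_action": first_match(acls.get(crypto.group(1), []), pool, site) if crypto else None,
        "split_tunnel_action": first_match(acls.get("remote-vpn_split", []), site, pool),
    }
```

Run `audit(ASA_CONFIG, "10.200.200.0/24", "10.0.0.0/24")` to see the verdicts for the pool and site in the question; a None verdict points at the ACL that never mentions the pair.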
Accepted Solution by: pclinuxguru (earned 500 total points)
Well, last I heard it won't work that way.

Basically the ASA won't receive traffic on an interface and then send it back out on that interface, which is what you would be doing.

Solutions... have your second VPN somewhere on the inside of your network. OpenVPN is a Linux-based SSL VPN server if you want to try it.