Cisco ASA VPN problem
We have three sites. Two remote sites (sites B and C) are connected to the main site (site A) using site-to-site vpn tunnels on Cisco ASA 5505s. Site A IP net is 172.20.28.0/24. Site B is 172.21.28.0/24. Site C is 172.22.28.0/24. At site A, we have two ASA 5505s installed. ASA #1 is used for systems at site A to access the internet, and it is used for employees to remotely access the network using Cisco's legacy VPN client. ASA #2 at site A is used for the Site-to-site VPNs between sites A and B and sites A and C. All systems local to site A network can ping systems on both the site B network and the site C network. Systems on the site B network can ping systems on the Site A network, as can systems on the site C network. Remote VPN clients receive a 172.20.28.xxx ip address when connected to Site A VPN. The problem is that VPN clients cannot successfully ping systems in either site B or C, even when systems local to site A can. We have set up proper routing statements on the VPN clients.
Last Comment
Can you post your config pls?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASA #2 has to have a route statement for the range of VPn client ip addresses.
Example:
route inside 172.20.28.128 255.255.255.128 172.20.28.x < where X is ASA#1
Example:
route inside 172.20.28.128 255.255.255.128 172.20.28.x < where X is ASA#1
ASKER
I have been out with a death in the family. Sorry fir the delay. I will look at each solution in the next few days when I am at my client's office and see if I can get any of these solutions to work. Thanks for your patience.
ASKER
Here are the Configs. I am listing 3 configs...First Site A ASA#1, next site A ASA#2 and Finally the ASA in site B.
Site A ASA 1:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name sma.local
enable password 8srdyW5Zc220aRXm encrypted
passwd 8srdyW5Zc220aRXm encrypted
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.28.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.82 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name sma.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RTP udp
port-object range 10000 20000
object-group service TCP987 tcp
port-object eq 987
object-group service RDP tcp
port-object eq 3389
object-group network SIPConnect
description SIP Servers at Cbeyond
network-object host 192.168.22.212
network-object host sip-proxy.chi0.cbeyond.net
access-list outside_access_in extended permit udp object-group SIPConnect host x.x.x.86 eq sip
access-list outside_access_in extended permit udp object-group SIPConnect host x.x.x.86 object-group RTP
access-list outside_access_in extended permit tcp any host x.x.x.83 eq www
access-list outside_access_in extended permit tcp any host x.x.x.83 eq https
access-list outside_access_in extended permit tcp any host x.x.x eq smtp
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.83 object-group RDP
access-list outside_access_in extended permit tcp host d.d.d.201 host x.x.x.83 object-group RDP
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.86 eq www
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.86 eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.84 eq www
access-list outside_access_in extended permit tcp any host x.x.x.84 eq https
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp host b.b.b.26 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp host c.c.c.38 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp any host x.x.x.86 eq www inactive
access-list outside_access_in extended permit tcp any host x.x.x.83 object-group TCP987
access-list inside_nat0_outbound extended permit ip any 172.20.28.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.28.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list DefaultRAGroup_splitTunnel
access-list split standard permit 172.20.28.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 172.20.28.200-172.20.28.25
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.86 172.20.28.21 netmask 255.255.255.255
static (inside,outside) x.x.x.83 172.20.28.1 netmask 255.255.255.255
static (inside,outside) x.x.x.84 172.20.28.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 172.22.28.0 255.255.255.0 172.20.28.9 1
route inside 172.21.28.0 255.255.255.0 172.20.28.9 1
route outside 0.0.0.0 0.0.0.0 x.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 444
http x.x.x.x 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x 255.255.255.240 outside
http x.x.x.x.252 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 33
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x 255.255.255.248 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.20.28.51-172.20.28.60 inside
!
webvpn
svc image disk0:/sslclient-win-1.1.0
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.20.28.1
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-network-list value DefaultRAGroup_splitTunnel
default-domain value sma.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 172.20.28.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 99
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value sma.local
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value VPN_POOL
smartcard-removal-disconne
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing mapi auto-download
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc enable
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy SMA internal
group-policy SMA attributes
wins-server value 172.20.28.1
dns-server value 172.20.28.1
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value sma.local
webvpn
svc required
svc keep-installer installed
username STMA password 0QoA2HnBgE4oZ95E encrypted privilege 0
username STMA attributes
vpn-group-policy SMA
username SMAVPN password GXhBBT6LW21eDAw1eAHCIQ== nt-encrypted
username SMAVPN attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_POOL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_POOL
tunnel-group SMA type ipsec-ra
tunnel-group SMA general-attributes
address-pool VPN_POOL
default-group-policy SMA
tunnel-group SMA ipsec-attributes
pre-shared-key *
tunnel-group SMA ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6d43ec94309
: end
--------------------------
Site A ASA #2
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.28.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.85 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 72.16.171.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer d.d.d.194
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer e.e.e.253
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group d.d.d.194 type ipsec-l2l
tunnel-group d.d.d.194 ipsec-attributes
pre-shared-key *****
tunnel-group e.e.e.253 type ipsec-l2l
tunnel-group e.e.e.253 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d4ea74c50fd
: end
--------------------------
Site B ASA
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8srdyW5Zc220aRXm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.22.28.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address e.e.e.253 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service rtp udp
port-object range 10000 20000
access-list outside_1_cryptomap extended permit ip 172.22.28.0 255.255.255.0 172.20.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.22.28.0 255.255.255.0 172.20.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.22.28.192 255.255.255.224
access-list outside_access_in extended permit udp any e.e.e.252 255.255.255.252 object-group rtp
access-list outside_access_in extended permit udp any e.e.e.252 255.255.255.252 eq sip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPPool 172.22.28.201-172.22.28.22
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface sip 172.22.28.21 sip netmask 255.255.255.255
static (inside,outside) udp interface 10000 172.22.28.21 10000 netmask 255.255.255.255
static (inside,outside) udp interface 10001 172.22.28.21 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10002 172.22.28.21 10002 netmask 255.255.255.255
static (inside,outside) udp interface 10003 172.22.28.21 10003 netmask 255.255.255.255
static (inside,outside) udp interface 10004 172.22.28.21 10004 netmask 255.255.255.255
static (inside,outside) udp interface 10005 172.22.28.21 10005 netmask 255.255.255.255
static (inside,outside) udp interface 10006 172.22.28.21 10006 netmask 255.255.255.255
static (inside,outside) udp interface 10007 172.22.28.21 10007 netmask 255.255.255.255
static (inside,outside) udp interface 10008 172.22.28.21 10008 netmask 255.255.255.255
static (inside,outside) udp interface 10009 172.22.28.21 10009 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 e.e.e.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.85
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.22.28.51-172.22.28.75 inside
dhcpd dns 75.103.5.202 209.244.0.3 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SMAIN internal
group-policy SMAIN attributes
dns-server value 172.22.28.1
vpn-tunnel-protocol IPSec
default-domain value sma.local
username STMA password 0QoA2HnBgE4oZ95E encrypted privilege 0
username STMA attributes
vpn-group-policy SMAIN
tunnel-group SMAIN type remote-access
tunnel-group SMAIN general-attributes
address-pool IPPool
default-group-policy SMAIN
tunnel-group SMAIN ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.85 type ipsec-l2l
tunnel-group x.x.x.85 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:61af47aa79b
: end
Site A ASA 1:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name sma.local
enable password 8srdyW5Zc220aRXm encrypted
passwd 8srdyW5Zc220aRXm encrypted
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.28.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.82 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name sma.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RTP udp
port-object range 10000 20000
object-group service TCP987 tcp
port-object eq 987
object-group service RDP tcp
port-object eq 3389
object-group network SIPConnect
description SIP Servers at Cbeyond
network-object host 192.168.22.212
network-object host sip-proxy.chi0.cbeyond.net
access-list outside_access_in extended permit udp object-group SIPConnect host x.x.x.86 eq sip
access-list outside_access_in extended permit udp object-group SIPConnect host x.x.x.86 object-group RTP
access-list outside_access_in extended permit tcp any host x.x.x.83 eq www
access-list outside_access_in extended permit tcp any host x.x.x.83 eq https
access-list outside_access_in extended permit tcp any host x.x.x eq smtp
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.83 object-group RDP
access-list outside_access_in extended permit tcp host d.d.d.201 host x.x.x.83 object-group RDP
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.86 eq www
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.86 eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.84 eq www
access-list outside_access_in extended permit tcp any host x.x.x.84 eq https
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp host b.b.b.26 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp host c.c.c.38 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp any host x.x.x.86 eq www inactive
access-list outside_access_in extended permit tcp any host x.x.x.83 object-group TCP987
access-list inside_nat0_outbound extended permit ip any 172.20.28.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.28.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list DefaultRAGroup_splitTunnel
access-list split standard permit 172.20.28.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 172.20.28.200-172.20.28.25
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.86 172.20.28.21 netmask 255.255.255.255
static (inside,outside) x.x.x.83 172.20.28.1 netmask 255.255.255.255
static (inside,outside) x.x.x.84 172.20.28.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 172.22.28.0 255.255.255.0 172.20.28.9 1
route inside 172.21.28.0 255.255.255.0 172.20.28.9 1
route outside 0.0.0.0 0.0.0.0 x.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 444
http x.x.x.x 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x 255.255.255.240 outside
http x.x.x.x.252 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 33
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x 255.255.255.248 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.20.28.51-172.20.28.60 inside
!
webvpn
svc image disk0:/sslclient-win-1.1.0
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.20.28.1
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-network-list value DefaultRAGroup_splitTunnel
default-domain value sma.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 172.20.28.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 99
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value sma.local
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value VPN_POOL
smartcard-removal-disconne
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing mapi auto-download
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc enable
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy SMA internal
group-policy SMA attributes
wins-server value 172.20.28.1
dns-server value 172.20.28.1
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value sma.local
webvpn
svc required
svc keep-installer installed
username STMA password 0QoA2HnBgE4oZ95E encrypted privilege 0
username STMA attributes
vpn-group-policy SMA
username SMAVPN password GXhBBT6LW21eDAw1eAHCIQ== nt-encrypted
username SMAVPN attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_POOL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_POOL
tunnel-group SMA type ipsec-ra
tunnel-group SMA general-attributes
address-pool VPN_POOL
default-group-policy SMA
tunnel-group SMA ipsec-attributes
pre-shared-key *
tunnel-group SMA ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6d43ec94309
: end
--------------------------
Site A ASA #2
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.28.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.85 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 72.16.171.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer d.d.d.194
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer e.e.e.253
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group d.d.d.194 type ipsec-l2l
tunnel-group d.d.d.194 ipsec-attributes
pre-shared-key *****
tunnel-group e.e.e.253 type ipsec-l2l
tunnel-group e.e.e.253 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d4ea74c50fd
: end
--------------------------
Site B ASA
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8srdyW5Zc220aRXm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.22.28.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address e.e.e.253 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service rtp udp
port-object range 10000 20000
access-list outside_1_cryptomap extended permit ip 172.22.28.0 255.255.255.0 172.20.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.22.28.0 255.255.255.0 172.20.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.22.28.192 255.255.255.224
access-list outside_access_in extended permit udp any e.e.e.252 255.255.255.252 object-group rtp
access-list outside_access_in extended permit udp any e.e.e.252 255.255.255.252 eq sip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPPool 172.22.28.201-172.22.28.22
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface sip 172.22.28.21 sip netmask 255.255.255.255
static (inside,outside) udp interface 10000 172.22.28.21 10000 netmask 255.255.255.255
static (inside,outside) udp interface 10001 172.22.28.21 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10002 172.22.28.21 10002 netmask 255.255.255.255
static (inside,outside) udp interface 10003 172.22.28.21 10003 netmask 255.255.255.255
static (inside,outside) udp interface 10004 172.22.28.21 10004 netmask 255.255.255.255
static (inside,outside) udp interface 10005 172.22.28.21 10005 netmask 255.255.255.255
static (inside,outside) udp interface 10006 172.22.28.21 10006 netmask 255.255.255.255
static (inside,outside) udp interface 10007 172.22.28.21 10007 netmask 255.255.255.255
static (inside,outside) udp interface 10008 172.22.28.21 10008 netmask 255.255.255.255
static (inside,outside) udp interface 10009 172.22.28.21 10009 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 e.e.e.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.85
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.22.28.51-172.22.28.75 inside
dhcpd dns 75.103.5.202 209.244.0.3 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SMAIN internal
group-policy SMAIN attributes
dns-server value 172.22.28.1
vpn-tunnel-protocol IPSec
default-domain value sma.local
username STMA password 0QoA2HnBgE4oZ95E encrypted privilege 0
username STMA attributes
vpn-group-policy SMAIN
tunnel-group SMAIN type remote-access
tunnel-group SMAIN general-attributes
address-pool IPPool
default-group-policy SMAIN
tunnel-group SMAIN ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.85 type ipsec-l2l
tunnel-group x.x.x.85 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:61af47aa79b
: end
ASKER
Adding "access-list split standard permit 172.21.28.0 255.255.255.0" and "access-list split standard permit 172.22.28.0 255.255.255.0" to ASA #1 took care of it. Thanks for the help and sorry for the delay.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
YOu need to configure hairpinnig, and crate nonat for remote users, de you set it?