L2L Configuration between 2 ASAs & Remote Dial-in

Unanswered Question
Feb 23rd, 2008

Hi All,


Scenario:


SiteA : 10.10.0.0/16 (10.10.50.0/24--> Servers)

VPN dial in users: 10.10.40.0/24

Public ip:1.1.1.1/24


SiteB: 10.20.0.0/16 (10.20.50.0/24--> Servers)

VPN dial in users: 10.20.40.0/24

Public ip:2.2.2.2/24


Client requirement:

1. Users at SITEA should be able to dial in to the SiteA ASA, access SITE A and SITE B resources, and reach SITEB VPNed-in users.

2. Vice versa for users at SITEB.

3. SITEA and SITEB ASAs should run an L2L tunnel (of course this is a must for this to work).

My sample config for SiteB (Site A --> same with changed IPs). Please review whether this is sufficient:


For Remote Dial-in:

ip local pool RemoteDialPool 10.20.40.1-10.20.40.254 mask 255.255.255.0

crypto ipsec transform-set VPN-IN-USERS esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set VPN-IN-USERS
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto isakmp enable Outside
crypto map Outside_map interface Outside
crypto isakmp nat-traversal 20

group-policy Remote_Dialin internal
group-policy Remote_Dialin attributes
 vpn-idle-timeout 180
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Dialin_splitTunnelAcl

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

access-list Inside_nat0_outbound extended permit ip any 10.20.40.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound

L2L Tunneling:

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (Inside) 0 access-list nonat

crypto ipsec transform-set SiteB2SiteA esp-3des esp-md5-hmac
crypto map Outside_map 30 match address SiteB-SiteA
crypto map Outside_map 30 set peer 1.1.1.1
crypto map Outside_map 30 set transform-set SiteB2SiteA

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp identity address

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key xxxxxxxxxx



Thank you in advance

MS






acomiskey Mon, 02/25/2008 - 19:20

I'll give it a shot although it's a little late...


Site A-

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.40.0 255.255.255.0

Site B-

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.40.0 255.255.255.0

Note: Your remote access VPN pools should not be part of your internal LAN; for instance, 10.10.40.0/24 is part of 10.10.0.0/16. Change your pools to something outside 10.10.0.0/16 and make the corrections in the ACLs above.

ex. 10.100.40.0 255.255.255.0
10.200.40.0 255.255.255.0
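An example I am adding here (not from any poster in this thread) to check the two points argued above with Python's ipaddress module: whether a single /16-to-/16 ACE already covers the dial-in pool flows, and whether the pool overlaps the inside LAN. The constants restate the thread's addressing; the function names and the SUGGESTED_ACL text are my own.

```python
# Added example (not from any poster): audit a crypto ACL against the flows the
# requirement implies, and flag a client pool carved out of the inside LAN.
import re
from ipaddress import IPv4Network

# Scenario from the thread, Site B side: the dial-in pool sits inside the LAN /16.
SITEB_LAN, SITEB_POOL = "10.20.0.0/16", "10.20.40.0/24"
SITEA_LAN, SITEA_POOL = "10.10.0.0/16", "10.10.40.0/24"
OP_ACL = "access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0"
# acomiskey's Site B entries, with the pools moved outside the LANs as suggested
SUGGESTED_ACL = """
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.200.40.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.100.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.200.40.0 255.255.255.0 10.100.40.0 255.255.255.0
"""

# Matches the ASA form used on this page: permit ip <src> <mask> <dst> <mask>
QUAD = r"(\d+(?:\.\d+){3})"
ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+" + r"\s+".join([QUAD] * 4))

def parse_acl(text):
    """Return [(src_net, dst_net)] for every permit-ip ACE found in the text."""
    entries = []
    for sa, sm, da, dm in ACE_RE.findall(text):
        # strict=False tolerates an address with host bits set under its mask
        entries.append((IPv4Network(f"{sa}/{sm}", strict=False),
                        IPv4Network(f"{da}/{dm}", strict=False)))
    return entries

def required_flows(local_segments, remote_segments):
    """Every local segment (LAN and dial-in pool) must reach every remote segment."""
    return [(IPv4Network(l), IPv4Network(r))
            for l in local_segments for r in remote_segments]

def uncovered(flows, entries):
    """Flows no single ACE fully matches: a packet hits one ACE, so a flow counts
    as covered only if one ACE contains both its source and its destination."""
    return [(str(s), str(d)) for s, d in flows
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in entries)]

def pool_overlaps_lan(pool, lan):
    """acomiskey's point: the client pool should sit outside the inside subnet."""
    return IPv4Network(pool).overlaps(IPv4Network(lan))

def audit(acl_text, local_segments, remote_segments):
    """Flows the given ACL text fails to cover for this site."""
    return uncovered(required_flows(local_segments, remote_segments), parse_acl(acl_text))
```

With the pools left inside the /16s the single ACE covers everything, which is why the poster sees it working; move the pools out of the LAN ranges and the same ACE misses the three pool flows until the per-subnet entries are added.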


fortis123 Mon, 02/25/2008 - 19:38

Hi,

Thank you for your reply. 10.20.0.0/16 is allocated for use at SiteB. The entire range is not being advertised; in the routing protocol individual subnets are advertised, so 10.20.40.0 is not advertised via the routing protocol. Ex: 10.20.50.0/24 --> Servers, 10.20.25.0/24 --> N/w management, and 10.20.40.0/24 for VPN users.


So now...

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

Will this not cover the entire range from B --> A?

Do separate subnets need to be listed (as you mentioned)?

Please suggest.


Thank you

MS



acomiskey Tue, 02/26/2008 - 05:47

When configuring remote access vpn, you always want the vpn client pool to be outside the range of the inside subnet.

fortis123 Thu, 02/28/2008 - 09:07

Thank you all for your replies.

Everything is working fine (remote, L2L) with the existing IPs. I just need specific ACLs for the dial-in user subnet instead of the /16 ACL.


Thank you

MS
