02-23-2008 08:53 PM
Hi All,
Scenario:
SiteA: 10.10.0.0/16 (10.10.50.0/24 --> Servers)
VPN dial-in users: 10.10.40.0/24
Public IP: 1.1.1.1/24
SiteB: 10.20.0.0/16 (10.20.50.0/24 --> Servers)
VPN dial-in users: 10.20.40.0/24
Public IP: 2.2.2.2/24
Client requirement:
1. Users at SiteA should be able to dial in to the SiteA ASA, access both SiteA and SiteB resources, and reach SiteB VPN'd-in users.
2. Vice versa for users at SiteB.
3. The SiteA and SiteB ASAs should run an L2L tunnel (of course this is a must for this to work).
My sample config for SiteB (SiteA is the same with changed IPs). Please review whether this is sufficient:
For Remote Dial-in:
ip local pool RemoteDialPool 10.20.40.1-10.20.40.254 mask 255.255.255.0
crypto ipsec transform-set VPN-IN-USERS esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set VPN-IN-USERS
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto isakmp enable Outside
crypto map Outside_map interface Outside
crypto isakmp nat-traversal 20
group-policy Remote_Dialin internal
group-policy Remote_Dialin attributes
vpn-idle-timeout 180
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_Dialin_splitTunnelAcl
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
access-list Inside_nat0_outbound extended permit ip any 10.20.40.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
L2L Tunneling:
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (Inside) 0 access-list nonat
crypto ipsec transform-set SiteB2SiteA esp-3des esp-md5-hmac
crypto map Outside_map 30 match address SiteB-SiteA
crypto map Outside_map 30 set peer 1.1.1.1
crypto map Outside_map 30 set transform-set SiteB2SiteA
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp identity address
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key xxxxxxxxxx
Thank you in advance
MS
02-25-2008 02:44 PM
any takers...???
thank you
MS
02-25-2008 07:20 PM
I'll give it a shot although it's a little late...
Site A-
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.40.0 255.255.255.0
Site B-
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.40.0 255.255.255.0
Note: Your remote access VPN pools should not be part of your internal LAN; for instance, 10.10.40.0/24 is part of 10.10.0.0/16. Change your pools to something outside 10.10.0.0/16 and make the corrections in the ACLs above.
ex. 10.100.40.0 255.255.255.0
10.200.40.0 255.255.255.0
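An added consistency check (not from this thread or from Cisco) for the two points the reply above makes: the crypto ACLs on the two ASAs must mirror each other exactly, and the dial-in pool should not overlap the inside LAN. The sample ACLs are constructed, with one SiteB mask deliberately wrong so both checks have something to report.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the two ASAs' mirrored crypto ACLs, with
# one SiteB mask deliberately wrong (/16 on the dial-in pool) so the checks fire.
SITE_A_ACL = """
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.40.0 255.255.255.0
"""
SITE_B_ACL = """
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.40.0 255.255.255.0
"""
ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(text):
    """Return (src, dst) network pairs plus 'addr mask' strings whose address has host
    bits beyond the mask (the ASA masks them silently; usually a typo). 'net mask' ACEs only."""
    pairs, suspicious = [], []
    for m in ACE_RE.finditer(text):
        nets = []
        for addr, mask in ((m[1], m[2]), (m[3], m[4])):
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.network_address != ipaddress.ip_address(addr):
                suspicious.append(f"{addr} {mask}")
            nets.append(net)
        pairs.append((nets[0], nets[1]))
    return pairs, suspicious

def mirror_gaps(local_pairs, remote_pairs):
    """Local entries with no exact (dst, src) mirror on the peer: the usual cause of a
    Phase 2 proxy-ID mismatch, where one direction of traffic never gets encrypted."""
    have = set(remote_pairs)
    return [(s, d) for s, d in local_pairs if (d, s) not in have]

def pool_inside_lan(pool, inside_lans):
    """True if the remote-access pool overlaps an inside LAN prefix (the reply's note)."""
    pool = ipaddress.ip_network(pool)
    return any(pool.overlaps(ipaddress.ip_network(lan)) for lan in inside_lans)

if __name__ == "__main__":
    a, a_bad = parse_crypto_acl(SITE_A_ACL)
    b, b_bad = parse_crypto_acl(SITE_B_ACL)
    print("suspicious masks:", a_bad + b_bad)
    print("SiteA entries not mirrored on SiteB:", mirror_gaps(a, b))
    print("pool overlaps inside LAN:", pool_inside_lan("10.20.40.0/24", ["10.20.0.0/16"]))
```

Run the check in both directions (mirror_gaps(a, b) and mirror_gaps(b, a)); a masked-away typo can make a peer entry look mirrored while its own counterpart is missing.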
02-25-2008 07:38 PM
Hi,
Thank you for your reply. 10.20.0.0/16 is allocated for use at SiteB. The entire range is not being advertised; in the routing protocol individual subnets are being advertised, so 10.20.40.0 is not being advertised via the routing protocol. Ex: 10.20.50.0/24 --> Servers, 10.20.25.0/24 --> N/w management & 10.20.40.0/24 for VPN users.
So now...
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
Will that not cover the entire range from B --> A?
Do I need the separate subnets to be listed (as you mentioned)?
Please suggest..
Thank you
MS
02-26-2008 05:47 AM
When configuring remote access VPN, you always want the VPN client pool to be outside the range of the inside subnet.
02-28-2008 09:07 AM
Thank you all for your replies.
Everything is working fine (remote, L2L) with the existing IPs. I just needed specific ACLs for the dial-in user subnet instead of the /16 ACL.
Thank you
MS