PIX-ASA, allow RA VPN clients to access servers at remote sites

jeff.velten
Level 1

I've had L2L tunnels set up to a couple of remote sites (PIX) for several months now. We have a VPN concentrator, which will be going EOL soon, so I'm working on moving our existing RA clients over to our ASA. I'm having trouble allowing the RA clients access to a server at one of our remote sites. The relevant ASA (main site) and PIX config is posted below. The error I get on the remote PIX when attempting a ping from the VPN client is:

Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0

Relevant config:

Main ASA config

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 24.97.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

=========================================

Remote PIX config

access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 204.14.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

EDIT: Guess I should add, remote site is 172.16.26.0/24, VPN VLAN is 172.16.200.0/24...
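The three things that have to line up for an RA client to reach a site behind an L2L tunnel on ASA/PIX are the ones this thread circles around: the crypto ACLs on both peers must mirror each other (otherwise the peer logs "ACL does not match proxy IDs"), every crypto-ACL pair needs a NAT-exemption entry, and the RA traffic has to be allowed to hairpin back out the outside interface. The checker below is an added example, not code from the thread or from Cisco; it parses ASA/PIX-style `access-list ... extended permit ip` and `crypto map ... match address` lines and runs those checks against constructed sample configs trimmed down from the ones posted above (the "stale" PIX variant that drops the VPN-pool entry is invented to show the mirror check firing).

```python
# Added example (not from the thread or Cisco): sanity-check the pieces that
# break "RA client -> L2L remote site" on ASA/PIX. All sample configs below are
# constructed, trimmed from the ones posted in the thread.
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (source network, destination network) in CIDR form

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse_extended_acls(config: str) -> Dict[str, List[Pair]]:
    """Group 'access-list NAME extended permit ip SRC MASK DST MASK' lines by ACL name."""
    acls: Dict[str, List[Pair]] = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}")  # dotted masks are accepted
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}")
        acls.setdefault(name, []).append((str(src_net), str(dst_net)))
    return acls


def crypto_pairs(config: str) -> Set[Pair]:
    """Proxy-ID pairs announced by every static crypto map entry (dynamic maps have none)."""
    acls = parse_extended_acls(config)
    names = set()
    for raw in config.splitlines():
        m = MATCH_RE.match(raw.strip())
        if m:
            names.add(m.group(1))
    return {pair for name in names for pair in acls.get(name, [])}


def proxy_id_mismatches(local: str, peer: str) -> List[Pair]:
    """Local crypto pairs that the peer does not list in mirrored (dst, src) form."""
    peer_pairs = crypto_pairs(peer)
    return sorted(p for p in crypto_pairs(local) if (p[1], p[0]) not in peer_pairs)


def missing_nat_exemptions(config: str, nat0_acl: str = "inside_nat0_outbound") -> List[Pair]:
    """Crypto pairs that have no identical entry in the NAT-exemption (nat 0) ACL."""
    exempt = set(parse_extended_acls(config).get(nat0_acl, []))
    return sorted(p for p in crypto_pairs(config) if p not in exempt)


def hairpin_enabled(config: str) -> bool:
    """True when traffic may enter and leave the same interface (needed for RA -> L2L)."""
    return any(raw.strip() == HAIRPIN for raw in config.splitlines())


def pool_reaches(config: str, pool: str, remote: str) -> bool:
    """True if some crypto pair carries the RA pool (as source) to the remote LAN."""
    pool_net, remote_net = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    return any(
        pool_net.subnet_of(ipaddress.ip_network(s)) and remote_net.subnet_of(ipaddress.ip_network(d))
        for s, d in crypto_pairs(config)
    )


def audit(local: str, peer: str, pool: str, remote: str) -> List[str]:
    """Human-readable findings for the hub (local) config against one peer config."""
    findings = []
    for s, d in proxy_id_mismatches(local, peer):
        findings.append(f"peer has no mirrored crypto ACL entry for {s} -> {d}")
    for s, d in missing_nat_exemptions(local):
        findings.append(f"no NAT exemption for {s} -> {d}")
    if not hairpin_enabled(local):
        findings.append(f"missing '{HAIRPIN}'")
    if not pool_reaches(local, pool, remote):
        findings.append(f"no crypto ACL entry carries pool {pool} to {remote}")
    return findings


# Constructed sample: hub ASA with the pool (172.16.200.0/24) in crypto and nat0 ACLs but no hairpin line.
MAIN_ASA = """
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""
# Constructed sample: remote PIX whose crypto ACL mirrors the hub exactly.
REMOTE_PIX_OK = """
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
"""
# Constructed sample: the same PIX before the VPN-pool entry was added (invented for illustration).
REMOTE_PIX_STALE = """
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
"""

if __name__ == "__main__":
    for label, peer in (("mirrored PIX", REMOTE_PIX_OK), ("stale PIX", REMOTE_PIX_STALE)):
        print(label, audit(MAIN_ASA, peer, "172.16.200.0/24", "172.16.26.0/24"))
```

Run as a script it reports, for the mirrored PIX, only the missing hairpin line, which is what the thread eventually lands on; for the stale PIX it additionally flags the unmirrored 172.16.200.0/24 -> 172.16.26.0/24 pair, the situation that produces the "does not match proxy IDs" log. The mirror check deliberately demands exact network matches rather than overlaps, because a crypto ACL entry that is a superset on one side and a subset on the other is also rejected as a proxy-ID mismatch by the peer.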

1 Accepted Solution

Accepted Solutions

What you want to do is "tunnelall", which is not split tunneling. This will still allow the clients to get to the main and remote site, but will not allow them to get to the internet... unless you specifically allowed them to by doing a "nat (outside)" or something. Your routes on the client will then be: Secured Routes 0.0.0.0 0.0.0.0

group-policy attributes

split-tunnel-policy tunnelall

Is that your existing config? I don't see where the walton ACL is assigned to anything for the split tunnel.


16 Replies

ajagadee
Cisco Employee

Jeff,

What is the pool of IP addresses that you are assigning for the RA clients?

Also, in your configuration, do you have the line below configured?

"same-security-traffic permit intra-interface"

I hope the URL below helps.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Regards,

Arul

** Please rate all helpful posts **

Hi Arul,

Thanks for the response. The VPN clients are being assigned 172.16.200.25-100/24. I need to provide them access to 172.16.0.0/24 (server VLAN), as well as 172.16.26.0/24 (remote site VLAN).

I have added the command you specified. However, we do web filtering here, and there is a concern among The Powers That Be about allowing split tunneling, with no control over sites accessed.

I guess I should add that I'm still not able to connect to the remote site. With the config in my first post I was at least seeing traffic on the remote firewall. Now the traffic doesn't seem to get there.

jeff.velten
Level 1

Anyone at all?

As someone said before, you need "same-security-traffic permit intra-interface" in the main site ASA.

I also see one statement that is not needed.

no access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0

Could you post 2 complete clean configs?

Another thing I noticed in your error message:

"Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0"

Why is it seq 40 and not 60?

I'll post a clean config as soon as I can, typical firefighting going on here after a long weekend.

Seq 40 is used for another L2L tunnel at the remote site. I have no clue why I'm getting that message, as my RA VPN config doesn't reference that other site at all.

Clean configs attached.

Main site is still missing "intra-interface"... not "inter".

Doh! I don't know how I missed that. That seems to have done the trick!

The only concern will be the use of split tunneling. Right now (through our VPN Concentrator), we do not allow it. Is it possible to allow access to the remote L2L sites without opening up internet access?

Unless I'm overlooking something, I don't see how they would be getting to the internet right now.

Well, I don't want to second-guess you after helping me out, but... :)

I have a laptop set up outside the main ASA, connected via the VPN client. From that laptop I can ping a host on the remote site, and bring up Google.

Well, in that case... haha.

Looks like you may have had a split tunnel ACL, walton-tunnel, at one point, but it isn't being used. What do your routes show in your VPN client when connected? Status -> Statistics -> Route Details

Walton is the remote site. I was under the impression I needed that configuration from the config example in the second post.

Routes on the VPN client are:

172.16.0.0 255.255.255.0
172.16.26.0 255.255.255.0
