10-06-2008 11:06 AM - edited 02-21-2020 03:58 PM
I've had L2L tunnels set up to a couple of remote sites (PIX) for several months now. We have a VPN concentrator, which will be going EOL soon, so I'm working on moving our existing RA clients over to our ASA. I'm having trouble allowing the RA clients access to a server at one of our remote sites. The relevant ASA (main site) and PIX config is posted below. The error I get on the remote PIX when attempting a ping from the VPN client is:
Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0
Relevant config:
Main ASA config
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 24.97.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
=========================================
Remote PIX config
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 204.14.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
EDIT: Guess I should add, remote site is 172.16.26.0/24, VPN VLAN is 172.16.200.0/24...
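Added example (not part of the thread, and not Cisco's own tooling): a small Python checker for the three things this thread ends up needing before RA clients can hairpin through the main ASA into a site-to-site tunnel. It parses the `access-list ... extended permit ip` lines from both peers, confirms the two crypto ACLs are exact mirror images (the condition behind "ACL does not match proxy IDs"), confirms every crypto-ACL pair is also NAT-exempt on its own side, and reports whether `same-security-traffic permit intra-interface` is present on the hub. The config text is copied from the first post; the function names and report keys are this example's own.

```python
# Added example, not from the thread. Checks the conditions an ASA/PIX L2L
# tunnel must meet before hairpinned remote-access traffic can use it.
import ipaddress
import re

# Copied from the thread's first post (main-site ASA and remote PIX).
MAIN_ASA = """\
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
"""
REMOTE_PIX = """\
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
"""

# Only plain "subnet mask subnet mask" entries are handled (no host/any keywords).
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acls(config):
    """Return {acl_name: {(src_network, dst_network), ...}} from an ASA/PIX config."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m is None:
            continue
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, set()).add(
            (ipaddress.ip_network(f"{src}/{smask}"),
             ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls


def proxy_id_mismatches(local, remote):
    """Crypto-ACL entries with no mirrored (dst, src) entry on the other peer."""
    mirrored_remote = {(dst, src) for src, dst in remote}
    mirrored_local = {(dst, src) for src, dst in local}
    return (sorted(local - mirrored_remote, key=str),
            sorted(remote - mirrored_local, key=str))


def not_nat_exempt(crypto, nat0):
    """Crypto-ACL pairs not covered by any nat0 entry (would be NATed before encryption)."""
    return sorted((pair for pair in crypto
                   if not any(pair[0].subnet_of(ns) and pair[1].subnet_of(nd)
                              for ns, nd in nat0)), key=str)


def check_peers(local_cfg, remote_cfg,
                crypto_acl="outside_cryptomap_60",
                nat0_acl="inside_nat0_outbound"):
    """Report mirror mismatches, NAT-exemption gaps, and the hub's hairpin setting."""
    la, ra = parse_acls(local_cfg), parse_acls(remote_cfg)
    lc, rc = la.get(crypto_acl, set()), ra.get(crypto_acl, set())
    missing_remote, missing_local = proxy_id_mismatches(lc, rc)
    return {
        "missing_on_remote": missing_remote,
        "missing_on_local": missing_local,
        "local_not_nat_exempt": not_nat_exempt(lc, la.get(nat0_acl, set())),
        "remote_not_nat_exempt": not_nat_exempt(rc, ra.get(nat0_acl, set())),
        # RA-to-L2L traffic enters and leaves the same interface on the hub.
        "intra_interface": "same-security-traffic permit intra-interface" in local_cfg,
    }


if __name__ == "__main__":
    for key, value in check_peers(MAIN_ASA, REMOTE_PIX).items():
        shown = [f"{s} -> {d}" for s, d in value] if isinstance(value, list) else value
        print(f"{key}: {shown or 'ok'}")
```

Run against the posted configs, the mirror and NAT-exemption checks come back clean (the two ACLs really are symmetric), and `intra_interface` is False, which is the gap the thread eventually identifies. Dropping the 172.16.200.0 entry from the remote PIX's crypto ACL reproduces the asymmetry the error message describes.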
10-14-2008 12:53 PM
What you want to do is "tunnelall", which is not split tunneling. This will still allow the clients to get to the main and remote site, but will not allow them to get to the internet....unless you specifically allowed them to by doing a "nat (outside)" or something. Your routes on the client will then be, Secured Routes 0.0.0.0 0.0.0.0
group-policy
split-tunnel-policy tunnelall
Is that your existing config? I don't see where the walton ACL is assigned to anything for the split tunnel.
10-06-2008 12:49 PM
Jeff,
What is the pool of IP addresses that you are assigning for the RA clients?
Also, in your configuration, do you have the below line configured?
"same-security-traffic permit intra-interface"
I hope the below URL helps.
Regards,
Arul
** Please rate all helpful posts **
10-07-2008 06:15 AM
Hi Arul,
Thanks for the response. The VPN clients are being assigned 172.16.200.25-100/24. I need to provide them access to 172.16.0.0/24 (server VLAN), as well as 172.16.26.0/24 (remote site VLAN).
I have added the command you specified. However, we do web filtering here, and there is a concern among The Powers That Be about allowing split tunneling, with no control over sites accessed.
10-08-2008 05:42 AM
I guess I should add that I'm still not able to connect to the remote site. With the config in my first post I was at least seeing traffic on the remote firewall. Now the traffic doesn't seem to get there.
10-14-2008 05:05 AM
Anyone at all?
10-14-2008 07:42 AM
As someone said before, you need "same-security-traffic permit intra-interface" in the main site ASA.
I also see one statement that is not needed.
no access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
Could you post 2 complete clean configs?
10-14-2008 07:53 AM
Another thing I noticed in your error message
"Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0"
is: why is it seq 40 and not 60?
10-14-2008 07:56 AM
I'll post a clean config as soon as I can, typical firefighting going on here after a long weekend.
Seq 40 is used for another L2L tunnel at the remote site. I have no clue why I'm getting that message, as my RA VPN config doesn't reference that other site at all.
10-14-2008 10:57 AM
10-14-2008 11:14 AM
Main site is still missing "intra-interface"....not "inter".
10-14-2008 11:34 AM
Doh! I don't know how I missed that. That seems to have done the trick!
The only concern will be the use of split tunneling. Right now (through our VPN Concentrator), we do not allow it. Is it possible to allow access to the remote L2L sites without opening up internet access?
10-14-2008 11:40 AM
Unless I'm overlooking something, I don't see how they would be getting to the internet right now.
10-14-2008 11:57 AM
Well, I don't want to second-guess you after helping me out, but... :)
I have a laptop setup outside the main ASA, connected via VPN client. From that laptop I can ping a host on the remote site, and bring up Google.
10-14-2008 12:08 PM
Well in that case...haha.
Looks like you may have had a split tunnel ACL, walton-tunnel, at one point, but it isn't being used. What do your routes show in your VPN client when connected? Status -> Statistics -> Route Details
10-14-2008 12:30 PM
Walton is the remote site. I was under the impression I needed that configuration from the config example in the second post.
Routes on the VPN client are:
172.16.0.0 255.255.255.0
172.16.26.0 255.255.255.0