Hi Gilbert,

Thanks very much for you prompt reply.

Can you please explain how my static lan to lan is picking up the group policy as i am struggling to see in the code where it is picking up the default one ?

I would much appreciate your help on this as i am struggling to see where this is happening and i have been unable to find many good resources for version 8.

Thanks in advance

Wayne

Hi Gilbert,

Thanks again for the prompt post. I will have a go at this on Wednesday. To be honest i didn't realise that tunnel-groups used group policies, i have never had any dealings with Group Policies as all my experience has been from version 6 and migrated to version 7 on our Pix Firewalls (not really done anything with the ASA).

Dont suppose you can provide a link to a resource that explains its usage a little do you ? I have read the Command Reference but it doesn't really say why/context of use. The code on the ASA doesn't actually specify a group policy for the tunnel which is why i am guessing its using the default, which is configured to use AAA for authentication which i dont want to be doing.

Thanks again and if you know of a link to something that would be fantastic.

If you are using ASDM and when you configure the site to site tunnel, its should under the advanced section -- tunnel group where the group policy can be chosen.

With regard to the group-policy, you can look at the link given below. (I am sure you might have already gone through this, if not...its here)

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpngrp.html

Group-policies are used for tweaking the tunnel access settings.

For eg: vpn-filter --access for specific IP's/ports

tunneling protocols specification.

Normally, its left at default even if you configure a new one for a Lan to Lan tunnel.

Hi Gilbert,

Thanks once again for your help on this. I now understand whats going on with the groups. I have reconfigured it and seem to be getting a new issue which i have googled and cannot seem to work out whats going on. If you could please point me in the right direction i would much appreciate it. Here is the debug I am now receiving;

Jan 28 2009 11:20:09: %ASA-6-113009: AAA retrieved default group policy (sitea_29_1) for user = 1.1.1.1

Jan 28 2009 11:20:09: %ASA-3-713206: Group = 1.1.1.1, IP = 1.1.1.1, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

Jan 28 2009 11:20:09: %ASA-7-715065: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0xb0388270) , : MM_DONE,

I am trying to get this working without Split Tunneling as i want all traffic to traverse the tunnel. To expand my knowledge, i am trying to get this done through the CLI.

I have tried two different access-lists as i read that to disable split tunnelling you need to use standard access lists but in the crypto map it wont let me, i also read that in the extended, set the IP as the source if disabling split tunneling which is what i have tried. I have also tried using the standard access-list in the group policy as there is an option there for split tunneling.

The attached configpost.txt is the relevant sections of the config

Also, the attached shrunalltunnelgroups.txt is the tunnel group settings

Kindest Regards

Wayne

Wayne,

Ok - I read your note and here are somethings to clarify with the terminology.

What you are trying to do is Lan to Lan tunnel configuration.

With regard to split-tunneling, its a terminology used for Remote Access VPN clients. Like IPSec VPN clients or Cisco Anyconnect VPN Clients.

Having said that, what is your end goal.

Please clarify.

Send me the output of "sh run all group-policy" as well.

Thanks

Gilbert

Rate this post, if it helped.

Hi Gilbert,

Thanks for the reply. I have worked it out and got the tunnel up and running (although its dropping the odd ping request).

I had to set the protocols to only IPSec in the group-policy i created to get it working.

Now i just need to take a look at whats causing the request time outs :)

Regards

Wayne

Hmm, seems like my split-tunnelling isn't working.

I have a remote site and i want to force all traffic from the local subnet 172.29.1.0/24 through the VPN out of the main site.

This works fine through the VPN Concentrator but i cannot seem to get this working through the ASA.

Any suggestions ? I have noticed a setting in the Policy about split tunnelling but does this only work with remote access policies and not site-to-site ?

Anyhow, going to have a play around until you get chance to reply

Thank you for your help so far

Wayne

Sorted that error out, now i am getting an error that there is no crypto map entry (guessing this is now an issue trying to disable the split tunnelling). If you can think of anything that can help with the configuration provided then that would be fantastic.

I will continue to debug this in the mean time and post if i spot it.

Wayne

Hmm, i am having issues with forcing all the ipsec traffic down the tunnel and onto our internal network.

What i think is happening here is as follows;

1. Traffic is flowing down the tunnel fine (all traffic that is)

2. As it hits the ASA, the routing table of the ASA tells it to route traffic out to the Internet (which you would expect)

The problem i have which seems to work ok on the VPN Concentrator is that i want all traffic once it comes out of the VPN to then route through a seperate internet link (so it gets our filtering applied) and not to go directly out of the ASA.

Is there a way to resolve this issue ?

Regards

Wayne

Ooo, there is a tunneled parameter on the end of the route command.

Thanks very much this is all working now.

Wayne