site-to-site VPN with Vlans

Unanswered Question

Hi,

Is it possible to set up a site-to-site VPN which will allow 2 interfaces in each location to communicate?

I'm trying to implement QoS for IP phones and I found that the easiest way is to create VLANs - this way it is easier to create bandwidth limits on the computer network and also prioritize the VLAN with IP phones...

Here is my situation:


First Location: Cisco ASA 5505 (3 interfaces: outside, inside, ipphones)

local net: 10.1.1.0/24 - interface inside (switchport 1,3,4,5,6,7)

local net: 192.168.10.0/24 - interface ipphones (switchport 2) security level 0


Second location: Cisco ASA 5505 (3 interfaces: outside, inside, ipphones)

local net: 10.0.0.0/24 - interface inside (switchport 1,3,4,5,6,7)

local net: 192.168.11.0/24 - interface ipphones (switchport 2) security level 0


Locally in each location the VLAN is working just fine - I can access IP phones from the 10.x network, etc. NAT is also working fine for both VLANs. I also allowed interfaces with the same security level to communicate.

I was able to set up a site-to-site VPN but only for the 10.x.x.x networks. When I'm using the graphical UI VPN wizard it's asking me on which interface I want to run the VPN... If I try to create a 2nd VPN it's telling me that I can't because it already exists.

I tried to modify it by creating network-objects and I also created NAT exceptions for both Vlans - still no luck.


Can anyone point me in the right direction?

PS. Both ASA are running software 8.2.2


Thanks in advance

Federico Coto F... Tue, 03/16/2010 - 08:43

Hi,


You can create the Site-to-Site to allow multiple VLANs to communicate through the tunnel.

You should just add the new subnet to the interesting traffic for the VPN (and include the same traffic in the nat0 ACL)


If you post the configuration, with the subnets that you want to communicate through the tunnel, I can tell you what you're missing.


Federico.

OK - here is a config from location1



ASA Version 8.2(2)

names
name 10.0.0.0 location2_NET

interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.X.X.43 255.255.255.0
!
interface Vlan12
nameif phones
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group service VoIP tcp-udp
description SIP,IAX,IAX2
port-object eq 4569
port-object eq 5036
port-object eq sip
port-object range 10000 20000
port-object eq 4100
port-object eq 5000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq ssh

access-list softvpn_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list ports_forwarding extended permit object-group TCPUDP any 192.168.10.0 255.255.255.0 object-group VoIP
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 location2_NET 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 location2_NET 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 location2_NET 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool vpn_pool 10.9.9.1-10.9.9.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 66.X.X.44
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (phones) 2 192.168.10.0 255.255.255.0
static (inside,outside) tcp 66.X.X.46 64101 10.1.1.108 64101 netmask 255.255.255.255
static (inside,outside) tcp 66.X.X.46 www 10.1.1.4 www netmask 255.255.255.255
static (inside,outside) 66.X.X.44 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 66.X.X.45 10.1.1.250 netmask 255.255.255.255
static (inside,outside) 66.X.X.42 10.1.1.252 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group ports_forwarding in interface outside
route outside 0.0.0.0 0.0.0.0 66.X.X.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer 24.X.X.88
crypto map inside_map 1 set transform-set ESP-DES-SHA ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 300
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.10.10-192.168.10.30 phones
dhcpd dns 4.2.2.2 4.2.2.5 interface phones
dhcpd enable phones
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.184.20.83 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy soft_vpn internal
group-policy soft_vpn attributes
wins-server value 10.1.1.4
dns-server value 10.1.1.4 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value softvpn_splitTunnelAcl

tunnel-group soft_vpn type remote-access
tunnel-group soft_vpn general-attributes
address-pool vpn_pool
authentication-server-group our_ActiveDir LOCAL
default-group-policy soft_vpn
tunnel-group soft_vpn ipsec-attributes
pre-shared-key *****
tunnel-group 24.X.X.88 type ipsec-l2l
tunnel-group 24.X.X.88 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
asdm location location2_NET 255.255.255.0 inside
no asdm history enable

and here is location2

BTW - in this location I have only 1 external IP and a site-to-site VPN with a 3rd location



ASA Version 8.2(2)
!
names
name 66.X.X.0 location1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan12
no forward interface Vlan1
nameif phones
security-level 0
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.3
name-server 4.2.2.4
name-server 4.2.2.5
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service voip_udp udp
description 10000-30000
port-object range 3478 3478
port-object range 4569 4569
port-object range 10001 65000
port-object range sip 5080
object-group network trusted_nets
network-object 67.X.X.0 255.0.0.0
network-object location1 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_access_in extended permit udp any any object-group voip_udp
access-list outside_access_in extended permit tcp any any eq www
access-list ip-qos extended permit ip 10.0.0.0 255.255.255.0 any inactive
access-list ip-qos extended permit ip any 10.0.0.0 255.255.255.0 inactive
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
logging class vpn asdm warnings
logging class vpnc asdm warnings
logging class vpnfo asdm warnings
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool softVPNPool 192.168.26.1-192.168.26.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.0.0.100 www netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.0.0.100 64022 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.0.0.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 10.0.0.100 ftp-data netmask 255.255.255.255
static (inside,outside) udp interface 5061 10.0.0.100 5061 netmask 255.255.255.255
static (inside,outside) udp interface sip 10.0.0.100 sip netmask 255.255.255.255
static (inside,outside) udp interface 4569 10.0.0.100 4569 netmask 255.255.255.255
static (inside,outside) udp interface 3478 10.0.0.100 3478 netmask 255.255.255.255
static (inside,outside) udp interface 5070 10.0.0.100 5070 netmask 255.255.255.255
static (inside,outside) udp interface 5080 10.0.0.100 5080 netmask 255.255.255.255
static (inside,outside) udp interface 10000 10.0.0.100 10000 netmask 255.255.255.255
static (inside,outside) udp interface 10001 10.0.0.100 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10002 10.0.0.100 10002 netmask 255.255.255.255
static (inside,outside) udp interface 10003 10.0.0.100 10003 netmask 255.255.255.255
static (inside,outside) udp interface 10004 10.0.0.100 10004 netmask 255.255.255.255
static (inside,outside) udp interface 10005 10.0.0.100 10005 netmask 255.255.255.255
static (inside,outside) udp interface 10006 10.0.0.100 10006 netmask 255.255.255.255
static (inside,outside) udp interface 10007 10.0.0.100 10007 netmask 255.255.255.255
static (inside,outside) udp interface 10008 10.0.0.100 10008 netmask 255.255.255.255
static (inside,outside) udp interface 10009 10.0.0.100 10009 netmask 255.255.255.255
static (inside,outside) udp interface 10010 10.0.0.100 10010 netmask 255.255.255.255
static (inside,outside) udp interface 10011 10.0.0.100 10011 netmask 255.255.255.255
static (inside,outside) udp interface 10012 10.0.0.100 10012 netmask 255.255.255.255
static (inside,outside) udp interface 10013 10.0.0.100 10013 netmask 255.255.255.255
static (inside,outside) udp interface 10014 10.0.0.100 10014 netmask 255.255.255.255
static (inside,outside) udp interface 10015 10.0.0.100 10015 netmask 255.255.255.255
static (inside,outside) udp interface 10016 10.0.0.100 10016 netmask 255.255.255.255
static (inside,outside) udp interface 10017 10.0.0.100 10017 netmask 255.255.255.255
static (inside,outside) udp interface 10018 10.0.0.100 10018 netmask 255.255.255.255
static (inside,outside) udp interface 10019 10.0.0.100 10019 netmask 255.255.255.255
static (inside,outside) udp interface 10020 10.0.0.100 10020 netmask 255.255.255.255
static (inside,outside) udp interface 10021 10.0.0.100 10021 netmask 255.255.255.255
static (inside,outside) udp interface 10022 10.0.0.100 10022 netmask 255.255.255.255
static (inside,outside) udp interface 10023 10.0.0.100 10023 netmask 255.255.255.255
static (inside,outside) udp interface 10024 10.0.0.100 10024 netmask 255.255.255.255
static (inside,outside) udp interface 10025 10.0.0.100 10025 netmask 255.255.255.255
static (inside,outside) udp interface 10026 10.0.0.100 10026 netmask 255.255.255.255
static (inside,outside) udp interface 10027 10.0.0.100 10027 netmask 255.255.255.255
static (inside,outside) udp interface 10028 10.0.0.100 10028 netmask 255.255.255.255
static (inside,outside) udp interface 10029 10.0.0.100 10029 netmask 255.255.255.255
static (inside,outside) udp interface 10030 10.0.0.100 10030 netmask 255.255.255.255
static (inside,outside) udp interface 10031 10.0.0.100 10031 netmask 255.255.255.255
static (inside,outside) udp interface 10032 10.0.0.100 10032 netmask 255.255.255.255
static (inside,outside) udp interface 10033 10.0.0.100 10033 netmask 255.255.255.255
static (inside,outside) udp interface 10034 10.0.0.100 10034 netmask 255.255.255.255
static (inside,outside) udp interface 10035 10.0.0.100 10035 netmask 255.255.255.255
static (inside,outside) udp interface 10036 10.0.0.100 10036 netmask 255.255.255.255
static (inside,outside) udp interface 10037 10.0.0.100 10037 netmask 255.255.255.255
static (inside,outside) udp interface 10038 10.0.0.100 10038 netmask 255.255.255.255
static (inside,outside) udp interface 10039 10.0.0.100 10039 netmask 255.255.255.255
static (inside,outside) udp interface 10040 10.0.0.100 10040 netmask 255.255.255.255
static (inside,outside) udp interface 10041 10.0.0.100 10041 netmask 255.255.255.255
static (inside,outside) udp interface 10042 10.0.0.100 10042 netmask 255.255.255.255
static (inside,outside) udp interface 10043 10.0.0.100 10043 netmask 255.255.255.255
static (inside,outside) udp interface 10044 10.0.0.100 10044 netmask 255.255.255.255
static (inside,outside) udp interface 10045 10.0.0.100 10045 netmask 255.255.255.255
static (inside,outside) udp interface 10046 10.0.0.100 10046 netmask 255.255.255.255
static (inside,outside) udp interface 10047 10.0.0.100 10047 netmask 255.255.255.255
static (inside,outside) udp interface 10048 10.0.0.100 10048 netmask 255.255.255.255
static (inside,outside) udp interface 10049 10.0.0.100 10049 netmask 255.255.255.255
static (inside,outside) udp interface 10050 10.0.0.100 10050 netmask 255.255.255.255
static (inside,outside) udp interface 10051 10.0.0.100 10051 netmask 255.255.255.255
static (inside,outside) udp interface 16385 10.0.0.100 16385 netmask 255.255.255.255
static (inside,outside) udp interface 16386 10.0.0.100 16386 netmask 255.255.255.255
static (inside,outside) udp interface 16387 10.0.0.100 16387 netmask 255.255.255.255
static (inside,outside) udp interface 16388 10.0.0.100 16388 netmask 255.255.255.255
static (inside,outside) udp interface 16389 10.0.0.100 16389 netmask 255.255.255.255
static (inside,outside) udp interface 10052 10.0.0.100 10052 netmask 255.255.255.255
static (inside,outside) udp interface 10053 10.0.0.100 10053 netmask 255.255.255.255
static (inside,outside) udp interface 10054 10.0.0.100 10054 netmask 255.255.255.255
static (inside,outside) udp interface 10055 10.0.0.100 10055 netmask 255.255.255.255
static (inside,outside) udp interface 10056 10.0.0.100 10056 netmask 255.255.255.255
static (inside,outside) udp interface 10057 10.0.0.100 10057 netmask 255.255.255.255
static (inside,outside) udp interface 10058 10.0.0.100 10058 netmask 255.255.255.255
static (inside,outside) udp interface 10059 10.0.0.100 10059 netmask 255.255.255.255
static (inside,outside) udp interface 10060 10.0.0.100 10060 netmask 255.255.255.255
static (inside,outside) udp interface 10061 10.0.0.100 10061 netmask 255.255.255.255
static (inside,outside) udp interface 10062 10.0.0.100 10062 netmask 255.255.255.255
static (inside,outside) udp interface 10063 10.0.0.100 10063 netmask 255.255.255.255
static (inside,outside) udp interface 10064 10.0.0.100 10064 netmask 255.255.255.255
static (inside,outside) udp interface 10065 10.0.0.100 10065 netmask 255.255.255.255
static (inside,outside) udp interface 10066 10.0.0.100 10066 netmask 255.255.255.255
static (inside,outside) udp interface 10067 10.0.0.100 10067 netmask 255.255.255.255
static (inside,outside) udp interface 10068 10.0.0.100 10068 netmask 255.255.255.255
static (inside,outside) udp interface 10069 10.0.0.100 10069 netmask 255.255.255.255
static (inside,outside) udp interface 10070 10.0.0.100 10070 netmask 255.255.255.255
static (inside,outside) udp interface 10071 10.0.0.100 10071 netmask 255.255.255.255
static (inside,outside) udp interface 10072 10.0.0.100 10072 netmask 255.255.255.255
static (inside,outside) udp interface 10073 10.0.0.100 10073 netmask 255.255.255.255
static (inside,outside) udp interface 10074 10.0.0.100 10074 netmask 255.255.255.255
static (inside,outside) udp interface 10075 10.0.0.100 10075 netmask 255.255.255.255
static (inside,outside) udp interface 10076 10.0.0.100 10076 netmask 255.255.255.255
static (inside,outside) udp interface 10077 10.0.0.100 10077 netmask 255.255.255.255
static (inside,outside) udp interface 10078 10.0.0.100 10078 netmask 255.255.255.255
static (inside,outside) udp interface 10079 10.0.0.100 10079 netmask 255.255.255.255
static (inside,outside) udp interface 10080 10.0.0.100 10080 netmask 255.255.255.255
static (inside,outside) udp interface 10081 10.0.0.100 10081 netmask 255.255.255.255
static (inside,outside) udp interface 10082 10.0.0.100 10082 netmask 255.255.255.255
static (inside,outside) udp interface 10083 10.0.0.100 10083 netmask 255.255.255.255
static (inside,outside) udp interface 10084 10.0.0.100 10084 netmask 255.255.255.255
static (inside,outside) udp interface 10085 10.0.0.100 10085 netmask 255.255.255.255
static (inside,outside) udp interface 10086 10.0.0.100 10086 netmask 255.255.255.255
static (inside,outside) udp interface 10087 10.0.0.100 10087 netmask 255.255.255.255
static (inside,outside) udp interface 10088 10.0.0.100 10088 netmask 255.255.255.255
static (inside,outside) udp interface 10089 10.0.0.100 10089 netmask 255.255.255.255
static (inside,outside) udp interface 10090 10.0.0.100 10090 netmask 255.255.255.255
static (inside,outside) udp interface 10091 10.0.0.100 10091 netmask 255.255.255.255
static (inside,outside) udp interface 10092 10.0.0.100 10092 netmask 255.255.255.255
static (inside,outside) udp interface 10093 10.0.0.100 10093 netmask 255.255.255.255
static (inside,outside) udp interface 10094 10.0.0.100 10094 netmask 255.255.255.255
static (inside,outside) udp interface 10095 10.0.0.100 10095 netmask 255.255.255.255
static (inside,outside) udp interface 10096 10.0.0.100 10096 netmask 255.255.255.255
static (inside,outside) udp interface 10097 10.0.0.100 10097 netmask 255.255.255.255
static (inside,outside) udp interface 10098 10.0.0.100 10098 netmask 255.255.255.255
static (inside,outside) udp interface 10099 10.0.0.100 10099 netmask 255.255.255.255
static (inside,outside) udp interface 10100 10.0.0.100 10100 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 92.Y.Y.83
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 66.X.X.43
crypto map outside_map 2 set transform-set ESP-3DES-SHA ESP-DES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 300
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.200-10.0.0.224 inside
dhcpd dns 4.2.2.3 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.184.20.83 source outside prefer
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy softvpn internal
group-policy softvpn attributes
vpn-tunnel-protocol svc webvpn
webvpn
  url-list value AWbookmarklist
  svc ask enable
tunnel-group 92.Y.Y.83 type ipsec-l2l
tunnel-group 92.Y.Y.83 ipsec-attributes
pre-shared-key *****
tunnel-group softvpn type remote-access
tunnel-group softvpn general-attributes
address-pool softVPNPool
default-group-policy softvpn
tunnel-group 66.X.X.43 type ipsec-l2l
tunnel-group 66.X.X.43 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map qos
description qos policy
match access-list ip-qos
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map qos
class qos
  police output 2097000 2097000
  police input 16000000 16000000
!
service-policy global_policy global
service-policy qos interface inside

Federico Coto F... Tue, 03/16/2010 - 09:31

Ok, based on this configuration, the traffic that is going to be encrypted and sent through the tunnel is traffic between 10.1.1.0/24 and 10.0.0.0/24.


Basically, what you should do is that on both sides, you must add on the ACL for VPN the other subnets that correspond to the other VLANs.

For example, if you have another VLAN 10.3.3.0/24 on location 2, you should add the following:


On location1:
name 10.3.3.0 location3_NET
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 location3_NET 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 location3_NET 255.255.255.0


The ACLs on location2 should be a mirror from the ACLs on location1.


Federico.

Thanks Federico - I think I understand the concept now.


So if I have 2 VLANs in location1 and 2 VLANs in location2 (as in my description in the first post),

I should have 4 ACLs to encrypt traffic and 4 NAT exemptions on each firewall, correct (if I want all subnets to communicate)?


Location1:

access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list inside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

! Location1 - exemption from NAT:

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0


Location2:

access-list inside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list inside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list inside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list inside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0

! Location2 - exemption from NAT:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0


Also, if I have a soft VPN set up and I want to be able to access both VLANs, I also need an additional ACL and exemption from NAT, correct?


Thanks again,

Adam

I did what you suggested but it's still not working....

Should I also have this in location 1, since I'm using 2 global statements:


global (outside) 1 interface
global (outside) 2 66.X.X.44
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (phones) 0 access-list inside_nat0_outbound
nat (phones) 2 192.168.10.0 255.255.255.0


???

Federico Coto F... Tue, 03/16/2010 - 10:36

To bypass NAT on location 1 all you need is this command:


nat (inside) 0 access-list inside_nat0_outbound

With the correct statements in the ACL.

The same ACL should be reflected on the crypto ACL.


Did you apply the same config in location 2?


If it still does not work, you can post your configurations and I'll let you know what you're missing.


Federico.
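A consistency checker for the rule Federico gives above and in his earlier reply (an added example, not code from this thread or from Cisco): it parses the `name` and `access-list ... extended permit ip` lines of two ASA 8.2 configs, flags crypto-ACL pairs that have no matching nat0 exemption, and flags pairs whose mirror is missing from the peer's crypto ACL. The two config excerpts are constructed from the subnets and ACL names posted in this thread, with location 2 still carrying only the 10.x-to-10.x entry.

```python
"""Check crypto ACL / nat0 ACL consistency between two ASA 8.2-style configs."""
import ipaddress
import re
from collections import defaultdict

# Only plain "permit ip SRC SMASK DST DMASK" ACEs are parsed; object-group or
# "inactive" entries are ignored, since only these pairs define tunnel traffic.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")  # name <ip> <alias>


def _net(addr, mask, names):
    """Resolve an ASA `name` alias and return the network in CIDR form."""
    addr = names.get(addr, addr)
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_ip_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for the 'permit ip' ACEs."""
    names, acls = {}, defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)  # alias -> address
            continue
        m = ACL_RE.match(line)
        if m:
            acl, src, smask, dst, dmask = m.groups()
            acls[acl].append((_net(src, smask, names), _net(dst, dmask, names)))
    return dict(acls)


def crypto_without_nat0(acls, crypto_acl, nat0_acl):
    """Crypto-ACL pairs the nat0 ACL does not exempt: that traffic would be NATed."""
    nat0 = set(acls.get(nat0_acl, []))
    return [pair for pair in acls.get(crypto_acl, []) if pair not in nat0]


def unmirrored_entries(local_acls, local_crypto, peer_acls, peer_crypto):
    """Local crypto pairs whose (dst, src) mirror is absent from the peer's crypto ACL."""
    peer = set(peer_acls.get(peer_crypto, []))
    return [(s, d) for (s, d) in local_acls.get(local_crypto, []) if (d, s) not in peer]


# Constructed excerpt: location 1 after adding all four VLAN pairs to the crypto
# ACL, but with one nat0 exemption (phones <-> phones) still missing.
LOCATION1 = """\
name 10.0.0.0 location2_NET
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 location2_NET 255.255.255.0
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 location2_NET 255.255.255.0
access-list inside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 location2_NET 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 location2_NET 255.255.255.0
"""
# Constructed excerpt: location 2 unchanged, only the 10.x <-> 10.x pair.
LOCATION2 = """\
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
"""


def report(loc1, loc2):
    """Summarize both checks for the two sites in this thread."""
    a, b = parse_ip_acls(loc1), parse_ip_acls(loc2)
    return {
        "loc1_crypto_not_exempt": crypto_without_nat0(a, "inside_1_cryptomap", "inside_nat0_outbound"),
        "loc2_crypto_not_exempt": crypto_without_nat0(b, "outside_2_cryptomap", "inside_nat0_outbound"),
        "missing_on_loc2": unmirrored_entries(a, "inside_1_cryptomap", b, "outside_2_cryptomap"),
    }


if __name__ == "__main__":
    for key, pairs in report(LOCATION1, LOCATION2).items():
        print(key)
        for src, dst in pairs:
            print(f"  {src} -> {dst}")
```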
