Working IPSEC remote VPN together with L2L. ASA5505 and 5520.

Jun 1st, 2010

Hi, here are two configs. The L2L between 192.168.198.0 and 172.16.1/7/12.0 is working fine; I can access 172.16.x.x, but I also want to make 192.168.198.0 accessible over the remote VPN from 10.200.1.0. What am I doing wrong? Can somebody help me?

Node A

Result of the command: "sh run"

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 4444 encrypted
passwd 4444 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Internet
nameif Outside
security-level 10
ip address 84.243.228.98 255.255.255.224
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Free
shutdown
nameif Free
security-level 100
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.254 255.255.255.0
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface Redundant1.1
description Management
no vlan
no nameif
security-level 100
no ip address
!
interface Redundant1.2
description Vlan2
shutdown
vlan 102
nameif Vlan2
security-level 100
ip address 172.16.2.254 255.255.255.0
!
interface Redundant1.3
description FiconMan
shutdown
vlan 103
nameif Vlan103
security-level 100
ip address 172.16.3.254 255.255.255.0
!
interface Redundant1.4
description FiconFront
shutdown
vlan 104
nameif Vlan104
security-level 100
ip address 172.16.4.254 255.255.255.0
!
interface Redundant1.5
description FiconBack
shutdown
vlan 105
nameif Vlan105
security-level 100
ip address 172.16.5.254 255.255.255.0
!
interface Redundant1.6
description Vlan6
shutdown
vlan 106
nameif Vlan6
security-level 100
ip address 172.16.6.254 255.255.255.0
!
interface Redundant1.7
description CompetePro
vlan 107
nameif Vlan107
security-level 100
ip address 172.16.7.254 255.255.255.0
!
interface Redundant1.8
description HollandIn
vlan 108
nameif Vlan108
security-level 100
ip address 172.16.8.254 255.255.255.0
!
interface Redundant1.9
description Fam-Bakker
vlan 109
nameif Vlan109
security-level 100
ip address 172.16.9.254 255.255.255.0
!
interface Redundant1.10
description Vlan10
vlan 110
nameif Vlan110
security-level 100
ip address 172.16.10.254 255.255.255.0
!
interface Redundant1.11
description Vlan11
shutdown
vlan 111
nameif Vlan111
security-level 100
ip address 172.16.11.254 255.255.255.0
!
interface Redundant1.12
description CompeteOffice
vlan 112
nameif Vlan112
security-level 100
ip address 172.16.12.254 255.255.255.0
!
interface Redundant1.13
description Vlan13
shutdown
vlan 113
nameif Vlan13
security-level 100
ip address 172.16.13.254 255.255.255.0
!
interface Redundant1.14
description Vlan14
shutdown
vlan 114
nameif Vlan14
security-level 100
ip address 172.16.14.254 255.255.255.0
!
interface Redundant1.100
description DMZ
vlan 200
nameif DMZ
security-level 100
ip address 172.16.15.254 255.255.255.0
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network Server11
host 172.16.7.1
object network Server13
host 172.16.7.3
object network Server14
host 172.16.7.4
object network Server15
host 172.16.7.5
object network Server21
host 172.16.7.7
object network HollandInrichters
range 172.16.8.4 172.16.8.16
description HollandInrichters   
object network Fam_Bakker
host 172.16.9.252
object network Topdesk
host 172.16.12.2
description Topdesk 
object network Compete_Management
subnet 172.16.1.0 255.255.255.0
description Compete_Management   
object network Server16
host 172.16.7.6
object network Test
host 84.x.x.125
object network TestServer
host 172.16.15.1
object network NETWORK_OBJ_172.16.15.0_24
subnet 172.16.15.0 255.255.255.0
object network NETWORK_OBJ_192.168.198.0_24
subnet 192.168.198.0 255.255.255.0
object network Vlan112Network
subnet 172.16.12.0 255.255.255.0
object network ManagementLan
host 84.x.x.232
object network Management_Lan
subnet 172.16.1.0 255.255.255.0
object network Vrijedagen
subnet 172.16.7.0 255.255.255.0
object network CompeteMan
subnet 172.16.1.0 255.255.255.0
object network Preview
host 172.16.10.10
description preview.compete.nl 
object network NETWORK_OBJ_10.200.1.0_24
subnet 10.200.1.0 255.255.255.0
object service Nagios12489
service tcp destination eq 12489
object service Nagios5666
service tcp destination eq 5666
object network owa.compete.nl
host 172.16.12.4
object network Server22
host 172.16.12.1
object network Vlan112
subnet 172.16.12.0 255.255.255.0
object network Server12
host 172.16.7.2
object-group network DM_INLINE_NETWORK_1
network-object object CompeteMan
network-object object Vlan112Network
network-object object Vrijedagen
network-object object NETWORK_OBJ_10.200.1.0_24
object-group network DM_INLINE_NETWORK_2
network-object object Vlan112Network
network-object object Vrijedagen
network-object object CompeteMan
network-object object NETWORK_OBJ_10.200.1.0_24
object-group service http-https-pptp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pptp
object-group service http-https-ftp
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service http-https-smtp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service ftp-smtp-http-81-pop-444
service-object tcp destination eq 444
service-object tcp destination eq 81
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service http-https-smtp-pptp-ftp-5666-12489
service-object tcp-udp destination eq 12489
service-object tcp-udp destination eq 5666
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pptp
service-object tcp destination eq smtp
object-group network DM_INLINE_NETWORK_3
network-object object CompeteMan
network-object object Vlan112Network
network-object object Vrijedagen
network-object object NETWORK_OBJ_192.168.198.0_24
object-group service Nagios
service-object object Nagios12489
service-object object Nagios5666
object-group network DM_INLINE_NETWORK_4
network-object 172.16.1.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.12.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object Nagios12489
service-object object Nagios5666
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 82.204.44.133 any
access-list Outside_access_in extended permit object-group http-https-pptp any host 172.16.7.1
access-list Outside_access_in extended permit object-group http-https-smtp any host 172.16.12.4
access-list Outside_access_in extended permit tcp any host 172.16.1.243 eq ftp
access-list Outside_access_in extended permit tcp any host 172.16.1.240 eq pptp
access-list Outside_access_in extended permit tcp any object Server13 eq https
access-list Outside_access_in extended permit object-group http-https-ftp any object Server14
access-list Outside_access_in extended permit tcp any object Server15 eq pptp
access-list Outside_access_in extended permit gre any host 172.16.8.4
access-list Outside_access_in extended permit object-group http-https-smtp-pptp-ftp-5666-12489 any host 172.16.8.4
access-list Outside_access_in extended permit tcp any object Server16 eq www
access-list Outside_access_in extended permit object-group ftp-smtp-http-81-pop-444 any object Fam_Bakker
access-list Outside_access_in extended permit object-group http-https-smtp any object Server21
access-list Outside_access_in extended permit object-group http-https-pptp any host 172.16.12.2
access-list Outside_access_in extended permit tcp any host 84.x.x.125 eq www
access-list Outside_access_in extended permit object-group http-https-ftp any object Preview
access-list Outside_access_in extended permit tcp any any eq 12489
access-list Outside_access_in extended deny ip any any
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object NETWORK_OBJ_192.168.198.0_24 log debugging
access-list Rem_VPN standard permit 172.16.1.0 255.255.255.0
access-list Rem_VPN standard permit 172.16.12.0 255.255.255.0
access-list Rem_VPN standard permit 172.16.7.0 255.255.255.0
access-list Rem_VPN standard permit 192.168.198.0 255.255.255.0
access-list RemVPN extended permit ip object NETWORK_OBJ_10.200.1.0_24 object NETWORK_OBJ_192.168.198.0_24
access-list RemVPN extended permit ip object NETWORK_OBJ_10.200.1.0_24 object CompeteMan
access-list RemVPN extended permit ip object NETWORK_OBJ_10.200.1.0_24 any
access-list RemVPN extended permit ip object NETWORK_OBJ_192.168.198.0_24 object NETWORK_OBJ_10.200.1.0_24
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Free 1500
mtu management 1500
mtu Vlan2 1500
mtu Vlan103 1500
mtu Vlan104 1500
mtu Vlan105 1500
mtu Vlan6 1500
mtu Vlan107 1500
mtu Vlan108 1500
mtu Vlan109 1500
mtu Vlan110 1500
mtu Vlan111 1500
mtu Vlan112 1500
mtu Vlan13 1500
mtu Vlan14 1500
mtu DMZ 1500
ip local pool RemoteVPN 10.200.1.1-10.200.1.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (any,Outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.198.0_24 NETWORK_OBJ_192.168.198.0_24
nat (any,Outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_10.200.1.0_24 NETWORK_OBJ_10.200.1.0_24
!
object network Server11
nat (Vlan107,Outside) static 84.x.x.250 dns
object network Server13
nat (Vlan107,Outside) static 84.x.x.248 dns
object network Server14
nat (Vlan107,Outside) static 84.x.x.249 dns
object network Server15
nat (Vlan107,Outside) static 84.x.x.248 dns
object network Server21
nat (Vlan107,Outside) static 84.x.x.220 dns
object network HollandInrichters
nat (Vlan108,Outside) static 84.x.x.253 dns
object network Fam_Bakker
nat (Vlan109,Outside) static 84.x.x.251 dns
object network Topdesk
nat (Vlan112,Outside) static 84.x.x.231 dns
object network Compete_Management
nat (management,Outside) static 84.x.x.254 dns
object network Server16
nat (Vlan107,Outside) static 84.x.x.247 dns
object network Preview
nat (Vlan110,Outside) static 84.x.x.232 dns
object network owa.compete.nl
nat (Vlan112,Outside) static 84.x.x.230 dns
object network Vlan112
nat (Vlan112,Outside) static 84.x.x.230 dns
object network Server12
nat (Vlan107,Outside) static 84.x.x.229 dns
access-group Outside_access_in in interface Outside
!
router rip
version 1
no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 84.x.x.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record RemVPN
network-acl RemVPN
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 172.16.7.0 255.255.255.0 Vlan107
http 84.x.x.0 255.255.255.128 DMZ
http 85.x.x.134 255.255.255.255 Outside
http 82.x.x.128 255.255.255.224 Outside
http 82.x.x.130 255.255.255.255 Free
http 85.x.x.134 255.255.255.255 Free
http 80.x.x.102 255.255.255.255 Free
http 82.x.xx.128 255.255.255.224 Free
http 172.16.2.0 255.255.255.0 Vlan2
http 62.177.x.99 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 82.x.x.139
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 84.x.x.101 255.255.255.255 Outside
ssh 82.x.x.128 255.255.255.224 Outside
ssh 85.x.x.134 255.255.255.255 Outside
ssh 192.168.2.0 255.255.255.0 management
ssh 172.16.7.0 255.255.255.0 Vlan107
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-lock value DefaultRAGroup
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
dns-server value 172.16.1.200 192.168.198.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Rem_VPN
username Johan password 333 encrypted privilege 15
username Nikita password 333 encrypted privilege 15
username Nikita attributes
group-lock value RemoteVPN
tunnel-group 82.x.x.139 type ipsec-l2l
tunnel-group 82.x.x.139 ipsec-attributes
pre-shared-key *****
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool RemoteVPN
default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:***
: end

Node B

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 3333 encrypted
passwd 333 encrypted
names
name 172.16.1.0 Vlan1
name 172.16.7.0 Vlan107
name 172.16.9.0 Vlan109
name 172.16.10.0 Vlan110
name 172.16.11.0 Vlan111
name 172.16.12.0 Vlan112
name 10.200.1.0 RemoteVPN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.198.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 82.x.x.139 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 22
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network CL-Tunnel-Subnetten
network-object Vlan1 255.255.255.0
network-object Vlan110 255.255.255.0
network-object Vlan111 255.255.255.0
network-object Vlan112 255.255.255.0
network-object Vlan107 255.255.255.0
network-object Vlan109 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object Vlan1 255.255.255.0
network-object Vlan112 255.255.255.0
network-object Vlan107 255.255.255.0
network-object host 172.16.12.2
network-object RemoteVPN 255.255.255.0
access-list outside_access_in extended permit tcp any host 82.x.x.133 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 82.x.x.133 eq 5667
access-list outside_access_in extended permit object-group TCPUDP any host 82.x.x.133 eq 52783
access-list outside_access_in extended permit tcp any host 82.x.x.134 eq smtp
access-list outside_access_in extended permit tcp any host 82.x.x.134 eq https
access-list outside_access_in extended permit tcp any host 82.x.x.134 eq www
access-list outside_access_in extended permit tcp any host 82.x.x.134 range 6001 6004
access-list outside_access_in extended permit tcp any host 82.x.x.131 eq pptp
access-list inside_nat0_outbound extended permit ip 192.168.198.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_2_cryptomap extended permit ip 192.168.198.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 82.x.x.136 10.0.0.10 netmask 255.255.255.255 dns
static (inside,outside) 82.x.x.135 10.0.0.4 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
!
router rip
version 1
!
route outside 0.0.0.0 0.0.0.0 82.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.198.0 255.255.255.0 inside
http x.x.x.x outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 84.243.228.98
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group CaiWay request dialout pppoe
vpdn group CaiWay localname [email protected]
vpdn group CaiWay ppp authentication pap
vpdn username 3333 password ********* store-local
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 84.x.x.98 type ipsec-l2l
tunnel-group 84.x.x.98 general-attributes
tunnel-group 84.x.x.98 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 4512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:234
: end


Thanks.

Jennifer Halim Wed, 06/02/2010 - 04:17

You would need to add the "same-security-traffic permit intra-interface" command on the ASA that runs version 8.3.1.

Hope that resolves the issue.
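As an added example (not code from the thread or from either poster), the script below reads an ASA 8.3-style running-config and reports whether the four things the pool-to-L2L hairpin needs are present on the hub: the intra-interface permit from the answer, an L2L crypto ACL that matches pool-to-LAN, an identity (twice-NAT) exemption for the same pair, and a split-tunnel list that includes the remote LAN. HUB_CONFIG is a constructed, trimmed excerpt of the 8.3(1) config posted above (the object-group names are reused from it; DM_INLINE_NETWORK_2 is folded into DM_INLINE_NETWORK_1 for brevity), and the address-term resolver only handles the forms that appear in that config.

```python
"""Check an ASA 8.3 running-config for what a remote-access VPN pool needs in
order to reach a site-to-site (L2L) peer's LAN back out the same outside
interface. Added example, not code from the original post. HUB_CONFIG is a
constructed, trimmed excerpt of the 8.3(1) hub config shown in the thread."""
import re
from ipaddress import ip_network

HUB_CONFIG = """\
object network NETWORK_OBJ_192.168.198.0_24
 subnet 192.168.198.0 255.255.255.0
object network NETWORK_OBJ_10.200.1.0_24
 subnet 10.200.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 172.16.1.0 255.255.255.0
 network-object object NETWORK_OBJ_10.200.1.0_24
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object NETWORK_OBJ_192.168.198.0_24
access-list Rem_VPN standard permit 172.16.1.0 255.255.255.0
access-list Rem_VPN standard permit 192.168.198.0 255.255.255.0
nat (any,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.198.0_24 NETWORK_OBJ_192.168.198.0_24
crypto map Outside_map 1 match address Outside_1_cryptomap
group-policy RemoteVPN attributes
 split-tunnel-network-list value Rem_VPN
"""


def parse_objects(cfg):
    """Collect 'object network' subnets/hosts and 'object-group network' members
    as raw token lists; they are resolved to networks on demand."""
    objects, groups, cur = {}, {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not line.startswith(" "):          # top-level line starts a new block
            cur = None
            if t[:2] == ["object", "network"]:
                cur = objects.setdefault(t[2], [])
            elif t[:2] == ["object-group", "network"]:
                cur = groups.setdefault(t[2], [])
        elif cur is not None and t and t[0] in ("subnet", "host", "network-object"):
            cur.append(t if t[0] == "host" else t[1:])
    return objects, groups


def resolve(tokens, objects, groups):
    """Consume one address term (any / host X / object N / object-group N / A MASK)
    and return (list of ip_network, remaining tokens)."""
    kw = tokens[0]
    if kw == "any":
        return [ip_network("0.0.0.0/0")], tokens[1:]
    if kw == "host":
        return [ip_network(tokens[1])], tokens[2:]
    if kw in ("object", "object-group"):
        nets = []
        for member in (objects if kw == "object" else groups)[tokens[1]]:
            nets += resolve(member, objects, groups)[0]
        return nets, tokens[2:]
    return [ip_network(f"{kw}/{tokens[1]}")], tokens[2:]


def resolve_name(name, objects, groups):
    """8.3 'nat' lines name objects and groups bare; pick the right table."""
    return resolve(["object-group" if name in groups else "object", name], objects, groups)[0]


def permit_ip_pairs(cfg, acl, objects, groups):
    """(src, dst) pairs from 'access-list ACL extended permit ip SRC DST' lines."""
    pairs = []
    for t in map(str.split, cfg.splitlines()):
        if t[:5] == ["access-list", acl, "extended", "permit", "ip"]:
            srcs, rest = resolve(t[5:], objects, groups)
            dsts, _ = resolve(rest, objects, groups)   # trailing 'log ...' is ignored
            pairs += [(s, d) for s in srcs for d in dsts]
    return pairs


def identity_nat_pairs(cfg, objects, groups):
    """(src, dst) pairs exempted from translation: real == mapped on both sides."""
    pairs = []
    pat = r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2(?:\s|$)"
    for m in re.finditer(pat, cfg, re.M):
        srcs, dsts = resolve_name(m[1], objects, groups), resolve_name(m[2], objects, groups)
        pairs += [(s, d) for s in srcs for d in dsts]
    return pairs


def standard_acl_nets(cfg, acl):
    """Networks permitted by a standard ACL (the split-tunnel list form)."""
    return [ip_network(f"{t[4]}/{t[5]}") for t in map(str.split, cfg.splitlines())
            if t[:4] == ["access-list", acl, "standard", "permit"]]


def covers(pairs, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def check_hairpin(cfg, pool, lan):
    """Return {requirement: satisfied} for RA pool -> L2L LAN traffic on the hub."""
    pool, lan = ip_network(pool), ip_network(lan)
    objects, groups = parse_objects(cfg)
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)
    split_lists = re.findall(r"^ split-tunnel-network-list value (\S+)", cfg, re.M)
    return {
        "intra-interface hairpin": "same-security-traffic permit intra-interface" in cfg.splitlines(),
        "L2L crypto ACL covers pool->lan": any(
            covers(permit_ip_pairs(cfg, a, objects, groups), pool, lan) for a in crypto_acls),
        "identity NAT exempts pool->lan": covers(identity_nat_pairs(cfg, objects, groups), pool, lan),
        "split-tunnel list includes lan": any(
            lan.subnet_of(n) for a in split_lists for n in standard_acl_nets(cfg, a)),
    }


if __name__ == "__main__":
    for req, ok in check_hairpin(HUB_CONFIG, "10.200.1.0/24", "192.168.198.0/24").items():
        print(("OK      " if ok else "MISSING ") + req)
```

Run against the trimmed hub excerpt it flags only the intra-interface permit as missing, which is the same conclusion the answer reaches; the spoke side still has to mirror the crypto ACL and the nat0 exemption (the posted 8.2(1) config already lists RemoteVPN in both), and the checker deliberately does not try to prove that.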
