09-28-2010 08:48 AM - edited 03-04-2019 09:55 AM
Hello,
I have cisco anyconnect ssl vpn configured on one asa 5505 in siteA with split tunneling. The clients are able to connect to the internal network (20.20.20.0/24).
There is a site-to-site connection from siteA to siteB (5505 as well). Anyconnect users who are connected to the asa in SiteA can't connect to the internal network of siteB (10.0.1.0/24).
10.10.10.0 - outside network
20.20.20.0 - inside network SiteA
10.0.1.0 - inside network SiteB
50.50.50.0 - VPN users siteA
When using packet tracer from both sites it says the packet is allowed.
I found a related post on the forum and followed the steps mentioned in following post: https://supportforums.cisco.com/message/3112382
siteA
-----
-added exemption for siteB
access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0
-added acl in cryptomap for site-to-site between siteA and siteB
access-list Outside_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0
-added the siteB IP range to split-tunnel
access-list split-tunnel standard permit 10.0.1.0 255.255.255.0
-enabled same-security-traffic permit inter-interface
-enabled same-security-traffic permit intra-interface
siteB
-----
-added exemption for SiteA
access-list no_nat extended permit ip 50.50.50.0 255.255.255.0 10.0.1.0 255.255.255.0
-added acl in cryptomap for site-to-site between siteB and siteA
access-list Outside_3_cryptomap extended permit ip 50.50.50.0 255.255.255.0 10.0.1.0 255.255.255.0
Does anyone know what's missing?
Thanks
config firewall siteA
-----------------------
: Written by admin at 05:03:25.499 UTC Tue Sep 28 2010
!
ASA Version 8.2(2)
!
hostname fw1
domain-name domain.local
enable password FjvMKW4exVDlqgsq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
nameif Outside
security-level 0
ip address 10.10.10.2 255.255.255.240
!
interface Vlan200
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface Vlan300
nameif DMZ
security-level 50
ip address 30.30.30.1 255.255.255.0
!
interface Vlan400
nameif VOIP
security-level 100
ip address 40.40.40.1 255.255.255.0
!
interface Ethernet0/0
description WAN Interface
switchport access vlan 100
speed 100
duplex full
!
interface Ethernet0/1
description DMZ Interface
switchport access vlan 300
!
interface Ethernet0/2
description Trunk port to sw1
switchport access vlan 400
switchport trunk allowed vlan 200,400
switchport trunk native vlan 200
switchport mode trunk
!
interface Ethernet0/3
description Trunk port to sw4
switchport access vlan 400
switchport trunk allowed vlan 200,400
switchport trunk native vlan 200
switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
description Trunk port to AP1
switchport access vlan 300
switchport trunk allowed vlan 200,300
switchport trunk native vlan 200
switchport mode trunk
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network SiteA
network-object 20.20.20.0 255.255.255.0
network-object host 10.10.10.1
object-group network siteB
network-object 10.0.1.0 255.255.255.0
network-object host 7.7.7.1
access-list acl_out_in extended permit tcp any interface Outside eq www
access-list no_nat extended permit ip 20.20.20.0 255.255.255.0 50.50.50.0 255.255.255.0
access-list no_nat extended permit ip object-group siteA object-group siteB
access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0
access-list split-tunnel standard permit 20.20.20.0 255.255.255.0
access-list split-tunnel standard permit 10.0.1.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 20.20.20.0 255.255.255.0 object-group siteB
access-list Outside_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0
pager lines 24
logging enable
mtu Management 1500
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu VOIP 1500
ip local pool SSLClientPool 50.50.50.1-50.50.50.254 mask 255.255.255.0
no failover
monitor-interface Management
monitor-interface Outside
monitor-interface Inside
monitor-interface DMZ
monitor-interface VOIP
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (DMZ) 1 10.10.10.3
nat (Management) 1 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list no_nat
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (VOIP) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface www 20.20.20.32 www netmask 255.255.255.255
access-group acl_out_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map Allow_VPN
map-name msNPAllowDialin Tunneling-Protocols
map-value msNPAllowDialin FALSE 4
map-value msNPAllowDialin TRUE 48
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (Inside) host 20.20.20.9
ldap-base-dn dc=domain,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn CN=cisco,OU=Service Accounts,OU=HTCP, DC=domain, DC=local
server-type microsoft
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
http 20.20.20.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer 74.7.11.174
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto ca trustpoint localtrust
enrollment self
fqdn vpn.domain.com
subject-name CN=vpn.domain.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 2097644c
quit
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config Outside
priority-queue Outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust Outside
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 20.20.20.9
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value domain.local
address-pools value SSLClientPool
username user1 password TEkjf52Nn3dfdf encrypted privilege 15
username user1 attributes
service-type admin
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group ActiveDirectory
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group 74.7.11.174 type ipsec-l2l
tunnel-group 74.7.11.174 ipsec-attributes
pre-shared-key somekey
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map VoicePolicy
class Voice-OUT
priority
class Voice-IN
priority
!
service-policy global_policy global
service-policy VoicePolicy interface Outside
prompt hostname context
service call-home
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:41ec9ba2201fcadac735b75fb4759120
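An added consistency check over the crypto-map entries listed in the post; it is not from the thread or from Cisco. On an ASA a crypto ACE is matched with the local network as source and the peer's network as destination, and the peer must carry the mirror image of each ACE, so the script reconstructs the two sides' entries (site B's entry for the existing 20.20.20.0/24 tunnel is assumed, since that tunnel is reported as working) and flags any entry whose source is not a local network or that has no mirror on the peer.

```python
import ipaddress
import re

# Constructed excerpt of the crypto-map ACLs from the thread. Site A's first entry
# is the posted one with object-group siteB expanded to 10.0.1.0/24; site B's
# first entry is assumed (the working LAN-to-LAN tunnel implies it exists).
SITE_A_CFG = """\
access-list Outside_3_cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0
"""
SITE_B_CFG = """\
access-list Outside_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 50.50.50.0 255.255.255.0 10.0.1.0 255.255.255.0
"""
# Networks each ASA should treat as "local" in its crypto ACL: its own LAN plus,
# on site A, the AnyConnect pool that terminates there.
SITE_A_LOCAL = ["20.20.20.0/24", "50.50.50.0/24"]
SITE_B_LOCAL = ["10.0.1.0/24"]

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_aces(cfg, acl):
    """Return (src, dst) network pairs for plain ip/mask entries of the named ACL."""
    pairs = []
    for line in cfg.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.append((src, dst))
    return pairs

def check_l2l_hairpin(local_cfg, peer_cfg, local_nets, acl="Outside_3_cryptomap"):
    """Findings for one ASA: every crypto ACE must read local -> remote (the ASA
    matches outbound traffic against the ACE as written) and the peer must carry
    the mirror image, otherwise the proxy IDs never match and no SA is built."""
    findings = []
    local = {ipaddress.ip_network(n) for n in local_nets}
    peer = set(parse_aces(peer_cfg, acl))
    for src, dst in parse_aces(local_cfg, acl):
        if src not in local or dst in local:
            findings.append(f"reversed crypto ACE {src} -> {dst}: source must be the local side")
        if (dst, src) not in peer:
            findings.append(f"peer has no mirror of crypto ACE {src} -> {dst}")
    return findings

if __name__ == "__main__":
    for name, cfg, peer, nets in (("siteA", SITE_A_CFG, SITE_B_CFG, SITE_A_LOCAL),
                                  ("siteB", SITE_B_CFG, SITE_A_CFG, SITE_B_LOCAL)):
        for f in check_l2l_hairpin(cfg, peer, nets) or ["ok"]:
            print(f"{name}: {f}")
```

Run against the entries as posted, both ASAs get one finding each (the new 50.50.50.0/24 entry is written remote-first on both sides); swapping source and destination on both clears the findings.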
09-28-2010 03:03 PM
Hi,
Looks fine.
Testing...
When trying to access the Site B internal LAN from the VPN clients, check the following:
Site A:
sh cry isa sa --> Tunnel should be established between the VPN client and the ASA, and tunnel should be established between Site A and Site B
sh cry ips sa --> You should see a Security Association established for 50.50.50.0/24 and 10.0.1.0/24
The second part is very important since you will see packets encrypted/decrypted, which will show whether traffic is flowing through.
Do the same thing on Site B.
Question.
Do you also have the routing set up correctly?
For example, does Site B know that to reach 50.50.50.0/24 it should send the traffic to Site A?
Federico.
10-13-2010 03:41 AM
There are no routers in between. Should I add a route on both ASAs then?
on site B
route Outside 50.50.50.0 255.255.255.0 WANIP_SiteA 1 ??