Need Help

Unanswered Question
Nov 13th, 2013
A static route is used between 3750X_Main and the ASA.

Only 10.2.101.0/24 is permitted to access the internet.

10.2.101.222 connects to 3750X_Main.

ASA_Config

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 222.202.222.99 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.101.203 255.255.255.0
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 202.106.0.20
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network INSIDE_OUTSIDE
 subnet 10.2.101.0 255.255.255.0
object network INSIDE
 host 10.2.101.203
object network WEB_SERVER
 host 10.2.101.222
object network VPN_CLIENT
 subnet 10.2.80.0 255.255.255.0
object network VPN_LOCAL
 subnet 10.0.0.0 255.0.0.0
object-group network VPN_REMOTE
 network-object 10.2.77.0 255.255.255.252
access-list 101 extended permit ip any any
access-list split extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool VPN_CLIENT 10.2.80.1-10.2.80.254 mask 255.255.255.0
no nat (inside,outside) source dynamic VPN_LOCAL INSIDE destination static VPN_REMOTE VPN_REMOTE
no nat (outside,outside) source dynamic VPN_CLIENT INSIDE destination static VPN_REMOTE VPN_REMOTE
no nat (outside,inside) source static VPN_REMOTE VPN_REMOTE destination static VPN_LOCAL VPN_LOCAL
no nat (outside,inside) source static VPN_CLIENT VPN_CLIENT destination static VPN_LOCAL VPN_LOCAL
!
object network INSIDE_OUTSIDE
 nat (inside,outside) dynamic interface
object network WEB_SERVER
 nat (inside,outside) static interface service tcp 4000 4000
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 222.202.222.97 1
route inside 10.2.12.0 255.255.255.0 10.2.101.254 1
route inside 10.2.13.0 255.255.255.0 10.2.101.254 1
aaa authentication ssh console LOCAL
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 1 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map DYNMAP 1 set reverse-route
crypto map OUTSIDEMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDEMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
group-policy VPN_CLIENT internal
group-policy VPN_CLIENT attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value VPN_CLIENT
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
 vpn-group-policy VPN_CLIENT
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group VPN_CLIENT type remote-access
tunnel-group VPN_CLIENT general-attributes
 default-group-policy VPN_CLIENT
tunnel-group VPN_CLIENT ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup

As shown above:

1. EzVPN_Client can access L2L_PC.

2. EzVPN_Client can access 10.2.101.0/24.

3. EzVPN_Client cannot access 10.2.12.0/24 and 10.2.13.0/24.

4. 10.2.12.0/24 and 10.2.13.0/24 can access L2L_PC, but once L2L_PC accesses 10.2.12.0/24 and 10.2.13.0/24, 10.2.12.0/24 and 10.2.13.0/24 can no longer access L2L_PC.

5. 10.2.101.0/24 and L2L_PC can access each other at any time.

Why? Need help.
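As an added example (not code from the post, the poster, or Cisco), the script below reads the interface, route, access-group, IKEv1 policy and management-access lines quoted in the post, performs the longest-prefix route lookup the ASA would do for each destination the poster lists, and produces the review findings a defender would raise on this configuration: access-list 101 permitting ip any any inbound on outside, SSH and Telnet reachable from any source address, and the 3DES/MD5 IKEv1 policy. The configuration subset is copied from the post; the mapping of L2L_PC to the VPN_REMOTE network 10.2.77.0/30 and the finding codes are my own assumptions.

```python
import ipaddress
import re

# Subset of the ASA configuration quoted in the post above (interfaces,
# routes, outside ACL, IKEv1 policy, management access). Copied, not invented.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 222.202.222.99 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.101.203 255.255.255.0
access-list 101 extended permit ip any any
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 222.202.222.97 1
route inside 10.2.12.0 255.255.255.0 10.2.101.254 1
route inside 10.2.13.0 255.255.255.0 10.2.101.254 1
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Destinations named in the post, with one probe address each.
# Placing L2L_PC in VPN_REMOTE (10.2.77.0/30) is an assumption on my part.
DESTINATIONS = {
    "L2L_PC (assumed VPN_REMOTE)": "10.2.77.1",
    "10.2.101.0/24": "10.2.101.222",
    "10.2.12.0/24": "10.2.12.1",
    "10.2.13.0/24": "10.2.13.1",
}


def parse_connected(cfg):
    """(network, nameif) for every interface carrying an ip address."""
    connected, nameif = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]
            connected.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), nameif))
    return connected


def parse_routes(cfg):
    """(network, nameif, next_hop) for every static 'route' line."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        iface, net, mask, nh = m.groups()
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), iface, nh))
    return routes


def egress_for(dst, cfg=ASA_CONFIG):
    """Longest-prefix match across connected and static routes.

    Returns (nameif, next_hop); next_hop is "connected" for directly
    attached networks, and the result is None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    table = [(net, ifc, "connected") for net, ifc in parse_connected(cfg)]
    table += parse_routes(cfg)
    hits = [entry for entry in table if ip in entry[0]]
    if not hits:
        return None
    _, ifc, nh = max(hits, key=lambda e: e[0].prefixlen)
    return ifc, nh


def exposure_findings(cfg=ASA_CONFIG):
    """Review findings a defender would raise; the codes are my own labels."""
    findings = []
    # An inbound ACL on any interface that permits ip any any.
    for acl, ifc in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        if re.search(rf"^access-list {re.escape(acl)} extended permit ip any any\s*$", cfg, re.M):
            findings.append(("OPEN_INBOUND_ACL", f"{acl} inbound on {ifc} permits ip any any"))
    # Management protocols allowed from 0.0.0.0/0.
    for proto, ifc in re.findall(r"^(ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        findings.append(("MGMT_ANY_SRC", f"{proto} reachable from any source on {ifc}"))
    # Legacy algorithms inside the IKEv1 policy block.
    for kind, alg in re.findall(r"^\s*(encryption|hash) (\S+)", cfg, re.M):
        if alg in ("des", "3des", "md5"):
            findings.append(("WEAK_IKE", f"ikev1 policy uses {kind} {alg}"))
    return findings


if __name__ == "__main__":
    for name, probe in DESTINATIONS.items():
        print(f"{name:28} -> {egress_for(probe)}")
    for code, detail in exposure_findings():
        print(f"[{code}] {detail}")
```

The lookup shows the ASA itself holds an inside route for 10.2.12.0/24 and 10.2.13.0/24 via 10.2.101.254, so a static route on the ASA is not what is missing for the VPN clients. The script models neither NAT nor the return path: on the ASA, `packet-tracer input outside tcp <src> <sport> <dst> <dport>` walks a flow through routing, NAT and the ACLs, and 3750X_Main must hold a route back to the 10.2.80.0/24 client pool for replies to reach EzVPN clients. The three findings are what a reviewer would raise regardless of the reachability question.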
