02-29-2012 05:58 AM
I have an L2L VPN setup between two ASA 5505's. I can communicate across the VPN from either site without an issue. I'd like to be able to grant RA VPN users access to both LAN's but I'm not certain how to proceed (or if it's possible). I have split tunneling setup, and I've added both LAN subnets in the ACL. When I connect to either ASA via RA VPN, I can ping any host on the local subnet behind that ASA. However, when I try to ping hosts on the other side of the L2L VPN, it fails. I'm not sure if I have an ACL setup wrong, or if it's simply not possible. Any help or insight would certainly be appreciated.
03-02-2012 02:46 AM
Hi there,
This is what you have to do: create an ACL that includes your remote-VPN-client pool and the remote LAN segments, as shown below. Please copy these lines and try, and let me know.
object-group network REMOTE-LANS
network-object 192.168.252.0 255.255.255.0
network-object 10.203.204.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.250.208 255.255.255.240 object-group REMOTE-LANS
access-list OUTSIDE-NAT0 extended permit ip object-group REMOTE-LANS 192.168.250.208 255.255.255.240
nat (outside) 0 access-list OUTSIDE-NAT0
same-security-traffic permit intra-interface
--------------------------------------------------------------------------------------------------------------------------------
FYI... As you can see, these two network segments overlap, which is bad design.
ip local pool RAVPN 192.168.250.211-192.168.250.220 mask 255.255.0.0
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.250.240 255.255.255.0
!
| Subnet | Network Address | Starting Host | End Host | Broadcast | Netmask |
|---|---|---|---|---|---|
| 0 | 192.168.0.0 | 192.168.0.1 | 192.168.255.254 | 192.168.255.255 | 255.255.0.0 |
For easier maintenance, please put them on different networks; otherwise, it is all in one basket and one network is stepping over another.
Hope that helps.
Thanks
Rizwan Rafeek
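An added check, not part of the thread or of any poster's config: a small Python script (standard library only) built from the address values quoted in the answer above, the RAVPN pool as the 192.168.250.208/28 used in the OUTSIDE-NAT0 ACL, the Vlan1 subnet, the two remote LANs, and the outside_1/outside_2 crypto-map ACLs from the posted config. It confirms the two points the answer makes, that the pool overlaps the inside LAN and that the nat 0 exemption must cover both directions between the pool and each remote LAN, and adds one general IPsec condition the thread does not spell out: the L2L crypto ACL has to classify pool-to-remote traffic as interesting, which here holds only because the pool sits inside the 192.168.250.0/24 source of those ACLs. Moving the pool to its own subnet, as the answer recommends, would also mean adding it to the crypto ACLs on both peers.

```python
"""Sanity checks for hairpinning remote-access VPN users into an L2L tunnel on an ASA.

Added example: the networks below are constructed from the values quoted in the
thread; the check logic is the general NAT-exempt / crypto-ACL rule, not ASA code.
"""
from ipaddress import IPv4Network

# --- values taken from the thread (constructed here as Python objects) ---
INSIDE_LAN = IPv4Network("192.168.250.0/24")                 # interface Vlan1
RA_POOL = IPv4Network("192.168.250.208/28")                  # .208-.223, covers the .211-.220 pool
RA_POOL_AS_MASKED = IPv4Network("192.168.0.0/16")            # what "mask 255.255.0.0" on the pool implies
REMOTE_LANS = {
    "Treasury-LAN": IPv4Network("192.168.252.0/24"),
    "DC2-LAN": IPv4Network("10.203.204.0/24"),
}

# OUTSIDE-NAT0 from the answer, expressed as (source, destination) pairs in both directions
OUTSIDE_NAT0 = [(RA_POOL, r) for r in REMOTE_LANS.values()] + \
               [(r, RA_POOL) for r in REMOTE_LANS.values()]

# Interesting-traffic ACLs of the two L2L crypto-map entries in the posted config
CRYPTO_ACLS = {
    "Treasury-LAN": [(INSIDE_LAN, REMOTE_LANS["Treasury-LAN"])],   # outside_1_cryptomap
    "DC2-LAN": [(INSIDE_LAN, REMOTE_LANS["DC2-LAN"])],             # outside_2_cryptomap
}


def pool_overlaps_lan(pool: IPv4Network, lan: IPv4Network) -> bool:
    """True when the RA pool and the inside LAN share addresses (the overlap the answer flags)."""
    return pool.overlaps(lan)


def _pair_covered(rules, src: IPv4Network, dst: IPv4Network) -> bool:
    """True when some (source, destination) rule fully contains src -> dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in rules)


def nat_exempt_covers(rules, pool: IPv4Network, remote: IPv4Network) -> bool:
    """nat 0 must exempt BOTH directions, otherwise return traffic is PATed and the flow breaks."""
    return _pair_covered(rules, pool, remote) and _pair_covered(rules, remote, pool)


def crypto_acl_covers(acl, pool: IPv4Network, remote: IPv4Network) -> bool:
    """The hairpinned flow is only encrypted if the L2L crypto ACL matches pool -> remote."""
    return _pair_covered(acl, pool, remote)


def check_ra_to_remote(pool: IPv4Network, nat0_rules, crypto_acls, remotes) -> dict:
    """Per remote LAN, report the conditions an RA-client-to-remote-LAN flow needs."""
    return {
        name: {
            "nat_exempt": nat_exempt_covers(nat0_rules, pool, net),
            "crypto_match": crypto_acl_covers(crypto_acls[name], pool, net),
        }
        for name, net in remotes.items()
    }


if __name__ == "__main__":
    print("pool overlaps inside LAN:", pool_overlaps_lan(RA_POOL, INSIDE_LAN))
    print("pool mask /16 also overlaps Treasury-LAN:",
          pool_overlaps_lan(RA_POOL_AS_MASKED, REMOTE_LANS["Treasury-LAN"]))
    for name, result in check_ra_to_remote(RA_POOL, OUTSIDE_NAT0, CRYPTO_ACLS, REMOTE_LANS).items():
        print(name, result)
```

Run as-is to see the report; swap in your own pool, LAN and ACL values to re-check a config after moving the pool to a dedicated subnet. Remember that `same-security-traffic permit intra-interface` is still required on the ASA for the outside-to-outside hairpin, which this script does not model.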
03-01-2012 07:43 PM
You are missing no-NAT on the outside interface.
Please post your config; I will compile it for you.
Thanks
Rizwan Rafeek
03-02-2012 12:27 AM
Hi Rizwan,
Thank you for responding. Running config is posted below:
Result of the command: "show run"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
names
name 192.168.250.84 YTCVS
name 96.17.98.7 NJJ1
name 96.17.97.19 NJJ2
name 96.17.98.11 NJJ3
name 96.17.97.15 NJJ4
name 96.17.98.15 VDOT1
name 96.17.96.5 VDOT2
name 96.17.98.19 VDOT3
name 96.17.96.9 VDOT4
name 96.17.96.10 VGOV1
name 96.17.96.6 VGOV2
name 216.33.198.0 DC2
name 64.19.183.67 Eatontown-ASA
name 64.241.196.50 Treasury-ASA
name 192.168.252.0 Treasury-LAN
name 216.33.198.4 DC2-ASA
name 10.203.204.0 DC2-LAN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.250.240 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Eatontown-ASA 255.255.255.224
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object-group network Akamai_Streaming_Service_Group
network-object host VGOV1
network-object host VDOT2
network-object host VGOV2
network-object host VDOT4
network-object host NJJ4
network-object host NJJ2
network-object host NJJ3
network-object host VDOT1
network-object host VDOT3
network-object host NJJ1
group-object NJJStreaming
group-object VDOTStreaming
group-object VGOVStreaming
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo
access-list raeatontown_splitTunnelAcl standard permit 192.168.250.0 255.255.255.0
access-list raeatontown_splitTunnelAcl standard permit Treasury-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 192.168.250.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 Treasury-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 DC2-LAN 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.250.0 255.255.255.0 Treasury-LAN 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.250.0 255.255.255.0 DC2-LAN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA-VPN 192.168.250.200-192.168.250.210 mask 255.255.255.0
ip local pool RAVPN 192.168.250.211-192.168.250.220 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 64.19.183.84 YTCVS netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.19.183.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.250.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer Treasury-ASA
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer DC2-ASA
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy raeatontown internal
group-policy raeatontown attributes
dns-server value 192.168.250.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value raeatontown_splitTunnelAcl
vpn-group-policy raeatontown
tunnel-group raeatontown type remote-access
tunnel-group raeatontown general-attributes
address-pool RAVPN
default-group-policy raeatontown
tunnel-group raeatontown ipsec-attributes
pre-shared-key *****
tunnel-group 64.241.196.50 type ipsec-l2l
tunnel-group 64.241.196.50 ipsec-attributes
pre-shared-key *****
tunnel-group 216.33.198.4 type ipsec-l2l
tunnel-group 216.33.198.4 ipsec-attributes
pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:26165d77fc6075a771f94ea98be973b9
: end
03-06-2012 07:08 PM
Awesome, that worked! Thank you!