Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5520 - I need to have two internal networks going over a VPN to head office

I have two seperate internal subnets 10.90.0.0 and 100.0.0.0 I have the two subnets talking to each other internally and I have 10.90.0.0 talking to our head office (10.1.0.0) over a site to site VPN. What I need to do know is get 100.0.0.0 talking to 10.1.0.0 over the same site to site VPN.

Here is a copy of the config.   

On the other end I have added the duplicate entries to the proper ACL's

Any ideas would be apprechiated.

Thanks,          

ASA Version 8.0(4)
!
hostname ****************
domain-name ************
enable password *************************

passwd ************************************

names
!
interface GigabitEthernet0/0
description outside interface ****************subnet
nameif outside
security-level 0
ip address *************************************
!
interface GigabitEthernet0/1
description inside interface 10.90.0.0 subnet
nameif inside
security-level 100
ip address 10.90.2.1 255.255.224.0
!
interface GigabitEthernet0/2
nameif temp
security-level 100
ip address 100.0.0.201 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name mestekcorp.com
same-security-traffic permit inter-interface
access-list 199 extended permit ip 10.90.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 199 extended permit ip 10.90.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 199 extended permit ip 10.90.0.0 255.255.0.0 10.65.0.0 255.255.0.0
access-list 199 extended permit ip 10.90.0.0 255.255.0.0 10.69.0.0 255.255.0.0
access-list 199 extended permit ip 100.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 199 extended permit ip 100.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 10.90.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 105 extended permit ip 10.90.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 100.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 105 extended permit ip 100.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.90.0.0 255.255.0.0 10.65.0.0 255.255.0.0
access-list 103 extended permit ip 10.90.0.0 255.255.0.0 10.69.0.0 255.255.0.0
no pager
logging enable
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu temp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 ****************************

global (outside) 1 *****************************

global (inside) 1 interface
nat (inside) 0 access-list 199
nat (inside) 1 0.0.0.0 0.0.0.0
nat (temp) 0 access-list 199
nat (temp) 1 0.0.0.0 0.0.0.0
static (inside,temp) 10.90.0.0 10.90.0.0 netmask 255.255.224.0
static (temp,inside) 100.0.0.0 100.0.0.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 12.192.19.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set linel esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map linel-map 10 match address 105
crypto map linel-map 10 set peer **************************
crypto map linel-map 10 set transform-set linel
crypto map linel-map 10 set security-association lifetime seconds 28800
crypto map linel-map 10 set security-association lifetime kilobytes 4608000
crypto map linel-map 20 match address 101
crypto map linel-map 20 set peer *******************

crypto map linel-map 20 set transform-set linel
crypto map linel-map 20 set security-association lifetime seconds 28800
crypto map linel-map 20 set security-association lifetime kilobytes 4608000
crypto map linel-map 30 match address 103
crypto map linel-map 30 set peer ***************************
crypto map linel-map 30 set transform-set linel
crypto map linel-map 30 set security-association lifetime seconds 28800
crypto map linel-map 30 set security-association lifetime kilobytes 4608000
crypto map linel-map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 1000
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.90.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group ********************** type ipsec-l2l
tunnel-group *********************ipsec-attributes
pre-shared-key *
tunnel-group ********************type ipsec-l2l
tunnel-group **********************ipsec-attributes
pre-shared-key *
tunnel-group ************************ type ipsec-l2l
tunnel-group ****************************ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:001cd48f19626c3cfdef641257ee2dbd
: end
mvfw-001(config)#

  • Other Security Subjects
1 REPLY
Cisco Employee

ASA 5520 - I need to have two internal networks going over a VPN

You should create a different ACL for NONAT on inside and temp interface as follows:

no access-list 199 extended permit ip 100.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0

no access-list 199 extended permit ip 100.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat-temp extended permit ip 100.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list nonat-temp extended permit ip 100.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

no nat (temp) 0 access-list 199

nat (temp) 0 access-list nonat-temp

Then "clear xlate"

622
Views
0
Helpful
1
Replies
This widget could not be displayed.