
New Member

PIX-ASA, allow RA VPN clients to access servers at remote sites

I've had L2L tunnels set up to a couple of remote sites (PIX) for several months now. We have a VPN concentrator, which will be going EOL soon, so I'm working on moving our existing RA clients over to our ASA. I'm having trouble allowing the RA clients access to a server at one of our remote sites. The relevant ASA (main site) and PIX config is posted below. The error I get on the remote PIX when attempting a ping from the VPN client is:

Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0

Relevant config:

Main ASA config

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 24.97.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

=========================================

Remote PIX config

access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 204.14.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

EDIT: Guess I should add, remote site is 172.16.26.0/24, VPN VLAN is 172.16.200.0/24...


16 REPLIES
Cisco Employee

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Jeff,

What is the pool of IP addresses that you are assigning for the RA clients?

Also, in your configuration, do you have the below line configured?

"same-security-traffic permit intra-interface"

I hope the below URL helps.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Hi Arul,

Thanks for the response. The VPN clients are being assigned 172.16.200.25-100/24. I need to provide them access to 172.16.0.0/24 (server VLAN), as well as 172.16.26.0/24 (remote site VLAN).

I have added the command you specified. However, we do web filtering here, and there is a concern among The Powers That Be about allowing split tunneling, with no control over sites accessed.

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

I guess I should add that I'm still not able to connect to the remote site. With the config in my first post I was at least seeing traffic on the remote firewall. Now the traffic doesn't seem to get there.

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Anyone at all?

Green

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

As someone said before, you need "same-security-traffic permit intra-interface" in the main site ASA.

I also see one statement that is not needed.

no access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0

Could you post 2 complete clean configs?

Green

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Another thing I noticed in your error message

"Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0"

is: why is it seq 40 and not 60?

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

I'll post a clean config as soon as I can, typical firefighting going on here after a long weekend.

Seq 40 is used for another L2L tunnel at the remote site. I have no clue why I'm getting that message, as my RA VPN config doesn't reference that other site at all.

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Clean configs attached.

Green

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Main site is still missing "intra-interface"....not "inter".

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Doh! I don't know how I missed that. That seems to have done the trick!

The only concern will be the use of split tunneling. Right now (through our VPN Concentrator), we do not allow it. Is it possible to allow access to the remote L2L sites without opening up internet access?

Green

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Unless I'm overlooking something, I don't see how they would be getting to the internet right now.

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Well, I don't want to second-guess you after helping me out, but... :)

I have a laptop set up outside the main ASA, connected via the VPN client. From that laptop I can ping a host on the remote site, and bring up Google.

Green

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Well in that case...haha.

Looks like you may have had a split tunnel acl, walton-tunnel, at one point, but it isn't being used. What do your routes show in your VPN client when connected? Status -> Statistics -> Route Details

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Walton is the remote site. I was under the impression I needed that configuration from the config example in the second post.

Routes on the VPN client are:

172.16.0.0 255.255.255.0

172.16.26.0 255.255.255.0

Green (Accepted Solution)

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

What you want to do is "tunnelall", which is not split tunneling. This will still allow the clients to get to the main and remote site, but will not allow them to get to the internet... unless you specifically allowed them to by doing a "nat (outside)" or something. Your routes on the client will then be: Secured Routes 0.0.0.0 0.0.0.0

group-policy attributes
split-tunnel-policy tunnelall

Is that your existing config? I don't see where the walton acl is assigned to anything for the split tunnel.
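The pieces the thread arrives at, pulled together into one main-site configuration, as an added example that is not from any post above or from Cisco's own configuration guide. It uses the pre-8.3 NAT syntax the posted configs use (on 8.3 and later the NAT-exemption lines become object/twice NAT), keeps the thread's addresses, and assumes the names RA-POOL, RA-POLICY and RA-GROUP for illustration. It shows the split-tunnel setting the poster had next to the tunnelall setting the accepted answer recommends, together with the intra-interface command from the earlier replies and the crypto ACL entry that has to exist on both peers:

```cisco
! Main-site ASA, pre-8.3 syntax. RA-POOL, RA-POLICY and RA-GROUP are assumed names.

! 1. Hairpinning. RA client traffic arrives on the outside interface and must
!    leave through the same interface into the L2L tunnel. Without this line
!    the ASA drops the packets and nothing ever reaches the remote PIX.
same-security-traffic permit intra-interface

! 2. Address pool for RA clients (the VPN VLAN, 172.16.200.0/24).
ip local pool RA-POOL 172.16.200.25-172.16.200.100 mask 255.255.255.0

! 3. NAT exemption on the inside interface, so the server VLAN answers RA
!    clients untranslated. RA-to-remote-site traffic never enters the inside
!    interface, so the 172.16.200.0 -> 172.16.26.0 entry in this ACL is not
!    needed here (it is needed in the crypto ACL, see step 4).
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 4. Proxy IDs for the L2L tunnel. The RA pool must be a source here and,
!    mirrored (172.16.26.0 -> 172.16.200.0), in the remote PIX's crypto ACL
!    and its nat0 ACL; a missing mirror is what produces
!    "ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0".
!    The existing set peer / set transform-set lines for seq 60 stay as posted.
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60

! 5a. Weak setting (what the poster had): split tunneling. Only the listed
!     networks go through the tunnel; all other traffic, including the
!     internet, leaves the client's local interface and bypasses the
!     corporate web filter.
access-list walton-tunnel standard permit 172.16.0.0 255.255.255.0
access-list walton-tunnel standard permit 172.16.26.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value walton-tunnel

! 5b. Corrected setting (the accepted answer): tunnel everything. The client
!     installs one secured route, 0.0.0.0/0, so it still reaches the main and
!     remote sites through the ASA but has no internet path unless the ASA
!     deliberately provides one (for example a nat (outside) rule for the pool).
!     The network list is ignored under tunnelall.
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelall

! 6. Bind pool and policy to the RA tunnel-group.
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
```

Two checks confirm the result: on the client, Status -> Statistics -> Route Details should list a single secured route 0.0.0.0 0.0.0.0 rather than the individual 172.16.x.0 networks, and on the remote PIX, show crypto ipsec sa should show a security association whose local and remote identities are 172.16.26.0/24 and 172.16.200.0/24 once an RA client has pinged a remote host.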

New Member

Re: PIX-ASA, allow RA VPN clients to access servers at remote sites

Sorry about that. When I posted my clean config before, I realized that I was using an older config. So I did a quick cut & paste from CLI to the config I posted, and I must have missed the split-tunnel-policy line, which was:

split-tunnel-policy walton-tunnel

I set that back to tunnelall, and now have the result I was looking for. VPN clients can reach the main and remote sites, with no internet access while connected.

Thanks very much for your help.
