02-08-2012 08:24 AM
We have a Cisco ASA 5505 that has two Site-to-Site VPN connections. When users connect through the AnyConnect client, they are unable to access these networks. I have done some searching and tried several things to no avail.
VPN Network: 192.168.50.192/27
Internal Network: 192.168.5.0/24
Site-to-Site VPN Networks: object-group VPN1_NETWORK (let's say mainly 244.0.0.0/8) and 10.224.52.0/22
Any help would be most appreciated. Here's the running config:
: Saved
:
ASA Version 8.2(1)
!
hostname x
domain-name x.com
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.100.50.25 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 200.100.50.26
name-server 200.100.50.27
domain-name x.com
dns server-group VPNDNS
name-server 192.168.5.2
domain-name x.com
object-group network VPN1_NETWORK
network-object x.x.x.x 255.255.240.0
network-object x.x.x.x 255.255.224.0
network-object x.x.x.x 255.255.224.0
network-object x.x.x.x 255.248.0.0
network-object 244.0.0.0 255.0.0.0
network-object x.x.x.x 255.255.252.0
object-group network DM_INLINE_NETWORK_1
network-object host y.y.y.y
network-object host y.y.y.y
object-group network DM_INLINE_NETWORK_2
network-object host y.y.y.y
network-object host y.y.y.y
object-group network DM_INLINE_NETWORK_3
network-object host y.y.y.y
network-object host y.y.y.y
network-object host y.y.y.y
network-object host y.y.y.y
network-object host y.y.y.y
object-group network DM_INLINE_NETWORK_5
network-object host y.y.y.y
network-object host y.y.y.y
network-object host y.y.y.y
network-object host y.y.y.y
network-object host y.y.y.y
access-list SplitTunnelList standard permit 192.168.5.0 255.255.255.0
access-list SplitTunnelList standard permit 10.224.52.0 255.255.252.0
access-list SplitTunnelList standard permit 244.0.0.0 255.0.0.0
access-list inside_access_in extended deny ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 inactive
access-list inside_access_in extended permit ip any any
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.50.192 255.255.255.192
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.224.52.0 255.255.252.0
access-list outside_access_in extended permit tcp host y.y.y.y any eq www
access-list outside_access_in extended permit tcp host y.y.y.y any eq https
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq ldap
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any eq 8888
access-list outside_access_in extended deny tcp any any eq www
access-list outside_access_in extended deny tcp any any eq ldap
access-list outside_access_in extended deny tcp any any eq https
access-list outside_access_in extended deny tcp any any eq 8888
access-list outside_access_in extended permit ip any any
access-list inside_ldap_for_srvs extended permit tcp host 192.168.5.2 eq ldap object-group DM_INLINE_NETWORK_1
access-list inside_http_for_x extended permit tcp host 192.168.5.5 eq www host y.y.y.y
access-list outside_vpn1_cryptomap extended permit ip host x.x.x.x object-group VPN1_NETWORK
access-list outside_vpn2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0
access-list inside_nat_static extended permit tcp host 192.168.5.2 eq https host y.y.y.y
access-list inside_nat_static_1 extended permit tcp host 192.168.5.14 eq 8080 object-group DM_INLINE_NETWORK_3 inactive
pager lines 24
logging timestamp
logging asdm informational
logging host inside 192.168.5.14
logging class auth console debugging
logging class webvpn console debugging
logging class svc console debugging
logging class ssl console debugging
mtu inside 1500
mtu outside 1500
ip local pool CTVPN-Pool 192.168.50.192-192.168.50.220 mask 255.255.255.192
ipv6 access-list inside_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no_nat
static (inside,outside) tcp interface 18005 192.168.5.20 18005 netmask 255.255.255.255
static (inside,outside) tcp interface www access-list inside_http_for_x
static (inside,outside) tcp interface ldap access-list inside_ldap_for_srvs
static (inside,outside) tcp interface https access-list inside_nat_static
static (inside,outside) tcp interface 8888 access-list inside_nat_static_1
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.100.50.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CT-LDAP protocol ldap
aaa-server CT-LDAP (inside) host 192.168.5.2
timeout 5
ldap-base-dn cn=users,dc=x,dc=x,dc=com
ldap-scope subtree
ldap-naming-attribute uid
server-type auto-detect
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server user authOnlyUser No_Authentication_No_Encryption v3
snmp-server host inside 192.168.5.14 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set VPN1_AES256SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address outside_vpn1_cryptomap
crypto map outside_map 10 set peer 100.75.50.25
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set nat-t-disable
crypto map outside_map 10 set reverse-route
crypto map outside_map 20 match address outside_vpn2_cryptomap
crypto map outside_map 20 set peer 70.50.30.10
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set reverse-route
crypto map outside_map 30 match address outside_vpn2_cryptomap
crypto map outside_map 30 set peer 70.50.35.10
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 30 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=x,O=x,C=x,St=x,L=x
keypair DigiCertCT.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate x
quit
certificate ca x
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 192.168.5.2
!
dhcpd address 192.168.5.100-192.168.5.199 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 199.4.29.166 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 8080
enable outside
dtls port 8080
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
banner value Unauthorized access prohibited
banner value Authorized access only
banner value This system is the property of xxx
banner value Disconnect IMMEDIATELY if you are not an authorized user!
dns-server value 192.168.5.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelList
split-dns value x.x.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username sysad password x encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool CTVPN-Pool
authentication-server-group CT-LDAP
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool CTVPN-Pool
authentication-server-group CT-LDAP
default-group-policy DefaultRAGroup
tunnel-group DefaultWEBVPNGroup webvpn-attributes
dns-group VPNDNS
tunnel-group 100.75.50.25 type ipsec-l2l
tunnel-group 100.75.50.25 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group 70.50.30.10 type ipsec-l2l
tunnel-group 70.50.30.10 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group 70.50.35.10 type ipsec-l2l
tunnel-group 70.50.35.10 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ca6cc312ba1ccbbbe66cd8427fa6bf12
: end
02-08-2012 11:18 AM
Hi Kyle,
You need to alter the statements below:
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.50.192 255.255.255.192
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0
The no_nat ACL is applied to the outside interface, so the source would be your VPN pool and the destination the remote subnets.
Ex: Remote subnet 192.169.200.x
--------------------------------------------------
access-list no_nat extended permit ip 192.168.50.0 255.255.255.192 192.168.200.0 255.255.255.0
add a similar ACL (with proper syntax) to the crypto ACLs (ex: outside_vpn2_cryptomap)
-------------------------------------------------
On the remote end ASA/VPN device, you need to create the same nonat/crypto ACL rules with the source as the remote n/w and the destination as the VPN pool.
Add the remote location subnets to the split-tunnel list.
hth
MS
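The reply above amounts to a checklist: the AnyConnect pool must be the source in the NAT-exemption ACL bound to `nat (outside) 0` and in each site-to-site crypto ACL, and the remote subnets must be in the split-tunnel list. The script below is an added example, not part of the thread or Cisco's tooling. It parses a constructed ASA 8.2 excerpt modelled on the posted config (the `BEFORE` string uses the thread's addresses) and reports, per crypto map entry, which of those conditions is unmet; it also checks for `same-security-traffic permit intra-interface`, which the ASA needs before traffic that arrived decrypted on the outside interface can be sent back out that same interface into a site-to-site tunnel. That intra-interface check is mine; the thread does not mention it. `AFTER` is the same excerpt with the lines the reply asks for added.

```python
import ipaddress

# Constructed excerpt of an ASA 8.2 running config, modelled on the config
# posted in the thread (AnyConnect pool 192.168.50.192-220, remote subnets
# 10.224.52.0/22 and object-group VPN1_NETWORK). Not the original verbatim.
BEFORE = """\
ip local pool CTVPN-Pool 192.168.50.192-192.168.50.220 mask 255.255.255.192
object-group network VPN1_NETWORK
 network-object 244.0.0.0 255.0.0.0
access-list SplitTunnelList standard permit 10.224.52.0 255.255.252.0
access-list SplitTunnelList standard permit 244.0.0.0 255.0.0.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.50.192 255.255.255.192
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0
access-list outside_vpn1_cryptomap extended permit ip host 200.100.50.25 object-group VPN1_NETWORK
access-list outside_vpn2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0
nat (outside) 0 access-list no_nat
crypto map outside_map 10 match address outside_vpn1_cryptomap
crypto map outside_map 20 match address outside_vpn2_cryptomap
split-tunnel-network-list value SplitTunnelList
"""

# Same excerpt plus the lines the reply asks for (pool as source in the
# NAT-exemption and crypto ACLs) and the intra-interface permit, which is an
# added check rather than something the thread mentions.
AFTER = BEFORE + """\
same-security-traffic permit intra-interface
access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK
access-list outside_vpn1_cryptomap extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK
access-list outside_vpn2_cryptomap extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
"""


def _addr(tok, groups):
    """Consume one ASA address spec (any / host A / A MASK / object-group G) from tok."""
    t = tok.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tok.pop(0))]
    if t == "object-group":
        return list(groups[tok.pop(0)])
    return [ipaddress.ip_network(f"{t}/{tok.pop(0)}")]


def parse(text):
    """Collect the config pieces that decide whether pool traffic enters a L2L tunnel."""
    cfg = {"pool": [], "groups": {}, "ext": {}, "std": {}, "crypto": [],
           "nat0": None, "split": None, "intra": False}
    group = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            group = cfg["groups"].setdefault(tok[2], [])
        elif tok[0] == "network-object":
            group.extend(_addr(tok[1:], cfg["groups"]))
        elif tok[:3] == ["ip", "local", "pool"]:  # expand START-END into addresses
            lo, hi = (int(ipaddress.ip_address(a)) for a in tok[4].split("-"))
            cfg["pool"] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
        elif tok[0] == "access-list" and len(tok) > 5 and tok[3] == "permit" and "inactive" not in tok:
            if tok[2] == "standard":
                cfg["std"].setdefault(tok[1], []).append(ipaddress.ip_network(f"{tok[4]}/{tok[5]}"))
            elif tok[4] == "ip":  # expand object-groups into (src, dst) pairs
                rest = tok[5:]
                src, dst = _addr(rest, cfg["groups"]), _addr(rest, cfg["groups"])
                cfg["ext"].setdefault(tok[1], []).extend((s, d) for s in src for d in dst)
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            cfg["crypto"].append(tok[-1])
        elif tok[:3] == ["nat", "(outside)", "0"]:
            cfg["nat0"] = tok[-1]
        elif tok[0] == "split-tunnel-network-list":
            cfg["split"] = tok[-1]
        elif tok == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra"] = True
    return cfg


def _covers(pairs, pool, remote):
    """True when every pool address is permitted to the whole remote subnet."""
    return all(any(a in s and remote.subnet_of(d) for s, d in pairs) for a in pool)


def audit(text):
    """List the gaps that stop AnyConnect users from reaching the site-to-site subnets."""
    cfg = parse(text)
    gaps = []
    if not cfg["intra"]:
        gaps.append("missing 'same-security-traffic permit intra-interface'")
    nat0 = cfg["ext"].get(cfg["nat0"], [])
    split = cfg["std"].get(cfg["split"], [])
    for name in cfg["crypto"]:
        pairs = cfg["ext"].get(name, [])
        for remote in sorted({d for _, d in pairs}):  # each remote subnet this map protects
            if not _covers(pairs, cfg["pool"], remote):
                gaps.append(f"{name}: pool -> {remote} not in crypto ACL")
            if not _covers(nat0, cfg["pool"], remote):
                gaps.append(f"{cfg['nat0']}: pool -> {remote} not NAT-exempt")
            if not any(remote.subnet_of(n) for n in split):
                gaps.append(f"{cfg['split']}: {remote} not in split-tunnel list")
    return gaps


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "no gaps found")
```

Run as-is it reports five gaps for `BEFORE` (the missing intra-interface permit, and for each of the two crypto maps the pool absent from both the crypto ACL and the NAT exemption) and none for `AFTER`. What it cannot see is the remote end: as the reply says, each peer still needs the mirrored crypto and no-NAT rules with the pool as destination, or the tunnel will not negotiate that traffic selector.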
02-09-2012 10:33 AM
Thanks MS. Been very busy lately and will give that a shot when I have a chance. Just to clarify, the crypto ACLs would look like this:
access-list outside_vpn1_cryptomap extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK
and
access-list outside_vpn2_cryptomap extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
is this correct?
02-13-2012 05:57 AM
I tried adding the following ACLs with no luck.
access-list SplitTunnelList standard permit 192.168.5.0 255.255.255.0
access-list SplitTunnelList standard permit 10.224.52.0 255.255.252.0
access-list SplitTunnelList standard permit 19.0.0.0 255.0.0.0
access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK inactive
access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 192.168.5.0 255.255.255.0
access-list outside_vpn1_cryptomap extended permit ip host 200.100.50.25 object-group VPN1_NETWORK
access-list outside_vpn1_cryptomap extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK
access-list outside_vpn2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0
access-list outside_vpn2_cryptomap extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
Doing a traceroute through the VPN just times out. I don't have access to change the remote site VPN device configs. Is there a way I can masquerade the VPN subnet (192.168.50.192/27) as the local subnet (192.168.5.0/24) so that connecting via VPN will act exactly like being in the office (having access to the two site-to-site tunnels)?