Accessing Site-to-Site VPN through Client VPN

kyle.mcauliffe
Level 1

We have a Cisco ASA 5505 that has two Site-to-Site VPN connections.  When users connect through the AnyConnect client, they are unable to access these networks.  I have done some searching and tried several things to no avail.

VPN Network: 192.168.50.192/27

Internal Network: 192.168.5.0/24

Site-to-Site VPN Networks: object-group VPN1_NETWORK (let's say mainly 244.0.0.0/8) and 10.224.52.0/22

Any help would be most appreciated.  Here's the running config:

: Saved

:

ASA Version 8.2(1)

!

hostname x

domain-name x.com

enable password xxx encrypted

passwd xxx encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 200.100.50.25 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

shutdown

!            

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 200.100.50.26

name-server 200.100.50.27

domain-name x.com

dns server-group VPNDNS

name-server 192.168.5.2

domain-name x.com

object-group network VPN1_NETWORK

network-object x.x.x.x 255.255.240.0

network-object x.x.x.x 255.255.224.0

network-object x.x.x.x 255.255.224.0

network-object x.x.x.x 255.248.0.0

network-object 244.0.0.0 255.0.0.0

network-object x.x.x.x 255.255.252.0

object-group network DM_INLINE_NETWORK_1

network-object host y.y.y.y

network-object host y.y.y.y

object-group network DM_INLINE_NETWORK_2

network-object host y.y.y.y

network-object host y.y.y.y

object-group network DM_INLINE_NETWORK_3

network-object host y.y.y.y

network-object host y.y.y.y

network-object host y.y.y.y

network-object host y.y.y.y

network-object host y.y.y.y

object-group network DM_INLINE_NETWORK_5

network-object host y.y.y.y

network-object host y.y.y.y

network-object host y.y.y.y

network-object host y.y.y.y

network-object host y.y.y.y

access-list SplitTunnelList standard permit 192.168.5.0 255.255.255.0

access-list SplitTunnelList standard permit 10.224.52.0 255.255.252.0

access-list SplitTunnelList standard permit 244.0.0.0 255.0.0.0

access-list inside_access_in extended deny ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 inactive

access-list inside_access_in extended permit ip any any

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.50.192 255.255.255.192

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0

access-list inside_nat0_outbound extended permit ip any 192.168.50.192 255.255.255.224

access-list inside_nat0_outbound extended permit ip any 10.224.52.0 255.255.252.0

access-list outside_access_in extended permit tcp host y.y.y.y any eq www

access-list outside_access_in extended permit tcp host y.y.y.y any eq https

access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq ldap

access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any eq 8888

access-list outside_access_in extended deny tcp any any eq www

access-list outside_access_in extended deny tcp any any eq ldap

access-list outside_access_in extended deny tcp any any eq https

access-list outside_access_in extended deny tcp any any eq 8888

access-list outside_access_in extended permit ip any any

access-list inside_ldap_for_srvs extended permit tcp host 192.168.5.2 eq ldap object-group DM_INLINE_NETWORK_1

access-list inside_http_for_x extended permit tcp host 192.168.5.5 eq www host y.y.y.y

access-list outside_vpn1_cryptomap extended permit ip host x.x.x.x object-group VPN1_NETWORK

access-list outside_vpn2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0

access-list inside_nat_static extended permit tcp host 192.168.5.2 eq https host y.y.y.y

access-list inside_nat_static_1 extended permit tcp host 192.168.5.14 eq 8080 object-group DM_INLINE_NETWORK_3 inactive

pager lines 24

logging timestamp

logging asdm informational

logging host inside 192.168.5.14

logging class auth console debugging

logging class webvpn console debugging

logging class svc console debugging

logging class ssl console debugging

mtu inside 1500

mtu outside 1500

ip local pool CTVPN-Pool 192.168.50.192-192.168.50.220 mask 255.255.255.192

ipv6 access-list inside_access_ipv6_in permit ip any any

ipv6 access-list outside_access_ipv6_in permit ip any any

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.5.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list no_nat

static (inside,outside) tcp interface 18005 192.168.5.20 18005 netmask 255.255.255.255

static (inside,outside) tcp interface www access-list inside_http_for_x

static (inside,outside) tcp interface ldap access-list inside_ldap_for_srvs

static (inside,outside) tcp interface https access-list inside_nat_static

static (inside,outside) tcp interface 8888 access-list inside_nat_static_1

access-group inside_access_in in interface inside

access-group inside_access_ipv6_in in interface inside

access-group outside_access_in in interface outside

access-group outside_access_ipv6_in in interface outside

route outside 0.0.0.0 0.0.0.0 200.100.50.25 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server CT-LDAP protocol ldap

aaa-server CT-LDAP (inside) host 192.168.5.2

timeout 5

ldap-base-dn cn=users,dc=x,dc=x,dc=com

ldap-scope subtree

ldap-naming-attribute uid

server-type auto-detect

aaa authentication ssh console LOCAL

http server enable

http 192.168.5.0 255.255.255.0 inside

snmp-server group No_Authentication_No_Encryption v3 noauth

snmp-server user authOnlyUser No_Authentication_No_Encryption v3

snmp-server host inside 192.168.5.14 community public

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set VPN1_AES256SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 10 match address outside_vpn1_cryptomap

crypto map outside_map 10 set peer 100.75.50.25

crypto map outside_map 10 set transform-set ESP-AES-256-SHA

crypto map outside_map 10 set nat-t-disable

crypto map outside_map 10 set reverse-route

crypto map outside_map 20 match address outside_vpn2_cryptomap

crypto map outside_map 20 set peer 70.50.30.10

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 set reverse-route

crypto map outside_map 30 match address outside_vpn2_cryptomap

crypto map outside_map 30 set peer 70.50.35.10

crypto map outside_map 30 set transform-set ESP-3DES-MD5

crypto map outside_map 30 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=x,O=x,C=x,St=x,L=x

keypair DigiCertCT.key

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate x

  quit

certificate ca x

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.5.0 255.255.255.0 inside

ssh 192.168.50.0 255.255.255.0 inside

ssh timeout 30

console timeout 0

management-access inside

dhcpd dns 192.168.5.2

!

dhcpd address 192.168.5.100-192.168.5.199 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 199.4.29.166 source outside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

port 8080   

enable outside

dtls port 8080

svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2

svc enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

banner value Unauthorized access prohibited

banner value Authorized access only

banner value This system is the property of xxx

banner value Disconnect IMMEDIATELY if you are not an authorized user!

dns-server value 192.168.5.2

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnelList

split-dns value x.x.com

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username sysad password x encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool CTVPN-Pool

authentication-server-group CT-LDAP

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool CTVPN-Pool

authentication-server-group CT-LDAP

default-group-policy DefaultRAGroup

tunnel-group DefaultWEBVPNGroup webvpn-attributes

dns-group VPNDNS

tunnel-group 100.75.50.25 type ipsec-l2l

tunnel-group 100.75.50.25 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

isakmp keepalive disable

tunnel-group 70.50.30.10 type ipsec-l2l

tunnel-group 70.50.30.10 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

tunnel-group 70.50.35.10 type ipsec-l2l

tunnel-group 70.50.35.10 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:ca6cc312ba1ccbbbe66cd8427fa6bf12

: end

4 Replies

mvsheik123
Level 7

Hi Kyle,

You need to alter the below statements..

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.50.192 255.255.255.192

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0

The no_nat ACL is applied to outside interface, the source would be your VPN pool and destination - remote subnets.

Ex: Remote subnet 192.169.200.x

--------------------------------------------------

access-list no_nat extended permit ip 192.168.50.0 255.255.255.192 192.168.200.0  255.255.255.0

Add a similar ACL (with proper syntax) to the crypto ACLs (ex: outside_vpn2_cryptomap)

-------------------------------------------------

On the remote end ASA/VPN device, you need to create same nonat/crypto ACL rules with source as Remote n/w and destination - VPN pool.

Add the Remote location Subnets to Splittunnel list.

hth

MS

Thanks MS.  Been very busy lately and will give that a shot when I have a chance.  Just to clarify, the crypto ACLs would look like this:

access-list outside_vpn1_cryptomap extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK

and

access-list outside_vpn2_cryptomap extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0

is this correct?

I tried adding the following ACLs with no luck. 

access-list SplitTunnelList standard permit 192.168.5.0 255.255.255.0

access-list SplitTunnelList standard permit 10.224.52.0 255.255.252.0

access-list SplitTunnelList standard permit 19.0.0.0 255.0.0.0

access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK inactive

access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0

access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 192.168.5.0 255.255.255.0

access-list outside_vpn1_cryptomap extended permit ip host 200.100.50.25 object-group VPN1_NETWORK

access-list outside_vpn1_cryptomap extended permit ip 192.168.50.192 255.255.255.224 object-group VPN1_NETWORK

access-list outside_vpn2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 10.224.52.0 255.255.252.0

access-list outside_vpn2_cryptomap extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0

Doing a traceroute through the VPN just times out. I don't have access to change the remote site VPN device configs.  Is there a way that I can masquerade the VPN subnet (192.168.50.192/27) as the local subnet (192.168.5.0/24) so that connecting via VPN will act exactly like being in the office (having access to the two site-to-site tunnels)?

You may want to look into Policy nat.

https://supportforums.cisco.com/docs/DOC-1692

hth

MS
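One way to carry out the policy NAT suggestion above on ASA 8.2 without touching the remote peer, as an added example that is not from the thread or the linked document: the AnyConnect pool is hidden behind one spare inside address (192.168.5.254 is an assumption; pick any unused address in 192.168.5.0/24) for traffic bound to the VPN2 site, so the existing outside_vpn2_cryptomap already matches it. The same pattern applies to the VPN1 tunnel, whose crypto ACL has a single host as its local side, by using that host address as the PAT address.

```cisco
! Added example (not from the thread): policy PAT so AnyConnect clients
! (pool 192.168.50.192/27) reach the VPN2 site (10.224.52.0/22) from an
! inside address the existing crypto ACL already covers.
! Assumed free inside address: 192.168.5.254.
!
! 1. Client traffic arrives on outside and must leave on outside again.
same-security-traffic permit intra-interface
!
! 2. Match only client-to-VPN2 traffic for translation.
access-list RA_TO_VPN2_PAT extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
!
! 3. Policy PAT on the outside interface (the trailing "outside" keyword
!    makes it an outside NAT rule). NAT id 2 keeps it apart from the
!    existing inside id 1 rule.
nat (outside) 2 access-list RA_TO_VPN2_PAT outside
global (outside) 2 192.168.5.254
!
! 4. NAT exemption (nat 0 access-list) is evaluated before policy NAT,
!    so no no_nat line may claim the pool-to-10.224.52.0/22 traffic.
!    If one was added while testing, remove it:
no access-list no_nat extended permit ip 192.168.50.192 255.255.255.224 10.224.52.0 255.255.252.0
!
! 5. Nothing to add to outside_vpn2_cryptomap: the translated source
!    192.168.5.254 falls inside 192.168.5.0/24, which that ACL permits,
!    and SplitTunnelList already sends 10.224.52.0/22 into the tunnel.
!
! Verification from a connected client:
!   show xlate | include 192.168.50.       -> client mapped to 192.168.5.254
!   show crypto ipsec sa peer 70.50.30.10  -> encaps/decaps counters rising
```

Return traffic from the remote site is addressed to 192.168.5.254, which the ASA untranslates back to the client, so the remote peer keeps seeing only 192.168.5.0/24.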
