
ASA VPN issues

I am trying to set up VLANs to test between my site-to-site tunnels and seem to be having issues with my VoIP and main VLAN, as well as access to the remote VLAN, which is the 192.168.220.0 network. I can't get the phones to access the remote network, and the remote side has an ACL on it to allow 10.150.10.0. Also, is there a way to allow telnet to work across the VPN? I could do it with ASA 8.2.5 but I'm unsure how to do this with 9.1.2.

ASA Version 9.1(2)
!
hostname ASM-ASA
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
ip local pool VPNpool 10.150.254.1-10.150.254.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 description vader-pc
 switchport trunk allowed vlan 1010
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/7
 switchport trunk allowed vlan 1010
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.150.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan1001
 security-level 100
 ip address 10.150.98.1 255.255.255.0
!
interface Vlan1002
 no nameif
 no security-level
 no ip address
!
interface Vlan1010
 nameif voip
 security-level 100
 ip address 10.150.10.1 255.255.255.0
!
interface Vlan1099
 nameif Wireless
 security-level 90
 ip address 10.150.99.1 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-ExchangeSever-smtp
 host 10.150.1.60
object network obj-ExchangeSever-www
 host 10.150.1.60
object network obj-ExchangeSever-https
 host 10.150.1.60
object network obj-Linux-Desktop
 host 10.150.1.99
object network obj-ExchangeSever-tftp
 host 10.150.1.60
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-voip
 subnet 10.150.10.0 255.255.255.0
object-group network Subnet_ASM_Local
 network-object 10.150.1.0 255.255.255.0
object-group network VPN_Remote_Subnets
 group-object Subnet_ASM_Local
object-group network TSG
 network-object 192.168.220.0 255.255.255.0
object-group network Subnet_VPN_Client
 network-object 10.150.254.0 255.255.255.0
object-group network Voip
 network-object 10.150.10.0 255.255.255.0
object-group network Subnet_Remote_Networks
 group-object TSG
 group-object Subnet_VPN_Client
 group-object Voip
object-group network obj-ExchangeSever
 network-object host 10.150.1.60
object-group network obj-Linux
 network-object host 10.150.1.99
access-list ACL_NONAT_VPN_Traffic extended permit ip object-group Subnet_ASM_Local object-group Subnet_Remote_Networks
access-list incoming extended permit tcp any4 host 10.150.1.60 eq smtp
access-list incoming extended permit tcp any4 host 10.150.1.60 eq www
access-list incoming extended permit tcp any4 host 10.150.1.60 eq 69
access-list incoming extended permit tcp any4 host 10.150.1.60 eq https
access-list incoming extended permit tcp any4 object-group obj-ExchangeSever eq www
access-list incoming extended permit tcp any4 object-group obj-ExchangeSever eq https
access-list incoming extended permit udp any4 host 10.150.1.60 eq tftp
access-list incoming extended permit tcp any4 host 10.150.1.99 eq ssh
access-list incoming extended permit tcp any4 host 10.150.1.50 eq 32400
access-list ACL_VPN_Client extended permit ip object-group Subnet_ASM_Local object-group Subnet_VPN_Client
access-list ACL_TSG extended permit ip object-group Subnet_ASM_Local object-group TSG
!
snmp-map public
!
pager lines 24
logging enable
logging timestamp
logging list logging level warnings
logging buffered debugging
logging trap debugging
logging asdm informational
logging mail alerts
logging facility 21
logging host inside 10.150.1.70
flow-export destination inside 10.150.1.70 2055
mtu inside 1500
mtu outside 1500
mtu jamiewifi 1500
mtu voip 1500
mtu Wireless 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp inside 10.150.1.19 2437.4c87.156e
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static Subnet_ASM_Local Subnet_ASM_Local destination static Subnet_Remote_Networks Subnet_Remote_Networks no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-ExchangeSever-smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-ExchangeSever-www
 nat (inside,outside) static interface service tcp www www
object network obj-ExchangeSever-https
 nat (inside,outside) static interface service tcp https https
object network obj-Linux-Desktop
 nat (inside,outside) static interface service tcp ssh ssh
object network obj-ExchangeSever-tftp
 nat (inside,outside) static interface service udp tftp tftp
object network obj_any-01
 nat (voip,outside) dynamic interface
object network obj-voip
 nat (inside,voip) static 10.150.10.0
access-group incoming in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http server idle-timeout 180
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
service internal
crypto ipsec ikev1 transform-set ASM-Main esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ASM-Main2 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map asm-map 1 set ikev1 transform-set ASM-Main
crypto dynamic-map asm-map 1 set security-association lifetime seconds 2147483647
crypto dynamic-map asm-map 1 set security-association lifetime kilobytes 2147483647
crypto dynamic-map ASMMAP 1 set ikev1 transform-set ASM-Main
crypto dynamic-map ASMMAP 1 set security-association lifetime seconds 2147483647
crypto dynamic-map ASMMAP 1 set security-association lifetime kilobytes 2147483647
crypto dynamic-map ASMMAPdynmap 5 set ikev1 transform-set ASM-Main
crypto map ASMMAP 65535 ipsec-isakmp dynamic ASMMAPdynmap
crypto map ASMMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
!
dhcpd address 10.150.10.5-10.150.10.253 voip
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41 source outside
tftp-server inside 10.150.1.60 cisco/ASM-ASA.rtf
group-policy ASM-VPN internal
group-policy ASM-VPN attributes
 wins-server value 10.150.1.60
 dns-server value 10.150.1.60
 vpn-idle-timeout 120
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_VPN_Client
 address-pools value VPNpool
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key
 isakmp keepalive threshold 10 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
no loopback-proxy server
no loopback-proxy client syslog
Cryptochecksum:87522c3b177b22f6600d07176bcd7c28
: end
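The first thing to check in a post-8.3 ASA configuration like the one above is whether each internal subnet appears as a *source* in both the twice-NAT exemption (`nat (inside,any) source static ...`) and the crypto ACL that selects tunnel traffic (`ACL_TSG`), since a packet that is translated to the outside interface address never matches the tunnel's interesting traffic. The script below is an added example, not part of the original post: it parses the object-groups, the NAT exemption and the two ACLs copied from the posted config (a constructed sample embedded inline), expands nested `group-object` entries, and reports, per inside-facing subnet, which rules carry it untranslated toward 192.168.220.0/24. The interface subnets (inside, voip, Wireless) and the remote VLAN are taken from the posted config; it talks to no device and assumes nothing else.

```python
"""Added example (not from the original post): check which inside-facing
subnets of the posted ASA config are covered, as a *source*, by the
twice-NAT exemption and by the crypto ACL toward the remote VLAN."""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the posted configuration.
SAMPLE_CONFIG = """\
object-group network Subnet_ASM_Local
 network-object 10.150.1.0 255.255.255.0
object-group network TSG
 network-object 192.168.220.0 255.255.255.0
object-group network Subnet_VPN_Client
 network-object 10.150.254.0 255.255.255.0
object-group network Voip
 network-object 10.150.10.0 255.255.255.0
object-group network Subnet_Remote_Networks
 group-object TSG
 group-object Subnet_VPN_Client
 group-object Voip
access-list ACL_NONAT_VPN_Traffic extended permit ip object-group Subnet_ASM_Local object-group Subnet_Remote_Networks
access-list ACL_TSG extended permit ip object-group Subnet_ASM_Local object-group TSG
nat (inside,any) source static Subnet_ASM_Local Subnet_ASM_Local destination static Subnet_Remote_Networks Subnet_Remote_Networks no-proxy-arp
"""

# Inside-facing interface subnets (nameif -> subnet) from the posted config.
LOCAL_SUBNETS = {
    "inside": ipaddress.ip_network("10.150.1.0/24"),
    "voip": ipaddress.ip_network("10.150.10.0/24"),
    "Wireless": ipaddress.ip_network("10.150.99.0/24"),
}
REMOTE_LAN = ipaddress.ip_network("192.168.220.0/24")  # the remote VLAN asked about

# Only the object-group based forms used in the posted config are parsed.
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+) \S+")
ACL_RE = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")


def parse_object_groups(text):
    """Return {group name: [ip_network, ...]} with nested group-object entries expanded."""
    raw, current = {}, None
    for line in text.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            raw[current] = []
        elif current and line.strip().startswith("network-object "):
            _, addr, mask = line.split()
            raw[current].append(ipaddress.ip_network(f"{addr}/{mask}"))
        elif current and line.strip().startswith("group-object "):
            raw[current].append(line.split()[1])  # group name, resolved below
        else:
            current = None  # any other top-level line ends the group

    def expand(name, seen=()):
        out = []
        for item in raw[name]:
            if isinstance(item, str):  # nested group reference
                if item in seen:
                    raise ValueError(f"group-object loop at {item}")
                out.extend(expand(item, seen + (name,)))
            else:
                out.append(item)
        return out

    return {name: expand(name) for name in raw}


def rules(text, groups):
    """Yield (label, source networks, destination networks) for each
    object-group based NAT exemption and 'permit ip' ACE in the text."""
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            yield f"nat ({m.group(1)},{m.group(2)})", groups[m.group(3)], groups[m.group(4)]
            continue
        m = ACL_RE.match(line)
        if m:
            yield f"access-list {m.group(1)}", groups[m.group(2)], groups[m.group(3)]


def coverage(text):
    """For each local subnet, list the rules whose source covers it and whose
    destination covers REMOTE_LAN.  An empty list means that subnet is neither
    exempted from NAT nor selected as interesting traffic toward the remote LAN."""
    groups = parse_object_groups(text)
    report = {}
    for ifname, local in LOCAL_SUBNETS.items():
        report[ifname] = [
            label
            for label, srcs, dsts in rules(text, groups)
            if any(local.subnet_of(s) for s in srcs)
            and any(REMOTE_LAN.subnet_of(d) for d in dsts)
        ]
    return report


if __name__ == "__main__":
    for ifname, hits in coverage(SAMPLE_CONFIG).items():
        status = ", ".join(hits) if hits else "NOT covered"
        print(f"{ifname:9s} -> {REMOTE_LAN}: {status}")
```

On this input only the inside subnet (10.150.1.0/24) is reported as covered, by `ACL_NONAT_VPN_Traffic`, `ACL_TSG` and the `nat (inside,any)` rule. The voip (10.150.10.0/24) and Wireless subnets are not a source in any of them: the `Voip` group appears only as a *destination* inside `Subnet_Remote_Networks`, which exempts inside-to-voip traffic but not voip-to-remote, so phone traffic toward 192.168.220.0/24 falls through to `nat (voip,outside) dynamic interface` and is PAT'd rather than tunnelled. The `ssh` and `telnet` lines near the end of the config are restricted by source address and interface in the same way, which is the place to look for the management-over-VPN question.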
