05-21-2012 06:41 PM
05-21-2012 08:30 PM
Hello,
Yes, just like you can make an AnyConnect client talk to a remote-access IPsec client.
Regards,
Do rate all the helpful posts
Julio
05-22-2012 07:22 AM
Julio, thanks for the reply. The logic for doing this is escaping me - I've set up the split tunnel and nonat access lists on the host ASA, so the routes are established when I VPN into the host ASA. However, I can't figure out what to configure between the host ASA and EasyVPN ASA. Can you throw me out some ideas? Thanks
Just to clarify, I also added the IPs to the split tunnel access lists in the group policy as well.
05-22-2012 07:30 AM
Just dawned on me I didn't reboot the remote ASA.
Still no luck after the reboot.
05-22-2012 10:03 AM
Hello,
That's it: the no-NAT configuration and the split-tunnel policy!
Also the crypto ACL for the remote-access IPsec.
If you want, you can post the configuration so we can review it.
Regards.
Do rate all the helpful posts
05-22-2012 11:30 AM
Here's the configuration. I'm trying to go from 192.168.104.x (tunnel-group Jerry*vpn) to 192.168.103.x (tunnel-group corpAG*vpn). Thanks
hostname HOST-ASA
domain-name domain.com
enable password * encrypted
passwd * encrypted
no names
!
interface Vlan1
nameif outside
security-level 0
ip address 70.1.1.1 255.255.255.128
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.15
domain-name corp.com
object-group network RESTRICTED-WEB-SITES
network-object 216.178.0.0 255.255.0.0
network-object 69.63.0.0 255.255.0.0
object-group icmp-type PERMITTED-ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service INSECURE-TCP tcp
port-object range 135 netbios-ssn
port-object eq 445
object-group service INSECURE-UDP udp
port-object eq tftp
port-object range 135 139
port-object eq 445
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list NONAT extended permit ip 172.16.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list NONAT extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list NONAT extended permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 172.16.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list INSIDE remark Deny insecure TCP and UDP traffic
access-list INSIDE extended deny tcp any any object-group INSECURE-TCP
access-list INSIDE extended deny udp any any object-group INSECURE-UDP
access-list INSIDE extended deny tcp any object-group INSECURE-TCP any
access-list INSIDE extended deny udp any object-group INSECURE-UDP any
access-list INSIDE extended permit ip any any
access-list dynamic-filter_acl extended permit ip any any
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended deny ip object-group HACKERS any
access-list OUTSIDE remark Permit journal from Mailbanc
access-list OUTSIDE extended permit tcp 98.129.23.0 255.255.255.0 host 70.164.68.31 eq smtp
access-list OUTSIDE extended permit tcp 98.129.35.0 255.255.255.0 host 70.164.68.31 eq smtp
access-list SPLIT-TUNNEL-JERRY extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL-JERRY extended permit ip 172.16.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL-JERRY extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL 172.16.10.1-172.16.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any inside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 70.164.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.15
key *****
url-cache dst 100
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map CORPVPN 100 ipsec-isakmp dynamic DYNMAP
crypto map CORPVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh * 255.255.255.0 outside
ssh * 255.255.255.255 outside
ssh * 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 30
vpnclient vpngroup * password *****
vpnclient username * password *****
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface outside classify-list dynamic-filter_acl
ntp server 67.67.4.29 source outside
ntp server 67.67.4.30 source outside prefer
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc profiles SBL disk0:/AnyConnectProfile.xml
svc enable
tunnel-group-list enable
group-policy corpwebvpn internal
group-policy corpwebvpn attributes
dns-server value 192.168.1.15 68.105.28.11
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value corpag.local
webvpn
svc keep-installer installed
svc rekey time 120
svc rekey method ssl
svc ask enable default svc
group-policy corpAG*vpn internal
group-policy corpAG*vpn attributes
dns-server value 192.168.1.15
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value corpag.local
nem enable
group-policy SBL internal
group-policy SBL attributes
dns-server value 192.168.1.15 68.105.28.11
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
webvpn
svc modules value vpngina
group-policy Jerry*vpn internal
group-policy Jerry*vpn attributes
dns-server value 192.168.1.15
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL-JERRY
default-domain value corpag.local
nem enable
username admin password lt4ZAySH8rIeJViu encrypted privilege 15
username adsne password B8QtKJ7qnjuh.RdQ encrypted
username ezvpn password BJQ42kSMQcqohZHm encrypted
tunnel-group corpwebvpn type remote-access
tunnel-group corpwebvpn general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy corpwebvpn
tunnel-group corpwebvpn webvpn-attributes
group-alias webvpn enable
tunnel-group corpAG*vpn type remote-access
tunnel-group corpAG*vpn general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy corpAG*vpn
tunnel-group corpAG*vpn ipsec-attributes
pre-shared-key *****
tunnel-group SBL type remote-access
tunnel-group SBL general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy SBL
tunnel-group SBL webvpn-attributes
group-alias SBLwebvpn enable
tunnel-group Jerry*vpn type remote-access
tunnel-group Jerry*vpn general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy Jerry*vpn
tunnel-group Jerry*vpn ipsec-attributes
pre-shared-key *****
!
class-map dynamic-filter_snoop_class
match port udp eq domain
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1536
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy dynamic-filter_snoop_policy interface outside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
05-22-2012 12:08 PM
Hello,
Please add the following:
access-list Nonat2 permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list Nonat2 permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0
nat (outside) 0 access-list Nonat2
same-security-traffic permit intra-interface
Regards,
Do rate all the helpful posts
Julio
05-22-2012 12:46 PM
Tried it, no luck. What I am seeing is that for "tunnel-group Jerry*vpn" there is an SA created for traffic between the two endpoints. This isn't the case for "tunnel-group corpAG*vpn".
05-23-2012 07:38 PM
Hello,
You need to bring up both SAs first: ping from the VPN client to the EzVPN client and then from the EzVPN client to the VPN client. That will bring up both SAs and you will be able to pass traffic after that.
Julio, you are right about the "same-security-traffic permit intra-interface" command, but in this particular case we don't need a NAT exemption for this traffic: from the hub's perspective the packets go from outside to outside, and since there is no nat (outside), we don't need the nonat.
You may want to remove this line as well:
access-list SPLIT-TUNNEL extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
We do recommend using standard ACLs for the split-tunnel however the way you have it should work too.
HTH!
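One way to audit the split-tunnel symmetry the last two replies describe, as an added example that is not from the thread or from Cisco: a small Python check that parses the extended access-list entries and the split-tunnel bindings from an ASA config (a constructed excerpt of the posted one), confirms that each EasyVPN group policy's split-tunnel ACL pushes the other client's network as a source (networks reachable through the tunnel), and flags entries whose source is the client's own network, which is the line Julio suggests removing. `hairpin_issues`, `NEM_NETS` and the config excerpt are assumptions for the example.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt modelled on the posted HOST-ASA config: only the lines
# the check needs (split-tunnel ACL entries and the per-group-policy bindings).
ASA_CONFIG = """
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.104.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list SPLIT-TUNNEL extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL-JERRY extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL-JERRY extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
group-policy corpAG*vpn attributes
 split-tunnel-network-list value SPLIT-TUNNEL
group-policy Jerry*vpn attributes
 split-tunnel-network-list value SPLIT-TUNNEL-JERRY
"""

# Network-extension-mode (nem) subnet behind each EasyVPN client (from the thread).
NEM_NETS = {"corpAG*vpn": IPv4Network("192.168.103.0/24"),
            "Jerry*vpn": IPv4Network("192.168.104.0/24")}

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")
STL_RE = re.compile(r"^\s*split-tunnel-network-list value (\S+)$")

def parse(config):
    """Return ({acl_name: [(src_net, dst_net)]}, {group_policy: acl_name})."""
    acls, bindings, current = {}, {}, None
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            src, dst = IPv4Network(f"{m[2]}/{m[3]}"), IPv4Network(f"{m[4]}/{m[5]}")
            acls.setdefault(m[1], []).append((src, dst))
        elif m := GP_RE.match(line):
            current = m[1]
        elif (m := STL_RE.match(line)) and current:
            bindings[current] = m[1]
    return acls, bindings

def hairpin_issues(config, nem_nets):
    """For each ordered pair (a, b) of EasyVPN policies, a's split-tunnel ACL must carry
    an entry with source = b's network and destination = a's network; an entry whose
    source is a's own network is flagged as the misplaced line discussed in the thread."""
    acls, bindings = parse(config)
    issues = []
    for a, net_a in nem_nets.items():
        entries = acls.get(bindings.get(a), [])
        for b, net_b in nem_nets.items():
            if a != b and not any(s == net_b and d == net_a for s, d in entries):
                issues.append(f"{a}: split tunnel lacks {net_b} -> {net_a}")
        for s, d in entries:
            if s == net_a:
                issues.append(f"{a}: entry {s} -> {d} uses the client's own network as source")
    return issues

if __name__ == "__main__":
    for issue in hairpin_issues(ASA_CONFIG, NEM_NETS):
        print(issue)
```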