Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

L2L Configuration between 2ASA & Remote Dial-in

Hi All,

Scenario:

SiteA : 10.10.0.0/16 (10.10.50.0/24--> Servers)

VPN dial in users: 10.10.40.0/24

Public ip:1.1.1.1/24

SiteB: 10.20.0.0/16 (10.20.50.0/24--> Servers)

VPN dial in users: 10.20.40.0/24

Public ip:2.2.2.2/24

Client requirement:

1. Users at SITEA can able Dial-in to SiteA ASA and able to access SITE A&SITE B resources and able reach SITEB VPNed in users.

2. Vice Versa for users at SITEB

3.SITEA and SITEB ASA should run L2L Tunnel(ofcourse this is must for this to work).

My sample config for SiteB (Site A -->same with changed IPs). please review if this is sufficient:

For Remote Dial-in:

ip local pool RemoteDialPool 10.20.40.1-10.20.40.254 mask 255.255.255.0

crypto ipsec transform-set VPN-IN-USERS esp-3des esp-md5-hmac

crypto dynamic-map Outside_dyn_map 20 set transform-set VPN-IN-USERS

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto isakmp enable Outside

crypto map Outside_map interface Outside

crypto isakmp nat-traversal 20

group-policy Remote_Dialin internal

group-policy Remote_Dialin attributes

vpn-idle-timeout 180

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Remote_Dialin_splitTunnelAcl

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

access-list Inside_nat0_outbound extended permit ip any 10.20.40.0 255.255.255.0

nat (Inside) 0 access-list Inside_nat0_outbound

L2L Tunneling:

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list SiteB-SiteA exended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

nat (Inside) 0 access-list nonat

crypto ipsec transform-set SiteB2SiteA esp-3des esp-md5-hmac

crypto map Outside_map 30 match address SiteB-SiteA

crypto map Outside_map 30 set peer 1.1.1.1

crypto map Outside_map 30 set transform-set SiteB2SiteA

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 5

isakmp policy 30 lifetime 86400

isakmp identity address

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key xxxxxxxxxx

Thank you in advance

MS

5 REPLIES
New Member

Re: L2L Configuration between 2ASA & Remote Dial-in

any takers...???

thank you

MS

Green

Re: L2L Configuration between 2ASA & Remote Dial-in

I'll give it a shot although it's a little late...

Site A-

same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0

access-list SiteA-SiteB exended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list SiteA-SiteB exended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0

access-list SiteA-SiteB exended permit ip 10.10.40.0 255.255.255.0 10.20.0.0 255.255.0.0

access-list SiteA-SiteB exended permit ip 10.10.40.0 255.255.255.0 10.20.40.0 255.255.255.0

Site B-

same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0

access-list SiteB-SiteA exended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list SiteB-SiteA exended permit ip 10.20.40.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list SiteB-SiteA exended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0

access-list SiteB-SiteA exended permit ip 10.20.40.0 255.255.255.0 10.10.40.0 255.255.255.0

Note: Your remote access vpn pools should not be part of your internal lan, for instance 10.10.40.0/24 is part of 10.10.0.0/16. Change your pools to something outside 10.10.0.0/16 and make the corrections in the acl's above.

ex. 10.100.40.0 255.255.255.0

10.200.40.0 255.255.255.0

New Member

Re: L2L Configuration between 2ASA & Remote Dial-in

Hi,

Thank you for your reply. 10.20.0.0/16 is allocated to use at siteB. Not entire range being advertised.In the routing protocol individual subnets being advetd. So 10.20.40.0 not being advertised via routing protocol.ex: 10.20.50.0/24-->Servers, 10.20.25.0/24--> N/w management & 10.20.40.0/24 for VPN users.

So now...

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list SiteB-SiteA exended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

Will not entire range from B-->A?

Do I need seperate subnets need to be listed (as you mentioned)..?

Please suggest..

Thank you

MS

Green

Re: L2L Configuration between 2ASA & Remote Dial-in

When configuring remote access vpn, you always want the vpn client pool to be outside the range of the inside subnet.

New Member

Re: L2L Configuration between 2ASA & Remote Dial-in

Thank you all for your replies.

Everything working fine (remote, L2L) with the existing IPs. Just need specific ALCs for dial-in user subnet instead of( /16 acl).

Thank you

MS

125
Views
0
Helpful
5
Replies