
L2L Configuration between 2 ASA & Remote Dial-in

fortis123 (Level 1)

Hi All,

Scenario:

SiteA: 10.10.0.0/16 (10.10.50.0/24 --> Servers)
VPN dial-in users: 10.10.40.0/24
Public IP: 1.1.1.1/24

SiteB: 10.20.0.0/16 (10.20.50.0/24 --> Servers)
VPN dial-in users: 10.20.40.0/24
Public IP: 2.2.2.2/24

Client requirement:

1. Users at SITEA can dial in to the SiteA ASA, access SITE A & SITE B resources, and reach SITEB VPNed-in users.
2. Vice versa for users at SITEB.
3. SITEA and SITEB ASA should run an L2L tunnel (of course this is a must for this to work).

My sample config for SiteB (Site A --> same with changed IPs). Please review if this is sufficient:

For Remote Dial-in:

ip local pool RemoteDialPool 10.20.40.1-10.20.40.254 mask 255.255.255.0
crypto ipsec transform-set VPN-IN-USERS esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set VPN-IN-USERS
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto isakmp enable Outside
crypto map Outside_map interface Outside
crypto isakmp nat-traversal 20
group-policy Remote_Dialin internal
group-policy Remote_Dialin attributes
 vpn-idle-timeout 180
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Dialin_splitTunnelAcl
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list Inside_nat0_outbound extended permit ip any 10.20.40.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound

L2L Tunneling:

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (Inside) 0 access-list nonat
crypto ipsec transform-set SiteB2SiteA esp-3des esp-md5-hmac
crypto map Outside_map 30 match address SiteB-SiteA
crypto map Outside_map 30 set peer 1.1.1.1
crypto map Outside_map 30 set transform-set SiteB2SiteA
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp identity address
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key xxxxxxxxxx

Thank you in advance

MS

5 Replies

fortis123 (Level 1)

Any takers...???

thank you

MS

acomiskey (Level 10)

I'll give it a shot although it's a little late...

Site A-

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.0.0 255.255.0.0 10.20.40.0 255.255.255.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list SiteA-SiteB extended permit ip 10.10.40.0 255.255.255.0 10.20.40.0 255.255.255.0

Site B-

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.40.0 255.255.255.0
access-list SiteB-SiteA extended permit ip 10.20.40.0 255.255.255.0 10.10.40.0 255.255.255.0

Note: Your remote access VPN pools should not be part of your internal LAN; for instance, 10.10.40.0/24 is part of 10.10.0.0/16. Change your pools to something outside 10.10.0.0/16 and make the corrections in the ACLs above.

ex. 10.100.40.0 255.255.255.0
10.200.40.0 255.255.255.0
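The reply above builds the NAT-exemption and crypto ACLs by hand for every LAN/pool combination and warns that the dial-in pools sit inside the inside LAN, which also answers the original question of whether a single /16 entry already covers the pool. The following Python script is an added example, not code from the thread or from Cisco: it takes the thread's addressing as a constructed sample topology, generates the same ACL entries for both ASAs, checks that the two crypto ACLs are exact mirror images (phase-2 proxy identities must match), flags a pool that overlaps its site's LAN, and lists ACL entries that a broader entry already covers. Site names, the `SITES` dictionary and the ACL names are assumptions made for the example.

```python
import ipaddress
from itertools import product

# Constructed sample topology using the addressing from the thread (not a real deployment).
SITES = {
    "A": {"lan": "10.10.0.0/16", "pool": "10.10.40.0/24", "acl": "SiteA-SiteB"},
    "B": {"lan": "10.20.0.0/16", "pool": "10.20.40.0/24", "acl": "SiteB-SiteA"},
}


def net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def pool_overlaps_lan(site):
    """True when the remote-access pool lies inside the site's inside LAN (the reply's warning)."""
    return net(site["pool"]).overlaps(net(site["lan"]))


def interesting_traffic(local, remote):
    """(src, dst) pairs the local ASA must crypto-match: local LAN and local RA pool
    talking to the remote LAN and the remote RA pool."""
    srcs = [net(local["lan"]), net(local["pool"])]
    dsts = [net(remote["lan"]), net(remote["pool"])]
    return list(product(srcs, dsts))


def acl_line(name, src, dst):
    """Render one ASA extended ACL entry (network + netmask notation) for a (src, dst) pair."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def site_config(local, remote):
    """Lines for one side: hairpin permit, NAT exemption for LAN-sourced traffic, crypto ACL."""
    pairs = interesting_traffic(local, remote)
    lan = net(local["lan"])
    lines = ["same-security-traffic permit intra-interface"]
    # nat (Inside) 0 only sees traffic entering Inside, so exempt the LAN-sourced pairs here.
    lines += [acl_line("nonat", s, d) for s, d in pairs if s == lan]
    lines += [acl_line(local["acl"], s, d) for s, d in pairs]
    return lines


def mirrors(local_pairs, remote_pairs):
    """Crypto ACLs on the two peers must be exact mirror images; otherwise proxy IDs disagree."""
    return set(local_pairs) == {(d, s) for s, d in remote_pairs}


def redundant_pairs(pairs):
    """Entries already covered by a broader entry in the same ACL (e.g. a /24 pool inside a /16 LAN)."""
    covered = []
    for s, d in pairs:
        for s2, d2 in pairs:
            if (s2, d2) != (s, d) and s.subnet_of(s2) and d.subnet_of(d2):
                covered.append((s, d))
                break
    return covered


def review(sites=SITES):
    """Run all checks for both sides and return the findings as text lines."""
    a, b = sites["A"], sites["B"]
    findings = []
    for name, site in sites.items():
        if pool_overlaps_lan(site):
            findings.append(f"Site {name}: pool {site['pool']} overlaps inside LAN {site['lan']}")
    ab, ba = interesting_traffic(a, b), interesting_traffic(b, a)
    findings.append("crypto ACLs mirror: " + ("yes" if mirrors(ab, ba) else "NO"))
    for side, pairs in (("A", ab), ("B", ba)):
        for s, d in redundant_pairs(pairs):
            findings.append(f"Site {side}: {s} -> {d} is already covered by a broader entry")
    return findings


if __name__ == "__main__":
    for line in site_config(SITES["A"], SITES["B"]) + site_config(SITES["B"], SITES["A"]):
        print(line)
    print()
    print("\n".join(review()))
```

With the thread's addressing the script reports both pools overlapping their LANs and marks the three pool-specific entries on each side as covered by the LAN-to-LAN /16 entry, which is why the original /16 ACL "works"; with pools moved outside the LANs (for example the 10.100.40.0/24 and 10.200.40.0/24 suggested above) no entry is redundant and every pool line is required.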

Hi,

Thank you for your reply. 10.20.0.0/16 is allocated for use at SiteB. Not the entire range is being advertised. In the routing protocol individual subnets are being advertised, so 10.20.40.0 is not being advertised via the routing protocol. Ex: 10.20.50.0/24 --> Servers, 10.20.25.0/24 --> N/W management & 10.20.40.0/24 for VPN users.

So now...

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SiteB-SiteA extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

Will this not cover the entire range from B-->A?

Do I need separate subnets to be listed (as you mentioned)..?

Please suggest..

Thank you

MS

When configuring remote access vpn, you always want the vpn client pool to be outside the range of the inside subnet.

Thank you all for your replies.

Everything is working fine (remote, L2L) with the existing IPs. Just need specific ACLs for the dial-in user subnet instead of the /16 ACL.

Thank you

MS
