12-12-2011 06:42 AM
Is it possible to allow remote-access VPN users access to another remote site through a VPN tunnel? Can anyone point me to some configuration on how this can be achieved?
I have already configured a site-to-site VPN between a PIX and an ASA, and remote-access VPN is also configured on the PIX (IPsec client). I am trying to allow any clients connecting to the PIX to also have access to the inside network of the ASA.
Thanks,
Ash
12-12-2011 08:53 AM
Here you go:
Basically you would need to do three things:
1. Modify the interesting traffic of the L2L tunnel
2. Modify the split-tunneling ACL of the VPN client
3. Allow intra-interface communication.
HTH
Raga
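As an added example that is not part of this thread, here is a small Python checker for the three items above, run against a constructed excerpt of the hub (ASA) config that Ash posts later in the thread; the function names and the result keys are my own, and only `any`, `object-group` and `addr mask` ACL specs are understood.

```python
import ipaddress
import re

# Constructed excerpt of the hub (ASA) config pasted later in this thread.
ASA_CFG = """\
object-group network RA_SUBNETS
 network-object 10.0.40.0 255.255.255.0
object-group network REMOTE_SITE
 network-object 10.0.70.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object-group RA_SUBNETS object-group REMOTE_SITE
access-list SPLITTUNNEL extended permit ip object-group REMOTE_SITE any
"""

def parse_groups(cfg):
    """Map object-group name -> set of member networks (network-object lines only)."""
    groups = {}
    for name, body in re.findall(r"object-group network (\S+)\n((?: network-object .*\n)+)", cfg):
        groups[name] = {ipaddress.ip_network(f"{a}/{m}") for a, m in re.findall(r"network-object (\S+) (\S+)", body)}
    return groups

def _spec(tok, groups):
    """Consume one ACL address spec: any | object-group NAME | ADDR MASK."""
    if tok[0] == "any":
        return {ipaddress.ip_network("0.0.0.0/0")}, tok[1:]
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    return {ipaddress.ip_network(f"{tok[0]}/{tok[1]}")}, tok[2:]

def acl_pairs(cfg, name, groups):
    """Expand every 'permit ip' entry of ACL `name` into (src, dst) network pairs."""
    pairs = []
    for rest in re.findall(rf"^access-list {name} extended permit ip (.+)$", cfg, re.M):
        srcs, tok = _spec(rest.split(), groups)
        dsts, _ = _spec(tok, groups)
        pairs += [(s, d) for s in srcs for d in dsts]
    return pairs

def covers(pairs, src, dst):
    """True if some entry contains both the source and the destination network."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def hairpin_checks(cfg, pool, spoke):
    """The three requirements above, checked against a hub config (hypothetical helper)."""
    groups = parse_groups(cfg)
    pool, spoke, anynet = (ipaddress.ip_network(n) for n in (pool, spoke, "0.0.0.0/0"))
    return {
        "crypto_acl_includes_pool": covers(acl_pairs(cfg, "CRYPTO_ACL", groups), pool, spoke),
        "split_tunnel_includes_spoke": covers(acl_pairs(cfg, "SPLITTUNNEL", groups), spoke, anynet),
        "intra_interface_permitted": "same-security-traffic permit intra-interface" in cfg,
    }
```

The spoke side still needs the mirrored crypto-ACL entry (client pool to spoke LAN), which this hub-only check does not cover.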
12-13-2011 03:33 AM
Thanks for that, Luis. I have applied the configuration and the VPN client shows the two secured routes that I expected to see; however, the VPN client cannot communicate with the remote VPN spoke. I did a packet tracer and it allows the flow.
Any ideas why this might be happening?
12-13-2011 03:41 AM
Please post packet tracer output as well as ASA config.
12-13-2011 05:42 AM
Yes, please paste your config.
BTW, you also need to modify the other side of the tunnel to include the VPN client subnet as part of the interesting traffic.
Perhaps you missed that.
Regards.
12-13-2011 06:37 AM
Config below:
This is in a lab environment, all using live Cisco kit, so no packet tracer I'm afraid.
ASA - VPN client termination + L2L IPSec tunnel
ciscoasa(config)# packet-tracer input inside icmp 10.0.40.2 1 1 10.0.70.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 633, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)#
ciscoasa(config)# sho run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.12.12.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.39.1 255.255.255.0
!
object-group network INTERNAL
network-object 10.0.39.0 255.255.255.0
object-group network RA_SUBNETS
network-object 10.0.40.0 255.255.255.0
object-group network REMOTE_SITE
network-object 10.0.70.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list NO_NAT extended permit ip object-group INTERNAL object-group RA_SUBNETS
access-list NO_NAT extended permit ip object-group INTERNAL object-group REMOTE_SITE
access-list CRYPTO_ACL extended permit ip object-group INTERNAL object-group REMOTE_SITE
access-list CRYPTO_ACL extended permit ip object-group RA_SUBNETS object-group REMOTE_SITE
access-list SPLITTUNNEL extended permit ip object-group INTERNAL any
access-list SPLITTUNNEL extended permit ip object-group REMOTE_SITE any
access-list NAT_TRAFFIC extended permit ip object-group INTERNAL any
ip local pool RAPOOL 10.0.40.1-10.0.40.10 mask 255.255.255.0
n
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 access-list NAT_TRAFFIC
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 12.12.12.2 1
crypto ipsec transform-set ESP_AES esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set pfs
crypto dynamic-map DYN_MAP 10 set transform-set ESP_AES
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPNMAP 10 match address CRYPTO_ACL
crypto map VPNMAP 10 set pfs
crypto map VPNMAP 10 set peer 13.13.13.2
crypto map VPNMAP 10 set transform-set ESP_AES
crypto map VPNMAP 20 ipsec-isakmp dynamic DYN_MAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy vpn-policy internal
group-policy vpn-policy attributes
banner value Welcome to NTS VPN Network.
dns-server value 10.0.39.10
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUNNEL
username admin password 2IEpLd7895w0GBc7 encrypted
tunnel-group ASA-VPN type remote-access
tunnel-group ASA-VPN general-attributes
address-pool RAPOOL
default-group-policy vpn-policy
tunnel-group ASA-VPN ipsec-attributes
pre-shared-key *
tunnel-group 13.13.13.2 type ipsec-l2l
tunnel-group 13.13.13.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:e137d362cdc2bc106562d8aa154940e6
: end
PIX - L2L IPSec tunnel
pixfirewall(config)# sho run
: Saved
:
PIX Version 7.2(1)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 13.13.13.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.70.1 255.255.255.0
!
object-group network INTERNAL
network-object 10.0.70.0 255.255.255.0
object-group network REMOTE_SITE
network-object 10.0.39.0 255.255.255.0
object-group network RA_SUBNET
network-object 10.0.40.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list NO_NAT extended permit ip object-group INTERNAL object-group REMOTE_SITE
access-list NO_NAT extended permit ip object-group INTERNAL object-group RA_SUBNET
access-list CRYPTO_ACL extended permit ip object-group INTERNAL object-group REMOTE_SITE
access-list CRYPTO_ACL extended permit ip object-group INTERNAL object-group RA_SUBNET
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 13.13.13.1 1
crypto ipsec transform-set ESP_AES esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address CRYPTO_ACL
crypto map VPNMAP 10 set pfs
crypto map VPNMAP 10 set peer 12.12.12.1
crypto map VPNMAP 10 set transform-set ESP_AES
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 12.12.12.1 type ipsec-l2l
tunnel-group 12.12.12.1 ipsec-attributes
pre-shared-key *
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
Public IPs are in a lab only and are not used on the internet.
thanks,
Ash
12-13-2011 06:51 AM
I guess you are also missing a command on the ASA, as said by Luis:
same-security-traffic permit intra-interface.
12-13-2011 06:55 AM
Sorry forgot to paste that in but that was configured on the ASA. Does it need to be configured on the PIX as well?
I used the sysopt connection permit-vpn command on the PIX...?
12-13-2011 07:06 AM
Please also paste output of show crypto ipsec sa.
12-13-2011 07:21 AM
PIX Output
pixfirewall(config)# sho cry ipsec sa
interface: outside
Crypto map tag: VPNMAP, seq num: 10, local addr: 13.13.13.2
access-list CRYPTO_ACL permit ip 10.0.70.0 255.255.255.0 10.0.39.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.70.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.39.0/255.255.255.0/0/0)
current_peer: 12.12.12.1
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 13.13.13.2, remote crypto endpt.: 12.12.12.1
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: A4BB743A
inbound esp sas:
spi: 0x00A5315D (10826077)
transform: esp-aes esp-sha-hmac
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 3, crypto-map: VPNMAP
sa timing: remaining key lifetime (kB/sec): (4274999/26633)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xA4BB743A (2763748410)
transform: esp-aes esp-sha-hmac
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 3, crypto-map: VPNMAP
sa timing: remaining key lifetime (kB/sec): (4274999/26633)
IV size: 16 bytes
replay detection support: Y
pixfirewall(config)#
ASA Output
ciscoasa(config)# sho crypto ipsec sa
interface: outside
Crypto map tag: DYN_MAP, seq num: 10, local addr: 12.12.12.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.40.1/255.255.255.255/0/0)
current_peer: 11.11.11.2, username: admin
dynamic allocated peer ip: 10.0.40.1
#pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
#pkts decaps: 155, #pkts decrypt: 155, #pkts verify: 155
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 31, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.12.12.1/4500, remote crypto endpt.: 11.11.11.2/64268
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: FB78154A
inbound esp sas:
spi: 0x72C684F7 (1925612791)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 32768, crypto-map: DYN_MAP
sa timing: remaining key lifetime (sec): 27331
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xFB78154A (4218950986)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 32768, crypto-map: DYN_MAP
sa timing: remaining key lifetime (sec): 27329
IV size: 16 bytes
replay detection support: Y
Crypto map tag: VPNMAP, seq num: 10, local addr: 12.12.12.1
access-list CRYPTO_ACL permit ip 10.0.39.0 255.255.255.0 10.0.70.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.39.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.70.0/255.255.255.0/0/0)
current_peer: 13.13.13.2
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 13.13.13.2
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 00A5315D
inbound esp sas:
spi: 0xA4BB743A (2763748410)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24576, crypto-map: VPNMAP
sa timing: remaining key lifetime (kB/sec): (3824999/26515)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x00A5315D (10826077)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24576, crypto-map: VPNMAP
sa timing: remaining key lifetime (kB/sec): (3824999/26515)
IV size: 16 bytes
replay detection support: Y
ciscoasa(config)#