Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Need help with ASA/PIX VPN

Is it possible to allow remote access vpn users access to another remote site through a VPN tunnel? can anyone point me to some configuration on how this can be achieved?

I have already configured a site to site VPN between a PIX and ASA, and remote access VPN is also configured on the PIX (IPsec client). I am trying to allow any clients connecting the PIX to also have access to the inside network of the ASA.

Thanks,

Ash

1 ACCEPTED SOLUTION

Accepted Solutions

Need help with ASA/PIX VPN

Here you go:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Basicall you would need to do three things:

1. Modify the interesting traffic of the L2L tunnel

2. Modify the split tunneling ACL of the VPN client

3. Allow the comunication intra interfaces.

HTH

Raga

9 REPLIES

Need help with ASA/PIX VPN

Here you go:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Basicall you would need to do three things:

1. Modify the interesting traffic of the L2L tunnel

2. Modify the split tunneling ACL of the VPN client

3. Allow the comunication intra interfaces.

HTH

Raga

New Member

Need help with ASA/PIX VPN

Thanks for that Luis. I have applied the configuration and the VPN client shows the two secured routes that I expected to see, however the VPN client can not communicate with the remote VPN spoke. I did a packet tracer and it allows the flow.

Any ideas why this might be happening?

Need help with ASA/PIX VPN

Please post packet tracer output as well as ASA config.

Need help with ASA/PIX VPN

Yes, please paste your config.

BTW you also need to modify the other side of the tunnel to include the VPN client subnet as part of the interesting traffic.

Perhaps you missed that.

Regards.

New Member

Need help with ASA/PIX VPN

Config below:

This is in a lab environment all using live cisco kit so no packet tracer I'm afraid

ASA - VPN client termination + L2L IPSec tunnel

ciscoasa(config)# packet-tracer input inside icmp 10.0.40.2 1 1 10.0.70.2

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 633, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ciscoasa(config)#

ciscoasa(config)#

ciscoasa(config)#

ciscoasa(config)#

ciscoasa(config)# sho run

: Saved

:

ASA Version 8.0(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 12.12.12.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.39.1 255.255.255.0

!

object-group network INTERNAL

network-object 10.0.39.0 255.255.255.0

object-group network RA_SUBNETS

network-object 10.0.40.0 255.255.255.0

object-group network REMOTE_SITE

network-object 10.0.70.0 255.255.255.0

access-list OUTSIDE_IN extended permit icmp any any echo-reply

access-list OUTSIDE_IN extended permit icmp any any time-exceeded

access-list OUTSIDE_IN extended permit icmp any any unreachable

access-list NO_NAT extended permit ip object-group INTERNAL object-group RA_SUBNETS

access-list NO_NAT extended permit ip object-group INTERNAL object-group REMOTE_SITE

access-list CRYPTO_ACL extended permit ip object-group INTERNAL object-group REMOTE_SITE

access-list CRYPTO_ACL extended permit ip object-group RA_SUBNETS object-group REMOTE_SITE

access-list SPLITTUNNEL extended permit ip object-group INTERNAL any

access-list SPLITTUNNEL extended permit ip object-group REMOTE_SITE any

access-list NAT_TRAFFIC extended permit ip object-group INTERNAL any

ip local pool RAPOOL 10.0.40.1-10.0.40.10 mask 255.255.255.0

n

global (outside) 1 interface

nat (inside) 0 access-list NO_NAT

nat (inside) 1 access-list NAT_TRAFFIC

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 12.12.12.2 1

crypto ipsec transform-set ESP_AES esp-aes esp-sha-hmac

crypto dynamic-map DYN_MAP 10 set pfs

crypto dynamic-map DYN_MAP 10 set transform-set ESP_AES

crypto dynamic-map DYN_MAP 10 set reverse-route

crypto map VPNMAP 10 match address CRYPTO_ACL

crypto map VPNMAP 10 set pfs

crypto map VPNMAP 10 set peer 13.13.13.2

crypto map VPNMAP 10 set transform-set ESP_AES

crypto map VPNMAP 20 ipsec-isakmp dynamic DYN_MAP

crypto map VPNMAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

group-policy vpn-policy internal

group-policy vpn-policy attributes

banner value Welcome to NTS VPN Network.

dns-server value 10.0.39.10

vpn-idle-timeout 30

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLITTUNNEL

username admin password 2IEpLd7895w0GBc7 encrypted

tunnel-group ASA-VPN type remote-access

tunnel-group ASA-VPN general-attributes

address-pool RAPOOL

default-group-policy vpn-policy

tunnel-group ASA-VPN ipsec-attributes

pre-shared-key *

tunnel-group 13.13.13.2 type ipsec-l2l

tunnel-group 13.13.13.2 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:e137d362cdc2bc106562d8aa154940e6

: end

PIX - L2L IPSec tunnel

pixfirewall(config)# sho run

: Saved

:

PIX Version 7.2(1)

!

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 13.13.13.2 255.255.255.252

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.70.1 255.255.255.0

!

object-group network INTERNAL

network-object 10.0.70.0 255.255.255.0

object-group network REMOTE_SITE

network-object 10.0.39.0 255.255.255.0

object-group network RA_SUBNET

network-object 10.0.40.0 255.255.255.0

access-list OUTSIDE_IN extended permit icmp any any echo-reply

access-list OUTSIDE_IN extended permit icmp any any unreachable

access-list OUTSIDE_IN extended permit icmp any any time-exceeded

access-list NO_NAT extended permit ip object-group INTERNAL object-group REMOTE_SITE

access-list NO_NAT extended permit ip object-group INTERNAL object-group RA_SUBNET

access-list CRYPTO_ACL extended permit ip object-group INTERNAL object-group REMOTE_SITE

access-list CRYPTO_ACL extended permit ip object-group INTERNAL object-group RA_SUBNET

global (outside) 1 interface

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 13.13.13.1 1

crypto ipsec transform-set ESP_AES esp-aes esp-sha-hmac

crypto map VPNMAP 10 match address CRYPTO_ACL

crypto map VPNMAP 10 set pfs

crypto map VPNMAP 10 set peer 12.12.12.1

crypto map VPNMAP 10 set transform-set ESP_AES

crypto map VPNMAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 12.12.12.1 type ipsec-l2l

tunnel-group 12.12.12.1 ipsec-attributes

pre-shared-key *

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

Public IPs are in a lab only and are not used on the internet.

thanks,

Ash

Need help with ASA/PIX VPN

I guess you are also missing command on ASA  - As said by Luis.

same-security-traffic permit intra-interface.

New Member

Need help with ASA/PIX VPN

Sorry forgot to paste that in but that was configured on the ASA. Does it need to be configured on the PIX as well?

I used the sysopt connection permit-vpn command on the PIX...?

Need help with ASA/PIX VPN

Please also paste output of show crypto ipsec sa.

New Member

Need help with ASA/PIX VPN

PIX Output

pixfirewall(config)# sho cry ipsec sa

interface: outside

    Crypto map tag: VPNMAP, seq num: 10, local addr: 13.13.13.2

      access-list CRYPTO_ACL permit ip 10.0.70.0 255.255.255.0 10.0.39.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.70.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.0.39.0/255.255.255.0/0/0)

      current_peer: 12.12.12.1

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 13.13.13.2, remote crypto endpt.: 12.12.12.1

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: A4BB743A

    inbound esp sas:

      spi: 0x00A5315D (10826077)

         transform: esp-aes esp-sha-hmac

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 3, crypto-map: VPNMAP

         sa timing: remaining key lifetime (kB/sec): (4274999/26633)

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xA4BB743A (2763748410)

         transform: esp-aes esp-sha-hmac

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 3, crypto-map: VPNMAP

         sa timing: remaining key lifetime (kB/sec): (4274999/26633)

         IV size: 16 bytes

         replay detection support: Y

pixfirewall(config)#

ASA Output

ciscoasa(config)# sho crypto ipsec sa

interface: outside

    Crypto map tag: DYN_MAP, seq num: 10, local addr: 12.12.12.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.0.40.1/255.255.255.255/0/0)

      current_peer: 11.11.11.2, username: admin

      dynamic allocated peer ip: 10.0.40.1

      #pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31

      #pkts decaps: 155, #pkts decrypt: 155, #pkts verify: 155

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 31, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.12.12.1/4500, remote crypto endpt.: 11.11.11.2/64268

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: FB78154A

    inbound esp sas:

      spi: 0x72C684F7 (1925612791)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 32768, crypto-map: DYN_MAP

         sa timing: remaining key lifetime (sec): 27331

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xFB78154A (4218950986)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 32768, crypto-map: DYN_MAP

         sa timing: remaining key lifetime (sec): 27329

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: VPNMAP, seq num: 10, local addr: 12.12.12.1

      access-list CRYPTO_ACL permit ip 10.0.39.0 255.255.255.0 10.0.70.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.39.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.0.70.0/255.255.255.0/0/0)

      current_peer: 13.13.13.2

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.12.12.1, remote crypto endpt.: 13.13.13.2

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 00A5315D

    inbound esp sas:

      spi: 0xA4BB743A (2763748410)

         transform: esp-aes esp-sha-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 24576, crypto-map: VPNMAP

         sa timing: remaining key lifetime (kB/sec): (3824999/26515)

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x00A5315D (10826077)

         transform: esp-aes esp-sha-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 24576, crypto-map: VPNMAP

         sa timing: remaining key lifetime (kB/sec): (3824999/26515)

         IV size: 16 bytes

         replay detection support: Y

ciscoasa(config)#

416
Views
0
Helpful
9
Replies