Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1336
Views
0
Helpful
7
Replies

Single VPN IPsec

processweavertechnologies
Level 1
Level 1

‎06-02-2014 12:10 PM - edited ‎02-21-2020 07:40 PM

whenever I connect to the Site A with Cisco client VPN, if site A is having Site B and Site C site to site tunnel establishment, I have to access those tunnel subnets also in the single VPN connected to Site A

Site A : 192.168.0.0./24

Site B : 192.168.1.0/24

Site C : 192.168.2.0/24

 

I'm able to access Site A with Cisco client VPN with all the devices in SIte A, but I need to access the Site B and Site C also with same VPN connected the Site A.

 

Please help me on this and provide steps or good documentation to do this configuration.

 

FW Model : ASA 5515X

 

Thanks,
Chiranjeevi Panala

Labels:
0 Helpful
7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-02-2014 01:55 PM

Yes, this can be done.

The common term is "hairpinning" as the traffic comes in on your remote access VPN via the outside interface and immediately turns around to go out the site-site VPN. The flow is said to resemble a hairpin, thus the term.

There is a good example with diagrams and configuration commands at this external site.

In summary, you just need to define the remote sites in the tunneled network list for the VPN client, permit  traffic of the same-security level intra-interface, add the VPN pool addresses to the list of "interesting traffic" at both ends of the site-site VPNs and add it to the list of NAT exemptions.

0 Helpful

processweavertechnologies
Level 1
Level 1
In response to Marvin Rhoads

‎06-02-2014 11:44 PM

Thank you Marvin

Can you please provide ASDM configuration instead of CLI

i don't have much knowledge in CLI

 

Thanks for your support!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to processweavertechnologies

‎06-03-2014 07:01 AM

I don't know of any guides that show you exactly these steps in ASDM. You can refer to the ASDM Configuration Guide sections as follows:

Defining tunneled networks

Allowing Same-security intra-interface

Modifying access-lists

Setting up NAT

Personally, I'd suggest trying the cli - it's really not that hard plus you learn more about what's really going on under the GUI.

 

 

0 Helpful

processweavertechnologies
Level 1
Level 1
In response to Marvin Rhoads

‎06-04-2014 12:08 PM

Thank you Marvin

 

i have followed the same what you have suggested, but some how it was not working, can you help me where i have gone wrong, please see the below show running-config

 

Result of the command: "show running-config"

: Saved
:
ASA Version 9.1(3) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 202.53.82.98 255.255.255.240 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0 
!
ftp mode passive
dns domain-lookup outside
dns server-group PW
 name-server 202.53.64.202
 name-server 202.53.72.13
 name-server 192.168.0.16
 name-server 192.168.0.8
object network PW-LAN
 subnet 192.168.0.0 255.255.255.0
object network USA
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_25
 subnet 192.168.200.0 255.255.255.128
object network 202.53.82.110
 host 202.53.82.110
object network PWHYD
 subnet 192.168.1.0 255.255.255.0
object network 192.168.0.151
 host 192.168.0.151
object network 192.168.0.154
 host 192.168.0.154
object network 192.168.0.156
 host 192.168.0.156
object network 192.168.0.158
 host 192.168.0.158
object network 192.168.0.159
 host 192.168.0.159
object network 192.168.0.149
 host 192.168.0.149
object network Rackspace
 subnet 10.176.0.0 255.240.0.0
object network NETWORK_OBJ_10.176.0.0_12
 subnet 10.176.0.0 255.240.0.0
object network 192.168.0.147_http
 host 192.168.0.147
object service http
 service tcp source eq www destination eq www 
object network 192.168.0.14
 host 192.168.0.14
object network 192.168.0.14_iCA
 host 192.168.0.14
object network 192.168.0.159_http
 host 192.168.0.159
object network 192.168.0.159_50100
 host 192.168.0.159
object network 202.53.82.101
 host 202.53.82.101
object network 192.168.0.159_8001
 host 192.168.0.159
object network 192.168.0.192
 host 192.168.0.192
object network 192.168.0.159_any
 host 192.168.0.159
object-group network PW-All-Sites
 network-object 192.168.0.0 255.255.255.0
 network-object object PWHYD
 network-object object USA
access-list 100 extended permit ip any any 
access-list 100 extended permit icmp any any 
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0 
access-list outside_access_in extended permit ip any any 
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip object-group PW-All-Sites object Rackspace 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static PW-All-Sites PW-All-Sites destination static NETWORK_OBJ_192.168.200.0_25 NETWORK_OBJ_192.168.200.0_25
nat (inside,outside) source static PW-LAN PW-LAN destination static Rackspace Rackspace
nat (inside,outside) source static PW-LAN PW-LAN destination static PWHYD PWHYD
nat (inside,outside) source static PW-LAN PW-LAN destination static USA USA
nat (inside,outside) source dynamic PW-LAN interface
!
object network 192.168.0.151
 nat (any,any) static 202.53.82.102 service tcp 3200 3200 
object network 192.168.0.154
 nat (any,any) static 202.53.82.104 service tcp 3201 3201 
object network 192.168.0.156
 nat (any,any) static 202.53.82.107 service tcp 3201 3201 
object network 192.168.0.158
 nat (any,any) static 202.53.82.109 service tcp 3222 3222 
object network 192.168.0.159
 nat (any,any) static 202.53.82.101 service tcp 3201 3201 
object network 192.168.0.149
 nat (any,any) static 202.53.82.100 service tcp www www 
object network 192.168.0.147_http
 nat (any,any) static 202.53.82.110 service tcp www www 
object network 192.168.0.14
 nat (any,any) static 202.53.82.99 service tcp https https 
object network 192.168.0.14_iCA
 nat (any,any) static 202.53.82.99 service tcp citrix-ica citrix-ica 
object network 192.168.0.159_50100
 nat (any,any) static 202.53.82.101 service tcp 50100 50100 
object network 192.168.0.159_8001
 nat (any,any) static 202.53.82.101 service tcp 8001 8001 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.53.82.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set pwset esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set pwsethyd esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set RackspaceSet esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes 3des des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal pwhydsetsecure
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal RackSpaceSecure
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 1 set peer 63.82.1.98 
crypto map outsidemap 1 set ikev1 transform-set pwset
crypto map outsidemap 1 set ikev2 ipsec-proposal secure
crypto map outsidemap 2 match address outside_cryptomap
crypto map outsidemap 2 set pfs 
crypto map outsidemap 2 set peer 115.119.186.194 
crypto map outsidemap 2 set ikev1 transform-set pwsethyd
crypto map outsidemap 3 match address outside_cryptomap_3
crypto map outsidemap 3 set peer 67.192.250.53 
crypto map outsidemap 3 set ikev1 transform-set RackspaceSet
crypto map outsidemap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsidemap interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_115.119.186.194 internal
group-policy GroupPolicy_115.119.186.194 attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
group-policy GroupPolicy_67.192.250.53 internal
group-policy GroupPolicy_67.192.250.53 attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy pw internal
group-policy pw attributes
 dns-server value 192.168.0.16
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value pw_splitTunnelAcl
 default-domain none
username test password kpa9K76zISdsrYdf encrypted privilege 0
username test attributes
 vpn-group-policy pw
username rajuvaradha password 6biM7HbMtaadT82k encrypted
username e172 password E1abOIw/eu.DKO/y encrypted
username e150 password dJMsBQfrQRISuR8n encrypted
username e134 password bLBixKKCoH5Udlk9 encrypted
username e182 password mirFopEi/OG0LT4d encrypted
username e192 password u2P6WXLa1k8.kA1w encrypted
username u033 password pS5QN8QLvYFHJfoK encrypted
username u011 password HGFsDnR5XiFAzrcE encrypted
username u010 password 5R8mktMpyUYPCpTO encrypted
username u032 password rst8O1b/yrXsKVmu encrypted
username u002 password .u2izEtqOIC5D2fT encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted
username u012 password JClYI3r7x0T/ed26 encrypted
username u015 password 6tNvtB4hPcUNDyhE encrypted
username u014 password Wy6x8dPcSnMcAT1v encrypted
username u017 password xahCXrBaZWzW8aEp encrypted
username u006 password BCEOAmlRL6CbQfTV encrypted
username e006 password DG96SZQ2gBqIXEYv encrypted
username e034 password 1sG72DUjsY7nt81V encrypted
username u007 password vtcK6xerueHvqZJZ encrypted
username u016 password pZgySMnraNBlTTnL encrypted
username u025 password ulAXIX1u2.UD/KvT encrypted
username u008 password G4vmDF.mv3rXWa7h encrypted
username u019 password NxlycJwroZrzCSJ3 encrypted
username e019 password E9NaUPs18c0.PBnd encrypted
username u018 password 33CghGQSMjbWDfdb encrypted
username u009 password uaaSLEu55XXbD5Sr encrypted
username u028 password UMFMzXMs6He7.zR8 encrypted
username e097 password .UawdlGNiYnRHnzF encrypted
username e314 password ye2/LpVufAXvAUJ6 encrypted
username e327 password 6mKef3HGlnyb6hnu encrypted
username e343 password 0g33Wbvzi.NL1PjH encrypted
username e222 password e0.SFEwm1RqC6lLj encrypted
username e289 password /YrO2mEvMUr9zxq3 encrypted
username e265 password fTk7Vxw0Z06AAbHi encrypted
username e251 password 6y7YjKQO1rP3nAQG encrypted
username e219 password p049Lf7jFLisN6UJ encrypted
username e269 password v7oFefIpmPGd307D encrypted
username ipsecvpn nopassword
tunnel-group 63.82.1.98 type ipsec-l2l
tunnel-group 63.82.1.98 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group pw type remote-access
tunnel-group pw general-attributes
 address-pool clientpool
 default-group-policy pw
tunnel-group pw ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 115.119.186.194 type ipsec-l2l
tunnel-group 115.119.186.194 general-attributes
 default-group-policy GroupPolicy_115.119.186.194
tunnel-group 115.119.186.194 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 67.192.250.53 type ipsec-l2l
tunnel-group 67.192.250.53 general-attributes
 default-group-policy GroupPolicy_67.192.250.53
tunnel-group 67.192.250.53 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous prompt 1
Cryptochecksum:ed2e14bc3af8bd7748d096cf379bd4c2
: end

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to processweavertechnologies

‎06-04-2014 01:20 PM

Chiranjeevi,

So your VPN clients should be getting the necessary routes according to:

access-list pw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0

 

The client address comes from:

ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128

However your acls used by the cryptomaps for the LAN-LAN VPN are:

access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0

access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0

where PW-All-Sites includes 192.168.<0,1,2>.0 networks. So you need to define clientpool as an object and add it to that object-group to make it match up as interesting traffic.

object network clientpool

range 192.168.200.0 192.168.200.100

object-group network PW-All-Sites
 network-object clientpool

You need to also add a NAT exemption for the client pool to each of the remote LANs as follows:

nat (inside,outside) source static clientpool clientpool destination static PWHYD PWHYD

nat (inside,outside) source static clietnpool clientpool destination static USA USA

and the same security traffic command:

same-security-traffic permit intra-interface

0 Helpful

processweavertechnologies
Level 1
Level 1
In response to Marvin Rhoads

‎06-04-2014 09:25 PM

Hi Marvin

 

i did the same adjustments what you suggested, but still i'm not getting the traffic. 

anything do you want me change in other firewalls devices side?

please look at the show running-config

 

Result of the command: "show running-config"

: Saved
:
ASA Version 9.1(3) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 202.53.82.98 255.255.255.240 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0 
!
ftp mode passive
dns domain-lookup outside
dns server-group PW
 name-server 202.53.64.202
 name-server 202.53.72.13
 name-server 192.168.0.16
 name-server 192.168.0.8
same-security-traffic permit intra-interface
object network PW-LAN
 subnet 192.168.0.0 255.255.255.0
object network USA
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_25
 subnet 192.168.200.0 255.255.255.128
object network 202.53.82.110
 host 202.53.82.110
object network PWHYD
 subnet 192.168.1.0 255.255.255.0
object network 192.168.0.151
 host 192.168.0.151
object network 192.168.0.154
 host 192.168.0.154
object network 192.168.0.156
 host 192.168.0.156
object network 192.168.0.158
 host 192.168.0.158
object network 192.168.0.159
 host 192.168.0.159
object network 192.168.0.149
 host 192.168.0.149
object network Rackspace
 subnet 10.176.0.0 255.240.0.0
object network NETWORK_OBJ_10.176.0.0_12
 subnet 10.176.0.0 255.240.0.0
object network 192.168.0.147_http
 host 192.168.0.147
object service http
 service tcp source eq www destination eq www 
object network 192.168.0.14
 host 192.168.0.14
object network 192.168.0.14_iCA
 host 192.168.0.14
object network 192.168.0.159_http
 host 192.168.0.159
object network 192.168.0.159_50100
 host 192.168.0.159
object network 202.53.82.101
 host 202.53.82.101
object network 192.168.0.159_8001
 host 192.168.0.159
object network 192.168.0.192
 host 192.168.0.192
object network 192.168.0.159_any
 host 192.168.0.159
object network clientpool
 range 192.168.200.0 192.168.200.100
object-group network PW-All-Sites
 network-object 192.168.0.0 255.255.255.0
 network-object object PWHYD
 network-object object USA
 network-object object clientpool
access-list 100 extended permit ip any any 
access-list 100 extended permit icmp any any 
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list pw_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0 
access-list outside_access_in extended permit ip any any 
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip object-group PW-All-Sites object Rackspace 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static clientpool clientpool destination static Rackspace Rackspace
nat (inside,outside) source static clientpool clientpool destination static USA USA
nat (inside,outside) source static clientpool clientpool destination static PWHYD PWHYD
nat (inside,outside) source static PW-All-Sites PW-All-Sites destination static NETWORK_OBJ_192.168.200.0_25 NETWORK_OBJ_192.168.200.0_25
nat (inside,outside) source static PW-LAN PW-LAN destination static Rackspace Rackspace
nat (inside,outside) source static PW-LAN PW-LAN destination static PWHYD PWHYD
nat (inside,outside) source static PW-LAN PW-LAN destination static USA USA
nat (inside,outside) source dynamic PW-LAN interface
!
object network 192.168.0.151
 nat (any,any) static 202.53.82.102 service tcp 3200 3200 
object network 192.168.0.154
 nat (any,any) static 202.53.82.104 service tcp 3201 3201 
object network 192.168.0.156
 nat (any,any) static 202.53.82.107 service tcp 3201 3201 
object network 192.168.0.158
 nat (any,any) static 202.53.82.109 service tcp 3222 3222 
object network 192.168.0.159
 nat (any,any) static 202.53.82.101 service tcp 3201 3201 
object network 192.168.0.149
 nat (any,any) static 202.53.82.100 service tcp www www 
object network 192.168.0.147_http
 nat (any,any) static 202.53.82.110 service tcp www www 
object network 192.168.0.14
 nat (any,any) static 202.53.82.99 service tcp https https 
object network 192.168.0.14_iCA
 nat (any,any) static 202.53.82.99 service tcp citrix-ica citrix-ica 
object network 192.168.0.159_50100
 nat (any,any) static 202.53.82.101 service tcp 50100 50100 
object network 192.168.0.159_8001
 nat (any,any) static 202.53.82.101 service tcp 8001 8001 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.53.82.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set pwset esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set pwsethyd esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set RackspaceSet esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes 3des des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal pwhydsetsecure
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal RackSpaceSecure
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 1 set peer 63.82.1.98 
crypto map outsidemap 1 set ikev1 transform-set pwset
crypto map outsidemap 1 set ikev2 ipsec-proposal secure
crypto map outsidemap 2 match address outside_cryptomap
crypto map outsidemap 2 set pfs 
crypto map outsidemap 2 set peer 115.119.186.194 
crypto map outsidemap 2 set ikev1 transform-set pwsethyd
crypto map outsidemap 3 match address outside_cryptomap_3
crypto map outsidemap 3 set peer 67.192.250.53 
crypto map outsidemap 3 set ikev1 transform-set RackspaceSet
crypto map outsidemap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsidemap interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_115.119.186.194 internal
group-policy GroupPolicy_115.119.186.194 attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
group-policy GroupPolicy_67.192.250.53 internal
group-policy GroupPolicy_67.192.250.53 attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy pw internal
group-policy pw attributes
 dns-server value 192.168.0.16
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value pw_splitTunnelAcl
 default-domain none
username test password kpa9K76zISdsrYdf encrypted privilege 0
username test attributes
 vpn-group-policy pw
username rajuvaradha password 6biM7HbMtaadT82k encrypted
username e172 password E1abOIw/eu.DKO/y encrypted
username e150 password dJMsBQfrQRISuR8n encrypted
username e134 password bLBixKKCoH5Udlk9 encrypted
username e182 password mirFopEi/OG0LT4d encrypted
username e192 password u2P6WXLa1k8.kA1w encrypted
username u033 password pS5QN8QLvYFHJfoK encrypted
username u011 password HGFsDnR5XiFAzrcE encrypted
username u010 password 5R8mktMpyUYPCpTO encrypted
username u032 password rst8O1b/yrXsKVmu encrypted
username u002 password .u2izEtqOIC5D2fT encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted
username u012 password JClYI3r7x0T/ed26 encrypted
username u015 password 6tNvtB4hPcUNDyhE encrypted
username u014 password Wy6x8dPcSnMcAT1v encrypted
username u017 password xahCXrBaZWzW8aEp encrypted
username u006 password BCEOAmlRL6CbQfTV encrypted
username e006 password DG96SZQ2gBqIXEYv encrypted
username e034 password 1sG72DUjsY7nt81V encrypted
username u007 password vtcK6xerueHvqZJZ encrypted
username u016 password pZgySMnraNBlTTnL encrypted
username u025 password ulAXIX1u2.UD/KvT encrypted
username u008 password G4vmDF.mv3rXWa7h encrypted
username u019 password NxlycJwroZrzCSJ3 encrypted
username e019 password E9NaUPs18c0.PBnd encrypted
username u018 password 33CghGQSMjbWDfdb encrypted
username u009 password uaaSLEu55XXbD5Sr encrypted
username u028 password UMFMzXMs6He7.zR8 encrypted
username e097 password .UawdlGNiYnRHnzF encrypted
username e314 password ye2/LpVufAXvAUJ6 encrypted
username e327 password 6mKef3HGlnyb6hnu encrypted
username e343 password 0g33Wbvzi.NL1PjH encrypted
username e222 password e0.SFEwm1RqC6lLj encrypted
username e289 password /YrO2mEvMUr9zxq3 encrypted
username e265 password fTk7Vxw0Z06AAbHi encrypted
username e251 password 6y7YjKQO1rP3nAQG encrypted
username e219 password p049Lf7jFLisN6UJ encrypted
username e269 password v7oFefIpmPGd307D encrypted
username ipsecvpn nopassword
tunnel-group 63.82.1.98 type ipsec-l2l
tunnel-group 63.82.1.98 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group pw type remote-access
tunnel-group pw general-attributes
 address-pool clientpool
 default-group-policy pw
tunnel-group pw ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 115.119.186.194 type ipsec-l2l
tunnel-group 115.119.186.194 general-attributes
 default-group-policy GroupPolicy_115.119.186.194
tunnel-group 115.119.186.194 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 67.192.250.53 type ipsec-l2l
tunnel-group 67.192.250.53 general-attributes
 default-group-policy GroupPolicy_67.192.250.53
tunnel-group 67.192.250.53 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous prompt 1
Cryptochecksum:7f06e4e80ac6aa0c045a68bba3f7ad54
: end

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to processweavertechnologies

‎06-04-2014 10:42 PM

Yes, I neglected to mention to other firewalls at USA and PWHYD would also need similar changes.

They all have to mirror each other with respect to the cryptomap acls and nat exemptions.

0 Helpful
Customers Also Viewed These Support Documents