06-02-2014 12:10 PM - edited 02-21-2020 07:40 PM
Whenever I connect to Site A with the Cisco VPN client, and Site A has site-to-site tunnels established to Site B and Site C, I also have to access those tunnel subnets over the single VPN connection to Site A,
Site A : 192.168.0.0/24
Site B : 192.168.1.0/24
Site C : 192.168.2.0/24
I'm able to access all the devices in Site A with the Cisco VPN client, but I also need to access Site B and Site C over the same VPN connected to Site A.
Please help me on this and provide steps or good documentation to do this configuration.
FW Model : ASA 5515X
Thanks,
Chiranjeevi Panala
06-02-2014 01:55 PM
Yes, this can be done.
The common term is "hairpinning" as the traffic comes in on your remote access VPN via the outside interface and immediately turns around to go out the site-site VPN. The flow is said to resemble a hairpin, thus the term.
There is a good example with diagrams and configuration commands at this external site.
In summary, you just need to define the remote sites in the tunneled network list for the VPN client, permit traffic of the same-security level intra-interface, add the VPN pool addresses to the list of "interesting traffic" at both ends of the site-site VPNs and add it to the list of NAT exemptions.
06-02-2014 11:44 PM
Thank you Marvin
Can you please provide the ASDM configuration instead of CLI?
I don't have much knowledge of the CLI.
Thanks for your support!
06-03-2014 07:01 AM
I don't know of any guides that show you exactly these steps in ASDM. You can refer to the ASDM Configuration Guide sections as follows:
Allowing Same-security intra-interface
Personally, I'd suggest trying the CLI - it's really not that hard, plus you learn more about what's really going on under the GUI.
06-04-2014 12:08 PM
Thank you Marvin
I have followed what you suggested, but somehow it is not working. Can you help me find where I have gone wrong? Please see the show running-config below.
Result of the command: "show running-config"
: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 202.53.82.98 255.255.255.240
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group PW
name-server 202.53.64.202
name-server 202.53.72.13
name-server 192.168.0.16
name-server 192.168.0.8
object network PW-LAN
subnet 192.168.0.0 255.255.255.0
object network USA
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_25
subnet 192.168.200.0 255.255.255.128
object network 202.53.82.110
host 202.53.82.110
object network PWHYD
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.151
host 192.168.0.151
object network 192.168.0.154
host 192.168.0.154
object network 192.168.0.156
host 192.168.0.156
object network 192.168.0.158
host 192.168.0.158
object network 192.168.0.159
host 192.168.0.159
object network 192.168.0.149
host 192.168.0.149
object network Rackspace
subnet 10.176.0.0 255.240.0.0
object network NETWORK_OBJ_10.176.0.0_12
subnet 10.176.0.0 255.240.0.0
object network 192.168.0.147_http
host 192.168.0.147
object service http
service tcp source eq www destination eq www
object network 192.168.0.14
host 192.168.0.14
object network 192.168.0.14_iCA
host 192.168.0.14
object network 192.168.0.159_http
host 192.168.0.159
object network 192.168.0.159_50100
host 192.168.0.159
object network 202.53.82.101
host 202.53.82.101
object network 192.168.0.159_8001
host 192.168.0.159
object network 192.168.0.192
host 192.168.0.192
object network 192.168.0.159_any
host 192.168.0.159
object-group network PW-All-Sites
network-object 192.168.0.0 255.255.255.0
network-object object PWHYD
network-object object USA
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip object-group PW-All-Sites object Rackspace
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static PW-All-Sites PW-All-Sites destination static NETWORK_OBJ_192.168.200.0_25 NETWORK_OBJ_192.168.200.0_25
nat (inside,outside) source static PW-LAN PW-LAN destination static Rackspace Rackspace
nat (inside,outside) source static PW-LAN PW-LAN destination static PWHYD PWHYD
nat (inside,outside) source static PW-LAN PW-LAN destination static USA USA
nat (inside,outside) source dynamic PW-LAN interface
!
object network 192.168.0.151
nat (any,any) static 202.53.82.102 service tcp 3200 3200
object network 192.168.0.154
nat (any,any) static 202.53.82.104 service tcp 3201 3201
object network 192.168.0.156
nat (any,any) static 202.53.82.107 service tcp 3201 3201
object network 192.168.0.158
nat (any,any) static 202.53.82.109 service tcp 3222 3222
object network 192.168.0.159
nat (any,any) static 202.53.82.101 service tcp 3201 3201
object network 192.168.0.149
nat (any,any) static 202.53.82.100 service tcp www www
object network 192.168.0.147_http
nat (any,any) static 202.53.82.110 service tcp www www
object network 192.168.0.14
nat (any,any) static 202.53.82.99 service tcp https https
object network 192.168.0.14_iCA
nat (any,any) static 202.53.82.99 service tcp citrix-ica citrix-ica
object network 192.168.0.159_50100
nat (any,any) static 202.53.82.101 service tcp 50100 50100
object network 192.168.0.159_8001
nat (any,any) static 202.53.82.101 service tcp 8001 8001
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.53.82.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set pwset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set pwsethyd esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RackspaceSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal pwhydsetsecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal RackSpaceSecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 1 set peer 63.82.1.98
crypto map outsidemap 1 set ikev1 transform-set pwset
crypto map outsidemap 1 set ikev2 ipsec-proposal secure
crypto map outsidemap 2 match address outside_cryptomap
crypto map outsidemap 2 set pfs
crypto map outsidemap 2 set peer 115.119.186.194
crypto map outsidemap 2 set ikev1 transform-set pwsethyd
crypto map outsidemap 3 match address outside_cryptomap_3
crypto map outsidemap 3 set peer 67.192.250.53
crypto map outsidemap 3 set ikev1 transform-set RackspaceSet
crypto map outsidemap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsidemap interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_115.119.186.194 internal
group-policy GroupPolicy_115.119.186.194 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_67.192.250.53 internal
group-policy GroupPolicy_67.192.250.53 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy pw internal
group-policy pw attributes
dns-server value 192.168.0.16
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pw_splitTunnelAcl
default-domain none
username test password kpa9K76zISdsrYdf encrypted privilege 0
username test attributes
vpn-group-policy pw
username rajuvaradha password 6biM7HbMtaadT82k encrypted
username e172 password E1abOIw/eu.DKO/y encrypted
username e150 password dJMsBQfrQRISuR8n encrypted
username e134 password bLBixKKCoH5Udlk9 encrypted
username e182 password mirFopEi/OG0LT4d encrypted
username e192 password u2P6WXLa1k8.kA1w encrypted
username u033 password pS5QN8QLvYFHJfoK encrypted
username u011 password HGFsDnR5XiFAzrcE encrypted
username u010 password 5R8mktMpyUYPCpTO encrypted
username u032 password rst8O1b/yrXsKVmu encrypted
username u002 password .u2izEtqOIC5D2fT encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted
username u012 password JClYI3r7x0T/ed26 encrypted
username u015 password 6tNvtB4hPcUNDyhE encrypted
username u014 password Wy6x8dPcSnMcAT1v encrypted
username u017 password xahCXrBaZWzW8aEp encrypted
username u006 password BCEOAmlRL6CbQfTV encrypted
username e006 password DG96SZQ2gBqIXEYv encrypted
username e034 password 1sG72DUjsY7nt81V encrypted
username u007 password vtcK6xerueHvqZJZ encrypted
username u016 password pZgySMnraNBlTTnL encrypted
username u025 password ulAXIX1u2.UD/KvT encrypted
username u008 password G4vmDF.mv3rXWa7h encrypted
username u019 password NxlycJwroZrzCSJ3 encrypted
username e019 password E9NaUPs18c0.PBnd encrypted
username u018 password 33CghGQSMjbWDfdb encrypted
username u009 password uaaSLEu55XXbD5Sr encrypted
username u028 password UMFMzXMs6He7.zR8 encrypted
username e097 password .UawdlGNiYnRHnzF encrypted
username e314 password ye2/LpVufAXvAUJ6 encrypted
username e327 password 6mKef3HGlnyb6hnu encrypted
username e343 password 0g33Wbvzi.NL1PjH encrypted
username e222 password e0.SFEwm1RqC6lLj encrypted
username e289 password /YrO2mEvMUr9zxq3 encrypted
username e265 password fTk7Vxw0Z06AAbHi encrypted
username e251 password 6y7YjKQO1rP3nAQG encrypted
username e219 password p049Lf7jFLisN6UJ encrypted
username e269 password v7oFefIpmPGd307D encrypted
username ipsecvpn nopassword
tunnel-group 63.82.1.98 type ipsec-l2l
tunnel-group 63.82.1.98 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group pw type remote-access
tunnel-group pw general-attributes
address-pool clientpool
default-group-policy pw
tunnel-group pw ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 115.119.186.194 type ipsec-l2l
tunnel-group 115.119.186.194 general-attributes
default-group-policy GroupPolicy_115.119.186.194
tunnel-group 115.119.186.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 67.192.250.53 type ipsec-l2l
tunnel-group 67.192.250.53 general-attributes
default-group-policy GroupPolicy_67.192.250.53
tunnel-group 67.192.250.53 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:ed2e14bc3af8bd7748d096cf379bd4c2
: end
06-04-2014 01:20 PM
Chiranjeevi,
So your VPN clients should be getting the necessary routes according to:
access-list pw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0
The client address comes from:
ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128
However your acls used by the cryptomaps for the LAN-LAN VPN are:
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0
where PW-All-Sites includes 192.168.<0,1,2>.0 networks. So you need to define clientpool as an object and add it to that object-group to make it match up as interesting traffic.
object network clientpool
range 192.168.200.0 192.168.200.100
object-group network PW-All-Sites
network-object object clientpool
You need to also add a NAT exemption for the client pool to each of the remote LANs as follows:
nat (inside,outside) source static clientpool clientpool destination static PWHYD PWHYD
nat (inside,outside) source static clientpool clientpool destination static USA USA
and the same security traffic command:
same-security-traffic permit intra-interface
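As an added illustration (not part of the thread, and not Cisco code), the following Python checker reads an ASA running-config dump and reports, per remote site subnet, which of the three hub-side items from the reply above are missing for the remote-access pool: the intra-interface permit, the pool as a source in the crypto-map ACL that matches the subnet, and a NAT exemption between pool and subnet. The function names and the two sample configs are constructed for this example; the sample mirrors the thread's objects and ACL names, and NAT interface pairs and the remote firewalls' own configs are not checked.

```python
"""Constructed checker for the hairpinning prerequisites named in this thread: per remote site
subnet, does the ASA config have same-security-traffic permit intra-interface, the VPN pool as a
source in the crypto-map ACL matching that subnet, and a NAT exemption between pool and subnet?"""
import ipaddress

def net(addr, mask="32"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def addr_range(first, last):
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def parse_objects(lines):
    """Collect members of 'object network' / 'object-group network' blocks (unresolved)."""
    raw, cur = {}, None
    for t in lines:
        if t[0] in ("object", "object-group") and t[1] == "network":
            cur = raw.setdefault(t[2], [])       # re-entering a group appends, as on the CLI
        elif cur is not None and t[0] == "network-object" and t[1] == "object":
            cur.append(("ref", t[2]))            # nested object, resolved lazily
        elif cur is not None and t[0] in ("subnet", "host", "range", "network-object"):
            args = t[2:] if t[1] == "host" else t[1:]   # 'network-object host A' -> [A]
            cur.extend(addr_range(*args) if t[0] == "range" else [net(*args)])
        else:
            cur = None                           # any other command ends the block
    return raw

def resolve(name, raw):
    """Flatten an object or group into networks, following nested references."""
    return [n for item in raw.get(name, [])
            for n in (resolve(item[1], raw) if isinstance(item, tuple) else [item])]

def operand(t, i, raw):
    """Parse one extended-ACL address operand at t[i]; return (networks, next index)."""
    if t[i] in ("object", "object-group"):
        return resolve(t[i + 1], raw), i + 2
    return [net(t[i + 1]) if t[i] == "host" else net(t[i], t[i + 1])], i + 2

def contained(targets, nets):
    """True when every target network lies inside some network in nets."""
    return bool(targets) and all(any(x.subnet_of(n) for n in nets) for x in targets)

def check_hairpin(cfg, pool_name, remote_subnets):
    """Return {remote_subnet: [missing prerequisite names]} for the named address pool."""
    lines = [l.split() for l in cfg.splitlines() if l.strip()]
    raw = parse_objects(lines)
    pool = [n for t in lines if t[:3] == ["ip", "local", "pool"] and t[3] == pool_name
            for n in addr_range(*t[4].split("-"))]
    if not pool:
        raise ValueError(f"address pool {pool_name!r} not found")
    same_sec = ["same-security-traffic", "permit", "intra-interface"] in lines
    crypto_acls = {t[6] for t in lines if t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]}
    crypto, nats = [], []
    for t in lines:
        if t[0] == "access-list" and t[1] in crypto_acls and t[2:5] == ["extended", "permit", "ip"]:
            src, i = operand(t, 5, raw)
            crypto.append((src, operand(t, i, raw)[0]))
        elif t[0] == "nat" and t[2:4] == ["source", "static"] and "destination" in t:
            d = t.index("destination")
            nats.append((resolve(t[4], raw), resolve(t[d + 2], raw)))
    report = {}
    for sub in remote_subnets:
        r, missing = net(*sub.split("/")), []
        if not same_sec:
            missing.append("same-security-traffic")
        if not any(contained(pool, s) and contained([r], d) for s, d in crypto):
            missing.append("crypto-acl")
        # static twice NAT is bidirectional, so either orientation exempts the flow
        if not any(contained(pool, s) and contained([r], d) or contained([r], s) and contained(pool, d)
                   for s, d in nats):
            missing.append("nat-exempt")
        report[sub] = missing
    return report

# Constructed sample modelled on the thread's first config: hub ASA with tunnels to PWHYD and USA.
BEFORE = """\
ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128
object network PWHYD
 subnet 192.168.1.0 255.255.255.0
object network USA
 subnet 192.168.2.0 255.255.255.0
object-group network PW-All-Sites
 network-object 192.168.0.0 255.255.255.0
 network-object object PWHYD
 network-object object USA
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 2 match address outside_cryptomap
"""
# The CLI lines the reply suggests, pasted after the above.
AFTER = BEFORE + """\
object network clientpool
 range 192.168.200.0 192.168.200.100
object-group network PW-All-Sites
 network-object object clientpool
same-security-traffic permit intra-interface
nat (inside,outside) source static clientpool clientpool destination static PWHYD PWHYD
nat (inside,outside) source static clientpool clientpool destination static USA USA
"""
```

Running it against the thread's later config dump in place of BEFORE is a quick way to confirm the hub side before looking at the remote firewalls.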
06-04-2014 09:25 PM
Hi Marvin
I did the same adjustments you suggested, but I'm still not getting the traffic.
Do you want me to change anything on the other firewall devices' side?
Please look at the show running-config.
Result of the command: "show running-config"
: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool clientpool 192.168.200.0-192.168.200.100 mask 255.255.255.128
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 202.53.82.98 255.255.255.240
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group PW
name-server 202.53.64.202
name-server 202.53.72.13
name-server 192.168.0.16
name-server 192.168.0.8
same-security-traffic permit intra-interface
object network PW-LAN
subnet 192.168.0.0 255.255.255.0
object network USA
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_25
subnet 192.168.200.0 255.255.255.128
object network 202.53.82.110
host 202.53.82.110
object network PWHYD
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.151
host 192.168.0.151
object network 192.168.0.154
host 192.168.0.154
object network 192.168.0.156
host 192.168.0.156
object network 192.168.0.158
host 192.168.0.158
object network 192.168.0.159
host 192.168.0.159
object network 192.168.0.149
host 192.168.0.149
object network Rackspace
subnet 10.176.0.0 255.240.0.0
object network NETWORK_OBJ_10.176.0.0_12
subnet 10.176.0.0 255.240.0.0
object network 192.168.0.147_http
host 192.168.0.147
object service http
service tcp source eq www destination eq www
object network 192.168.0.14
host 192.168.0.14
object network 192.168.0.14_iCA
host 192.168.0.14
object network 192.168.0.159_http
host 192.168.0.159
object network 192.168.0.159_50100
host 192.168.0.159
object network 202.53.82.101
host 202.53.82.101
object network 192.168.0.159_8001
host 192.168.0.159
object network 192.168.0.192
host 192.168.0.192
object network 192.168.0.159_any
host 192.168.0.159
object network clientpool
range 192.168.200.0 192.168.200.100
object-group network PW-All-Sites
network-object 192.168.0.0 255.255.255.0
network-object object PWHYD
network-object object USA
network-object object clientpool
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list pw_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip object-group PW-All-Sites object Rackspace
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static clientpool clientpool destination static Rackspace Rackspace
nat (inside,outside) source static clientpool clientpool destination static USA USA
nat (inside,outside) source static clientpool clientpool destination static PWHYD PWHYD
nat (inside,outside) source static PW-All-Sites PW-All-Sites destination static NETWORK_OBJ_192.168.200.0_25 NETWORK_OBJ_192.168.200.0_25
nat (inside,outside) source static PW-LAN PW-LAN destination static Rackspace Rackspace
nat (inside,outside) source static PW-LAN PW-LAN destination static PWHYD PWHYD
nat (inside,outside) source static PW-LAN PW-LAN destination static USA USA
nat (inside,outside) source dynamic PW-LAN interface
!
object network 192.168.0.151
nat (any,any) static 202.53.82.102 service tcp 3200 3200
object network 192.168.0.154
nat (any,any) static 202.53.82.104 service tcp 3201 3201
object network 192.168.0.156
nat (any,any) static 202.53.82.107 service tcp 3201 3201
object network 192.168.0.158
nat (any,any) static 202.53.82.109 service tcp 3222 3222
object network 192.168.0.159
nat (any,any) static 202.53.82.101 service tcp 3201 3201
object network 192.168.0.149
nat (any,any) static 202.53.82.100 service tcp www www
object network 192.168.0.147_http
nat (any,any) static 202.53.82.110 service tcp www www
object network 192.168.0.14
nat (any,any) static 202.53.82.99 service tcp https https
object network 192.168.0.14_iCA
nat (any,any) static 202.53.82.99 service tcp citrix-ica citrix-ica
object network 192.168.0.159_50100
nat (any,any) static 202.53.82.101 service tcp 50100 50100
object network 192.168.0.159_8001
nat (any,any) static 202.53.82.101 service tcp 8001 8001
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.53.82.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set pwset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set pwsethyd esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RackspaceSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal pwhydsetsecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal RackSpaceSecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 1 set peer 63.82.1.98
crypto map outsidemap 1 set ikev1 transform-set pwset
crypto map outsidemap 1 set ikev2 ipsec-proposal secure
crypto map outsidemap 2 match address outside_cryptomap
crypto map outsidemap 2 set pfs
crypto map outsidemap 2 set peer 115.119.186.194
crypto map outsidemap 2 set ikev1 transform-set pwsethyd
crypto map outsidemap 3 match address outside_cryptomap_3
crypto map outsidemap 3 set peer 67.192.250.53
crypto map outsidemap 3 set ikev1 transform-set RackspaceSet
crypto map outsidemap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsidemap interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_115.119.186.194 internal
group-policy GroupPolicy_115.119.186.194 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_67.192.250.53 internal
group-policy GroupPolicy_67.192.250.53 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy pw internal
group-policy pw attributes
dns-server value 192.168.0.16
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pw_splitTunnelAcl
default-domain none
username test password kpa9K76zISdsrYdf encrypted privilege 0
username test attributes
vpn-group-policy pw
username rajuvaradha password 6biM7HbMtaadT82k encrypted
username e172 password E1abOIw/eu.DKO/y encrypted
username e150 password dJMsBQfrQRISuR8n encrypted
username e134 password bLBixKKCoH5Udlk9 encrypted
username e182 password mirFopEi/OG0LT4d encrypted
username e192 password u2P6WXLa1k8.kA1w encrypted
username u033 password pS5QN8QLvYFHJfoK encrypted
username u011 password HGFsDnR5XiFAzrcE encrypted
username u010 password 5R8mktMpyUYPCpTO encrypted
username u032 password rst8O1b/yrXsKVmu encrypted
username u002 password .u2izEtqOIC5D2fT encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted
username u012 password JClYI3r7x0T/ed26 encrypted
username u015 password 6tNvtB4hPcUNDyhE encrypted
username u014 password Wy6x8dPcSnMcAT1v encrypted
username u017 password xahCXrBaZWzW8aEp encrypted
username u006 password BCEOAmlRL6CbQfTV encrypted
username e006 password DG96SZQ2gBqIXEYv encrypted
username e034 password 1sG72DUjsY7nt81V encrypted
username u007 password vtcK6xerueHvqZJZ encrypted
username u016 password pZgySMnraNBlTTnL encrypted
username u025 password ulAXIX1u2.UD/KvT encrypted
username u008 password G4vmDF.mv3rXWa7h encrypted
username u019 password NxlycJwroZrzCSJ3 encrypted
username e019 password E9NaUPs18c0.PBnd encrypted
username u018 password 33CghGQSMjbWDfdb encrypted
username u009 password uaaSLEu55XXbD5Sr encrypted
username u028 password UMFMzXMs6He7.zR8 encrypted
username e097 password .UawdlGNiYnRHnzF encrypted
username e314 password ye2/LpVufAXvAUJ6 encrypted
username e327 password 6mKef3HGlnyb6hnu encrypted
username e343 password 0g33Wbvzi.NL1PjH encrypted
username e222 password e0.SFEwm1RqC6lLj encrypted
username e289 password /YrO2mEvMUr9zxq3 encrypted
username e265 password fTk7Vxw0Z06AAbHi encrypted
username e251 password 6y7YjKQO1rP3nAQG encrypted
username e219 password p049Lf7jFLisN6UJ encrypted
username e269 password v7oFefIpmPGd307D encrypted
username ipsecvpn nopassword
tunnel-group 63.82.1.98 type ipsec-l2l
tunnel-group 63.82.1.98 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group pw type remote-access
tunnel-group pw general-attributes
address-pool clientpool
default-group-policy pw
tunnel-group pw ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 115.119.186.194 type ipsec-l2l
tunnel-group 115.119.186.194 general-attributes
default-group-policy GroupPolicy_115.119.186.194
tunnel-group 115.119.186.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 67.192.250.53 type ipsec-l2l
tunnel-group 67.192.250.53 general-attributes
default-group-policy GroupPolicy_67.192.250.53
tunnel-group 67.192.250.53 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:7f06e4e80ac6aa0c045a68bba3f7ad54
: end
06-04-2014 10:42 PM
Yes, I neglected to mention that the other firewalls at USA and PWHYD would also need similar changes.
They all have to mirror each other with respect to the cryptomap acls and nat exemptions.