Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SSL VPN traffic over site 2 site

I have an issue I am trying to resolve,

Two sites Office and Colo,

Site 2 Site VPN between the two sites works great. And ssl vpn at either site works great. But if you connect via SSL to either site you can only see devices local to the site, you cannot see anything across the site 2 site connection. The ssl and site 2 site connections are on the same asa firewalls.

Anyone seen this before ?

2 REPLIES
New Member

SSL VPN traffic over site 2 site

Office site config

:

ASA Version 8.3(2)

!

hostname ciscoasa

domain-name usb.local

enable password XXXXXXXXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXXXXXXXXXX encrypted

names

name 192.168.10.0 VPN_Subnet description VPN_Subnet

name 192.168.1.20 Samsung_Phone_System_int

name 192.168.1.111 USB_int

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 209.119.188.98 255.255.255.224

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa832-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.1.115

name-server 4.2.2.2

domain-name usb.local

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network VPN_Subnet

subnet 192.168.10.0 255.255.255.0

object network Samsung_Phone_System_int

host 192.168.1.20

object network Samsung_Phone_System_ext

host 209.119.188.100

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-10.0.1.0

subnet 10.0.1.0 255.255.255.0

description Dallas Colo inside      

object network obj-172.16.1.0

subnet 172.16.1.0 255.255.255.0

description Dallas Colo DMZ      

object network Exchange_Server_Int

host 192.168.1.115

object network Exchange_Server_Ext

host 209.119.188.101

object network obj-192.168.10.0

subnet 192.168.10.0 255.255.255.0

object network obj-192.168.11.0

subnet 192.168.11.0 255.255.255.0

object-group network DM_INLINE_NETWORK_1

network-object object obj-192.168.1.0

network-object object obj-192.168.10.0

object-group network DM_INLINE_NETWORK_2

network-object object obj-10.0.1.0

network-object object obj-172.16.1.0

network-object object obj-192.168.11.0

object-group service Sophos tcp

port-object eq 10443

port-object eq 444

object-group service IKE_NAT_traversal tcp

port-object eq 4500

object-group service SBS_987 tcp

port-object eq 987

access-list Split_Tunnel standard permit 192.168.1.0 255.255.255.0

access-list Split_Tunnel standard permit 10.0.1.0 255.255.255.0

access-list Split_Tunnel standard permit 172.16.1.0 255.255.255.0

access-list Split_Tunnel standard permit 192.168.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object VPN_Subnet

access-list capture extended permit ip object Samsung_Phone_System_int any

access-list capture extended permit ip any object Samsung_Phone_System_int

access-list capture_out extended permit ip object Samsung_Phone_System_ext any

access-list capture_out extended permit ip any object Samsung_Phone_System_ext

access-list outside_in extended permit icmp any any inactive

access-list outside_in extended permit gre any any

access-list outside_in extended permit tcp any object Exchange_Server_Int eq www

access-list outside_in extended permit tcp any object Exchange_Server_Int eq https

access-list outside_in extended permit tcp any object Exchange_Server_Int eq 444

access-list outside_in extended permit tcp any object Exchange_Server_Int eq imap4

access-list outside_in extended permit tcp any object Exchange_Server_Int eq pop3

access-list outside_in extended permit tcp any object Exchange_Server_Int eq 4125

access-list outside_in extended permit tcp any object Exchange_Server_Int eq pptp

access-list outside_in extended permit udp any object Exchange_Server_Int eq isakmp

access-list outside_in extended permit tcp any object Exchange_Server_Int object-group IKE_NAT_traversal

access-list outside_in extended permit tcp any object Exchange_Server_Int object-group SBS_987

access-list outside_in extended permit tcp any object Exchange_Server_Int eq 993

access-list outside_in extended permit tcp any object Exchange_Server_Int eq smtp

access-list outside_in extended permit tcp any object Exchange_Server_Int eq 3389 inactive

access-list outside_in extended permit tcp any object Exchange_Server_Int eq telnet inactive

access-list outside_in extended permit tcp any object Exchange_Server_Int eq ftp inactive

access-list outside_in extended permit ip any object Samsung_Phone_System_int

access-list outside_in remark To test telnet over SMTP

access-list outside_in extended permit tcp any object Samsung_Phone_System_int eq 6100

access-list outside_in extended permit tcp any object Samsung_Phone_System_int eq 6000

access-list outside_in extended permit udp any object Samsung_Phone_System_int eq 6000

access-list outside_in extended permit udp any object Samsung_Phone_System_int eq sip

access-list outside_in extended permit udp any object Samsung_Phone_System_int range 30000 30031

access-list outside_in extended permit udp any object Samsung_Phone_System_int eq 9000

access-list outside_in extended permit udp any object Samsung_Phone_System_int eq 9001

access-list outside_in extended permit tcp any object Samsung_Phone_System_int eq 5090

access-list outside_in extended permit tcp any object Samsung_Phone_System_int eq 5003

access-list outside_in extended permit udp any object Exchange_Server_Int eq ntp

access-list outside_mpc extended permit ip object Samsung_Phone_System_int any inactive

access-list acl-conn-param-tcp-01 extended permit tcp object Samsung_Phone_System_int any inactive

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2

pager lines 24

logging enable

logging trap warnings

logging history errors

logging asdm informational

logging mail critical

logging from-address 5505@in-roll.com

logging recipient-address alerts@in-roll.com level critical

mtu inside 1500

mtu outside 1500

ip local pool VPNPool 192.168.10.1-192.168.10.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-634-53.bin

asdm history enable

arp timeout 14400

nat (any,outside) source static any any destination static obj-10.0.1.0 obj-10.0.1.0 description NO NAT FOR VPN TRAFFIC

nat (any,outside) source static any any destination static obj-172.16.1.0 obj-172.16.1.0 description NO NAT FOR VPN TRAFFIC

nat (any,outside) source static any any destination static obj-192.168.10.0 obj-192.168.10.0 description NO NAT FOR VPN TRAFFIC

nat (any,outside) source static any any destination static obj-192.168.11.0 obj-192.168.11.0 description NO NAT FOR VPN TRAFFIC

!

object network Samsung_Phone_System_int

nat (inside,outside) static Samsung_Phone_System_ext dns

object network obj_any

nat (inside,outside) dynamic interface

object network Exchange_Server_Int

nat (inside,outside) static Exchange_Server_Ext dns

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 209.119.188.97 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ActiveDirectory protocol nt

aaa-server ActiveDirectory (inside) host 192.168.1.115

timeout 5

nt-auth-domain-controller usb.local

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

snmp-server host inside 10.0.1.21 community *****

snmp-server host inside 192.168.1.101 community *****

snmp-server location HO

snmp-server contact Admin

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 207.210.214.194

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca server

shutdown

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

priority-queue outside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 2 regex "Windows NT"

svc image disk0:/anyconnect-macosx-i386-2.5.1025-k9.pkg 3 regex "Intel Mac OS X"

svc enable

tunnel-group-list enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel

webvpn

  svc ask none default svc

group-policy DfltGrpPolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel

group-policy VPN internal

group-policy VPN attributes

wins-server value 192.168.1.115

dns-server value 192.168.1.115

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel

default-domain value USB.local

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group ActiveDirectory LOCAL

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPNPool

authentication-server-group ActiveDirectory LOCAL

default-group-policy VPN

tunnel-group VPN ipsec-attributes

pre-shared-key *****

tunnel-group 207.210.214.194 type ipsec-l2l

tunnel-group 207.210.214.194 ipsec-attributes

pre-shared-key *****

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool VPNPool

default-group-policy SSLVPN

tunnel-group SSLVPN webvpn-attributes

group-alias USB enable

!

class-map inspection_default

match default-inspection-traffic

class-map class-conn-param-tcp-01

match access-list acl-conn-param-tcp-01

class-map outside-class

match access-list outside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map policy-conn-param-inside

class class-conn-param-tcp-01

  set connection random-sequence-number disable

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect icmp

  inspect ip-options

  inspect pptp

policy-map outside-policy

class outside-class

  priority

!

service-policy global_policy global

service-policy policy-conn-param-inside interface inside

service-policy outside-policy interface outside

smtp-server 10.0.1.30 10.0.1.120

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:fb2346a3e18ff8a28dfcf98154336bdd

: end

Colo site config

Result of the command: "show run"

: Saved

:

ASA Version 8.3(2)

!

hostname ASA5510

domain-name usbtx.local

enable password XXXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXXXXXXX encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 207.210.214.194 255.255.255.240 standby 207.210.214.195

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0 standby 10.0.1.9

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.16.1.1 255.255.255.0 standby 172.16.1.9

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa832-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name usbtx.local

object network obj-10.0.1.0

subnet 10.0.1.0 255.255.255.0

description Allow Internal Out

object network obj-192.168.11.0-SSLVPN

subnet 192.168.11.0 255.255.255.0

object network Utility

host 10.0.1.10

description Utility

object network obj-172.16.1.0

subnet 172.16.1.0 255.255.255.0

description Allow DMZ Out

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

description Bedford Office

object network Web

host 10.0.1.120

description FTP,SMTP,POP3

object network Web101

host 10.0.1.101

description HTTP/HTTPS In-Roll.us

object service ServUHttp

service tcp destination eq 8080

description ServU Http

object network Web80

host 10.0.1.80

description HTTP/HTTPS In-Roll.com App1

object network Web81

host 10.0.1.81

description HTTP/HTTPS In-Roll.com App2

object network obj-192.168.10.0

subnet 192.168.10.0 255.255.255.0

object network Gump

host 10.0.1.30

description Gump.In-Roll.com

object network Web102

host 10.0.1.102

object service PingFederate

service tcp source range 1 65535 destination eq 9031

description PingFederate

object network 207.210.214.203

host 207.210.214.203

object network Web103

host 10.0.1.103

description go2myba.com

object service ServU5160

service tcp source eq 5160 destination eq 5160

description ServU HTTPS

object-group service rdp tcp

description rdp

port-object eq 3389

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_3

network-object object obj-192.168.1.0

network-object object obj-192.168.10.0

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_SERVICE_1

service-object object ServUHttp

service-object tcp destination eq ftp

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq ssh

service-object object ServU5160

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_2

network-object object obj-10.0.1.0

network-object object obj-172.16.1.0

network-object object obj-192.168.11.0-SSLVPN

object-group service DM_INLINE_SERVICE_2

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq smtp

service-object tcp destination eq ssh

service-object udp destination eq ntp

object-group service SophosAppliance tcp

description SophosAppliance

port-object eq 10443

port-object eq 444

object-group service DM_INLINE_TCP_0 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_SERVICE_3

service-object object PingFederate

service-object tcp destination eq www

service-object tcp destination eq https

access-list SplitTunnell standard permit 10.0.1.0 255.255.255.0

access-list SplitTunnell standard permit 172.16.1.0 255.255.255.0

access-list SplitTunnell standard permit 192.168.1.0 255.255.255.0

access-list SplitTunnell standard permit 192.168.10.0 255.255.255.0

access-list outside_access remark Web - In-Roll.com App1

access-list outside_access extended permit tcp any object Web81 object-group DM_INLINE_TCP_4

access-list outside_access extended permit object-group DM_INLINE_SERVICE_3 any object Web80

access-list outside_access remark Web - In-Roll.com App2

access-list outside_access remark Web - USBTX.com / Support

access-list outside_access extended permit tcp any object Web102 object-group DM_INLINE_TCP_0

access-list outside_access remark Misc - HTTP/HTTPS/FTP/Pop3

access-list outside_access extended permit object-group DM_INLINE_SERVICE_1 any object Web

access-list outside_access remark Sophos

access-list outside_access extended permit object-group DM_INLINE_SERVICE_2 any object Gump

access-list outside_access remark Sophos

access-list outside_access extended permit tcp any object Gump object-group SophosAppliance

access-list outside_access remark staging.in-roll.com

access-list outside_access extended permit tcp any object Web101 object-group DM_INLINE_TCP_5

access-list outside_access remark go2myba.com Redirect

access-list outside_access extended permit tcp any object Web103 object-group DM_INLINE_TCP_3

access-list outside_access extended permit ip any object obj-192.168.1.0

access-list dmz_access_in extended permit icmp any any

access-list dmz_access_in remark Allow ANY traffic from DMZ to Internal

access-list dmz_access_in extended permit ip any object obj-10.0.1.0

access-list dmz_access_in remark Allow HTTP/S traffic from DMZ to Internet

access-list dmz_access_in extended permit tcp any any object-group DM_INLINE_TCP_1

access-list outside_mpc extended permit tcp host 10.0.1.30 host 192.168.1.115 eq smtp

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3

pager lines 24

logging enable

logging trap warnings

logging history errors

logging asdm informational

logging mail critical

logging from-address 5510@in-roll.com

logging recipient-address alerts@in-roll.com level critical

logging host inside 10.0.1.10

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool SSLVPN_Pool 192.168.11.1-192.168.11.254 mask 255.255.255.0

failover

failover lan unit secondary

failover lan interface FAILOVER Ethernet0/3

failover key *****

failover link FAILOVER Ethernet0/3

failover interface ip FAILOVER 192.168.99.253 255.255.255.252 standby 192.168.99.254

icmp unreachable rate-limit 1 burst-size 1

icmp permit 10.0.1.0 255.255.255.0 inside

icmp permit 192.168.1.0 255.255.255.0 inside

asdm image disk0:/asdm-634-53.bin

no asdm history enable

arp timeout 14400

nat (dmz,inside) source static any any destination static obj-172.16.1.0 obj-172.16.1.0 description DMZ to Internal NAT

nat (any,outside) source static any any destination static obj-192.168.11.0-SSLVPN obj-192.168.11.0-SSLVPN description NO NAT FOR VPN TRAFFIC

nat (any,outside) source static any any destination static obj-192.168.1.0 obj-192.168.1.0 description NO NAT FOR VPN TRAFFIC

nat (any,outside) source static any any destination static obj-192.168.10.0 obj-192.168.10.0 description NO NAT FOR VPN TRAFFIC

!

object network obj-10.0.1.0

nat (inside,outside) dynamic interface

object network Utility

nat (inside,outside) static 207.210.214.196

object network obj-172.16.1.0

nat (dmz,outside) dynamic interface

object network Web

nat (inside,outside) static 207.210.214.200

object network Web101

nat (inside,outside) static 207.210.214.197

object network Web80

nat (any,any) static 207.210.214.199

object network Web81

nat (any,any) static 207.210.214.198

object network Gump

nat (any,any) static 207.210.214.202

object network Web102

nat (inside,outside) static 207.210.214.201

object network Web103

nat (any,any) static 207.210.214.203

access-group outside_access in interface outside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 207.210.214.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

http redirect outside 80

snmp-server host inside 10.0.1.10 community ***** version 2c

snmp-server location Datacenter

snmp-server contact Admin

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change

snmp-server enable traps remote-access session-threshold-exceeded

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer 209.119.188.98

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSLVPN_GP internal

group-policy SSLVPN_GP attributes

dns-server value 10.0.1.10

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnell

default-domain value in-roll.com

webvpn

  svc ask none default svc

group-policy DfltGrpPolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnell

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool SSLVPN_Pool

default-group-policy SSLVPN_GP

tunnel-group SSLVPN webvpn-attributes

group-alias Datacenter enable

group-url https://207.210.214.194/Datacenter enable

tunnel-group 209.119.188.98 type ipsec-l2l

tunnel-group 209.119.188.98 ipsec-attributes

pre-shared-key *****

!

class-map IPS-traffic

match any

class-map inspection_default

match default-inspection-traffic

class-map outside-class

match access-list outside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

class IPS-traffic

  ips inline fail-open

policy-map outside-policy

class outside-class

  police output 2000000 1500

!

service-policy global_policy global

service-policy outside-policy interface outside

smtp-server 10.0.1.30 10.0.1.120

prompt hostname priority state

service call-home

call-home

mail-server 10.0.1.30 priority 1

profile CiscoTAC-1

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:26057aab6c34681bc8447da19decea7d

: end

SSL VPN traffic over site 2 site

Hi,

Please add "same-security-traffic permit intra-interface" on both the firewalls and try ?

Thanks

Ajay

666
Views
0
Helpful
2
Replies
CreatePlease to create content