Remote VPN users' access to site-to-site networks (mostly configured)

I'm not sure which piece I am missing, but I think I am almost there.

The setup is:

----------------           -----------------           -----------------
|PIX           |           |ASA            |           |VPN            |
|506E          |---works---|5520           |---works---|connections    |
|inside IP     |           |inside IP      |           |IP range       |
|192.168.4.0/24|           |192.168.26.0/24|           |192.168.27.0/24|
----------------           -----------------           -----------------
       |                                                      |
       ----------no communication between VPN and PIX----------

The ASA ASDM's packet trace says both directions between the PIX and the VPN connections should work (192.168.27.x and 192.168.4.x). I think there is still something on the PIX that is not saying that the tunnel to 192.168.26.x also contains 192.168.27.x.

Can anyone see where I am missing an entry or making a mistake?

Thanks in advance.

John

------- PIX configuration ----------

: Saved
: Written by enable_15 at 08:23:34.545 MST Wed Feb 17 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname PIX
domain-name domain.com
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.26.0 colo
name 192.168.27.0 colo-vpns
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
pager lines 1000
logging on
logging history informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.4 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnrange 192.168.5.50-192.168.5.100
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server host inside 192.168.4.184
snmp-server host inside 192.168.4.50
snmp-server location earth
snmp-server contact admin
snmp-server community community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address access1
crypto map newmap 40 set peer 10.10.10.166
crypto map newmap 40 set transform-set esp-3des-md5
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key XXX address 10.10.10.166 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpngroup1 address-pool vpnrange
vpngroup vpngroup1 dns-server 192.168.4.12
vpngroup vpngroup1 default-domain domain.com
vpngroup vpngroup1 split-tunnel vpngroup1_splitTunnelAcl
vpngroup vpngroup1 idle-time 7200
vpngroup vpngroup1 password XXX
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.4.155-192.168.4.230 inside
dhcpd dns 192.168.4.12
dhcpd wins 192.168.4.12
dhcpd lease 14400
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd auto_config outside
dhcpd enable inside
username admin password XXX encrypted privilege 15
terminal width 80
Cryptochecksum:e3903383e5abec6f52cf29db4e87d29c
: end

------ ASA configuration ---------

: Saved
: Written by enable_15 at 04:30:22.421 UTC Thu Feb 18 2010
!
ASA Version 8.2(2)
!
hostname ASA-5520
domain-name domain.com
enable password XXX encrypted
passwd XXX encrypted
no names
!
interface GigabitEthernet0/0
 nameif internet
 security-level 0
 ip address 10.10.10.166 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 75
 ip address 192.168.26.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup internet
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.26.103
 name-server 192.168.4.19
 domain-name domain.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.164
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list internet_access_in extended permit object-group TCPUDP any host 10.10.10.166 eq www
access-list internet_access_in extended permit tcp any host 10.10.10.166 eq https
access-list internet_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 10.10.10.166 eq smtp
access-list internap_access extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list internet_1_cryptomap extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip any 192.168.27.0 255.255.255.0
access-list Split_tunnel_list standard permit 192.168.26.0 255.255.255.0
access-list Split_tunnel_list standard permit 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging buffered debugging
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu management 1500
ip local pool CLIENT_VPNS 192.168.27.100-192.168.27.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (internet) 101 192.168.26.2-192.168.26.254 netmask 255.255.255.0
global (internet) 102 interface
nat (internet) 102 192.168.26.0 255.255.255.0
nat (inside) 0 access-list vpns
nat (inside) 102 192.168.26.0 255.255.255.0
nat (management) 102 0.0.0.0 0.0.0.0
static (inside,internet) tcp interface www 192.168.26.107 www netmask 255.255.255.255
static (inside,internet) udp interface www 192.168.26.107 www netmask 255.255.255.255
static (inside,internet) tcp interface https 192.168.26.102 https netmask 255.255.255.255
static (inside,internet) tcp interface smtp 192.168.26.102 smtp netmask 255.255.255.255
access-group internet_access_in in interface internet
access-group inside_access_in in interface inside
route internet 0.0.0.0 0.0.0.0 10.10.10.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 192.168.26.103
 nt-auth-domain-controller 192.168.26.103
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.26.111 255.255.255.255 inside
http 192.168.26.101 255.255.255.255 inside
http 192.168.4.0 255.255.255.0 inside
snmp-server host inside 192.168.4.184 poll community community
snmp-server location mars
snmp-server contact admin
snmp-server community community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet_map 1 match address vpns
crypto map internet_map 1 set pfs
crypto map internet_map 1 set peer 10.10.10.164
crypto map internet_map 1 set transform-set ESP-3DES-MD5
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto isakmp enable internet
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.26.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 internet
ssh 192.168.26.101 255.255.255.255 inside
ssh 192.168.26.111 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.26.25-192.168.26.50 inside
dhcpd dns 192.168.26.103 192.168.4.19 interface inside
dhcpd domain domain.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.50-192.168.1.75 management
dhcpd dns 192.168.26.103 192.168.4.19 interface management
dhcpd wins 192.168.26.103 192.168.4.19 interface management
dhcpd domain domain.com interface management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.26.111 /
webvpn
 port 4443
 enable internet
 dtls port 4443
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.26.103
 dns-server value 192.168.26.103
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-dns value domain.com
group-policy phonehome internal
group-policy phonehome attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VP internal
group-policy VP attributes
 wins-server value 192.168.26.103 192.168.4.19
 dns-server value 192.168.26.103 192.168.4.19
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
 default-domain value domain.com
group-policy TAC internal
group-policy TAC attributes
 vpn-tunnel-protocol svc
username user1 password XXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group DOMAIN
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group none
tunnel-group 10.10.10.164 type ipsec-l2l
tunnel-group 10.10.10.164 ipsec-attributes
 pre-shared-key r0@D@pp1L3
tunnel-group CLIENT_VPN type remote-access
tunnel-group CLIENT_VPN general-attributes
 authentication-server-group DOMAIN
 default-group-policy VP
tunnel-group CLIENT_VPN ipsec-attributes
 pre-shared-key junction
tunnel-group VP type remote-access
tunnel-group VP general-attributes
 address-pool CLIENT_VPNS
 authentication-server-group DOMAIN
 authentication-server-group (inside) DOMAIN
 default-group-policy VP
tunnel-group VP webvpn-attributes
 group-alias VP enable
 group-url https://10.10.10.166:4443/VP enable
tunnel-group VP ipsec-attributes
 pre-shared-key key1
tunnel-group VP ppp-attributes
 authentication ms-chap-v2
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http
  destination address email snipped-for-privacy@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c7ead81dc4b832a83e584386eb556a4
: end
John Smyth

And just because I hate seeing these months and years later with no solution.

The only thing I needed to do was add a CLI entry stating "same-security-traffic permit intra-interface" and traffic magically started routing to where it needed to go.

Good luck to anyone else experiencing this.

John Smyth

And just because I hate seeing these months and years later with no solution:

All I needed to do to get traffic flowing was enter the command "same-security-traffic permit intra-interface" from the CLI in configure mode.

Good luck to all who have this same problem.

John Smyth
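The two things John checked by hand in this thread can be scripted: whether the PIX crypto ACL (access1, with its `name` aliases expanded) and the ASA crypto ACL (vpns) are mirror images, and whether a remote-access pool subnet rides the site-to-site tunnel, which on an ASA means VPN client traffic enters and leaves the same outside interface and is dropped unless `same-security-traffic permit intra-interface` is set. The script below is an added example, not code from the thread or from Cisco; the function names and the `lint()` entry point are my own, and the config excerpts are constructed from the addresses and ACL names quoted above. It handles only the `permit ip` / `name` / `ip local pool ... mask` line forms seen in these configs (object-group operands are not parsed).

```python
"""Crypto-ACL mirror and hairpin lint for a PIX/ASA hub-and-spoke VPN.

Added example, not code from the thread or from Cisco. It understands only the
line types needed from a saved PIX 6.x / ASA 8.2 config (`name`,
`access-list ... permit ip`, `ip local pool ... mask`, `same-security-traffic`).
"""
import ipaddress
import re
from typing import Dict, Set, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source, destination)


def parse_names(config: str) -> Dict[str, str]:
    """PIX `name <ip> <alias>` lines, returned as alias -> ip."""
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)", config, re.M)}


def _take_net(tokens, i, names):
    """Consume one ACL address operand (any | host X | net mask) at tokens[i]."""
    tok = names.get(tokens[i], tokens[i])
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(f"{host}/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ip_acl(config: str, acl: str, names=None) -> Set[Entry]:
    """All `permit ip` entries of one named ACL as (src, dst) network pairs.
    Object-group operands are not handled (none appear in crypto ACLs here)."""
    names = names or {}
    entries: Set[Entry] = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl]:
            continue
        body = tokens[2:]
        if body[:1] == ["extended"]:  # ASA 7+ keyword; PIX 6.x has none
            body = body[1:]
        if body[:2] != ["permit", "ip"]:
            continue
        src, i = _take_net(body, 2, names)
        dst, _ = _take_net(body, i, names)
        entries.add((src, dst))
    return entries


def mirror_report(local: Set[Entry], remote: Set[Entry]) -> Dict[str, Set[Entry]]:
    """The peer's crypto ACL must hold exactly the reversed local entries."""
    expected = {(dst, src) for src, dst in local}
    return {"missing_on_remote": expected - remote,
            "extra_on_remote": remote - expected}


def parse_pools(config: str) -> Set[Net]:
    """ASA `ip local pool NAME start-end mask M` -> subnet each pool lives in."""
    return {ipaddress.ip_network(f"{start}/{mask}", strict=False)
            for start, mask in re.findall(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)}


def hairpin_permitted(config: str) -> bool:
    return re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M) is not None


def hairpin_report(config: str, crypto_acl: str) -> dict:
    """Pools whose subnet is a proxy identity of the L2L tunnel: their traffic
    enters and leaves the same outside interface, which the ASA drops by default."""
    entries = parse_ip_acl(config, crypto_acl)
    riding = {p for p in parse_pools(config)
              if any(p.overlaps(src) or p.overlaps(dst) for src, dst in entries)}
    return {"pools_in_tunnel": riding,
            "intra_interface_ok": not riding or hairpin_permitted(config)}


# Constructed excerpts using the addresses and ACL names quoted in the thread.
PIX_EXCERPT = """\
name 192.168.26.0 colo
name 192.168.27.0 colo-vpns
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list access1 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
crypto map newmap 40 match address access1
"""

ASA_EXCERPT = """\
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip any 192.168.27.0 255.255.255.0
ip local pool CLIENT_VPNS 192.168.27.100-192.168.27.250 mask 255.255.255.0
crypto map internet_map 1 match address vpns
"""


def lint(pix_cfg: str, asa_cfg: str) -> dict:
    """Run both checks with the PIX as 'local' and the ASA as its peer."""
    pix = parse_ip_acl(pix_cfg, "access1", parse_names(pix_cfg))
    asa = parse_ip_acl(asa_cfg, "vpns", parse_names(asa_cfg))
    return {"mirror": mirror_report(pix, asa),
            "hairpin": hairpin_report(asa_cfg, "vpns")}


if __name__ == "__main__":
    fix = "same-security-traffic permit intra-interface\n"
    for label, asa in (("as posted", ASA_EXCERPT), ("with the fix", ASA_EXCERPT + fix)):
        print(label, lint(PIX_EXCERPT, asa))
```

On the excerpts as posted, the mirror check finds nothing missing on the ASA but flags the extra `any -> 192.168.27.0/24` entry in vpns (a catch-all that belongs in a NAT-exemption ACL rather than a crypto ACL), and the hairpin check reports the 192.168.27.0/24 pool riding the tunnel with intra-interface traffic not yet permitted; adding the one line from the replies clears that second finding.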
