I've recently installed an ASA 5505 to connect several sites via site-to-site VPN which is working just fine. I also required remote access VPN for users which has also been configured using L2TP/IPSec. However, I'm having trouble with the configuration to allow the remote access users to access systems on any of the site-VPN connected networks. Here's the general layout in a hub/spoke configuration:
10.100.20.0/24 – central office (hub)
10.100.50.0/24 – remote office 1
10.100.60.0/24 – remote office 2
10.100.70.0/24 – remote office 3
10.200.0.0/24 – remote access pool
The central office can communicate with any remote office and all remote offices can communicate with the central office. The remote access users can communicate only with the central office which is their VPN (L2TP) endpoint.
I'm curious what NAT and/or routing configuration I need to consider to allow the remote access users to access any of the connected remote offices?
Many thanks in advance!
Chris
HERE IS THE CONFIG (with necessary obfuscation):
ASA Version 8.2(1)
!
hostname ciscoasa
enable password ***** encrypted
passwd ***** encrypted
names
name 208.67.222.222 opendns1
name 208.67.220.220 opendns2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.20.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server opendns2
name-server opendns1
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network opendns-servers
network-object host opendns2
network-object host opendns1
access-list outside_1_cryptomap extended permit ip 10.100.20.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.100.20.0 255.255.255.0 10.100.60.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.100.20.0 255.255.255.0 10.100.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.100.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.100.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list inside_access_in extended permit object-group TCPUDP any object-group opendns-servers eq domain
access-list inside_access_in extended permit object-group TCPUDP host 10.100.20.1 any eq domain
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended deny ip any any
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.20.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 300
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA-pool 10.200.0.1-10.200.0.50 mask 255.255.255.0
ip local pool test-pool 10.100.20.200-10.100.20.209 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any echo outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.100.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 2.2.2.2
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 3.3.3.3
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol IPSec l2tp-ipsec
ip-comp disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
webvpn
svc ask enable
username user1 password ***** nt-encrypted privilege 15
username user1 attributes
vpn-group-policy DefaultRAGroup
username user2 password ***** nt-encrypted
username user2 attributes
vpn-group-policy DefaultRAGroup
service-type remote-access
username user3 password ***** encrypted
username user3 attributes
vpn-group-policy DefaultRAGroup
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool RA-pool
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool RA-pool
dhcp-server 10.100.20.254
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:e78f2c61bd1c3b5dea31af3782a04b51
: end
Best Answer
This:
combined with this:
is allowing only traffic on 10.100.20.0 onto the splitTunnel. So a VPN client tries to connect to one of your other private IPs, and actually gets routed outside the tunnel, to the Internet. Not what you want.
Add your other private IPs to the tunnel with:
for all of your other private IPs.
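For the layout in the question, an added example (not the answer's own lines and not from the poster's config) of the split-tunnel entries the answer describes, together with the crypto-ACL and NAT-exemption lines the hub also needs before the same RA-pool traffic will actually ride the site-to-site tunnels. It assumes the spoke ASAs get the mirror-image crypto and nat0 entries (spoke LAN to 10.200.0.0/24), which are not shown on the page, and that a test client holds 10.200.0.1.

```cisco
! 1. Split tunnel: send the spoke networks into the L2TP/IPsec tunnel
!    instead of out to the Internet (the answer's fix).
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.50.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.60.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.70.0 255.255.255.0
!
! 2. Crypto ACLs: each site-to-site SA must also carry RA-pool <-> spoke
!    traffic, or the hub has no proxy identity for it and drops the packet.
!    (Assumed: each spoke adds the mirrored line, spoke LAN -> 10.200.0.0/24.)
access-list outside_1_cryptomap extended permit ip 10.200.0.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.200.0.0 255.255.255.0 10.100.60.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.200.0.0 255.255.255.0 10.100.70.0 255.255.255.0
!
! 3. NAT exemption on outside: the flow enters and leaves via the outside
!    interface, so it must be excluded from the dynamic PAT in
!    "global (outside) 1". The posted config already applies this ACL with
!    "nat (outside) 0 access-list outside_nat0_outbound outside".
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.60.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.70.0 255.255.255.0
!
! 4. Hairpinning (outside -> outside) is already permitted in the posted
!    config; shown here only so the dependency is visible.
same-security-traffic permit intra-interface
!
! Checks once a client is connected (assumed client address 10.200.0.1):
!   show crypto ipsec sa peer 1.1.1.1
!     -> an SA with local ident 10.200.0.0/24 and remote ident 10.100.50.0/24
!   packet-tracer input outside tcp 10.200.0.1 12345 10.100.50.10 445
!     -> the NAT phase should show the nat0 exemption, and the result "allow"
```

If the packet-tracer output shows the flow hitting the dynamic PAT rule instead of the exemption, the outside_nat0_outbound entry for that spoke is the one missing.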