I need to force dial-in VPN clients dialing in to site1 to access a certain range of IP addresses (external addresses, part of a DMZ on site2) via the site-site VPN tunnel to site2 rather than via the Internet. Local users on site1 can do this but users connected to site1 via a dial-in VPN connection cannot.
I tried to add the rule:
access-list test_acl extended permit ip KFC-VPN-Clients 255.255.255.0 object-group KFC-hk-vlans
This doesn't seem to have worked. Full config is attached below.
: Saved
: Written by enable_15 at 20:31:36.677 UTC Fri Oct 31 2008
!
ASA Version 7.1(2)
!
hostname KFC-KST-ASA-001
domain-name kfc.local
enable password xxx encrypted
names
name 172.16.11.252 INT_KFC-KST-ASA-001
name 79.111.222.333 EXT_KFC-KST-ASA-001
name 193.111.222.333 EXT_KFC-CRO-ASA-001
name 85.111.222.333 EXT_SUP-Remote
name 172.16.10.0 INT_Server-VLAN
name 2.2.10.0 WAP-DMZ-Net
name 79.111.222.331 EXT_KFC-KST-VCC-001
name 172.16.11.110 INT_KFC-KST-VCC-001
name 211.127.166.330 EXT_KFC-HKO-VCC-001
name 193.111.222.334 EXT_KFC-CRO-VCC-001
name 208.111.222.333 EXT_KFC-USA-FW
name 10.21.0.0 EXT_KFC-USA-Servers
name 79.111.222.332 webmail.domain1.com
name 79.111.222.334 webmail.domain2.com
name 192.168.10.249 INT_KFC-CRO-BAR-001
name 79.111.222.335 EXT_KFC-CRO-BAR-001
name 193.111.222.333 EXT_KFC_CRO-ASA-001
name 1.1.10.0 KFC-VPN-Clients
!
interface Ethernet0/0
nameif outside
security-level 0
ip address EXT_KFC-KST-ASA-001 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address INT_KFC-KST-ASA-001 255.255.254.0
!
interface Ethernet0/2
nameif WAP_DMZ
security-level 4
ip address 2.2.10.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx.xxx encrypted
banner login ----------------------------------------------
banner login ! THIS DEVICE IS PART OF A PRIVATE NETWORK !
banner login !----------------------------------------------!
banner login ! Unauthorised access or use of this equipment !
banner login ! is prohibited and constitutes an offence !
banner login ! under the Computer Misuse Act 1990. !
banner login ! If you are not authorised to use this !
banner login ! system, terminate this session now. !
banner login !----------------------------------------------!
banner login ! All Access to this system is logged for !
banner login ! Security purposes !
banner login !----------------------------------------------!
ftp mode passive
dns server-group DefaultDNS
domain-name kfc.local
object-group network KFC-kst-vlans
network-object INT_Server-VLAN 255.255.254.0
network-object 172.16.12.0 255.255.254.0
network-object 172.16.14.0 255.255.254.0
network-object 192.168.10.0 255.255.255.0
network-object 172.16.0.0 255.255.254.0
network-object 172.16.2.0 255.255.254.0
object-group network KFC-cro-vlans
network-object 172.16.4.0 255.255.254.0
network-object 192.168.2.0 255.255.255.0
object-group network KFC-hk-vlans
network-object 10.0.167.0 255.255.255.0
network-object 211.127.166.145 255.255.255.255
network-object 211.127.166.146 255.255.255.255
network-object 211.127.166.147 255.255.255.255
network-object 211.127.166.148 255.255.255.255
network-object 211.127.166.149 255.255.255.255
network-object 211.127.166.150 255.255.255.255
network-object 211.127.166.152 255.255.255.255
network-object 211.127.166.153 255.255.255.255
network-object 211.127.166.155 255.255.255.255
network-object 211.127.166.156 255.255.255.255
network-object 211.127.166.157 255.255.255.255
network-object 211.127.166.158 255.255.255.255
object-group service KFC-vcc-services tcp
port-object range 3230 3235
port-object eq h323
object-group service KFC-vcc-services_udp udp
port-object range 3230 3258
object-group network webmail_servers
network-object webmail.domain2.com 255.255.255.255
network-object webmail.domain1.com 255.255.255.255
object-group service webmail_services_tcp tcp
port-object eq https
object-group service rdp_services_tcp tcp
port-object range 65001 65010
object-group network webmail_servers_real
network-object 172.16.0.103 255.255.255.255
network-object 172.16.0.108 255.255.255.255
access-list inside_out_acl extended permit ip object-group KFC-kst-vlans any
access-list nonat_acl extended permit ip object-group KFC-kst-vlans object-group KFC-cro-vlans
access-list nonat_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans
access-list nonat_acl extended permit ip object-group KFC-kst-vlans WAP-DMZ-Net 255.255.255.0
access-list nonat_acl extended permit ip object-group KFC-kst-vlans EXT_KFC-USA-Servers 255.255.0.0
access-list nonat_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 echo-reply
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 traceroute
access-list outside_in_acl extended permit icmp any 79.111.222.333 255.255.255.128 unreachable
access-list outside_in_acl extended permit tcp host EXT_KFC-HKO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services
access-list outside_in_acl extended permit udp host EXT_KFC-HKO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services_udp
access-list outside_in_acl extended permit tcp host EXT_KFC-CRO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services
access-list outside_in_acl extended permit udp host EXT_KFC-CRO-VCC-001 host EXT_KFC-KST-VCC-001 object-group KFC-vcc-services_udp
access-list outside_in_acl extended permit tcp any object-group webmail_servers object-group webmail_services_tcp
access-list outside_in_acl extended permit tcp any host EXT_KFC-CRO-BAR-001 eq smtp
access-list outside_in_acl extended permit tcp host EXT_SUP-Remote host EXT_KFC-KST-ASA-001 object-group rdp_services_tcp
access-list outside_in_acl extended permit tcp any host EXT_KFC-CRO-BAR-001 eq https
access-list kst_cro_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-cro-vlans
access-list kst_hk_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans
access-list wap_dmz_out_acl extended permit udp WAP-DMZ-Net 255.255.255.0 host 172.16.10.101 eq domain
access-list wap_dmz_out_acl extended permit tcp WAP-DMZ-Net 255.255.255.0 host 172.16.0.108 eq https
access-list wap_dmz_out_acl extended permit tcp WAP-DMZ-Net 255.255.255.0 host 172.16.0.103 eq https
access-list wap_dmz_out_acl extended deny ip WAP-DMZ-Net 255.255.255.0 object-group KFC-kst-vlans
access-list wap_dmz_out_acl extended permit ip WAP-DMZ-Net 255.255.255.0 any
access-list wap_dmz_nonat_acl extended permit ip WAP-DMZ-Net 255.255.255.0 object-group KFC-kst-vlans
access-list vpn_split_tunnel_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0
access-list kst-usa_acl extended permit ip object-group KFC-kst-vlans EXT_KFC-USA-Servers 255.255.0.0
pager lines 24
logging enable
logging console warnings
logging trap debugging
logging asdm warnings
logging host inside 172.16.10.101
logging message 100000 level debugging
mtu outside 1500
mtu inside 1500
mtu WAP_DMZ 1500
mtu management 1500
ip local pool VPN-DHCPPool 1.1.10.1-1.1.10.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp permit any outside
asdm image disk0:/asdm-512.bin
asdm location EXT_KFC-USA-Servers 255.255.0.0 outside
asdm group KFC-kst-vlans inside
asdm group KFC-cro-vlans outside
asdm group KFC-hk-vlans outside
asdm group webmail_servers_real inside
asdm group webmail_servers outside reference webmail_servers_real
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP_DMZ) 0 access-list wap_dmz_nonat_acl
nat (WAP_DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65001 172.16.0.101 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65002 172.16.0.102 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65004 172.16.0.104 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65005 172.16.0.105 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65006 172.16.0.106 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65007 172.16.0.107 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT_KFC-KST-ASA-001 65009 172.16.10.101 3389 netmask 255.255.255.255
static (inside,outside) EXT_KFC-KST-VCC-001 INT_KFC-KST-VCC-001 netmask 255.255.255.255
static (inside,outside) webmail.domain1.com 172.16.0.108 netmask 255.255.255.255
static (inside,outside) webmail.domain2.com 172.16.0.103 netmask 255.255.255.255
static (inside,outside) EXT_KFC-CRO-BAR-001 INT_KFC-CRO-BAR-001 netmask 255.255.255.255
access-group outside_in_acl in interface outside
access-group inside_out_acl in interface inside
access-group wap_dmz_out_acl in interface WAP_DMZ
route outside 0.0.0.0 0.0.0.0 79.173.146.129 1
route inside 192.168.10.0 255.255.255.0 172.16.11.254 1
route inside 172.16.2.0 255.255.254.0 172.16.11.254 1
route inside 172.16.0.0 255.255.254.0 172.16.11.254 1
route inside 172.16.12.0 255.255.254.0 172.16.11.254 1
route inside 172.16.14.0 255.255.254.0 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SDI protocol sdi
aaa-server SDI host 192.168.10.250
retry-interval 3
timeout 13
group-policy VPN-Client internal
group-policy VPN-Client attributes
dns-server value 172.16.0.101 172.16.0.102
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split_tunnel_acl
default-domain value KFC.local
split-dns value KFC.local
username Admin password xxx encrypted
username VPNUser password xxx encrypted privilege 1
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http INT_Server-VLAN 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN-DYNMap 10 set transform-set AES-128-MD5
crypto map VPNMap 10 match address kst_cro_vpn_acl
crypto map VPNMap 10 set peer EXT_KFC_CRO-ASA-001
crypto map VPNMap 10 set transform-set AES-128-MD5
crypto map VPNMap 20 match address kst-usa_acl
crypto map VPNMap 20 set peer EXT_KFC-USA-FW
crypto map VPNMap 20 set transform-set 3DES-MD5
crypto map VPNMap 30 match address kst_hk_vpn_acl
crypto map VPNMap 30 set peer 211.111.222.333
crypto map VPNMap 30 set transform-set 3DES-MD5
crypto map VPNMap 65535 ipsec-isakmp dynamic VPN-DYNMap
crypto map VPNMap interface outside
crypto ca trustpoint CA1
enrollment self
fqdn vpn.domain2.com
subject-name CN=KFC-KST-ASA-001
crl configure
crypto ca certificate chain CA1
certificate 31
xxx
quit
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group 193.111.222.333 type ipsec-l2l
tunnel-group 193.111.222.333 ipsec-attributes
pre-shared-key croxxx
tunnel-group 211.111.222.333 type ipsec-l2l
tunnel-group 211.111.222.333 ipsec-attributes
pre-shared-key hkxxx
tunnel-group VPN-Client type ipsec-ra
tunnel-group VPN-Client general-attributes
address-pool VPN-DHCPPool
authentication-server-group SDI
default-group-policy VPN-Client
tunnel-group VPN-Client ipsec-attributes
pre-shared-key xxx
tunnel-group 208.111.222.333 type ipsec-l2l
tunnel-group 208.111.222.333 ipsec-attributes
pre-shared-key xxx
telnet timeout 5
ssh EXT_SUP-Remote 255.255.255.255 outside
ssh EXT_KFC_CRO-ASA-001 255.255.255.255 outside
ssh INT_Server-VLAN 255.255.254.0 inside
ssh 172.16.12.0 255.255.254.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
priority-queue inside
tx-ring-limit 256
!
class-map inside-class
match dscp ef
match tunnel-group 193.111.222.333
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect h323 ras
inspect h323 h225
policy-map inside-QoS
class inside-class
priority
!
service-policy global_policy global
service-policy inside-QoS interface inside
Cryptochecksum:xxx
: end
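Added example, not code from the original post: a small Python checker that reads a constructed excerpt of the posted ASA config and reports which of the pieces the remote-access-to-LAN-to-LAN design needs are still missing (the intra-interface permit, the peer's networks in the split-tunnel list, and the client pool in the crypto map ACL, which the remote peer must mirror). The pool 1.1.10.0/24 is taken from the posted ip local pool; the three checks follow the usual ASA recipe for this design and are my assumptions about the fix, not something the post states.

```python
"""Added example (not from the original post): check an ASA 7.x config for what
remote-access clients need to reach a site-to-site peer's LAN via the hub."""
import ipaddress

# Constructed excerpt of the posted config, reduced to the lines read below.
CONFIG = """\
name 1.1.10.0 KFC-VPN-Clients
object-group network KFC-kst-vlans
 network-object 172.16.10.0 255.255.254.0
object-group network KFC-hk-vlans
 network-object 10.0.167.0 255.255.255.0
 network-object 211.127.166.145 255.255.255.255
access-list kst_hk_vpn_acl extended permit ip object-group KFC-kst-vlans object-group KFC-hk-vlans
access-list vpn_split_tunnel_acl extended permit ip object-group KFC-kst-vlans KFC-VPN-Clients 255.255.255.0
crypto map VPNMap 30 match address kst_hk_vpn_acl
split-tunnel-network-list value vpn_split_tunnel_acl
"""

def _operand(w, i, names, groups):
    """Decode the ACE address operand at w[i]: any | host X | object-group G | X MASK."""
    if w[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if w[i] == "host":
        return [ipaddress.ip_network(names.get(w[i + 1], w[i + 1]))], i + 2
    if w[i] == "object-group":
        return list(groups[w[i + 1]]), i + 2
    net = f"{names.get(w[i], w[i])}/{w[i + 1]}"          # 'name' aliases resolve here
    return [ipaddress.ip_network(net, strict=False)], i + 2

def parse(config):
    """Collect names, network groups, 'permit ip' ACEs and the hairpin-relevant globals."""
    st = {"names": {}, "groups": {}, "acls": {}, "crypto_acls": [],
          "split_acl": None, "intra": False}
    group = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "network-object" and group is not None:
            st["groups"][group] += _operand(w, 1, st["names"], st["groups"])[0]
            continue
        group = None                      # any other command ends the group block
        if w[0] == "name":
            st["names"][w[2]] = w[1]
        elif w[:2] == ["object-group", "network"]:
            group = w[2]
            st["groups"][group] = []
        elif w[0] == "access-list" and w[3:5] == ["permit", "ip"]:
            src, i = _operand(w, 5, st["names"], st["groups"])
            dst, _ = _operand(w, i, st["names"], st["groups"])
            st["acls"].setdefault(w[1], []).append((src, dst))
        elif w[:2] == ["crypto", "map"] and "match" in w:
            st["crypto_acls"].append(w[-1])
        elif w[0] == "split-tunnel-network-list":
            st["split_acl"] = w[-1]
        elif w[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            st["intra"] = True
    return st

def _covered(nets, by):
    """True if every network in `nets` lies inside some network in `by`."""
    return all(any(n.subnet_of(b) for b in by) for n in nets)

def hairpin_gaps(config, pool, remote_group):
    """List what clients in `pool` (CIDR) still lack to reach `remote_group` via the L2L tunnel."""
    st = parse(config)
    pool = ipaddress.ip_network(pool)
    remote = st["groups"][remote_group]
    gaps = []
    if not st["intra"]:  # client traffic enters and must leave on 'outside'
        gaps.append("same-security-traffic permit intra-interface")
    # The split-tunnel list hands each ACE's *source* networks to the client.
    if not any(_covered(remote, src) for src, _ in st["acls"].get(st["split_acl"], [])):
        gaps.append(f"{st['split_acl']}: add the {remote_group} networks as source")
    if not any(_covered([pool], src) and _covered(remote, dst)
               for a in st["crypto_acls"] for src, dst in st["acls"].get(a, [])):
        gaps.append(f"crypto map match ACL: permit ip {pool} -> {remote_group} "
                    "(mirror it on the remote peer)")
    return gaps
```

Run against the excerpt it reports all three pieces missing, which matches why the posted test_acl alone changes nothing. NAT is not checked: the code assumes nat-control is left at its 7.x default (disabled), so no nat (outside) 0 exemption is needed unless that has been turned on.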