Hello,
I'm having problems setting up a Remote Access and Site-to-Site VPN at the exact same time. If I have RA configured, then my site-to-site stops even trying to connect and stops working. If I have site-to-site configured, then the RA stops working. I want to be able to access all subnets from all locations to the other sites. One big circle of traffic. So if I'm at the Primary Site I want to be able to talk to remote access devices and the DR Site. If I remote access into the Primary Site I want access to 10.1.2.0/24 at the Primary Site and 10.1.3.0/24 at the DR Site.
Topology:
Remote Access <-> Primary ASA device (Primary Site) <-> Site to Site VPN <-> DR Site
Remote Access:
10.3.2.0/24 to Primary ASA Device (Primary Site)
Primary ASA Device (Primary Site):
10.1.2.0/24 Behind ASA Device
DR Site:
10.1.3.0/24 Behind ASA Device
Primary ASA Device (Primary Site) Cisco Configuration:
asdm image disk0:/asdm-508.bin
asdm location 10.3.2.0 255.255.255.0 Outside
asdm location 10.1.3.0 255.255.255.0 Outside
asdm location 10.3.2.0 255.255.255.0 Inside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname PCAT-FW-HW-CP
domain-name XXXX
enable password xxx encrypted
passwd xxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 10.2.2.4 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif VRRP
security-level 100
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns name-server 205.171.3.65
dns name-server 4.2.2.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any host 10.2.2.10 eq https
access-list 100 extended permit tcp any host 10.2.2.10 eq smtp
access-list 100 extended permit tcp any host 10.2.2.10 eq www
access-list 100 extended permit tcp any host 10.2.2.10 eq 3389
access-list 100 extended permit tcp any host 10.2.2.10 eq pptp
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit tcp any any eq ssh
access-list 100 extended permit icmp any any traceroute
access-list 100 extended permit icmp any any echo
access-list Inside_nat0_outbound extended permit ip 10.3.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.3.2.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.3.2.0 255.255.255.0
access-list Outside_cryptomap_40 extended permit ip 10.3.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Outside_cryptomap_40 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.3.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.3.2.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list pcat-staff_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0
access-list pcat-staff_splitTunnelAcl standard permit 10.1.3.0 255.255.255.0
access-list VRRP_access_in extended permit icmp any any unreachable
access-list 1 standard permit any
access-list 101 extended permit icmp any any echo
access-list Outside_cryptomap_20 extended permit ip 10.3.2.0 255.255.255.0 10.1.3.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list logwarning level warnings
logging list logall level debugging
logging console emergencies
logging buffered debugging
logging trap notifications
logging asdm logall
mtu Outside 1500
mtu Inside 1500
mtu VRRP 1500
mtu management 1500
ip local pool VPN_USERS 10.3.2.2-10.3.2.254 mask 255.255.255.0
icmp permit any Outside
icmp permit any echo Outside
icmp permit any echo-reply Outside
icmp permit any Inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 10.2.2.10 smtp 10.1.2.18 smtp netmask 255.255.255.255
static (Inside,Outside) tcp 10.2.2.10 https 10.1.2.19 https netmask 255.255.255.255
static (Inside,Outside) tcp 10.2.2.10 255.255.255.255
static (Inside,Outside) tcp 10.2.2.10 3389 10.1.2.19 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 10.2.2.10 pptp 10.1.2.19 pptp netmask 255.255.255.255
access-group 100 in interface Outside
access-group VRRP_access_in in interface VRRP
route Outside 0.0.0.0 0.0.0.0 10.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy pcat-staff internal
group-policy pcat-staff attributes
dns-server value 205.171.3.65 205.171.2.65
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pcat-staff_splitTunnelAcl
default-domain value XXXX
webvpn
username pcatmaster password xxx encrypted privilege 15
username pcatmaster attributes
vpn-group-policy pcat-staff
vpn-tunnel-protocol IPSec webvpn
webvpn
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC-MAP 20 set transform-set ESP-3DES-SHA
crypto dynamic-map DYNAMIC-MAP 20 set security-association lifetime seconds 28800
crypto dynamic-map DYNAMIC-MAP 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC-MAP 20 set reverse-route
crypto dynamic-map Outside_dyn_map_1 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_1 60 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map_1 60 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP 40 set transform-set ESP-3DES-SHA
crypto map VPN-MAP 40 set security-association lifetime seconds 28800
crypto map VPN-MAP 40 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP 65535 set transform-set ESP-3DES-SHA
crypto map VPN-MAP 65535 set security-association lifetime seconds 28800
crypto map VPN-MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map_1 20 set transform-set ESP-3DES-SHA
crypto map Outside_map_1 20 set security-association lifetime seconds 28800
crypto map Outside_map_1 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 20 set peer xxx.xxx.xxx.197
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map outside_map 20 match address Outside_20_cryptomap
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group xxx.xxx.xxx.197 type ipsec-l2l
tunnel-group xxx.xxx.xxx.197 ipsec-attributes
pre-shared-key *
tunnel-group pcat-staff type ipsec-ra
tunnel-group pcat-staff general-attributes
address-pool VPN_USERS
default-group-policy pcat-staff
tunnel-group pcat-staff ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 Outside
telnet 10.1.2.0 255.255.255.0 Inside
telnet 10.2.2.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access Inside
dhcpd address 10.1.2.200-10.1.2.249 Inside
dhcpd dns 10.1.2.19 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain XXXX
dhcpd auto_config Inside
dhcpd enable Inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:56150a205fc7e2a753d528fc5da86e06
: end
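The following is an added example of a consolidated crypto configuration for the primary ASA; it is not part of the original post and not a reply from the forum. It reuses the names, subnets, transform set and peer placeholder from the posted config and assumes the same ASA 7.0 syntax. The DR-side ASA is assumed to carry the mirror image (a crypto ACL listing 10.1.3.0/24 to 10.1.2.0/24 and 10.3.2.0/24, plus a matching NAT exemption); that side is not shown. Three points in the posted config drive the changes. First, crypto map names are case-sensitive, and `match address` is attached to `outside_map 20` while the map bound to the interface is `Outside_map`, so the bound static entry has a peer but no crypto ACL. Second, a crypto ACL lists local-to-remote traffic only and the ASA mirrors it for the inbound direction, so the two `Outside_20_cryptomap` entries with 10.1.2.0/24 as the destination claim the DR network and the RA pool as local networks. Third, remote-access traffic bound for the DR site enters and leaves on Outside (a hairpin), so it needs `same-security-traffic permit intra-interface` (already present) and a NAT exemption applied on Outside, because `nat (Inside) 0` only covers traffic entering Inside.

```cisco
! Added example, not the posted config. Assumes ASA 7.0 syntax and the names used in the post.
!
! L2L crypto ACL: local networks -> DR only. The RA pool (10.3.2.0/24) is included
! so that hairpinned remote-access traffic is carried over the site-to-site SA.
clear configure access-list Outside_20_cryptomap
access-list Outside_20_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.3.2.0 255.255.255.0 10.1.3.0 255.255.255.0
!
! NAT exemption for traffic entering Outside and leaving Outside (RA <-> DR).
! The existing Inside_nat0_outbound list already covers Inside <-> DR and Inside <-> RA.
access-list Outside_nat0_outbound extended permit ip 10.3.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list Outside_nat0_outbound extended permit ip 10.1.3.0 255.255.255.0 10.3.2.0 255.255.255.0
nat (Outside) 0 access-list Outside_nat0_outbound
!
! Hairpin (in and out of the same interface) is only permitted with this; it is already set.
same-security-traffic permit intra-interface
!
! One crypto map on Outside: a static entry for the DR peer (lower sequence number)
! followed by the dynamic entry for remote-access clients (highest sequence number).
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer xxx.xxx.xxx.197
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
!
! The remaining maps in the post are never bound to an interface; removing them avoids
! editing the wrong map later. (Optional cleanup.)
no crypto map outside_map 20
no crypto map VPN-MAP 40
no crypto map VPN-MAP 65535
no crypto map Outside_map_1 20
no crypto dynamic-map DYNAMIC-MAP 20
no crypto dynamic-map Outside_dyn_map_1 60
```

After applying it, `show run crypto map` should list only `Outside_map` with entry 20 (peer, ACL, transform set) and entry 65535 (dynamic). Bring the L2L up by sending traffic from 10.1.2.0/24 to 10.1.3.0/24 and confirm with `show crypto isakmp sa` and `show crypto ipsec sa`; with a remote-access client connected, the `show crypto ipsec sa` output for the DR peer should also show a 10.3.2.0/24 to 10.1.3.0/24 local/remote identity once the client sends traffic toward the DR network.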