Remote 1841 VPN to HQ ASA 5520 with VPN Client.


l33byt1980

Vendor
Apr 17, 2008
Hello,

Wondering if someone can assist.
From a remote VPN client I need to ping my HQ and stuff on the Remote site.

Here is most of my setup.

VPN Client: 172.16.100.0
HQ: 192.168.0.0
Remote: 192.168.55.0

If I build the VPN Client access on the HQ and add the IPsec rules for both
192.168.0.0 - 192.168.55.0
172.16.100.0 - 172.16.100.0 Networks on the firewall


And on the remote 1841 add an access list
192.168.55.0 - 192.168.0.0
192.168.55.0 - 172.16.100.0

I can work on HQ resources fine, but cannot access anything on the remote site.

Is what I am doing possible?
What am I missing?



ACA - IPOffice implement
ACA - IP Telephony
CCNA - Passed at last
 
It would be more helpful to see your full configs, but I'm just guessing that you aren't bypassing NAT from either the 1841 or the ASA for the IP Pool. If you could post your scrubbed configs from both devices we can verify.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
My 1841 Rules.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address aaa.aaa.aaa.aaa
crypto isakmp identity hostname
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto map main_map 10 ipsec-isakmp
set peer aaa.aaa.aaa.aaa
set transform-set set1
match address 102

ip nat inside source route-map nonat interface Multilink1 overload


access-list 102 remark ### Traffic Match for VPN ###
access-list 102 permit ip LOCAL 0.0.0.255 HQ SUB 0.0.0.255
access-list 102 remark ### Traffic Match RUVPN - CAMERAS ###
access-list 102 permit ip LOCAL 0.0.0.255 REMOTE VPN SUB 0.0.0.255
access-list 102 remark ### Traffic Match for VPN ###
access-list 102 remark ### Traffic Match RUVPN - CAMERAS ###
access-list 103 remark ### Nat exemption for VPN ###
access-list 103 deny ip LOCAL 0.0.0.255 HQ SUB 0.0.0.255
access-list 103 deny ip LOCAL 0.0.0.255 REMOTE VPN SUB 0.0.0.255
access-list 103 permit ip LOCAL 0.0.0.255 any
access-list 103 remark ### Nat exemption for VPN ###

route-map nonat permit 10
match ip address 103



ACA - IPOffice implement
ACA - IP Telephony
CCNA - Passed at last
 
pix


!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address aaa.aaa.aaa.aaa 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address iii.iii.iii.iii 255.255.255.0
!
!

same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.100.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 192.168.23.0 255.255.255.0 192.168.55.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPool 172.16.100.1-172.16.100.255 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.100.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.23.0 255.255.255.0
static (inside,outside) ccc.ccc.ccc.ccc 192.168.0.41 netmask 255.255.255.255
static (inside,outside) ddd.ddd.ddd.ddd 192.168.0.46 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ggg.ggg.ggg.ggg 1
route inside 192.168.1.0 255.255.255.0 192.168.0.41 1
route inside 192.168.23.0 255.255.255.0 192.168.0.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20_2
crypto map outside_map 20 set peer remote 1841
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group remote 1841 type ipsec-l2l
tunnel-group remote 1841 ipsec-attributes
pre-shared-key xxxxxxxxxxxxx
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

ACA - IPOffice implement
ACA - IP Telephony
CCNA - Passed at last
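Added example, not code from the thread: a small Python checker that parses both peers' crypto ACLs as posted above (IOS wildcard syntax on the 1841, netmask syntax on the ASA), lists crypto-map entries that have no mirror image on the other side, and checks that the 1841's NAT-exemption ACL covers its crypto traffic, which is what the reply about bypassing NAT is asking about. It assumes the 1841's placeholders map to the subnets given in the first post (LOCAL=192.168.55.0/24, HQ SUB=192.168.0.0/24, REMOTE VPN SUB=172.16.100.0/24).

```python
import ipaddress
import re
# Constructed sample, copied from the ASA crypto-map ACL posted in the thread.
ASA_CRYPTO = """
access-list outside_cryptomap_20_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.100.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 192.168.23.0 255.255.255.0 192.168.55.0 255.255.255.0
"""
# Constructed sample: the 1841's ACL 102 (crypto match) and 103 (NAT exemption), placeholders filled in (assumed: LOCAL=192.168.55.0, HQ SUB=192.168.0.0, REMOTE VPN SUB=172.16.100.0).
IOS_CRYPTO = """
access-list 102 permit ip 192.168.55.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.55.0 0.0.0.255 172.16.100.0 0.0.0.255
"""
IOS_NONAT = """
access-list 103 deny ip 192.168.55.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 deny ip 192.168.55.0 0.0.0.255 172.16.100.0 0.0.0.255
"""
def _take(tokens, wildcard):  # pop 'any' or 'addr mask' off the token list and return an IPv4Network
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    mask = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wildcard:  # IOS ACLs use wildcard bits; invert them to get the subnet mask
        mask ^= 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(text, action, wildcard):
    """Collect (src, dst) network pairs from 'access-list ... <action> ip ...' lines."""
    pairs = set()
    for line in text.strip().splitlines():
        m = re.match(rf"^access-list \S+ (?:extended )?{action} ip (.+)$", line.strip())
        if m:
            tokens = m.group(1).split()
            pairs.add((_take(tokens, wildcard), _take(tokens, wildcard)))
    return pairs

def missing_mirrors(local, peer):
    """Crypto-ACL entries on 'local' (as 'src->dst') whose reverse the peer does not have."""
    return sorted(f"{s}->{d}" for s, d in local if (d, s) not in peer)

def unexempted(crypto, exempt):
    """Crypto-ACL entries not covered by any NAT-exemption entry (by subnet containment)."""
    return sorted(f"{s}->{d}" for s, d in crypto if not any(s.subnet_of(a) and d.subnet_of(b) for a, b in exempt))

if __name__ == "__main__":
    asa, ios = parse_acl(ASA_CRYPTO, "permit", False), parse_acl(IOS_CRYPTO, "permit", True)
    print("ASA crypto entries the 1841 does not mirror:", missing_mirrors(asa, ios))
    print("1841 crypto traffic its NAT exemption misses:", unexempted(ios, parse_acl(IOS_NONAT, "deny", True)))
```

With the subnets as posted, the 1841 ACL mirrors only the HQ and VPN-pool entries, so the script lists the ASA's 192.168.1.0/24 and 192.168.23.0/24 entries as unmirrored.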
 
On the 1841, is the 172.16.100.x/24 network listed in your routing table??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
It is, via a default route 0.0.0.0 0.0.0.0 to the dialler.
Does this need to change?

ACA - IPOffice implement
ACA - IP Telephony
CCNA - Passed at last
 
I always like to enable reverse-route injection for L2L tunnels. On the PIX, add:
Code:
crypto map outside_map 20 set reverse-route
On the 1841 add:
Code:
crypto map main_map 10 ipsec-isakmp
  reverse-route
This way I know that the proper routes are installed. Also, can you include sh crypto isakmp sa and sh crypto ipsec sa on both devices?? I'd like to see the statistics.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 