
SSLVPN To Cisco 5505 Access To Networks Across IPSec VPN

Status
Not open for further replies.

TheHead1 (Technical User), Aug 29, 2011
I'm very new to Cisco ASAs and their setup/configuration.

I've set up a basic SSLVPN with both web mode and tunnel mode to demo this for a client we support. It's set up on an ASA in one of their locations.

This ASA5505 has a fully-meshed IPsec VPN to their other sites.

Each site has its own IP range configured.

I've successfully got the SSLVPN set up and allowing access to the network where the ASA is located.

Is there an easy way to set this up so that users connected via SSLVPN can also access the networks that are reachable over the IPsec VPN tunnels?

I've tried a few things, like adding networks to allow tunnelling to, etc., but can't seem to make this work.

They are using version 8.2 of the ASA software.

Thanks,
TheHead1

 
Post your scrubbed config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
OK, the scrubbed config is attached:

: Saved
:
ASA Version 8.2(1)
!
hostname Site1ASA
domain-name Headoffice.com
enable password e7.D8Mt0Gf59hF2M encrypted
passwd e7.D8Mt0Gf59hF2M encrypted
names
name 192.168.30.9 Server1
name 192.168.30.0 Colo-LAN
name 10.0.0.0 HO-LAN
name Site2PublicIP Site2-ASA
name 192.168.50.0 Site2-LAN
name 192.168.20.0 Site3-LAN
name 192.168.40.0 Site4-LAN
name ColoPubIP IPAddress1
name 192.168.30.6 Server2
name 192.168.30.7 Server3
name Site3PublicIP Site3-ASA
name Site4PublicIP Site4-ASA
name 10.1.100.0 SupportLAN
name HOPubIP HO-ASA
name 192.168.30.43 Exchange
name SupportPubIP SupportFW
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address IPAddress1 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server Server2
 domain-name Headoffice.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Exchange tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
 port-object eq imap4
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host ColoPubIP2 eq 3389
access-list outside_access_in extended permit tcp any host IPAddress1 object-group Exchange
access-list outside_access_in extended permit tcp any host IPAddress1 eq 3443
access-list outside_access_in extended permit gre any host ColoPubIP2
access-list outside_access_in extended permit tcp any host ColoPubIP2 eq pptp
access-list outside_access_in extended permit tcp any host ColoPubIP2 eq ftp-data
access-list outside_access_in extended permit tcp any host ColoPubIP2 eq ftp
access-list outside_1_cryptomap extended permit ip Colo-LAN 255.255.255.0 HO-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Colo-LAN 255.255.255.0 SupportLAN 255.255.252.0
access-list inside_nat0_outbound extended permit ip Colo-LAN 255.255.255.0 HO-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Colo-LAN 255.255.255.0 Site2-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Colo-LAN 255.255.255.0 Site3-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Colo-LAN 255.255.255.0 Site4-LAN 255.255.255.0
access-list inside_nat0_outbound remark SSLVPN
access-list inside_nat0_outbound extended permit ip Colo-LAN 255.255.255.0 192.168.31.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip Colo-LAN 255.255.255.0 Site2-LAN 255.255.255.0
access-list outside_4_cryptomap extended permit ip Colo-LAN 255.255.255.0 Site3-LAN 255.255.255.0
access-list outside_5_cryptomap extended permit ip Colo-LAN 255.255.255.0 Site4-LAN 255.255.255.0
access-list outside_cryptomap extended permit ip Colo-LAN 255.255.255.0 SupportLAN 255.255.252.0
access-list InternalNet standard permit Colo-LAN 255.255.255.0
access-list InternalNet standard permit HO-LAN 255.255.255.0
access-list InternalNet standard permit Site4-LAN 255.255.255.0
access-list InternalNet standard permit Site2-LAN 255.255.255.0
access-list InternalNet standard permit Site3-LAN 255.255.255.0
access-list NONAT extended permit ip Colo-LAN 255.255.255.0 192.168.31.0 255.255.255.0
access-list NONAT extended permit ip HO-LAN 255.255.255.0 192.168.31.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test2 192.168.31.1-192.168.31.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Exchange 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Exchange pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 3443 Exchange 3443 netmask 255.255.255.255
static (inside,outside) tcp ColoPubIP2 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp ColoPubIP2 pptp Server1 pptp netmask 255.255.255.255
static (inside,outside) tcp ColoPubIP2 ftp-data Server2 ftp-data netmask 255.255.255.255
static (inside,outside) tcp ColoPubIP2 ftp Server2 ftp netmask 255.255.255.255
static (inside,outside) tcp ColoPubIP2 3389 Server2 3389 netmask 255.255.255.255
static (inside,outside) tcp ColoPubIP3 3389 Server3 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ColoGW 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http Colo-LAN 255.255.255.0 inside
http PubIP2 255.255.255.255 outside
http 192.168.0.0 255.255.0.0 inside
http HO-ASA 255.255.255.255 outside
http SupportFW 255.255.255.255 outside
snmp-server host outside SNMPPubIP poll community N3wpassw0rd
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer HO-ASA
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer SupportFW
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set nat-t-disable
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer Site2-ASA
crypto map outside_map 3 set transform-set ESP-DES-MD5
crypto map outside_map 3 set nat-t-disable
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer Site3-ASA
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map 4 set nat-t-disable
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer Site4-ASA
crypto map outside_map 5 set transform-set ESP-DES-MD5
crypto map outside_map 5 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.30.226-192.168.30.254 inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server outside PubIP2 Site1ASA.cfg
webvpn
 port 10443
 enable outside
 dtls port 10443
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy Test2GrpPolicy internal
group-policy Test2GrpPolicy attributes
 dns-server value 192.168.30.6
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 default-domain value Headoffice.com
 webvpn
  url-list none
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.30.6
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 intercept-dhcp enable
 webvpn
  svc modules value vpngina
  svc ask enable default svc timeout 30
username test2 password OifPFrHBj/hmFdNG encrypted privilege 0
username test2 attributes
 vpn-group-policy Test2GrpPolicy
 service-type remote-access
username test password OifPFrHBj/hmFdNG encrypted
username test attributes
 service-type remote-access
username Support password WFHq2Zm4dLUbCOFB encrypted privilege 15
username dneilan password dP5K2ABaSVFkIH8Q encrypted privilege 15
tunnel-group Site2PublicIP type ipsec-l2l
tunnel-group Site2PublicIP ipsec-attributes
 pre-shared-key *
tunnel-group SupportPubIP type ipsec-l2l
tunnel-group SupportPubIP ipsec-attributes
 pre-shared-key *
tunnel-group Site3PublicIP type ipsec-l2l
tunnel-group Site3PublicIP ipsec-attributes
 pre-shared-key *
tunnel-group Site4PublicIP type ipsec-l2l
tunnel-group Site4PublicIP ipsec-attributes
 pre-shared-key *
tunnel-group HOPubIP type ipsec-l2l
tunnel-group HOPubIP ipsec-attributes
 pre-shared-key *
tunnel-group Test#2 type remote-access
tunnel-group Test#2 general-attributes
 address-pool test2
 default-group-policy Test2GrpPolicy
tunnel-group Test#2 webvpn-attributes
 group-alias Test2SSLVPN enable
 group-url enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3fb98a1673f734d89709abb98624c916
: end
 