Cisco Remote client access to LAN2LAN

Discussion in 'General Computer Support' started by bumblefoot, Feb 13, 2010.

  1. bumblefoot

    Hi

    I have a site to site tunnel:
    172.25.25.0 > 10.77.1.0

    I am trying to get my VPN client network 172.25.24.64/27 to access the 10.77.1.0 network. The remote end is configured to accept access but I am not having much luck getting access.
    Can someone help?


    Result of the command: "show run"

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname ASA
    domain-name COMPANY.local
    enable password encrypted
    names

    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 92.70.x.x 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.25.25.3 255.255.255.0
    !
    interface Ethernet0/2
    nameif oldnet
    security-level 80
    ip address 10.31.0.9 255.255.255.0
    !
    interface Ethernet0/3
    description Customer router
    nameif Customers
    security-level 80
    ip address 10.194.4.18 255.255.255.240
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name COMPANY.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service ERM tcp
    port-object range 5001 5008
    port-object eq 5021
    port-object eq 5025
    port-object eq 5080
    object-group service FTP_Access tcp
    port-object range 5010 5020
    port-object eq 6245
    access-list oldnet_acl extended permit icmp any any
    access-list outside_30_cryptomap extended permit ip VPN-NL-Network 255.255.255.224 10.77.1.0 255.255.255.0
    access-list outside_30_cryptomap extended permit ip 172.25.25.0 255.255.255.0 10.77.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.25.25.0 255.255.255.0 VPN-NL-Network 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 172.25.25.0 255.255.255.0 172.25.26.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.25.25.0 255.255.255.0 10.77.1.0 255.255.255.0
    access-list outside_acl extended permit icmp any any echo-reply
    access-list outside_acl extended permit icmp any any unreachable
    access-list outside_acl extended permit icmp any any time-exceeded
    access-list outside_acl extended permit tcp any host 92.70.x.x object-group ERM
    access-list outside_acl extended permit tcp any host 92.70.x.x object-group FTP_Access
    access-list outside_acl extended permit ip VPN-NL-Network 255.255.255.224 172.25.25.0 255.255.255.0
    access-list outside_acl extended permit ip VPN-NL-Network 255.255.255.224 10.77.1.0 255.255.255.0
    access-list outside_acl extended permit ip VPN-NL-Network 255.255.255.224 10.13.0.0 255.255.0.0
    access-list outside_acl extended permit ip VPN-NL-Network 255.255.255.224 172.25.26.0 255.255.255.0
    access-list outside_acl extended deny ip any any log
    access-list outside_cryptomap_10 extended permit ip VPN-NL-Network 255.255.255.224 172.25.26.0 255.255.255.0
    access-list outside_cryptomap_10 extended permit ip 172.25.25.0 255.255.255.0 172.25.26.0 255.255.255.0
    access-list Customers_access_in remark Allow incoming ICMP traffic from Customers network
    access-list Customers_access_in extended permit icmp any any
    access-list Customers_access_in extended permit ip any any
    access-list Customers_access_in extended permit icmp any any
    access-list outside_nat0_outbound extended permit ip VPN-NL-Network 255.255.255.240 10.77.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip VPN-NL-Network 255.255.255.224 172.25.26.0 255.255.255.0
    access-list NL-VPN-POLICY standard permit 172.25.25.0 255.255.255.0
    access-list NL-VPN-POLICY standard permit 10.77.1.0 255.255.255.0
    access-list NL-VPN-POLICY standard permit 172.25.26.0 255.255.255.0
    access-list NL-VPN-POLICY standard permit 10.13.0.0 255.255.0.0
    access-list NL-VPN-POLICY standard permit 10.194.4.0 255.255.255.240
    pager lines 48
    logging enable
    logging asdm notifications
    mtu outside 1500
    mtu inside 1500
    mtu oldnet 1500
    mtu Customers 1500
    ip local pool RASVPN-POOL 172.25.24.65-172.25.24.94 mask 255.255.255.224
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any oldnet
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (inside) 1 interface
    global (oldnet) 1 interface
    global (Customers) 1 interface
    nat (outside) 0 access-list outside_nat0_outbound
    nat (outside) 1 VPN-NL-Network 255.255.255.224 outside
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 172.25.25.0 255.255.255.0
    static (inside,outside) tcp interface 6245 apps_server 6245 netmask 255.255.255.255
    static (inside,outside) tcp interface 5010 apps_server 5010 netmask 255.255.255.255
    static (inside,outside) tcp interface ftp-data apps_server ftp-data netmask 255.255.255.255
    static (inside,outside) tcp interface 5011 apps_server 5011 netmask 255.255.255.255
    static (inside,outside) tcp interface 5012 apps_server 5012 netmask 255.255.255.255
    static (inside,outside) tcp interface 5013 apps_server 5013 netmask 255.255.255.255
    static (inside,outside) tcp interface 5014 apps_server 5014 netmask 255.255.255.255
    static (inside,outside) tcp interface 5015 apps_server 5015 netmask 255.255.255.255
    static (inside,outside) 92.70.x.x 172.25.25.205 netmask 255.255.255.255
    access-group outside_acl in interface outside
    access-group oldnet_acl in interface oldnet
    access-group Customers_access_in in interface Customers
    route outside 0.0.0.0 0.0.0.0 92.70.82.x.x
    route oldnet 10.31.0.0 255.255.0.0 10.31.0.3 1
    route oldnet 152.141.0.0 255.255.0.0 10.31.0.3 1
    route oldnet 10.254.0.0 255.255.0.0 10.31.0.3 1
    route oldnet 10.13.0.0 255.255.0.0 10.31.0.3 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server RADIUS protocol radius
    aaa-server RADIUS host 172.25.25.209
    key
    group-policy COMPANY-NL-RASVPN internal
    group-policy COMPANY-NL-RASVPN attributes
    dns-server value 172.25.25.209
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NL-VPN-POLICY
    default-domain value COMPANY.group
    username admin password encrypted
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 10.31.0.0 255.255.255.0 oldnet
    http 213.136.x.x 255.255.255.255 outside
    http 90.152.x.x 255.255.255.255 outside
    http 83.206.x.x 255.255.255.255 outside
    http 172.25.25.0 255.255.255.0 inside
    http 82.29.x.x 255.255.255.255 outside
    http VPN-NL-Network 255.255.255.224 outside
    http 79.174.x.x 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1300
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 10 match address outside_cryptomap_10
    crypto map outside_map 10 set pfs
    crypto map outside_map 10 set peer 90.152.x.x
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    crypto map outside_map 30 match address outside_30_cryptomap
    crypto map outside_map 30 set pfs
    crypto map outside_map 30 set peer 79.174.x.x
    crypto map outside_map 30 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group 90.152.x.x type ipsec-l2l
    tunnel-group 90.152.x.x ipsec-attributes
    pre-shared-key *
    tunnel-group 79.174.x.x type ipsec-l2l
    tunnel-group 79.174.x.x ipsec-attributes
    pre-shared-key *
    tunnel-group COMPANY-NL-RASVPN type ipsec-ra
    tunnel-group COMPANY-NL-RASVPN general-attributes
    address-pool RASVPN-POOL
    authentication-server-group RADIUS
    default-group-policy COMPANY-NL-RASVPN
    tunnel-group COMPANY-NL-RASVPN ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh 213.136.x.x 255.255.255.255 outside
    ssh 83.83.131.100 255.255.255.255 outside
    ssh 83.206.x.x 255.255.255.255 outside
    ssh 90.152.x.x 255.255.255.255 outside
    ssh 172.25.25.0 255.255.255.0 inside
    ssh 10.31.0.0 255.255.255.0 oldnet
    ssh timeout 15
    ssh version 2
    console timeout 0
    priority-queue outside
    !
    class-map sw-class
    description S traffic selector
    match tunnel-group 79.174.x.x
    !
    prompt hostname context
    Cryptochecksum:907178d79f484540b3d5f0fde532758e
    : end
     
    bumblefoot, Feb 13, 2010
    #1
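
A consistency check over the ACL and pool lines from the configuration posted above, as an added example that is not part of the original post: for each ACL with a `permit ip` entry toward 10.77.1.0/24, it lists the RASVPN-POOL addresses that the entry's source mask does not match. It assumes the name VPN-NL-Network resolves to 172.25.24.64, because the `names` definitions are not shown in the post.

```python
import ipaddress

# Assumption: VPN-NL-Network resolves to 172.25.24.64. Its "names" definition
# is not in the post; the poster gives the client network as 172.25.24.64/27.
NAMES = {"VPN-NL-Network": "172.25.24.64"}

# Lines copied from the posted configuration.
CONFIG = """\
access-list outside_30_cryptomap extended permit ip VPN-NL-Network 255.255.255.224 10.77.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip VPN-NL-Network 255.255.255.240 10.77.1.0 255.255.255.0
access-list outside_acl extended permit ip VPN-NL-Network 255.255.255.224 10.77.1.0 255.255.255.0
ip local pool RASVPN-POOL 172.25.24.65-172.25.24.94 mask 255.255.255.224
"""

def pool_addresses(config):
    """Return every address in the first 'ip local pool' range."""
    for line in config.splitlines():
        f = line.split()
        if f[:3] == ["ip", "local", "pool"]:
            first, last = (ipaddress.ip_address(a) for a in f[4].split("-"))
            return [first + i for i in range(int(last) - int(first) + 1)]
    return []

def source_nets(config, dest):
    """Map ACL name -> source networks of 'permit ip <net> <mask>' entries toward dest."""
    out = {}
    for line in config.splitlines():
        f = line.split()
        if (len(f) == 9 and f[0] == "access-list" and not {"any", "host"} & set(f)
                and f[2:5] == ["extended", "permit", "ip"]):
            src = ipaddress.ip_network(f"{NAMES.get(f[5], f[5])}/{f[6]}")
            dst = ipaddress.ip_network(f"{f[7]}/{f[8]}")
            if dst == dest:
                out.setdefault(f[1], []).append(src)
    return out

def uncovered(config, dest):
    """Map ACL name -> pool addresses that none of its entries toward dest match."""
    pool = pool_addresses(config)
    nets_by_acl = source_nets(config, ipaddress.ip_network(dest))
    return {acl: [str(a) for a in pool if not any(a in n for n in nets)]
            for acl, nets in nets_by_acl.items()}

if __name__ == "__main__":
    for acl, missing in uncovered(CONFIG, "10.77.1.0/24").items():
        print(f"{acl}: {len(missing)} pool addresses unmatched", missing)
```

Pool addresses that the NAT-exemption ACL `outside_nat0_outbound` does not match are instead subject to the `nat (outside) 1 VPN-NL-Network 255.255.255.224 outside` rule in the posted configuration.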