ASA5505, 3rd VLAN and VPN

15 years 1 month ago #31222 by nebukazar
Hello,

I am currently trying to figure out how I would go about setting up the following:

GroupA
Servers 1, 2 and 3 are connected to ports 1, 2 and 3 on the ASA

GroupB
Servers 4 and 5 are connected to ports 4 and 5 on the ASA

GroupA uses vlan3 with the 172.16.10.1/24 subnet
GroupB uses vlan2 (inside) with the 192.168.1.1/24 subnet
vlan1 has nameif outside

I have set up 2 VPN groups.
Group2 is able to access machines on vlan2 with no problems.
However, Group1 is not able to access machines on vlan3.
The assigned IP pool for Group1 is still 172.16.10.100-200/24.

All interfaces are up.
Even if I try to ping, let's say, Server1 (172.16.10.12) from the ASA directly, I am not getting any responses. Yet the links appear to be up on the ASA.

So the main issue here is:
VPN users from Group1 are not able to reach any servers in GroupA.

As a reference, here is the current config:
[code:1]
!
interface Vlan1
nameif outside
security-level 0
ip address xx.xx.xx.9 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
no nameif
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/0
duplex full
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name somedomain.com
access-list outside_in extended permit tcp any object-group pool_pub object-group http_mail
access-list outside_in extended permit tcp any host xx.xx.xx.35 object-group services_local
access-list outside_in extended permit tcp any host xx.xx.xx.10 object-group services_local
access-list outside_in extended permit object-group TCPUDP any any eq domain
access-list ACCESS_VPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.10.0 255.255.255.0
access-list Split_Tunnel_List remark LAN behind the ASA - NetScreen Migration
access-list outside_cryptomap_65535.20 extended deny ip any any
access-list VPN_Kegan standard permit 192.168.1.0 255.255.255.0
access-list no-nat-concentricVPN-group extended permit ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
ip local pool concentric_pool 172.16.10.110-172.16.10.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_65535.20
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0

group-policy ACCESS_VPN internal
group-policy ACCESS_VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Kegan
group-policy Concentric internal
group-policy Concentric attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
group-lock value Concentric
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
address-pools value concentric_pool
username bret password 89c6itLADBfQaY6y encrypted privilege 0
username bret attributes
vpn-group-policy Concentric
group-lock value Concentric
username bray password .xvXiAnPM4jHoig2 encrypted
username pragya password n9rzmtn2TpgTqwrM encrypted privilege 0
username pragya attributes
vpn-group-policy Concentric
group-lock value Concentric
username prem password JUetPUUsMKFM0vza encrypted
username prem attributes
vpn-group-policy Concentric
group-lock value Concentric
username aweeg password 4uwR/wFnP4rNPtlU encrypted
username erikr password qV2p4f5m/UeIS/9L encrypted privilege 0
username erikr attributes
vpn-group-policy Concentric
group-lock value Concentric
username kstongemay password 3VUqytduwsMNIzAb encrypted
username gowri password o5Pgo2Fv369oJ8/B encrypted privilege 0
username gowri attributes
vpn-group-policy Concentric
group-lock value Concentric
username elesh password nX68sApvuKquQMPU encrypted privilege 0
username elesh attributes
vpn-group-policy Concentric
group-lock value Concentric
username isaac password DWxS4nkj/1/ogfjf encrypted privilege 0
username isaac attributes
vpn-group-policy Concentric
group-lock value Concentric
username jayesh password suKSKbyOUI.JvH79 encrypted privilege 0
username jayesh attributes
vpn-group-policy Concentric
group-lock value Concentric
username rich password xLUpPpKoj7JrEzsI encrypted privilege 0
username rich attributes
vpn-group-policy Concentric
group-lock value Concentric
username cheri password nKBbSPKzyfzMI2uh encrypted privilege 0
username cheri attributes
vpn-group-policy Concentric
group-lock value Concentric
username marina password zKY8FvhQbZlzTGVc encrypted privilege 0
username marina attributes
vpn-group-policy Concentric
group-lock value Concentric
username concentrik password dJf0N2wSqlgQpzMS encrypted privilege 0
username concentrik attributes
vpn-group-policy Concentric
group-lock value Concentric
username yugal password OrDAk1BZoiA8e8I. encrypted privilege 0
username yugal attributes
vpn-group-policy Concentric
group-lock value Concentric
username amit password 6NsbmhucD9V2Va9C encrypted privilege 0
username amit attributes
vpn-group-policy Concentric
group-lock value Concentric
username concentric password MNNGZ1aoFa8BXL2T encrypted privilege 0
username concentric attributes
vpn-group-policy Concentric
group-lock value Concentric
username hfwuser password VFFOSrkWP5p5m3gM encrypted
username hfw1 password 63R4eNpcv496FwxE encrypted privilege 0
username hfw1 attributes
vpn-group-policy Concentric
group-lock value Concentric
username vipin password yZvF9gxzJnG/c4kZ encrypted privilege 0
username vipin attributes
vpn-group-policy Concentric
group-lock value Concentric
tunnel-group ACCESS_VPN type ipsec-ra
tunnel-group ACCESS_VPN general-attributes
address-pool vpnpool
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy ACCESS_VPN
tunnel-group ACCESS_VPN ipsec-attributes
pre-shared-key *
tunnel-group Concentric type ipsec-ra
tunnel-group Concentric general-attributes
address-pool concentric_pool
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy Concentric
tunnel-group Concentric ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect netbios
inspect sunrpc
inspect sip
inspect xdmcp
inspect dns
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5343d670c6d26c844876b62f6108fdaa
[/code:1]
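The following is an added example config fragment for the ASA 5505, not part of the original post and not something the poster ran. It addresses the one thing visible in the posted config that matches the symptom (ping from the ASA itself gets no reply even though the links are up): interface Vlan3 carries `no nameif`, so the ASA never routes or switches traffic through it, whatever the physical ports show. The interface name `dmz`, the admin network 203.0.113.0/24 and the client address 172.16.10.120 used in the packet-tracer line are illustration choices, not values from the post.

```cisco
! Added example, not from the original post. Activates VLAN 3 so it can pass
! traffic, makes the NAT intent for VPN-client-to-server traffic explicit,
! and lists the checks to run afterwards. The name "dmz" and the admin
! subnet 203.0.113.0/24 are assumptions chosen for illustration.
!
! 1. The posted Vlan3 has "no nameif", so the ASA does not forward traffic
!    on it; the switch ports show link but nothing passes. On the ASA 5505
!    Base license the third VLAN must carry a "no forward interface" line
!    before "nameif" is accepted, so the existing line is kept: hosts on
!    Vlan3 cannot initiate connections towards Vlan1 (outside), but
!    connections initiated from outside, including decrypted VPN-client
!    traffic, are allowed, and their replies return through the stateful
!    connection table.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! 2. Identity NAT between the VLAN 3 subnet and the Concentric pool, using
!    the ACL that already exists in the posted config but is referenced
!    nowhere. With nat-control disabled (the default) this is not strictly
!    required for outside-to-dmz traffic, but it records the intent and
!    avoids surprises if nat-control is enabled later.
nat (dmz) 0 access-list no-nat-concentricVPN-group
!
! 3. Verification (privileged exec mode). "show nameif" must now list dmz;
!    the ping that failed in the post should succeed once the interface is
!    active; packet-tracer simulates a VPN client reaching Server1 on SSH
!    and reports the first phase that drops the packet (ACL, NAT, route
!    lookup or VPN).
! show nameif
! show interface vlan3
! ping dmz 172.16.10.12
! packet-tracer input outside tcp 172.16.10.120 1025 172.16.10.12 22
!
! 4. Unrelated to the VPN fault but visible in the same config: management
!    (HTTP/ASDM and SSH) is permitted from every source address on the
!    outside interface. Restricting it to a known admin network
!    (203.0.113.0/24 is a placeholder) is the change a reviewer would ask for.
no http 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
http 203.0.113.0 255.255.255.0 outside
ssh 203.0.113.0 255.255.255.0 outside
```

Two further things a practitioner would look at while in there: the pool `concentric_pool` (172.16.10.110-254) sits inside the same /24 that the VLAN 3 servers use, so if clients still cannot reach the servers after the interface is active, a pool taken from a subnet that is not directly connected to the ASA removes one variable from the troubleshooting; and `Split_Tunnel_List` already contains 172.16.10.0/24, which is what makes the clients send server-bound traffic into the tunnel, so it does not need to change for this fix.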