Cisco ASA (Client VPN) to LAN - through second VPN to second LAN

Posted by user50855 on Server Fault See other posts from Server Fault or by user50855
Published on 2010-08-11T17:54:01Z Indexed on 2012/11/05 5:04 UTC
Read the original article Hit count: 620

Filed under:
|
|

We have 2 site that is linked by an IPSEC VPN to remote Cisco ASAs:

Site 1 1.5Mb T1 Connection Cisco(1) 2841

Site 2 1.5Mb T1 Connection Cisco 2841

In addition:

Site 1 has a 2nd WAN 3Mb bonded T1 Connection Cisco 5510 that connects to same LAN as Cisco(1) 2841.

Basically, Remote Access (VPN) users connecting through Cisco ASA 5510 needs access to a service at the end of Site 2. This is due to the way the service is sold - Cisco 2841 routers are not under our management and it is setup to allow connection from local LAN VLAN 1 IP address 10.20.0.0/24. My idea is to have all traffic from Remote Users through Cisco ASA destined for Site 2 to go via the VPN between Site 1 and Site 2. The end result being all traffic that hits Site 2 has come via Site 1.

I'm struggling to find a great deal of information on how this is setup. So, firstly, can anyone confirm that what I'm trying to achieve is possible? Secondly, can anyone help me to correct the configuration bellow or point me in the direction of an example of such a configuration?

Many Thanks.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.19 255.255.255.240  


interface Ethernet0/1    
 nameif inside    
 security-level 100    
 ip address 10.20.0.249 255.255.255.0    


object-group network group-inside-vpnclient  
 description All inside networks accessible to vpn clients  
 network-object 10.20.0.0 255.255.255.0  
 network-object 10.20.1.0 255.255.255.0    
object-group network group-adp-network  
 description ADP IP Address or network accessible to vpn clients  
 network-object 207.207.207.173 255.255.255.255  

access-list outside_access_in extended permit icmp any any echo-reply  
access-list outside_access_in extended permit icmp any any source-quench  
access-list outside_access_in extended permit icmp any any unreachable  
access-list outside_access_in extended permit icmp any any time-exceeded  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq smtp  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq https  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq pop3  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq www  
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq www  
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq https  
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq 5721  
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any  
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient object-group group-adp-network  
access-list acl-vpnclient extended permit ip object-group group-adp-network object-group group-inside-vpnclient  
access-list PinesFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0  
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.20.1.0 255.255.255.0  
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 host 207.207.207.173  
access-list inside_nat0_outbound_1 extended permit ip 10.20.1.0 255.255.255.0 host 207.207.207.173  

ip local pool VPNPool 10.20.1.100-10.20.1.200 mask 255.255.255.0  

route outside 0.0.0.0 0.0.0.0 7.7.7.17 1  
route inside 207.207.207.173 255.255.255.255 10.20.0.3 1  

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec security-association lifetime seconds 28800  
crypto ipsec security-association lifetime kilobytes 4608000  
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA  
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000  
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000  
crypto dynamic-map outside_dyn_map 20 set reverse-route  
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map  
crypto map outside_map interface outside  
crypto map outside_dyn_map 20 match address acl-vpnclient  
crypto map outside_dyn_map 20 set security-association lifetime seconds 28800  
crypto map outside_dyn_map 20 set security-association lifetime kilobytes 4608000  
crypto isakmp identity address  
crypto isakmp enable outside  
crypto isakmp policy 20  
 authentication pre-share  
 encryption 3des  
 hash sha  
 group 2  
 lifetime 86400  

group-policy YeahRightflVPNTunnel internal  
group-policy YeahRightflVPNTunnel attributes    
 wins-server value 10.20.0.9  
 dns-server value 10.20.0.9  
 vpn-tunnel-protocol IPSec  
 password-storage disable  
 pfs disable  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value acl-vpnclient  
 default-domain value YeahRight.com  
group-policy YeahRightFLVPNTunnel internal  
group-policy YeahRightFLVPNTunnel attributes  
 wins-server value 10.20.0.9  
 dns-server value 10.20.0.9 10.20.0.7  
 vpn-tunnel-protocol IPSec  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value YeahRightFLVPNTunnel_splitTunnelAcl  
 default-domain value yeahright.com  

tunnel-group YeahRightFLVPN type remote-access  
tunnel-group YeahRightFLVPN general-attributes  
 address-pool VPNPool  

tunnel-group YeahRightFLVPNTunnel type remote-access  
tunnel-group YeahRightFLVPNTunnel general-attributes  
 address-pool VPNPool  
 authentication-server-group WinRadius  
 default-group-policy YeahRightFLVPNTunnel  
tunnel-group YeahRightFLVPNTunnel ipsec-attributes  
 pre-shared-key *  

© Server Fault or respective owner

Related posts about vpn

Related posts about cisco