Hi all,
I have about the same problem as this one:
I have a 192.168.40.0 255.255.248.0 network that is accessible through VPN. On the inside network there are a couple of other networks (other locations), e.g. 192.168.24.0 255.255.248.0.
Now the VPN users should be able to log on to the 40.0 network and connect to the 24.0 network, but I don't seem to get this working. (Both netmasks are 255.255.248.0.)
The firewall the VPN users connect to is an ASA5010 and we're currently using a PIX501 as router to the 24.0 network (test setup).
Connecting from within the 40.0 network to the 24.0 network does work, just not from the firewall or from a VPN connection.
This is our setup:
INTERNET - ASA5010 (212.35.X.X/192.168.40.2) - LAN 1 - PIX501 (192.168.40.1/192.168.30.1) - LAN 2
This is our config:
Code:
: Saved
:
ASA Version 7.2(2)
!
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 212.35.x.x 255.255.255.192 standby 212.35.x.x
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.40.2 255.255.248.0 standby 192.168.40.3
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 0
ip address 10.205.1.100 255.255.255.0 standby 10.205.1.101
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
access-list acl_outside extended permit udp any host 212.35.x.x eq 1701
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list nonat extended permit ip 192.168.40.0 255.255.248.0 192.168.40.0 255.255.248.0
access-list nonat extended permit ip 192.168.24.0 255.255.248.0 192.168.40.0 255.255.248.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool clientVPNpool 192.168.44.1-192.168.47.254 mask 255.255.248.0
failover
failover lan unit primary
failover lan interface fo Ethernet0/3
failover link fo Ethernet0/3
failover interface ip fo 10.233.1.2 255.255.255.0 standby 10.233.1.3
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 212.35.x.x 1
route inside 192.168.24.0 255.255.248.0 192.168.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.40.5
dns-server value 192.168.40.5
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value xxx.xxx
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username test attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol l2tp-ipsec
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 10.205.1.0 255.255.255.0 management
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
address-pool ClientVPNpool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 192.168.40.6
prompt hostname context
Cryptochecksum:b3bc313bae318d36b171d2ad6a584fdc
: end
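Two things worth checking first on a setup like this are whether the `nat (inside) 0` exemption ACL matches traffic in both directions between the VPN pool and the secondary subnet, and whether the VPN pool overlaps an interface's connected subnet. The script below is an added example (it is not part of the post and not a Cisco tool): it parses the relevant lines of the posted config, then answers those questions for a constructed sample client address from the pool (192.168.44.10) and a constructed host on the 24.0 network (192.168.24.10). Only the address/mask, `access-list nonat`, `ip local pool` and `route` line formats are handled; everything else in the config is ignored.

```python
import ipaddress
import re

# Excerpt of the posted ASA config: only the lines that matter for routing
# and NAT exemption of VPN-client traffic (copied from the post).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.40.2 255.255.248.0 standby 192.168.40.3
access-list nonat extended permit ip 192.168.40.0 255.255.248.0 192.168.40.0 255.255.248.0
access-list nonat extended permit ip 192.168.24.0 255.255.248.0 192.168.40.0 255.255.248.0
ip local pool clientVPNpool 192.168.44.1-192.168.47.254 mask 255.255.248.0
nat (inside) 0 access-list nonat
route inside 192.168.24.0 255.255.248.0 192.168.40.1 1
"""


def net(addr, mask):
    """Build a network from dotted address + dotted netmask, as ASA writes them."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (nonat entries, routes, pools) pulled from the config text.

    nonat  -> list of (src_network, dst_network)
    routes -> list of (interface, network, gateway); gateway None = connected
    pools  -> {pool name: (first address, last address)}
    """
    nonat, routes, pools = [], [], {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block, name not known yet
            continue
        m = re.match(r"nameif (\S+)", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and nameif:
            routes.append((nameif, net(*m.groups()), None))  # connected subnet
            continue
        m = re.match(r"access-list nonat extended permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            s, sm, d, dm = m.groups()
            nonat.append((net(s, sm), net(d, dm)))
            continue
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            iface, a, mk, gw = m.groups()
            routes.append((iface, net(a, mk), ipaddress.IPv4Address(gw)))
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return nonat, routes, pools


def nonat_exempt(nonat, src, dst):
    """True if a src->dst packet matches an entry of the NAT-exemption ACL."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in s and dst in d for s, d in nonat)


def route_for(routes, dst):
    """Longest-prefix match over connected and static routes.

    Returns (interface, network as str, gateway as str or None), or None.
    """
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if dst in r[1]]
    if not hits:
        return None
    iface, network, gw = max(hits, key=lambda r: r[1].prefixlen)
    return (iface, str(network), str(gw) if gw is not None else None)


def pool_overlaps(pools, routes):
    """List (pool, interface, subnet) where a pool address sits inside a connected subnet."""
    found = []
    for name, (first, last) in pools.items():
        for iface, network, gw in routes:
            if gw is None and (first in network or last in network):
                found.append((name, iface, str(network)))
    return found


if __name__ == "__main__":
    nonat, routes, pools = parse_config(ASA_CONFIG)
    client, lan2_host = "192.168.44.10", "192.168.24.10"  # constructed sample addresses
    print("client -> LAN2 exempt from NAT:", nonat_exempt(nonat, client, lan2_host))
    print("LAN2 -> client exempt from NAT:", nonat_exempt(nonat, lan2_host, client))
    print("route to LAN2 host:", route_for(routes, lan2_host))
    print("route back to client:", route_for(routes, client))
    print("pool inside an interface subnet:", pool_overlaps(pools, routes))
```

Run against the posted config, the pool-to-24.0 direction matches no `nonat` entry (the ACL covers 24.0/21 to 40.0/21 but not the reverse), while the static route to 192.168.24.0/21 via 192.168.40.1 resolves as expected. The overlap check fires because 192.168.44.1-192.168.47.254 lies inside the inside interface's 192.168.40.0/21; hosts on LAN 1 and the PIX501 therefore treat pool addresses as on-link, so return traffic depends on the ASA answering ARP for them. Note also that LAN 1 hosts reaching 24.0 never traverse the ASA when their route to 24.0 points at 192.168.40.1 on their own subnet, which is why that path can work while the VPN path does not; the script does not claim which of these is the actual cause.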