ASA - Tunnel all traffic, allow spokes to communicate with each other

Well, I hope someone can help me with this headache! I'm switching from a PIX and a VPN 3005 concentrator at the home office to an ASA 5510 for the firewall and IPsec tunnels. It is pretty much a:

  • VPN on a stick, multiple spokes.
  • All traffic sent through the tunnel
  • Internet access through the main office (using its web filter)
  • VoIP to VoIP between spokes
  • All branches are using VPN 3005 HW clients or ASA 5505s

HEADQUARTERS: 10.0.0.0/24

Spoke 1: 192.168.11.0/24

Spoke 2: 192.168.12.0/24

Spoke 3: 192.168.13.0/24

- and so on up to 192.168.31.0/24

With the current configuration, spoke 1 can communicate with all the resources in the home office and with the Internet, as verified by a tracert. However, the spokes cannot communicate with each other. This is required for VoIP traffic, since all calls are made spoke to spoke (site to site).

Log entry when spoke-to-spoke ICMP is initiated:

  • No translation group found for icmp src outside:192.168.31.1 dst inside:192.168.11.1 (type 8, code 0)

If I remove nat (outside) 1 192.168.0.0 255.255.0.0, the spokes begin to respond to each other, but then the spokes cannot tunnel their Internet traffic through the home office. My brain is so scrambled after cramming VPN configurations these past days, so I hope someone has an idea. I've always used 3005 concentrators, so this is a little different! While searching for documentation on this configuration, I was surprised that this isn't a more common topology. It seems that this article would fit (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml), but there are no spokes in it! In any case, I'm sure this has something to do with the NAT rules and perhaps an access list that needs to permit spoke-to-spoke traffic.

=============================================

ASA Version 8.2(1)
!
hostname asa5510
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 97.65.x.x 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.40 255.255.0.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
!
access-list sheep extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list wccp-servers extended permit ip host 10.0.0.83 any
access-list Redirect-traffic extended deny ip any object-group DM_INLINE_NETWORK_1
access-list Redirect-traffic extended permit ip any any
!
global (outside) 1 interface
nat (outside) 1 192.168.0.0 255.255.0.0
nat (inside) 0 access-list sheep
nat (inside) 1 10.0.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 97.65.x.x 1
route inside 192.168.0.0 255.255.255.0 10.0.0.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
route inside 192.168.3.0 255.255.255.0 10.0.0.1 1
!
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
!
crypto dynamic-map dynmap 1 set transform-set RIGHT
!
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
crypto map mymap interface outside
!
crypto isakmp identity address
!
crypto isakmp enable outside
!
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp ipsec-over-tcp port 10000
!
management-access inside
!
threat-detection basic-threat
!
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
wccp web-cache redirect-list Redirect-traffic group-list wccp-servers password xxxxxxx
wccp 90 redirect-list Redirect-traffic group-list wccp-servers password xxxxxxx
!
webvpn
!
group-policy MJHIvpn internal
!
group-policy MJHIvpn attributes
 wins-server value 10.0.10.1 10.0.10.2
 dns-server value 10.0.10.1 10.0.10.2
 password-storage enable
 split-tunnel-policy tunnelall
 default-domain value mjhi.local
 nem enable
!
username field-3002 password SjfS1Pq2xZGxHicx encrypted
!
username field-3002 attributes
 vpn-access-hours none
 vpn-simultaneous-logins 250
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 password-storage enable
 service-type remote-access
!
tunnel-group field type remote-access
!
tunnel-group field general-attributes
 default-group-policy MJHIvpn
!
tunnel-group field ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ils
  inspect icmp
!
service-policy global_policy global

Hello Ala,

In fact, it has to do with the NAT configuration.

So basically you want the traffic from the spokes to be tunneled so that they can communicate with each other.

OK, that would be done with a nat 0 on the outside interface, with an access list matching the corresponding traffic.

Also, in the crypto ACL of each site's configuration, you must add an entry for the traffic to the other offices.

I hope that I have explained myself.

Have a good

Julio

Rate all useful posts!
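The following is an added illustration of the NAT exemption Julio describes, written against the 8.2 configuration posted above; it is not the poster's config or Julio's own text. The access-list name spoke-to-spoke and the packet-tracer addresses are assumptions; the spoke subnets are the ones the poster listed.

```cisco
! Added example for ASA 8.2 syntax (not the poster's config).
! In 8.2 the NAT lookup order is: nat 0 access-list (exemption), then static,
! then policy nat, then regular nat. The poster found that removing
! "nat (outside) 1 192.168.0.0 255.255.0.0" lets the spokes reach each other,
! which shows that rule is catching spoke-to-spoke traffic that hairpins on the
! outside interface and producing the %ASA-3-305005 "No translation group found"
! log. An exemption is evaluated before that rule, so it can be kept for the
! spoke-to-Internet traffic that must still be hairpinned through the hub.

! Hairpinning: a spoke's packet enters and leaves the same (outside) interface.
same-security-traffic permit intra-interface

! Exempt spoke-to-spoke traffic (all 192.168.x.0/24 spokes) from outside NAT.
! Assumed ACL name.
access-list spoke-to-spoke extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (outside) 0 access-list spoke-to-spoke

! Spoke-to-Internet traffic still hairpins and still matches the existing rules,
! so it keeps leaving through the hub (and its WCCP web filter) as before.
nat (outside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

! Hub-to-spoke traffic stays exempt exactly as in the posted config.
nat (inside) 0 access-list sheep

! As far as the posted config shows, the spokes are Easy VPN hardware clients
! (nem enable, split-tunnel-policy tunnelall), so they already send everything
! into the tunnel; Julio's crypto-ACL note applies to site-to-site spokes.

! Verification from the ASA CLI: a constructed echo request from spoke 3
! (192.168.31.1) to spoke 1 (192.168.11.1). With the exemption in place the
! NAT phase should no longer drop the packet.
packet-tracer input outside icmp 192.168.31.1 8 0 192.168.11.1

! Hit counts on the exemption ACL confirm that real calls are being matched.
show access-list spoke-to-spoke
```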

Tags: Cisco Security

Similar Questions

  • AnyConnect clients cannot communicate with each other

    I have a problem that I've been pulling my hair out over... my teleworkers connect to our corporate network via an AnyConnect VPN connection (version 3.1) to a Cisco ASA 5520. I do not have split tunneling enabled for this profile, so all traffic should pass through the tunnel, and all hosts are in the same L3 subnet... as far as their VPN IP address goes. The problem is that the teleworker PCs cannot communicate with each other (pings/RDP/etc.). When I look at the log I see traffic from one to the other, nothing denied, but they do not communicate. From my corporate network I can communicate with both AnyConnect PCs just fine. When I go to Monitoring > Routes in ASDM I see each host that is connected to the ASA via AnyConnect, and the gateway for each is the default gateway of the ASA.

    Am I missing some setting in the VPN profile that prevents access between these hosts? I would think something would show up in the log...

    Have you enabled hairpinning and also a NAT exemption between the AnyConnect users?

    same-security-traffic permit intra-interface

    object network AnyConnect_users

    subnet

    nat (outside,outside) source static AnyConnect_users AnyConnect_users destination static AnyConnect_users AnyConnect_users

    If this does not resolve your problem, please post a sanitized complete configuration of your ASA.

  • HELP: Which router supports VLANs? I want the two groups to be unable to communicate with each other.

    Hi all,

    I have 5 wireless devices that must connect to the router.

    I want to divide them into 2 groups:

    That is to say, group 1: devices A, B, C; group 2: devices D, E.

    I would like the two groups to be unable to communicate with each other.

    I've heard it can be done with VLANs; can the E2500 do what I need?

    What about the EA3500 and EA4500?

    I use wireless G; does that mean the EA4500 is out of the question even if it supports VLANs?

    Thank you all!

    Evil

    Thanks for the clarification to the OP

    FWIW

    here is an alternative for routers that do not support VLANs, to do what you want

    http://www.SmallNetBuilder.com/lanwan/lanwan-HOWTO/32486-how-to-segment-a-small-LAN-using-tagged-VLA...

  • Two separate VPN tunnels on the same ASA communicating with each other

    Here's the scenario: I have a VPN tunnel with one of my remote locations. I also have a VPN tunnel with a vendor that supports equipment for my organization. I need my vendor to be able to communicate with equipment that lives on my other VPN tunnel. The two tunnels are on the same ASA 5540.

    1. Is it possible?

    2. How do I set it up?

    Thank you

    Follow this link for an example. Enhanced spoke-to-spoke VPN allows the two tunnels terminating on your ASA 5540 to connect, using the same-security-traffic permit intra-interface command together with access-list configuration that permits the traffic of each tunnel endpoint.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

  • How to create two separate networks in ESX that can communicate with each other with 2 x NICs?

    Hello
    Just a fundamental question about configuring my single-box ESX host with several vSwitches and two NICs:
    What is the definition or use of the network label and port ID? Yes, VLAN, I know what that's meant for in the physical world.
    My goal here is to
    1. create several vSwitches with about 4 VMs on the two vSwitches; how does communication between vswitch0 and vswitch1 happen? Do I need to plug pNIC2 into the switch so that communication can/must travel through the network cable in my ESX?
    2. force all VM traffic in a vSwitch to enter a virtual machine that runs as a router VM and then talk to the other vSwitch's router VM? Is this possible?
    Thank you.

    I do not know if I understand perfectly, but I often have to create isolated networks.

    In this case, there is only one NIC, but it works with two, one on each switch. vSwitch0 can communicate with the outside world via vmnic0. vSwitch0 and vSwitch1 are connected by the pfSense virtual router. The virtual machines on the private portgroup connect to the outside world and to any other VM on the VM Network portgroup via the pfSense router. Accessing the virtual machines on the private portgroup requires a VPN connection via the pfSense router. This is a completely isolated network. With an additional uplink on vSwitch1, you can connect to other physical devices.

  • School lab issue: setting IPs and VMnet1 so two computers can communicate with each other and access the internet

    Hello ~

    This question has probably been asked a million times in one way or another, but here's my specific case: I'm doing a lab for school. I've set up two virtual servers (Windows Server 2012) in VMware Pro 12. The goal is for them to talk (see each other). According to the teacher's instructions, I set them up as follows:

    "Assign your servers appropriate IP addresses based on your installation environment. For example, if your network environment uses the class C address range 192.168.1.x, assign one server IP 192.168.1.10, subnet mask 255.255.255.0, default gateway 192.168.1.1 and the other server IP 192.168.1.11, subnet mask 255.255.255.0, default gateway 192.168.1.1. Note: If these IP addresses will conflict with your internal network (providing your virtual machines with access to the internet), please choose a different set of addresses that will work for you."


    I need to know what addresses will work. I've got a domain controller, DC1. Right now, they can't see each other. I can't connect to the Internet via IE, which is one of the pieces of 'evidence' I'm supposed to provide.


    When I go to the Virtual Network Editor, I see the host-only setting (which is how it said to set things up when you first install the VMs) is 198.162.150.0. I didn't set that, but I don't want to make things worse by changing things. I guess that's where the problem is, but I'm not sure what to set the IP, subnet mask and DNS to, so I'm stuck.

    If it means anything, this is in fact on a borrowed laptop which is connected over WiFi/wireless. The laptop has internet but I don't know exactly how to bring that into the virtual machine so it can connect. I don't need to become a system admin; this is a compulsory course and I'm just trying to understand enough about it to pass. The problem is that other labs are built on this one so I can't just ignore it.

    Any advice you can offer would be GREATLY appreciated. By the way, happy new year to you all.

    Sorry, yes, it was a typo. It's supposed to be 192.168.150.xxx.

    Although the virtual machines should be able to communicate if they are both configured similarly (i.e. host-only in this case), you would generally give those virtual machines IP addresses in the host-only subnet so they can be reached from the host, which, as mentioned earlier, should have a VMnet1 IP address of 192.168.150.1.

    André

  • Two virtual machines to communicate with each other - intended as an SMS lab for test deployment?

    Hi friends,

    I am a new user and would like your help pretty desperately. The scenario is that I want to set up an SMS lab to deploy an application from the server to a client and test the application. I have all the necessary knowledge as far as application packaging is concerned, and would like help as far as VMware is concerned.

    I created two virtual machines; one of them will be configured as the server and the other will be the client. I created a team with these two machines in it. I am trying to ping from one machine to the other and it does not work. I am only using the host-only configuration method. The idea is simply to make the two systems communicate so that I can finish the entire configuration and use it as the SMS deployment lab.

    - First of all, I'm new to all this, so I would like to know whether everything I am doing is correct and what is possible?

    - Do I have to do something else to make sure that those two communicate, or is any other configuration software necessary?

    I would like to ask you guys to be a little more specific when you help others, as I need you guys more than a person who is used to working on VMware does.

    And just so you know, if it helps, I use VMware Workstation 6.0.

    What you are doing is reasonable. Do both of your virtual machines have an IP address on the same subnet? In general, in no-ping scenarios, the first thing to check is the firewall in the guest computers. Have you checked that it allows ping traffic? Is it disabled?

    -KjB

    VMware vExpert

  • 2 iOS mobile devices that can communicate with each other

    I have two iOS mobile devices, an iPad (3rd generation) and an iPhone 4S that I inherited. I also have a MacBook 2.0 that I use to sync the iPad and manage my music in iTunes. Before inheriting the iPhone, I created a number of events in the calendar application on the iPad. Can anyone recommend the best way to duplicate the calendar events on the iPad and place them on the iPhone, rather than manually creating the events on the iPhone?

    Any help would be greatly appreciated

    Thanks in advance,

    Darrell

    Which versions of iOS are they running? If it's iOS 7, 8 or 9, then you must use iCloud to sync things like calendars, notes, reminders, etc. See iCloud: Calendar overview and turn on iCloud on your iOS devices.

    Your MacBook sounds very old (what year model is it? I can't find any MacBook 2.0 model, only 2.1), probably too old to support a version of OS X with iCloud support, so it won't work with it.

  • My laptop computer and printer do not communicate with each other.

    I went to "Devices and Printers" in the Control Panel and my laptop has a troubleshooting icon beside it. I tried searching for updates/drivers to solve the problem and nothing works. It says 'unknown device, no driver'. My fax, copier and scanner work, but the printer does not work because there is a problem with my laptop. I could not use my printer because I was out of ink for 2 months, then I bought ink and now I can't print! Ink for a Lexmark is not cheap.

    I hope someone can help!

    Karen

    Because my printer is a Lexmark, I had to go to the Lexmark site and search "Drivers" under the specific printer you have, download it to my computer and load it that way to connect my laptop with my printer.

  • Can I create a Muse website whose child pages could be opened on different computers and communicate with each other?


    I want to create a website with 4 child pages that interact with each other when opened separately on 4 different computers.

    Is this possible?

    Example:

    Website with 3 child pages open on 3 different computers, with the following triggers and targets:

    PC #1 - child page #1 - confirm button (trigger)

    PC #2 - child page #2 - "Confirmation accepted" popup, resulting from clicking 'confirm' on the PC/child page #1 (target)

    PC #3 - child page #3 - calendar popup changed, resulting from clicking 'confirm' on the PC/child page #1 (target)

    Any ideas are much appreciated.

    THX.

    No, this is not possible with Muse.

  • Easy VPN server configuration to tunnel ALL traffic?

    Hi guys,

    Does someone have a link or a tutorial to point me in the right direction? Here is the example that I am following:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdf.PDF

    I would like the Easy VPN client to tunnel all traffic through the VPN. This includes internal and external. Thus, for example, web browsing from the client computer would also go through the tunnel.

    Thanks for the help!

    Jason

    Hi Jason,

    Since no split tunnel is configured here, yes, all traffic will be sent through the tunnel.

    Please rate the useful messages

    Best regards

    Eugene

  • How to block a DoS attack while allowing clients to communicate with the server

    I need a temporary solution for a DoS attack. I am running Windows 7 Professional and need to block a DoS attack while allowing clients to communicate with the server.

    Hi Vinniethetouch,

    Thanks for posting in the Microsoft Community.

    The question you posted would be better suited to the TechNet forums; we recommend that you post your question in the TechNet Forums to get help:

    http://social.technet.Microsoft.com/forums/en/category/w7itpro

    If you need any Windows help, do not hesitate to post your questions and we will be happy to help you.

  • Is there a way, or a widget in Muse, to allow objects and images to react with each other?

    Hello. I would like to make two objects or images imported into Muse react with each other. When I say react, think of a ball bouncing off a wall or a cue ball hitting a bunch of other billiard balls. I searched for a widget that might allow this and couldn't find one. Is this something Muse can do, or should I look for something else... Edge, or coding the interaction? Thank you.

    You can do it using Edge, then publish it as an Animate deployment package (".oam").

  • Lexmark X2600 all-in-one printer cannot communicate with computer

    I'm running a Dell XPS system with Windows Home Premium 32-bit edition. All of a sudden my Lexmark X2600 printer stopped scanning, so I uninstalled and reinstalled it. Now not only does the scanner not work, but I can't print documents. I uninstalled and reinstalled the printer several times. I also searched for more recent drivers on Lexmark's site and looked for patches and fixes on Microsoft's website. I get the same message: 'printer cannot communicate with the computer.' I tried all the solutions that come up with the error message and all have failed. I posted on the Windows 7 forum by chance and was given some ideas to try, like blocking the lxdncatscustconnect service. After doing this, I was able to print once, but then it went back to being a pain in the A*. I've lost track of when I was last able to use my printer, and any help to solve this problem would be highly appreciated.

    Also, I am running Avast antivirus v5.0.594 and Spybot S&D 1.6.2.46 with the resident TeaTimer off. I don't know if this will help, but any help would be greatly appreciated.

    Hi Firestorm29xt,

    1. Did you make any changes before the issue appeared?

    Try these steps and check the result.
    Step 1: Uninstall Spybot and check the result

    Note: Don't forget to reinstall the software after testing the result.

    Step 2: Run the Microsoft printer troubleshooter to diagnose the problem
    a. See "Printing problems and printing errors"
    b. Click "Run now" to run the tool and follow the instructions in the wizard.
    c. Restart the computer and see if you can print successfully.

    Step 3: If the problem persists, follow the steps mentioned in this article: Communication not available

    For additional support, please contact the Lexmark technical support team.


    Visit our Microsoft Answers Feedback Forum and let us know what you think.

  • ASA - same-security-traffic permit inter-interface vs permit/deny access-list on the interface

    Hi people,

    I wonder: if I use the same-security-traffic permit inter-interface command on the ASA and I have 2 separate interfaces with the same security level and an ACL with a few explicit permit rules, will traffic not covered by those permit statements be blocked by the implicit deny at the end of the ACL, or am I completely wrong in my thinking?

    That is right.

    But then if you have an interface with an ACL and another interface without an ACL and you want to pass traffic between the two interfaces, then the interface without an ACL will rely on the security level while the interface configured with the ACL will rely on the configured ACL entries.

    --

    Please do not forget to select a correct answer and rate useful posts
