[c-nsp] EasyVPN IOS->ASA55xx
William
willay at gmail.com
Tue Apr 1 07:13:33 EDT 2008
Hi Ben,
There is a default route to go via the outside, sorry about the confusion.
Regards,
On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> So do you have the route for 22.22.22.0/24 to go via the outside? Is
> it caught by the default route or is there something else in place?
> Hence why I asked for output of "sh route".
>
>
> On 01/04/2008, at 9:31 PM, William wrote:
>
> > Network behind the 800 is 22.22.22.0/24
> >
> > W
> >
> > On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> >> Ok just to save me any confusion here, is the network behind the 800
> >> 11.11.11.0/24 or 22.22.22.0/24?
> >>
> >> Either way you need to have your network behind the 800 being routed
> >> to the outside interface via your outside gateway as that's where the
> >> crypto terminates. If the network behind the 800 happens to be
> >> 11.11.11.0/24 then your split tunnel is the wrong way around also; if
> >> it's 22.22.22.0/24 then try adding "route outside 22.22.22.0
> >> 255.255.255.0 <OUTSIDE GATEWAY> 1"
> >>
> >>
> >> Ben
> >>
> >>
> >> On 01/04/2008, at 9:16 PM, William wrote:
> >>
> >>> Hi Ben,
> >>>
> >>> The VPN is establishing, show crypto isakmp sa displays it, the logs
> >>> on the ASA show P1&2 and I'm able to communicate only if I originate
> >>> the connection from the 800 series router.
> >>>
> >>> Routing seems fine from the box also, there are no routes on the ASA
> >>> for destinations it reaches via VPN.
> >>>
> >>> Routing to the net on my core network:
> >>>
> >>> S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
> >>>
> >>>
> >>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> >>>> I thought I saw earlier a mention of the traffic hair-pinning, yet
> >>>> your crypto map is bound to the outside interface.
> >>>>
> >>>> Is the IPSEC tunnel being established on the outside or the inside
> >>>> interface? Can you show the output of a "sh route" also?
> >>>>
> >>>>
> >>>>
> >>>> On 01/04/2008, at 9:00 PM, William wrote:
> >>>>
> >>>>> Can't paste the whole thing, but here are the bits:
> >>>>>
> >>>>> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> >>>>>
> >>>>> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> >>>>> access-list inside_access_in extended permit icmp any any
> >>>>>
> >>>>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> >>>>>
> >>>>> nat (inside) 0 access-list inside_nat0_outbound
> >>>>> access-group inside_access_in in interface inside
> >>>>>
> >>>>> group-policy 800vpn internal
> >>>>> group-policy 800vpn attributes
> >>>>> password-storage enable
> >>>>> pfs enable
> >>>>> split-tunnel-policy tunnelspecified
> >>>>> split-tunnel-network-list value Split-Tunnel
> >>>>> nem enable
> >>>>>
> >>>>>
> >>>>>
> >>>>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> >>>>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> >>>>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> >>>>> crypto dynamic-map outside_dyn_map 20 set pfs
> >>>>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> >>>>> crypto dynamic-map outside_dyn_map 40 set pfs
> >>>>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
> >>>>> crypto dynamic-map outside_dyn_map 60 set pfs
> >>>>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
> >>>>> crypto dynamic-map outside_dyn_map 80 set pfs
> >>>>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
> >>>>> crypto dynamic-map outside_dyn_map 100 set pfs
> >>>>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
> >>>>> crypto dynamic-map outside_dyn_map 120 set pfs
> >>>>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
> >>>>>
> >>>>>
> >>>>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> >>>>> crypto map outside_map interface outside
> >>>>>
> >>>>> crypto isakmp policy 1
> >>>>> authentication pre-share
> >>>>> encryption 3des
> >>>>> hash md5
> >>>>> group 2
> >>>>> lifetime 86400
> >>>>>
> >>>>>
> >>>>> tunnel-group Uname type ipsec-ra
> >>>>> tunnel-group Uname general-attributes
> >>>>> default-group-policy 800vpn
> >>>>> tunnel-group Uname ipsec-attributes
> >>>>> pre-shared-key *
> >>>>> isakmp ikev1-user-authentication none
> >>>>>
> >>>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> >>>>>> Maybe it would be easier if you just pasted your config in rather
> >>>>>> than us keep guessing, but I can add to the guess list.. :)
> >>>>>>
> >>>>>> Do you have nat-control turned on? If so, have you got your nat 0
> >>>>>> statement set up for the IPSEC traffic?
> >>>>>>
> >>>>>>
> >>>>>> Ben
> >>>>>>
> >>>>>>
> >>>>>> On 01/04/2008, at 8:08 PM, William wrote:
> >>>>>>
> >>>>>>> Hi Peter,
> >>>>>>>
> >>>>>>> I went ahead and enabled it in the end, it stopped the error
> >>>>>>> messages (denies) coming up in the logs but my data still isn't
> >>>>>>> passing through.
> >>>>>>> I'm still a bit lost as to what's causing my issue, do you think
> >>>>>>> it could be to do with my ISAKMP/IPSEC settings? I'm not so sure
> >>>>>>> because the logs show PHASE1&2 completed without any problems. :(
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>>
> >>>>>>> On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
> >>>>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
> >>>>>>>>> The command same-security-traffic permit intra-interface is
> >>>>>>>>> not in the config but am I likely to break anything if I use it?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Well, you're likely to break the security that is there from
> >>>>>>>> the beginning, without this command. You could compare it to
> >>>>>>>> "local proxy arp". It will not stop any traffic flows that
> >>>>>>>> already work, just allow some more ones.
> >>>>>>>>
> >>>>>>>> Reference for the command:
> >>>>>>>>
> >>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
> >>>>>>>> http://tinyurl.com/2ateua
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>>
> >>>>>>>> Peter
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >>
>
>
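The thread above comes down to three things Ben asks William to verify on the ASA: that the nat 0 exemption and the split-tunnel list name the same network pair in the same orientation, that the remote network behind the 800 is routed out of the interface the crypto map is bound to (by a specific route or the default route), and that no static route sends that network out some other interface where it never reaches the crypto map. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA config fragment modelled on the one William pasted (same network numbers; the interface names, the 203.0.113.1 outside gateway and the `route` lines are assumed placeholders) and reports those three conditions. It handles only the `permit <proto> <net> <mask> <net> <mask>` form of access-list entries and static `route` statements, which is all the check needs.

```python
"""Consistency checks for an ASA EasyVPN hub config (added example).

Reads the handful of lines that matter for the problem discussed in the
thread and reports: nat 0 / split-tunnel mismatch, a remote network with
no route, and a remote network routed out an interface other than the one
the crypto map is bound to.
"""
import ipaddress
import re
from collections import defaultdict

# Regexes for the few statement types the check needs. Entries of the form
# "permit icmp any any" have no network/mask pairs and are deliberately skipped.
ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")
SPLIT_RE = re.compile(r"split-tunnel-network-list value (\S+)")
CRYPTO_IF_RE = re.compile(r"crypto map \S+ interface (\S+)")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")


def parse_asa(text):
    """Extract ACL network pairs, nat 0 / split-tunnel ACL names, the crypto
    map interface and static routes from an ASA running-config fragment."""
    cfg = {"acl": defaultdict(list), "routes": [],
           "nat0": None, "split": None, "crypto_if": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            cfg["acl"][name].append((ipaddress.ip_network(f"{src}/{smask}"),
                                     ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0"] = m.group(1)
            continue
        m = SPLIT_RE.match(line)
        if m:
            cfg["split"] = m.group(1)
            continue
        m = CRYPTO_IF_RE.match(line)
        if m:
            cfg["crypto_if"] = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, gw = m.groups()
            cfg["routes"].append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
    return cfg


def route_lookup(cfg, net):
    """Longest-prefix match of a destination network against the static routes."""
    best = None
    for iface, rnet, gw in cfg["routes"]:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[1].prefixlen):
            best = (iface, rnet, gw)
    return best


def check_vpn(cfg):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    nat0 = cfg["acl"].get(cfg["nat0"], [])
    split = cfg["acl"].get(cfg["split"], [])
    if not nat0:
        findings.append("no nat 0 exemption for tunnelled traffic")
    if set(nat0) != set(split):
        if {(d, s) for s, d in split} == set(nat0):
            findings.append("split-tunnel list is the wrong way around "
                            "(source/destination swapped relative to nat 0)")
        else:
            findings.append("nat 0 exemption and split-tunnel list do not "
                            "cover the same network pair")
    for _local, remote in nat0:
        hit = route_lookup(cfg, remote)
        if hit is None:
            findings.append(f"no route for remote network {remote}")
        elif hit[0] != cfg["crypto_if"]:
            findings.append(f"remote network {remote} is routed via {hit[0]} "
                            f"but the crypto map is on {cfg['crypto_if']}")
    return findings


# Constructed config fragments: network numbers from the thread, routes assumed.
GOOD_CONFIG = """
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
split-tunnel-network-list value Split-Tunnel
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
"""

# Same hub, but the split-tunnel list is reversed and a static route sends the
# remote network to the inside gateway instead of letting the default route
# carry it to the outside interface where the crypto map lives.
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0",
    "access-list Split-Tunnel extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0",
) + "route inside 22.22.22.0 255.255.255.0 192.168.0.254 1\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_vpn(parse_asa(text)) or ["ok"])
```

Run it as-is and the "good" fragment reports nothing while the "bad" one reports the reversed split-tunnel list and the remote network being routed via `inside`; to check a real device, paste the relevant `show running-config` lines into `GOOD_CONFIG` instead.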