[c-nsp] EasyVPN IOS->ASA55xx
William
willay at gmail.com
Tue Apr 1 06:30:44 EDT 2008
Can't paste the whole thing, but here are the bits:
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
group-policy 800vpn internal
group-policy 800vpn attributes
 password-storage enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group Uname type ipsec-ra
tunnel-group Uname general-attributes
 default-group-policy 800vpn
tunnel-group Uname ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> Maybe it would be easier if you just pasted your config in rather than
> us keep guessing, but I can add to the guess list.. :)
>
> do you have nat-control turned on? if so have you got your nat 0
> statement setup for the IPSEC traffic?
>
>
> Ben
>
>
> On 01/04/2008, at 8:08 PM, William wrote:
>
> > Hi Peter,
> >
> > I went ahead and enabled it in the end, it stopped the error messages
> > (denies) coming up in the logs but my data still isn't passing through.
> > I'm still a bit lost as to what's causing my issue, do you think it
> > could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the
> > logs show PHASE1&2 completed without any problems. :(
> >
> > Regards,
> >
> >
> > On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
> >> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
> >>> The command same-security-traffic permit intra-interface is not in the
> >>> config but am I likely to break anything if I use it?
> >>
> >>
> >> Well, you're likely to break the security that is there from the
> >> beginning, without this command. You could compare it to "local proxy
> >> arp". It will not stop any traffic flows that already work, just allow
> >> some more ones.
> >>
> >> Reference for the command:
> >>
> >> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
> >> http://tinyurl.com/2ateua
> >>
> >> Regards,
> >>
> >> Peter
> >>
> >>
> >>
>
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
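The thread boils down to two checks on the pasted config: is the nat 0 (identity NAT) ACL actually covering the traffic the split-tunnel list sends through the tunnel, and do all the named ACLs and transform sets exist. The script below is an added example, not code from the post or from Cisco: it parses the fragment William pasted (wrapped lines re-joined, the duplicate dynamic-map sequences trimmed) and runs those checks, and it also flags the transform sets and ISAKMP policy that still rely on DES or MD5. The function names, the keyword-based sub-mode handling and the "every split-tunnel entry needs an identical nat 0 entry" rule are this example's own assumptions.

```python
"""Lint an ASA EasyVPN config fragment for the problems raised in the thread.

Added example, not code from the mailing-list post. Checks: ACLs named by
'nat 0' and the split-tunnel list exist; every split-tunnel 'permit ip'
entry has a matching identity-NAT entry; transform sets in use and ISAKMP
policies that still use DES or MD5 are reported.
"""

# The fragment from the post, wrapped lines re-joined and duplicate
# dynamic-map sequences trimmed. Sub-mode indentation was lost in the mail,
# so the parser keys on command keywords rather than leading whitespace.
CONFIG = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
group-policy 800vpn internal
group-policy 800vpn attributes
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
nem enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group Uname type ipsec-ra
tunnel-group Uname general-attributes
default-group-policy 800vpn
"""

# Commands that always start a new top-level context (ends any sub-mode).
TOP_LEVEL = ("access-list ", "nat ", "access-group ", "group-policy ",
             "crypto ", "tunnel-group ")
# Algorithm tokens that count as weak for the purpose of this lint.
WEAK_ALGS = {"esp-des", "esp-md5-hmac", "des", "md5"}


def parse_config(text):
    """Pull out just the objects the checks below need."""
    cfg = {"acls": {}, "nat0": {}, "split_acl": {}, "transform_sets": {},
           "dyn_map_ts": [], "isakmp": {}}
    context = None  # ("group-policy", name) or ("isakmp", number) while in a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(TOP_LEVEL):
            context = None
        w = line.split()
        if w[0] == "access-list" and "permit" in w:
            # Store each entry as the tuple of words after 'permit'.
            cfg["acls"].setdefault(w[1], []).append(tuple(w[w.index("permit") + 1:]))
        elif w[0] == "nat" and len(w) >= 5 and w[2] == "0" and w[3] == "access-list":
            cfg["nat0"][w[1].strip("()")] = w[4]
        elif w[0] == "group-policy" and w[-1] == "attributes":
            context = ("group-policy", w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][w[3]] = set(w[4:])
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            for ts in w[6:]:
                cfg["dyn_map_ts"].append((w[2], int(w[3]), ts))
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            context = ("isakmp", int(w[3]))
            cfg["isakmp"][int(w[3])] = {}
        elif context and context[0] == "group-policy" and w[0] == "split-tunnel-network-list":
            cfg["split_acl"][context[1]] = w[-1]
        elif context and context[0] == "isakmp" and w[0] in ("encryption", "hash"):
            cfg["isakmp"][context[1]][w[0]] = w[1]
    return cfg


def missing_acl_references(cfg):
    """ACL names referenced by nat 0 or a split-tunnel list but never defined."""
    refs = [("nat 0 on " + i, a) for i, a in cfg["nat0"].items()]
    refs += [("split-tunnel for " + g, a) for g, a in cfg["split_acl"].items()]
    return [(where, acl) for where, acl in refs if acl not in cfg["acls"]]


def split_tunnel_not_nat_exempt(cfg):
    """Split-tunnel 'permit ip' entries with no identical nat 0 entry on any interface."""
    exempt = {e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])}
    return [(gp, e) for gp, acl in cfg["split_acl"].items()
            for e in cfg["acls"].get(acl, []) if e[0] == "ip" and e not in exempt]


def weak_crypto(cfg):
    """Transform sets actually bound to a dynamic map, and ISAKMP policies, using DES or MD5."""
    findings = []
    for _, seq, ts in cfg["dyn_map_ts"]:
        if cfg["transform_sets"].get(ts, set()) & WEAK_ALGS:
            findings.append(f"dynamic-map seq {seq} uses {ts}")
    for num, attrs in cfg["isakmp"].items():
        if set(attrs.values()) & WEAK_ALGS:
            findings.append(f"isakmp policy {num} uses {attrs}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("missing ACLs:", missing_acl_references(cfg))
    print("split-tunnel entries without nat 0:", split_tunnel_not_nat_exempt(cfg))
    print("weak crypto:", weak_crypto(cfg))
```

On the pasted fragment the first two checks come back clean, which is consistent with what the thread found (phase 1 and 2 complete, nat 0 already in place), so the remaining suspects are elsewhere; the third check reports the ESP-DES-MD5 and ESP-3DES-MD5 sets and the MD5 ISAKMP hash, which are the lines worth retiring when the tunnel is reworked.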