[c-nsp] EasyVPN IOS->ASA55xx

Ben Steele ben at internode.com.au
Tue Apr 1 06:40:31 EDT 2008


I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface.

Is the IPSEC tunnel being established on the outside or the inside interface? Can you show the output of a "sh route" also.


On 01/04/2008, at 9:00 PM, William wrote:

> Can't paste the whole thing, but here are the bits:
>
> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>
> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> access-list inside_access_in extended permit icmp any any
>
> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>
> nat (inside) 0 access-list inside_nat0_outbound
> access-group inside_access_in in interface inside
>
> group-policy 800vpn internal
> group-policy 800vpn attributes
> password-storage enable
> pfs enable
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value Split-Tunnel
> nem enable
>
>
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 set pfs
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 40 set pfs
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 60 set pfs
> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 80 set pfs
> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 100 set pfs
> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
> crypto dynamic-map outside_dyn_map 120 set pfs
> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>
>
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
>
> crypto isakmp policy 1
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
>
>
> tunnel-group Uname type ipsec-ra
> tunnel-group Uname general-attributes
> default-group-policy 800vpn
> tunnel-group Uname ipsec-attributes
> pre-shared-key *
> isakmp ikev1-user-authentication none
>
> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>> Maybe it would be easier if you just pasted your config in rather than
>> have us keep guessing, but I can add to the guess list... :)
>>
>> Do you have nat-control turned on? If so, have you got your nat 0
>> statement set up for the IPSEC traffic?
>>
>>
>> Ben
>>
>>
>> On 01/04/2008, at 8:08 PM, William wrote:
>>
>>> Hi Peter,
>>>
>>> I went ahead and enabled it in the end. It stopped the error messages
>>> (denys) coming up in the logs, but my data still isn't passing through.
>>> I'm still a bit lost as to what's causing my issue; do you think it
>>> could be to do with my ISAKMP/IPSEC settings? I'm not so sure, because
>>> the logs show PHASE1&2 completed without any problems. :(
>>>
>>> Regards,
>>>
>>>
>>> On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>> The command same-security-traffic permit intra-interface is not in the
>>>>> config but am I likely to break anything if I use it?
>>>>
>>>>
>>>> Well, you're likely to break the security that is there from the
>>>> beginning, without this command. You could compare it to "local proxy
>>>> arp". It will not stop any traffic flows that already work, just allow
>>>> some more ones.
>>>>
>>>> Reference for the command:
>>>>
>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>> http://tinyurl.com/2ateua
>>>>
>>>> Regards,
>>>>
>>>> Peter
>>>>
>>>>
>>>>
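As an added example (not part of the thread, and not a Cisco tool), a small Python checker for the three points the thread turns on: does the nat 0 exemption ACL cover every split-tunnel flow, which interface is the crypto map bound to, and is intra-interface hairpinning permitted? The sample config is constructed from the snippets William posted, with the wrapped ACL lines rejoined; the parser only understands the `permit ip` ACL form shown there.

```python
import re
from ipaddress import ip_network

# Constructed sample, unwrapped from the bits William posted (no hairpin line).
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy 800vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_asa(text):
    """Collect the ACLs, nat 0 exemption, split-tunnel list, crypto map binding and hairpin setting."""
    cfg = {"acls": {}, "nat0": None, "split": None, "crypto_if": None, "hairpin": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:  # only 'permit ip' entries with explicit masks are parsed
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nat0"] = line.split()[-1]
        elif line.startswith("split-tunnel-network-list value "):
            cfg["split"] = line.split()[-1]
        elif line.startswith("crypto map ") and " interface " in line:
            cfg["crypto_if"] = line.split()[-1]
        elif line == "same-security-traffic permit intra-interface":
            cfg["hairpin"] = True
    return cfg

def audit(cfg):
    """Flag split-tunnel flows with no covering nat 0 exemption; report crypto map interface and hairpin state."""
    split_flows = cfg["acls"].get(cfg["split"], [])
    nat0_flows = cfg["acls"].get(cfg["nat0"], [])
    missing = [(s, d) for s, d in split_flows
               if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0_flows)]
    return {"missing_nat_exemption": missing,
            "crypto_map_interface": cfg["crypto_if"],
            "hairpin_permitted": cfg["hairpin"]}
```

Run `audit(parse_asa(open("running-config").read()))` against a saved config; an empty `missing_nat_exemption` list means every split-tunnel flow is exempted from NAT, and `hairpin_permitted` tells you whether the intra-interface command Peter describes is in effect.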