[c-nsp] EasyVPN IOS->ASA55xx

Ben Steele ben at internode.com.au
Tue Apr 1 06:58:34 EDT 2008


Ok just to save me any confusion here, is the network behind the 800  
11.11.11.0/24 or 22.22.22.0/24?

Either way you need to have the network behind the 800 routed to the
outside interface via your outside gateway, as that's where the crypto
terminates. If the network behind the 800 happens to be 11.11.11.0/24
then your split tunnel is the wrong way around as well; if it's
22.22.22.0/24 then try adding "route outside 22.22.22.0
255.255.255.0 <OUTSIDE GATEWAY> 1".

Ben

On 01/04/2008, at 9:16 PM, William wrote:

> Hi Ben,
>
> The VPN is establishing, show crypto isakmp sa displays it, the logs
> on the ASA show P1&2 and I'm able to communicate only if I originate
> the connection from the 800 series router.
>
> Routing seems fine from the box also, there are no routes on the ASA
> for destinations it reaches via VPN.
>
> Routing to the net on my core network:
>
> S    11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>
>
> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>> I thought I saw earlier a mention of the traffic hair-pinning, yet
>> your crypto map is bound to the outside interface.
>>
>> Is the IPSEC tunnel being established on the outside or the inside
>> interface? Can you show the output of a "sh route" also.
>>
>>
>>
>> On 01/04/2008, at 9:00 PM, William wrote:
>>
>>> Can't paste the whole thing, but here are the bits:
>>>
>>> access-list inside_nat0_outbound extended permit ip 11.11.11.0
>>> 255.255.255.0 22.22.22.0 255.255.255.0
>>>
>>> access-list inside_access_in extended permit ip 11.11.11.0
>>> 255.255.255.0 22.22.22.0 255.255.255.0
>>> access-list inside_access_in extended permit icmp any any
>>>
>>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0
>>> 22.22.22.0 255.255.255.0
>>>
>>> nat (inside) 0 access-list inside_nat0_outbound
>>> access-group inside_access_in in interface inside
>>>
>>> group-policy 800vpn internal
>>> group-policy 800vpn attributes
>>> password-storage enable
>>> pfs enable
>>> split-tunnel-policy tunnelspecified
>>> split-tunnel-network-list value Split-Tunnel
>>> nem enable
>>>
>>>
>>>
>>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
>>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>> crypto dynamic-map outside_dyn_map 20 set pfs
>>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
>>> crypto dynamic-map outside_dyn_map 40 set pfs
>>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
>>> crypto dynamic-map outside_dyn_map 60 set pfs
>>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
>>> crypto dynamic-map outside_dyn_map 80 set pfs
>>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
>>> crypto dynamic-map outside_dyn_map 100 set pfs
>>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
>>> crypto dynamic-map outside_dyn_map 120 set pfs
>>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>>>
>>>
>>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>> crypto map outside_map interface outside
>>>
>>> crypto isakmp policy 1
>>> authentication pre-share
>>> encryption 3des
>>> hash md5
>>> group 2
>>> lifetime 86400
>>>
>>>
>>> tunnel-group Uname type ipsec-ra
>>> tunnel-group Uname general-attributes
>>> default-group-policy 800vpn
>>> tunnel-group Uname ipsec-attributes
>>> pre-shared-key *
>>> isakmp ikev1-user-authentication none
>>>
>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>>>> Maybe it would be easier if you just pasted your config in rather
>>>> than us keep guessing, but I can add to the guess list.. :)
>>>>
>>>> do you have nat-control turned on? if so have you got your nat 0
>>>> statement setup for the IPSEC traffic?
>>>>
>>>>
>>>> Ben
>>>>
>>>>
>>>> On 01/04/2008, at 8:08 PM, William wrote:
>>>>
>>>>> Hi Peter,
>>>>>
>>>>> I went ahead and enabled it in the end. It stopped the error
>>>>> messages (denies) coming up in the logs, but my data still isn't
>>>>> passing through.
>>>>> I'm still a bit lost as to what's causing my issue; do you think it
>>>>> could be to do with my ISAKMP/IPSEC settings? I'm not so sure,
>>>>> because the logs show PHASE1&2 completed without any problems. :(
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
>>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>>>> The command same-security-traffic permit intra-interface is
>>>>>>> not in the config but am I likely to break anything if I use it?
>>>>>>
>>>>>>
>>>>>> Well, you're likely to break the security that is there from the
>>>>>> beginning, without this command. You could compare it to "local
>>>>>> proxy arp". It will not stop any traffic flows that already work,
>>>>>> just allow some more ones.
>>>>>>
>>>>>> Reference for the command:
>>>>>>
>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>>>> http://tinyurl.com/2ateua
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>
>>
>>

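Ben's three questions (which side is 11.11.11.0/24, is the split-tunnel list the right way around, is the remote network routed out the interface the crypto map sits on) can be checked mechanically against the pasted ASA lines. The script below is an added example and not part of the thread; it parses a constructed config fragment built from the ACL and route lines quoted above, takes the hub-side and client-side networks as inputs, and reports the same three misconfigurations Ben points at. The outside gateway address 203.0.113.1 is a placeholder.

```python
import ipaddress
import re

# Constructed fragment assembled from the lines quoted in the thread.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
"""
# Ben's suggested fix; 203.0.113.1 is a placeholder for <OUTSIDE GATEWAY>.
ROUTE_FIX = "route outside 22.22.22.0 255.255.255.0 203.0.113.1 1\n"

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Collect (src, dst) network pairs per ACL name and (iface, net) per route."""
    acls, routes = {}, []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, _gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}")))
    return acls, routes

def check_ezvpn(config, hub_net, client_net, crypto_iface="outside",
                split_acl="Split-Tunnel", nat0_acl="inside_nat0_outbound"):
    """Return findings for a NEM EasyVPN hub: split list direction, nat 0, route."""
    hub, client = ipaddress.ip_network(hub_net), ipaddress.ip_network(client_net)
    acls, routes = parse(config)
    findings = []
    # The split-tunnel list is written from the hub's view: source = networks behind the ASA.
    if not any(src == hub for src, _ in acls.get(split_acl, [])):
        findings.append(f"{split_acl}: {hub} is not the source; split tunnel is backwards")
    # nat 0 must exempt hub -> client so nat-control does not eat the tunnelled traffic.
    if not any(src == hub and dst == client for src, dst in acls.get(nat0_acl, [])):
        findings.append(f"{nat0_acl}: no nat 0 exemption for {hub} -> {client}")
    # The client network must be routed out the interface the crypto map is bound to.
    if not any(iface == crypto_iface and net == client for iface, net in routes):
        findings.append(f"route: {client} is not routed via {crypto_iface}")
    return findings
```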

