[c-nsp] EasyVPN IOS->ASA55xx
William
willay at gmail.com
Tue Apr 1 07:01:44 EDT 2008
Network behind the 800 is 22.22.22.0/24
W
On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> Ok just to save me any confusion here, is the network behind the 800
> 11.11.11.0/24 or 22.22.22.0/24?
>
> Either way you need to have your network behind the 800 being routed
> to the outside interface via your outside gateway, as that's where the
> crypto terminates. If the network behind the 800 happens to be
> 11.11.11.0/24 then your split tunnel is the wrong way around also; if
> it's 22.22.22.0/24 then try adding "route outside 22.22.22.0
> 255.255.255.0 <OUTSIDE GATEWAY> 1"
>
>
> Ben
>
>
> On 01/04/2008, at 9:16 PM, William wrote:
>
> > Hi Ben,
> >
> > The VPN is establishing, show crypto isakmp sa displays it, the logs
> > on the ASA show P1&2 and I'm able to communicate only if I originate
> > the connection from the 800 series router.
> >
> > Routing seems fine from the box also, there are no routes on the ASA
> > for destinations it reaches via VPN.
> >
> > Routing to the net on my core network:
> >
> > S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
> >
> >
> > On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> >> I thought I saw earlier a mention of the traffic hair-pinning, yet
> >> your crypto map is bound to the outside interface.
> >>
> >> Is the IPSEC tunnel being established on the outside or the inside
> >> interface? Can you show the output of a "sh route" also?
> >>
> >>
> >>
> >> On 01/04/2008, at 9:00 PM, William wrote:
> >>
> >>> Can't paste the whole thing, but here are the bits:
> >>>
> >>> access-list inside_nat0_outbound extended permit ip 11.11.11.0
> >>> 255.255.255.0 22.22.22.0 255.255.255.0
> >>>
> >>> access-list inside_access_in extended permit ip 11.11.11.0
> >>> 255.255.255.0 22.22.22.0 255.255.255.0
> >>> access-list inside_access_in extended permit icmp any any
> >>>
> >>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0
> >>> 22.22.22.0 255.255.255.0
> >>>
> >>> nat (inside) 0 access-list inside_nat0_outbound
> >>> access-group inside_access_in in interface inside
> >>>
> >>> group-policy 800vpn internal
> >>> group-policy 800vpn attributes
> >>> password-storage enable
> >>> pfs enable
> >>> split-tunnel-policy tunnelspecified
> >>> split-tunnel-network-list value Split-Tunnel
> >>> nem enable
> >>>
> >>>
> >>>
> >>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> >>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> >>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> >>> crypto dynamic-map outside_dyn_map 20 set pfs
> >>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> >>> crypto dynamic-map outside_dyn_map 40 set pfs
> >>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
> >>> crypto dynamic-map outside_dyn_map 60 set pfs
> >>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
> >>> crypto dynamic-map outside_dyn_map 80 set pfs
> >>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
> >>> crypto dynamic-map outside_dyn_map 100 set pfs
> >>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
> >>> crypto dynamic-map outside_dyn_map 120 set pfs
> >>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
> >>>
> >>>
> >>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> >>> crypto map outside_map interface outside
> >>>
> >>> crypto isakmp policy 1
> >>> authentication pre-share
> >>> encryption 3des
> >>> hash md5
> >>> group 2
> >>> lifetime 86400
> >>>
> >>>
> >>> tunnel-group Uname type ipsec-ra
> >>> tunnel-group Uname general-attributes
> >>> default-group-policy 800vpn
> >>> tunnel-group Uname ipsec-attributes
> >>> pre-shared-key *
> >>> isakmp ikev1-user-authentication none
> >>>
> >>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
> >>>> Maybe it would be easier if you just pasted your config in rather
> >>>> than us keep guessing, but I can add to the guess list.. :)
> >>>>
> >>>> Do you have nat-control turned on? If so, have you got your nat 0
> >>>> statement set up for the IPSEC traffic?
> >>>>
> >>>>
> >>>> Ben
> >>>>
> >>>>
> >>>> On 01/04/2008, at 8:08 PM, William wrote:
> >>>>
> >>>>> Hi Peter,
> >>>>>
> >>>>> I went ahead and enabled it in the end; it stopped the error
> >>>>> messages (denies) coming up in the logs but my data still isn't
> >>>>> passing through.
> >>>>> I'm still a bit lost as to what's causing my issue, do you think it
> >>>>> could be to do with my ISAKMP/IPSEC settings? I'm not so sure because
> >>>>> the logs show PHASE1&2 completed without any problems. :(
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>>
> >>>>> On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
> >>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
> >>>>>>> The command same-security-traffic permit intra-interface is
> >>>>>>> not in the config but am I likely to break anything if I use it?
> >>>>>>
> >>>>>>
> >>>>>> Well, you're likely to break the security that is there from the
> >>>>>> beginning, without this command. You could compare it to "local
> >>>>>> proxy arp". It will not stop any traffic flows that already work,
> >>>>>> just allow some more.
> >>>>>>
> >>>>>> Reference for the command:
> >>>>>>
> >>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
> >>>>>> http://tinyurl.com/2ateua
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Peter
> >>>>>>
> >>>>>>
> >>>>>>
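As an added example, not code from the thread or from Cisco, the following Python script applies the checks the replies above raise to ASA configuration fragments of the kind William posted: whether the split-tunnel ACL is the right way around for the network behind the 800, whether every tunnelled pair has a nat 0 exemption, whether the client-side network is routed out of the interface the crypto map is bound to, and whether same-security-traffic permit intra-interface is present. The sample configuration is constructed from the posted fragments (the inside route is the posted "show route" entry rewritten as a route statement), and the gateway 203.0.113.1 in the suggested route is a placeholder for <OUTSIDE GATEWAY>.

```python
"""Consistency checks for an ASA EasyVPN (NEM) configuration, as discussed above.

Added example, not code from the thread or from Cisco. It parses the ASA
statements that appear in the thread (access-list, nat 0,
split-tunnel-network-list, crypto map ... interface, route) and reports the
conditions the replies ask about.
"""
import ipaddress
import re

# Constructed sample modelled on the fragments posted in the thread (not the
# full config). The inside route is the posted "show route" entry rewritten as
# a route statement; there is deliberately no route for the 800's network.
ASA_CONFIG_AS_POSTED = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
group-policy 800vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
"""

# The route Ben suggests; 203.0.113.1 is a placeholder for <OUTSIDE GATEWAY>.
ROUTE_FIX = "route outside 22.22.22.0 255.255.255.0 203.0.113.1 1\n"

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)$")


def net(addr, mask):
    """Build a network object from the ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(config):
    """Extract the statements the checks need; everything else is ignored."""
    cfg = {"acls": {}, "routes": [], "split_acl": None, "nat0_acl": None,
           "crypto_if": None, "hairpin": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append((net(src, smask), net(dst, dmask)))
        elif m := ROUTE_RE.match(line):
            iface, addr, mask, gw = m.groups()
            cfg["routes"].append((iface, net(addr, mask), gw))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m.group(1)
        elif m := CRYPTO_IF_RE.match(line):
            cfg["crypto_if"] = m.group(1)
        elif line.startswith("split-tunnel-network-list value "):
            cfg["split_acl"] = line.split()[-1]
        elif line == "same-security-traffic permit intra-interface":
            cfg["hairpin"] = True
    return cfg


def check_easyvpn(config, client_net):
    """Return findings as strings; an empty list means all checks passed.

    client_net is the network behind the EasyVPN client (the 800 series
    router), which the thread settles as 22.22.22.0/24.
    """
    cfg = parse_asa(config)
    client = ipaddress.ip_network(client_net)
    findings = []
    if cfg["split_acl"] is None:
        return ["no split-tunnel-network-list configured"]
    nat0 = set(cfg["acls"].get(cfg["nat0_acl"], []))
    for local, remote in cfg["acls"].get(cfg["split_acl"], []):
        # In an extended split-tunnel ACL the source is the network behind the
        # ASA and the destination is the network behind the client.
        if local == client:
            findings.append(f"split-tunnel ACL {cfg['split_acl']} is the wrong way around: "
                            f"client network {local} appears as source")
        if (local, remote) not in nat0:
            findings.append(f"no nat 0 exemption for {local} -> {remote}")
        # Return traffic to the client network must leave via the interface the
        # crypto map is bound to; judge by the longest matching route.
        matches = [(n.prefixlen, iface) for iface, n, _ in cfg["routes"] if remote.subnet_of(n)]
        best_if = max(matches)[1] if matches else None
        if best_if != cfg["crypto_if"]:
            findings.append(f"best route for {remote} is via {best_if or 'nothing'}, "
                            f"not {cfg['crypto_if']} where the crypto map is bound")
    if cfg["hairpin"]:
        findings.append("same-security-traffic permit intra-interface is set: traffic may "
                        "enter and leave the same interface, confirm that is intended")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", ASA_CONFIG_AS_POSTED),
                        ("with route fix", ASA_CONFIG_AS_POSTED + ROUTE_FIX)):
        print(f"[{label}]", check_easyvpn(conf, "22.22.22.0/24") or "no findings")
```

Run against the posted fragments with 22.22.22.0/24 as the client network, the only finding is the missing route via outside, which matches Ben's diagnosis; appending the suggested route clears it. Passing 11.11.11.0/24 as the client network instead reports the split-tunnel ACL as reversed, the other case Ben describes.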