[c-nsp] EasyVPN IOS->ASA55xx

Ben Steele ben at internode.com.au
Tue Apr 1 07:03:38 EDT 2008


So do you have the route for 22.22.22.0/24 to go via the outside? Is
it caught by the default route or is there something else in place?
Hence why I asked for output of "sh route".

On 01/04/2008, at 9:31 PM, William wrote:

> Network behind the 800 is 22.22.22.0/24
>
> W
>
> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>> OK, just to save me any confusion here, is the network behind the 800
>> 11.11.11.0/24 or 22.22.22.0/24?
>>
>> Either way you need to have your network behind the 800 being routed
>> to the outside interface via your outside gateway, as that's where the
>> crypto terminates. If the network behind the 800 happens to be
>> 11.11.11.0/24 then your split tunnel is the wrong way around also; if
>> it's 22.22.22.0/24 then try adding "route outside 22.22.22.0
>> 255.255.255.0 <OUTSIDE GATEWAY> 1".
>>
>>
>> Ben
>>
>>
>> On 01/04/2008, at 9:16 PM, William wrote:
>>
>>> Hi Ben,
>>>
>>> The VPN is establishing, show crypto isakmp sa displays it, the logs
>>> on the ASA show P1&2 and I'm able to communicate only if I originate
>>> the connection from the 800 series router.
>>>
>>> Routing seems fine from the box also, there are no routes on the ASA
>>> for destinations it reaches via VPN.
>>>
>>> Routing to the net on my core network:
>>>
>>> S    11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>>>
>>>
>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>>>> I thought I saw earlier a mention of the traffic hair-pinning, yet
>>>> your crypto map is bound to the outside interface.
>>>>
>>>> Is the IPSEC tunnel being established on the outside or the inside
>>>> interface? Can you show the output of a "sh route" also?
>>>>
>>>>
>>>>
>>>> On 01/04/2008, at 9:00 PM, William wrote:
>>>>
>>>>> Can't paste the whole thing, but here are the bits:
>>>>>
>>>>> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>
>>>>> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>> access-list inside_access_in extended permit icmp any any
>>>>>
>>>>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>
>>>>> nat (inside) 0 access-list inside_nat0_outbound
>>>>> access-group inside_access_in in interface inside
>>>>>
>>>>> group-policy 800vpn internal
>>>>> group-policy 800vpn attributes
>>>>> password-storage enable
>>>>> pfs enable
>>>>> split-tunnel-policy tunnelspecified
>>>>> split-tunnel-network-list value Split-Tunnel
>>>>> nem enable
>>>>>
>>>>>
>>>>>
>>>>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>>>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
>>>>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>>>> crypto dynamic-map outside_dyn_map 20 set pfs
>>>>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 40 set pfs
>>>>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 60 set pfs
>>>>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 80 set pfs
>>>>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 100 set pfs
>>>>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
>>>>> crypto dynamic-map outside_dyn_map 120 set pfs
>>>>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>>>>>
>>>>>
>>>>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>>>> crypto map outside_map interface outside
>>>>>
>>>>> crypto isakmp policy 1
>>>>> authentication pre-share
>>>>> encryption 3des
>>>>> hash md5
>>>>> group 2
>>>>> lifetime 86400
>>>>>
>>>>>
>>>>> tunnel-group Uname type ipsec-ra
>>>>> tunnel-group Uname general-attributes
>>>>> default-group-policy 800vpn
>>>>> tunnel-group Uname ipsec-attributes
>>>>> pre-shared-key *
>>>>> isakmp ikev1-user-authentication none
>>>>>
>>>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>>>>>> Maybe it would be easier if you just pasted your config in rather
>>>>>> than
>>>>>> us keep guessing, but I can add to the guess list.. :)
>>>>>>
>>>>>> do you have nat-control turned on? if so have you got your nat 0
>>>>>> statement setup for the IPSEC traffic?
>>>>>>
>>>>>>
>>>>>> Ben
>>>>>>
>>>>>>
>>>>>> On 01/04/2008, at 8:08 PM, William wrote:
>>>>>>
>>>>>>> Hi Peter,
>>>>>>>
>>>>>>> I went ahead and enabled it in the end. It stopped the error
>>>>>>> messages (denies) coming up in the logs, but my data still isn't
>>>>>>> passing through. I'm still a bit lost as to what's causing my
>>>>>>> issue; do you think it could be to do with my ISAKMP/IPSEC settings?
>>>>>>> I'm not so sure, because the logs show PHASE1&2 completed without
>>>>>>> any problems. :(
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>> On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
>>>>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>>>>>> The command same-security-traffic permit intra-interface is
>>>>>>>>> not in
>>>>>>>>> the
>>>>>>>>> config but am I likely to break anything if I use it?
>>>>>>>>
>>>>>>>>
>>>>>>>> Well, you're likely to break the security that is there from the
>>>>>>>> beginning, without this command. You could compare it to "local
>>>>>>>> proxy arp". It will not stop any traffic flows that already work,
>>>>>>>> just allow some more ones.
>>>>>>>>
>>>>>>>> Reference for the command:
>>>>>>>>
>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>>>>>> http://tinyurl.com/2ateua
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Peter
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>
>>>>>>
>>>>
>>>>
>>
>>
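The three things the thread ends up checking by hand (split-tunnel ACL direction, the nat 0 exemption, and whether the network behind the 800 routes out of the interface the crypto map is bound to) can be checked mechanically from a saved config. The script below is an added example written for this archive page; it is not code from the thread or from Cisco. The config text it parses is constructed from the fragments William posted, with his "S 11.11.11.0 ... via 192.168.0.254, inside" line rendered as a static route; the 203.0.113.1 gateway in FIXED_CONFIG is a placeholder for the "<OUTSIDE GATEWAY>" Ben left blank. It only understands "permit ip net mask net mask" ACL lines and static "route" lines, which is all the posted fragments use.

```python
"""Consistency checks for an ASA EasyVPN (NEM) hub: split tunnel, nat 0, routing.

Added example for the cisco-nsp thread above; not code from the thread or from
Cisco.  ASA_CONFIG is constructed from the poster's fragments.  The outside
gateway 203.0.113.1 in FIXED_CONFIG is an assumed placeholder.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)", re.M)
ROUTE_RE = re.compile(
    r"^route\s+(?P<iface>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+(?P<gw>\S+)", re.M)
CRYPTO_IF_RE = re.compile(r"^crypto map\s+\S+\s+interface\s+(?P<iface>\S+)", re.M)
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list value\s+(?P<name>\S+)", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (?P<name>\S+)", re.M)

# Constructed sample: the poster's fragments as one text.  There is no route
# for the network behind the 800 (22.22.22.0/24), which is where the thread ends.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy 800vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
"""

# Ben's suggested fix, with an assumed placeholder gateway (not from the thread).
FIXED_CONFIG = ASA_CONFIG + "route outside 22.22.22.0 255.255.255.0 203.0.113.1 1\n"


def net(addr, mask):
    """'11.11.11.0', '255.255.255.0' -> IPv4Network('11.11.11.0/24')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_entries(config, name):
    """(src, dst) network pairs from the 'permit ip net mask net mask' lines of one ACL.
    'any'/'host' forms are not handled; the posted ACLs do not use them for ip."""
    return [(net(m["src"], m["smask"]), net(m["dst"], m["dmask"]))
            for m in ACL_RE.finditer(config) if m["name"] == name]


def route_interface(config, dst):
    """Interface of the longest-prefix static route covering dst (a default
    route counts); None if no route covers it at all."""
    dst = ipaddress.ip_network(str(dst))
    best = None
    for m in ROUTE_RE.finditer(config):
        network = net(m["net"], m["mask"])
        if dst.subnet_of(network) and (best is None or network.prefixlen > best[1].prefixlen):
            best = (m["iface"], network)
    return best[0] if best else None


def check_easyvpn(config, hub_net, remote_net):
    """Findings for a NEM hub; an empty list means split tunnel, nat 0 and
    routing all agree for hub_net <-> remote_net."""
    hub_net = ipaddress.ip_network(hub_net)
    remote_net = ipaddress.ip_network(remote_net)
    findings = []

    # 1. On the hub, the split-tunnel ACL names hub-side networks as the *source*.
    m = SPLIT_RE.search(config)
    split = acl_entries(config, m["name"]) if m else []
    if not any(src == hub_net for src, _ in split):
        findings.append(f"split-tunnel: no entry with hub network {hub_net} as source")
    if any(src == remote_net for src, _ in split):
        findings.append("split-tunnel: ACL is the wrong way around (remote network is the source)")

    # 2. hub -> remote must be exempt from NAT, or it is translated before the crypto check.
    m = NAT0_RE.search(config)
    exempt = acl_entries(config, m["name"]) if m else []
    if not any(hub_net.subnet_of(s) and remote_net.subnet_of(d) for s, d in exempt):
        findings.append(f"nat0: {hub_net} -> {remote_net} is not exempted from NAT")

    # 3. The remote network must route out of the interface the crypto map is bound to.
    m = CRYPTO_IF_RE.search(config)
    crypto_if = m["iface"] if m else "<crypto interface>"
    iface = route_interface(config, remote_net)
    if iface is None:
        findings.append(f"route: no route for {remote_net}; add 'route {crypto_if} "
                        f"{remote_net.network_address} {remote_net.netmask} <gateway> 1'")
    elif iface != crypto_if:
        findings.append(f"route: {remote_net} goes out {iface}, but the crypto map is on {crypto_if}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("with outside route", FIXED_CONFIG)):
        print(label, check_easyvpn(cfg, "11.11.11.0/24", "22.22.22.0/24") or "OK")
```

Run as-is it reports a single finding for the posted config (no route for 22.22.22.0/24 out of "outside") and nothing once the route Ben suggested is present; swapping the two networks in the ACLs reproduces the "split tunnel is the wrong way around" case he described for the 11.11.11.0/24 reading.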


