[c-nsp] EasyVPN IOS->ASA55xx

Ben Steele ben at internode.com.au
Tue Apr 1 07:20:07 EDT 2008


Hmm

>>>> %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)

Seems to contradict that; any chance of getting more of the config?
Just change the passwords and IPs.

Also reply off list, I think this one has congested it enough :)


On 01/04/2008, at 9:43 PM, William wrote:

> Hi Ben,
>
> There is a default route to go via the outside, sorry about the confusion.
>
> Regards,
>
> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>> So do you have the route for 22.22.22.0/24 to go via the outside? is
>> it caught by the default route or is there something else in place?
>> hence why I asked for output of "sh route"
>>
>>
>> On 01/04/2008, at 9:31 PM, William wrote:
>>
>>> Network behind the 800 is 22.22.22.0/24
>>>
>>> W
>>>
>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>>>> Ok, just to save me any confusion here, is the network behind the 800
>>>> 11.11.11.0/24 or 22.22.22.0/24?
>>>>
>>>> Either way you need to have your network behind the 800 being routed
>>>> to the outside interface via your outside gateway, as that's where the
>>>> crypto terminates. If the network behind the 800 happens to be
>>>> 11.11.11.0/24 then your split tunnel is the wrong way around also; if
>>>> it's 22.22.22.0/24 then try adding "route outside 22.22.22.0
>>>> 255.255.255.0 <OUTSIDE GATEWAY> 1"
>>>>
>>>>
>>>> Ben
>>>>
>>>>
>>>> On 01/04/2008, at 9:16 PM, William wrote:
>>>>
>>>>> Hi Ben,
>>>>>
>>>>> The VPN is establishing, show crypto isakmp sa displays it, the logs
>>>>> on the ASA show P1&2 and I'm able to communicate only if I originate
>>>>> the connection from the 800 series router.
>>>>>
>>>>> Routing seems fine from the box also, there are no routes on the ASA
>>>>> for destinations it reaches via VPN.
>>>>>
>>>>> Routing to the net on my core network:
>>>>>
>>>>> S    11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>>>>>
>>>>>
>>>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>>>>>> I thought I saw earlier a mention of the traffic hair-pinning, yet
>>>>>> your crypto map is bound to the outside interface.
>>>>>>
>>>>>> Is the IPSEC tunnel being established on the outside or the inside
>>>>>> interface? Can you show the output of a "sh route" also.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 01/04/2008, at 9:00 PM, William wrote:
>>>>>>
>>>>>>> Can't paste the whole thing, but here are the bits:
>>>>>>>
>>>>>>> access-list inside_nat0_outbound extended permit ip 11.11.11.0
>>>>>>> 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>>>
>>>>>>> access-list inside_access_in extended permit ip 11.11.11.0
>>>>>>> 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>>> access-list inside_access_in extended permit icmp any any
>>>>>>>
>>>>>>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>>>
>>>>>>> nat (inside) 0 access-list inside_nat0_outbound
>>>>>>> access-group inside_access_in in interface inside
>>>>>>>
>>>>>>> group-policy 800vpn internal
>>>>>>> group-policy 800vpn attributes
>>>>>>> password-storage enable
>>>>>>> pfs enable
>>>>>>> split-tunnel-policy tunnelspecified
>>>>>>> split-tunnel-network-list value Split-Tunnel
>>>>>>> nem enable
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>>>>>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
>>>>>>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>>>>>> crypto dynamic-map outside_dyn_map 20 set pfs
>>>>>>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
>>>>>>> crypto dynamic-map outside_dyn_map 40 set pfs
>>>>>>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
>>>>>>> crypto dynamic-map outside_dyn_map 60 set pfs
>>>>>>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
>>>>>>> crypto dynamic-map outside_dyn_map 80 set pfs
>>>>>>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
>>>>>>> crypto dynamic-map outside_dyn_map 100 set pfs
>>>>>>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
>>>>>>> crypto dynamic-map outside_dyn_map 120 set pfs
>>>>>>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>>>>>>>
>>>>>>>
>>>>>>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>>>>>> crypto map outside_map interface outside
>>>>>>>
>>>>>>> crypto isakmp policy 1
>>>>>>> authentication pre-share
>>>>>>> encryption 3des
>>>>>>> hash md5
>>>>>>> group 2
>>>>>>> lifetime 86400
>>>>>>>
>>>>>>>
>>>>>>> tunnel-group Uname type ipsec-ra
>>>>>>> tunnel-group Uname general-attributes
>>>>>>> default-group-policy 800vpn
>>>>>>> tunnel-group Uname ipsec-attributes
>>>>>>> pre-shared-key *
>>>>>>> isakmp ikev1-user-authentication none
>>>>>>>
>>>>>>> On 01/04/2008, Ben Steele <ben at internode.com.au> wrote:
>>>>>>>> Maybe it would be easier if you just pasted your config in rather
>>>>>>>> than us keep guessing, but I can add to the guess list.. :)
>>>>>>>>
>>>>>>>> Do you have nat-control turned on? If so, have you got your nat 0
>>>>>>>> statement set up for the IPSEC traffic?
>>>>>>>>
>>>>>>>>
>>>>>>>> Ben
>>>>>>>>
>>>>>>>>
>>>>>>>> On 01/04/2008, at 8:08 PM, William wrote:
>>>>>>>>
>>>>>>>>> Hi Peter,
>>>>>>>>>
>>>>>>>>> I went ahead and enabled it in the end. It stopped the error
>>>>>>>>> messages (denys) coming up in the logs but my data still isn't
>>>>>>>>> passing through. I'm still a bit lost as to what's causing my
>>>>>>>>> issue; do you think it could be to do with my ISAKMP/IPSEC
>>>>>>>>> settings? I'm not so sure because the logs show PHASE1&2
>>>>>>>>> completed without any problems. :(
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 01/04/2008, Peter Rathlev <peter at rathlev.dk> wrote:
>>>>>>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>>>>>>>> The command same-security-traffic permit intra-interface is
>>>>>>>>>>> not in the config but am I likely to break anything if I use it?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Well, you're likely to break the security that is there from the
>>>>>>>>>> beginning, without this command. You could compare it to "local
>>>>>>>>>> proxy arp". It will not stop any traffic flows that already work,
>>>>>>>>>> just allow some more ones.
>>>>>>>>>>
>>>>>>>>>> Reference for the command:
>>>>>>>>>>
>>>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>>>>>>>> http://tinyurl.com/2ateua
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Peter
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
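As an added diagnostic example (not from the thread, Cisco, or either poster), the Python below parses the `%ASA-3-106014` line Ben quotes together with a `sh route` table and tells an intra-interface hairpin (ingress and egress both `inside`) apart from an ordinary ACL drop, then checks whether the logged egress agrees with the route table. The sample log and route lines are constructed from the thread's addresses, and `crypto_iface` is assumed to be the interface the crypto map is bound to.

```python
import ipaddress
import re

# Constructed samples modelled on the thread: the hairpin deny William saw,
# one ordinary outside->inside drop, and a route table like his "sh route".
SAMPLE_LOGS = """\
%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.9 dst inside:11.11.11.1 (type 8, code 0)
"""
SAMPLE_ROUTES = """\
S    11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""
DENY_RE = re.compile(r"%ASA-\d-106014: Deny inbound (?P<proto>\S+) src (?P<sif>[^:\s]+):"
                     r"(?P<src>\S+) dst (?P<dif>[^:\s]+):(?P<dst>\S+)")
ROUTE_RE = re.compile(r"^\S+\s+(?P<net>[\d.]+) (?P<mask>[\d.]+) .*via (?P<gw>[^,\s]+), (?P<iface>\S+)$")

def parse_routes(text):
    """Return [(network, gateway, interface)] from static 'show route' lines."""
    routes = []
    for m in (ROUTE_RE.match(line.strip()) for line in text.splitlines()):
        if m:
            routes.append((ipaddress.ip_network(f"{m['net']}/{m['mask']}"), m["gw"], m["iface"]))
    return routes

def egress_interface(routes, ip):
    """Longest-prefix match: the interface the route table would forward ip out of."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[2] if best else None

def parse_denies(text):
    """Extract interface and address fields from every 106014 line."""
    return [m.groupdict() for m in map(DENY_RE.search, text.splitlines()) if m]

def diagnose(deny, routes, crypto_iface="outside"):
    """Classify one deny against the route table; returns (verdict, advice)."""
    if deny["sif"] != deny["dif"]:
        return "acl-deny", "inter-interface drop; check the interface ACL, not routing"
    routed_if = egress_interface(routes, deny["dst"])
    # Same ingress and egress interface: dropped unless 'same-security-traffic
    # permit intra-interface' is set, and either way it never hits the crypto map.
    if routed_if == crypto_iface:
        return ("hairpin-contradicts-route-table",
                f"log egress is {deny['dif']} but 'sh route' sends {deny['dst']} via "
                f"{routed_if}; re-check 'sh route' for a more specific route")
    return ("hairpin-missing-route",
            f"{deny['dst']} is not routed toward {crypto_iface}; add "
            f"'route {crypto_iface} <REMOTE NET> <MASK> <OUTSIDE GATEWAY> 1'")
```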


