networking-forum.com
Community BlogCommunity Wiki * Register  * Search  * Login
View unanswered postsView active topics

Board index » Cisco Networking » Cisco Security

All times are UTC - 6 hours [ DST ]


Post new topic Reply to topic  Page 1 of 1
  [ 5 posts ] 
  Print view Previous topic | Next topic 
Author Message
ssikml
 Post subject: ASA VPN Problems
PostPosted: Thu Jun 21, 2012 6:20 am 
Offline
New Member
New Member

Joined: Wed Sep 07, 2011 7:10 am
Posts: 7
Hi all,

The problems is the Site A have the router use MPLS route to other site, is it possible to route the network through vpn, please help, thanks.

e.g.

Remote Site <==> Router <==> ASA5510(Site A) <==> ASA5505(Site B)
10.41.1.0 10.3.1.1 10.3.1.254 10.8.1.254

The Site B PC 10.8.1.2 access the other network 10.41.1.0 through the VPN, i try to add the route "route inside 10.0.41.0 255.255.255.0 10.3.1.1 1" in site B it seems not ok.

ASA5510 config:

!
ASA Version 8.2(5)
!
hostname ASA5510
domain-name
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.3.1.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name
same-security-traffic permit intra-interface
object-group network obj_any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.0.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.0.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.41.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.60.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.3.1.0 255.255.255.0 10.8.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm location 10.8.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 10.0.40.0 255.255.255.0 10.3.1.1 1
route inside 10.0.41.0 255.255.255.0 10.3.1.1 1
route inside 10.0.60.0 255.255.255.0 10.3.1.1 1
route inside 10.1.0.0 255.255.0.0 10.3.1.1 1
route inside 10.10.0.0 255.255.0.0 10.3.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.3.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key test.12
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:38272f37fc9e402e8484146a116dbc15
: end

ASA5505 config:

: Saved
:
ASA Version 8.2(5)
!
hostname ASA5505
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.8.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 10.8.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.1.0 255.255.255.0 10.3.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.1.100-10.8.1.130 inside
dhcpd dns 210.0.128.250 210.0.128.251 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6e75e740284c5c6f260194d65413e893
: end


Last edited by ssikml on Thu Jun 21, 2012 6:54 am, edited 1 time in total.

Top
 Profile  
 
WarrenSullivan
 Post subject: Re: ASA VPN Problems
PostPosted: Thu Jun 21, 2012 6:29 am 
Offline
Member
Member

Joined: Wed Jun 22, 2011 6:05 pm
Posts: 128
Certs: CCENT, CCNA, CCNP
Are you getting hits on the acls on both ends?

Sent from my HTC One X using Tapatalk 2
Top
 Profile  
 
ssikml
 Post subject: Re: ASA VPN Problems
PostPosted: Thu Jun 21, 2012 6:54 am 
Offline
New Member
New Member

Joined: Wed Sep 07, 2011 7:10 am
Posts: 7
Thanks, it my mistake.

The other problems is the Site A have the router use MPLS route to other site, is it possible to route the network through vpn

e.g.

Remote Site <==> Router <==> ASA5510(Site A) <==> ASA5505(Site B)
10.41.1.0 10.3.1.1 10.3.1.254 10.8.1.254

The Site B PC 10.8.1.2 access the other network 10.41.1.0 through the VPN, i try to add the route "route inside 10.0.41.0 255.255.255.0 10.3.1.1 1" in site B it seems not ok.
Top
 Profile  
 
ristau5741
 Post subject: Re: ASA VPN Problems
PostPosted: Thu Jun 21, 2012 7:32 am 
Online
Post Whore
Post Whore
User avatar

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8294
Location: Frederick MD
Certs: Instanity
may be a NAT issue

Code:
NAT Considerations for Intra-Interface Traffic

For the security appliance to send unencrypted traffic back out through the interface, you must enable NAT for the interface so that publicly routable addresses replace your private IP addresses (unless you already use public IP addresses in your local IP address pool). The following example applies an interface PAT rule to traffic sourced from the client IP pool:

hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100
hostname(config)# global (outside) 1 interface
hostname(config)# nat (outside) 1 192.168.0.0 255.255.255.0


When the security appliance sends encrypted VPN traffic back out this same interface, however, NAT is optional. The VPN-to-VPN hairpinning works with or without NAT. To apply NAT to all outgoing traffic, implement only the commands above. To exempt the VPN-to-VPN traffic from NAT, add commands (to the example above) that implement NAT exemption for VPN-to-VPN traffic, such as:

hostname(config)# access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0
255.255.255.0
hostname(config)# nat (outside) 0 access-list nonat

For more information on NAT rules, see the "Applying NAT" chapter of this guide.


ref: http://www.cisco.com/en/US/docs/securit ... #wp1042114

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw
Top
 Profile  
 
stroemblad
 Post subject: Re: ASA VPN Problems
PostPosted: Thu Jun 21, 2012 8:20 am 
Offline
New Member
New Member

Joined: Tue Nov 23, 2010 9:24 am
Posts: 19
Location: Gothenburg, Sweden
Certs: CCNP
You have to set up the tunnel between those networks aswell, otherwise the firewalls wont know that the traffic is supposed to go through the tunnel.

So you have to include it in the crypto map match ACL and the nonat ACL. No need for that "route" statement on the ASAs. Though the router will have to know how to get to the site B network (route it to the 5510)
On the 5510 site:

access-list inside_nat0_outbound extended permit ip 10.41.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.41.1.0 255.255.255.0 10.8.1.0 255.255.255.0

and reverse on the other side.
Hope it helps
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 5 posts ] 

Board index » Cisco Networking » Cisco Security

All times are UTC - 6 hours [ DST ]

Who is online

Users browsing this forum: Google Feedfetcher and 20 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group