From: Brian V on 12 Nov 2008 21:30

"Stephen Reese" <rsreese(a)gmail.com> wrote in message news:8080f346-9dde-42c9-9d07-4e70222660b5(a)a29g2000pra.googlegroups.com...
> I believe I have added the correct deny statements for NAT
>
> ip nat inside source list 150 interface FastEthernet0/0 overload
>
> access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
> access-list 150 permit ip 172.16.2.0 0.0.0.255 any
> access-list 150 permit ip 172.16.3.0 0.0.0.255 any
>
> 172.31.12.0 being the remote site I would like to let into the network. Do I need to do something similar to this for the ASA?

Absolutely, the exact opposite: it should be a nat 0 list of the local to the remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate on the ASA after adding it to clear the active translation table.
From: Stephen Reese on 12 Nov 2008 23:00

> Absolutely, the exact opposite: it should be a nat 0 list of the local to the
> remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate on
> the ASA after adding it to clear the active translation table

I'm reluctant to touch anything at this point because I added the 'set pfs group1' to 'crypto map CLIENTMAP 1 ipsec-isakmp' and everything started working like clockwork. Then I made a change and poof, it stopped working :-(. Should the deny statement fall somewhere in here? Do I need it? I believe I made it work without it. It was something I changed on the router, not the ASA...

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list nonat extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list VPNUSERS_splitTunnelAcl standard permit 172.31.12.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list VPNUSERS_splitTunnelAcl_1 standard permit 172.31.12.0 255.255.255.0
From: Brian V on 13 Nov 2008 07:21

"Stephen Reese" <rsreese(a)gmail.com> wrote in message news:3f621e98-6b0e-4da4-94b0-1c11e8d76293(a)n10g2000yqm.googlegroups.com...
> > Absolutely, the exact opposite: it should be a nat 0 list of the local to the
> > remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate on
> > the ASA after adding it to clear the active translation table
>
> I'm reluctant to touch anything at this point because I added the 'set pfs group1' to 'crypto map CLIENTMAP 1 ipsec-isakmp' and everything started working like clockwork. Then I made a change and poof, it stopped working :-(. Should the deny statement fall somewhere in here? Do I need it? I believe I made it work without it. It was something I changed on the router, not the ASA...
>
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0
> access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
> access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
> access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
> access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
> access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
> access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
> access-list nonat extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
> access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
> access-list VPNUSERS_splitTunnelAcl standard permit 172.31.12.0 255.255.255.0
> access-list outside_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
> access-list VPNUSERS_splitTunnelAcl_1 standard permit 172.31.12.0 255.255.255.0

The ASA doesn't use a deny in the NAT 0, it uses a permit. You have it in there already; the nonat list looks right to me.
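The rule the two replies above turn on is symmetry: the router exempts the tunnel pair from NAT with a deny in its NAT source list (ACL 150) and selects it with a permit in the crypto map's match ACL, while the ASA does both with permits (nat 0 and its crypto ACL), written from its own side, so its entries must be the exact mirror of the router's. The script below is an added check, not code from the thread or from Cisco. It parses IOS wildcard-mask ACLs and ASA netmask ACLs into source/destination networks, applies first-match semantics (so a deny placed after the broad permit would be caught), and evaluates the 172.16.2.0/24 to 172.31.12.0/24 pair. The ACL lines are copied from the ASA snippet above and from the router config posted later in the thread; it assumes outside_2_cryptomap is the ASA crypto ACL bound to this peer. Run as posted, the router NAT, router crypto and ASA nonat checks pass, but the ASA crypto check reports that outside_2_cryptomap was written in the router's direction (172.16.2.0 to 172.31.12.0) rather than mirrored. Whether that bears on the phase 1 failure shown later in the thread is a separate question; the point of the check is that the lists on the two sides must mirror each other exactly.

```python
"""Cross-check NAT-exemption ACLs against crypto (interesting-traffic) ACLs
for one IPsec site-to-site pair. Added example, not from the thread.

Understands two dialects, 'ip' entries only (udp/tcp/remark lines are skipped):
  IOS: access-list <num> permit|deny ip <net> <wildcard> <net> <wildcard>
  ASA: access-list <name> extended permit|deny ip <net> <netmask> <net> <netmask>
plus the 'any' and 'host <addr>' operands.
"""
import ipaddress

# ACL lines copied from the thread: router ACLs 100 (crypto map match address)
# and 150 (NAT source list), and the ASA nonat / outside_2_cryptomap lists.
ROUTER_ACLS = """\
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
"""
ASA_ACLS = """\
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list nonat extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
"""


def _operand(tokens, i, wildcard):
    """Parse one address operand at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = int(ipaddress.ip_address(tokens[i + 1]))
    if wildcard:
        mask ^= 0xFFFFFFFF  # IOS wildcard (inverse) mask -> subnet mask
    net = f"{tok}/{ipaddress.ip_address(mask)}"
    return ipaddress.ip_network(net, strict=False), i + 2


def parse_acl(text, name, wildcard):
    """Return [(action, src_net, dst_net), ...] for the 'ip' entries of ACL
    `name`, in configured order (order matters: ACLs are first-match)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        i = 3 if tokens[2] == "extended" else 2  # ASA vs IOS keyword position
        action, proto = tokens[i], tokens[i + 1]
        if action not in ("permit", "deny") or proto != "ip":
            continue
        src, i = _operand(tokens, i + 2, wildcard)
        dst, i = _operand(tokens, i, wildcard)
        entries.append((action, src, dst))
    return entries


def first_match(entries, src, dst):
    """Action of the first entry covering the src->dst flow, or None (implicit deny)."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check_pair(local, remote, router_nat, router_crypto, asa_nonat, asa_crypto):
    """Evaluate one tunnel pair. local/remote are the router's view; the ASA
    sees the same flows with src and dst swapped, so its lists must be mirrors."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return {
        # router: the deny in the NAT source list must hit before the broad permit
        "router_nat_exempts": first_match(router_nat, local, remote) == "deny",
        "router_crypto_permits": first_match(router_crypto, local, remote) == "permit",
        # ASA: nat (inside) 0 uses permit entries, written ASA-local -> remote
        "asa_nonat_exempts": first_match(asa_nonat, remote, local) == "permit",
        "asa_crypto_mirrors": first_match(asa_crypto, remote, local) == "permit",
        # True here means the ASA crypto ACL was copied in the router's direction
        "asa_crypto_copied_unmirrored": first_match(asa_crypto, local, remote) == "permit"
        and first_match(asa_crypto, remote, local) != "permit",
    }


def run_thread_check():
    """Run the checks for the 172.16.2.0/24 <-> 172.31.12.0/24 tunnel from the thread."""
    return check_pair(
        "172.16.2.0/24", "172.31.12.0/24",
        router_nat=parse_acl(ROUTER_ACLS, "150", wildcard=True),
        router_crypto=parse_acl(ROUTER_ACLS, "100", wildcard=True),
        asa_nonat=parse_acl(ASA_ACLS, "nonat", wildcard=False),
        asa_crypto=parse_acl(ASA_ACLS, "outside_2_cryptomap", wildcard=False),
    )


if __name__ == "__main__":
    for name, value in run_thread_check().items():
        print(f"{name:30s} {value}")
```

The parser only looks at `ip` entries because those are the ones NAT exemption and crypto selection are built from; protocol-specific lines and remarks in the same ACL are skipped rather than misread. To reuse it for another peer, paste the relevant ACL lines into the two strings and call check_pair with that peer's local and remote networks.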
From: Stephen Reese on 13 Nov 2008 10:03

> The ASA doesn't use a deny in the NAT 0, it uses a permit. You have it in
> there already, nonat list looks right to me.

I figured it had to be right since the tunnel did come up and start working at some point. It seems to be dying at the key exchange:

#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.2         MM_KEY_EXCH          1    0 ACTIVE

#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.2         MM_NO_STATE          1    0 ACTIVE (deleted)

When it worked I believe the state would go into IDLE. I would like to thank everyone that's helping out with this thread.
From: Stephen Reese on 13 Nov 2008 10:17

> The ASA doesn't use a deny in the NAT 0, it uses a permit. You have it in
> there already, nonat list looks right to me.

Also, here is an updated configuration for the router, since it hasn't been changed since it worked.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot system flash:/c3725-adventerprisek9-mz.124-21.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console informational
enable secret 5 $1$BUZ8$sNjxnHHht1NP3co5Vkj2o0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate slot 1
network-clock-participate slot 2
no ip source-route
!
ip traffic-export profile IDS-SNORT
 interface FastEthernet0/0
 bidirectional
 mac-address 000c.2989.f93a
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
!
ip dhcp pool VLAN2clients
 network 172.16.2.0 255.255.255.0
 default-router 172.16.2.1
 option 66 ip 172.16.2.10
 option 150 ip 172.16.2.10
 dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip dhcp pool VLAN3clients
 network 172.16.3.0 255.255.255.0
 default-router 172.16.3.1
 dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip dhcp pool DEBIAN
 host 172.16.2.6 255.255.255.0
 hardware-address 0004.e29c.4345
!
!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key key address 2.2.2.2 no-xauth
crypto isakmp key key address 10.0.0.2 no-xauth
!
crypto isakmp client configuration group VPN-Users
 key key
 dns 68.87.74.162 68.87.68.162
 domain neocipher.net
 pool VPN_POOL
 acl 115
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
 match identity group VPN-Users
 client authentication list default
 isakmp authorization list default
 client configuration address initiate
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 set pfs group1
 match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 ip virtual-reassembly
!
interface Tunnel0
 description HE.net
 no ip address
 ipv6 address 2001:470:1F06:3B6::2/64
 ipv6 enable
 tunnel source 78.18.222.115
 tunnel destination 209.51.161.14
 tunnel mode ipv6ip
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip access-group 104 in
 no ip unreachables
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CLIENTMAP
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 10.0.0.1 255.255.240.0
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip unreachables
 ip inspect SDM_LOW out
 ip virtual-reassembly
 clock rate 2000000
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 no ip address
 no ip unreachables
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:880D::1/64
 ipv6 enable
!
interface FastEthernet0/1.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip access-group 102 in
 no ip unreachables
 ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
 no ip address
 no ip unreachables
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Loopback0
 ip access-group 103 in
 no ip unreachables
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
ip route 172.31.12.0 255.255.255.0 74.245.61.45
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 150 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.6
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=17
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit 41 any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any echo
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any