01-23-2013 04:33 PM - edited 03-11-2019 05:51 PM
Hi, I have this configuration.
ASA outside 10.13.7.188 inside 192.168.90.0/24
PC1 192.168.90.10
RV042 outside 10.13.177.32 inside 192.168.11.8/29
PC2 192.168.11.10
RV042 outside 10.13.7.189 inside 192.168.91.0/24
PC3 192.168.91.45
The VPN tunnels are working fine; I can ping from PC2 to PC1 and from PC3 to PC1, but when I try to ping from PC3 to PC2 it doesn't work.
This is my configuration on the ASA, followed by a packet-tracer.
ASA Version 9.1(1)
!
hostname ciscoasa
enable password JuueVvrbXbu/dQ1r encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd JuueVvrbXbu/dQ1r encrypted
names
ip local pool vpn_pool_intra 192.168.99.5-192.168.99.10
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 10.13.7.188 255.255.255.192
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network intra-rdp
host 10.13.7.187
object network rdp-host
host 192.168.90.45
object service rdp_service
service tcp source eq 3389
object service postgresql
service tcp source eq 7777 destination eq 5432
object network vpn_pool_intra
subnet 192.168.99.0 255.255.255.0
object network red-a
subnet 192.168.90.0 255.255.255.0
object network vpn_adl
subnet 192.168.99.0 255.255.255.0
object network VPN_192.168.91.0
subnet 192.168.91.0 255.255.255.0
object network RV10.13.177.30
host 10.13.177.30
object network VPN_192.168.11.8
subnet 192.168.11.8 255.255.255.248
object-group network RED-A
description Red a
network-object 192.168.90.0 255.255.255.0
object-group network INTRANET
description Intranet
network-object 10.13.0.0 255.255.0.0
object-group icmp-type ping
description Ping Group
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object source-quench
icmp-object unreachable
object-group service dnp-services tcp-udp
port-object eq 20000
object-group protocol tcp_udp
protocol-object tcp
protocol-object udp
object-group service rdp-service tcp
port-object eq 3389
object-group service pgsql-service tcp
port-object eq 5432
access-list outside_access_in extended permit icmp any4 any4 object-group ping
access-list outside_access_in extended permit tcp any4 object rdp-host object-group rdp-service
access-list outside_access_in extended permit object-group tcp_udp any4 object rdp-host object-group dnp-services
access-list outside_access_in extended permit tcp any4 object rdp-host object-group pgsql-service
access-list inside_nonat_outbound extended permit ip object red-a object VPN_192.168.91.0
access-list inside_nonat_outbound extended permit ip object red-a object VPN_192.168.11.8
access-list outside_cryptomap_11 extended permit ip object red-a object VPN_192.168.91.0
access-list outside_cryptomap_11 extended permit ip object red-a object VPN_192.168.11.8
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static red-a red-a destination static vpn_adl vpn_adl no-proxy-arp route-lookup
nat (inside,outside) source static red-a red-a destination static VPN_192.168.91.0 VPN_192.168.91.0
nat (inside,outside) source static red-a red-a destination static VPN_192.168.91.0 VPN192.168.11.8
nat (inside,outside) source static red-a red-a destination static VPN192.168.11.8 VPN192.168.11.8
!
object network rdp-host
nat (inside,outside) static intra-rdp
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.7.129 1
route inside 192.168.11.8 255.255.255.248 192.168.11.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.13.0.0 255.255.0.0 outside
http 192.168.1.0 255.255.255.0 management
http 192.168.90.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set SET esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map TESTVPN 11 match address outside_cryptomap_11
crypto map TESTVPN 11 set pfs
crypto map TESTVPN 11 set peer 10.13.7.189 10.13.177.30
crypto map TESTVPN 11 set ikev1 transform-set SET
crypto map TESTVPN interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.90.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXXX password XXXXXX encrypted privilege 15
tunnel-group soporte type remote-access
tunnel-group soporte general-attributes
address-pool vpn_pool_intra
tunnel-group soporte ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RV10.13.177.30 type ipsec-l2l
tunnel-group 10.13.7.189 type ipsec-l2l
tunnel-group 10.13.7.189 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 10.13.177.30 type ipsec-l2l
tunnel-group 10.13.177.30 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3dfe9ef236e744db3decd22ab1fc9e58
: end
ciscoasa(config)# packet-tracer input outside icmp 192.168.91.10 255 255 192.168.11.9
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.11.8 255.255.255.248 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
This is what the syslog messages show:
Deny icmp src outside:192.168.91.10 dst inside:192.168.11.9 (type 255, code 255) by access-group "outside_access_in"
I think a rule is missing, but I don't understand how to create it, and I also see that there is no NAT between the RV042 networks, but I don't know if that is necessary.
Thanks.
01-23-2013 07:56 PM
Hello Daniel,
OK, in this case this ASA terminates 2 tunnels, so the following is required:
- NAT 0 between 91.0 and 11.8 (outside,outside)
- NAT 0 between 11.8 and 91.0 (outside,outside)
- same-security-traffic permit intra-interface
- in the crypto ACL of each of the VPN tunnels, include (91.0 to 11.8) and (11.8 to 91.0) respectively
Greetings from Costa Rica
Julio Carvajal
01-23-2013 09:10 PM
Hi jcarvaja, I configured the following
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_192.168.11.8 VPN_192.168.11.8
nat (outside,outside) source static VPN_192.168.11.8 VPN_192.168.11.8 destination static VPN_192.168.91.0 VPN_192.168.91.0
access-list inside_nonat_outbound extended permit ip object VPN_192.168.91.0 object VPN_192.168.11.8
access-list inside_nonat_outbound extended permit ip object VPN_192.168.11.8 object VPN_192.168.91.0
access-list outside_cryptomap_11 extended permit ip object VPN_192.168.91.0 object VPN_192.168.11.8
access-list outside_cryptomap_11 extended permit ip object VPN_192.168.11.8 object VPN_192.168.91.0
But it still denies it... the packet-tracer result:
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_Nacozari VPN_Nacozari
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.11.10/0 to 192.168.11.10/0
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The strange thing I notice here is that it doesn't tell me which rule it is? I have to look in the ASDM to find out.
Regards.
01-23-2013 09:29 PM
Don't trust the packet-tracer,
Test it with real traffic....
Regards,
01-24-2013 03:39 PM
It doesn't work. I have been reviewing it and I added the following rule
access-list outside_access_in extended permit icmp object VPN_192.168.91.0 object VPN_192.168.11.8
because the syslog shows me that this rule is the one blocking the traffic; now it no longer gives me the error.
I still can't ping, but the packet-tracer now gives me this
ciscoasa(config)# packet-tracer input outside icmp 192.168.91.10 255 255 192.1$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_Nacozari VPN_Nacozari
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.11.10/0 to 192.168.11.10/0
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp object VPN_192.168.91.0 object VPN_Nacozari
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_Nacozari VPN_Nacozari
Additional Information:
Static translate 192.168.91.10/0 to 192.168.91.10/0
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any ideas?
Thanks.
01-24-2013 03:55 PM
Hello.
The rule was not needed... if you add it, it will allow the packet-tracer, but for the VPN it is not necessary for it to be there, since VPN traffic is permitted as soon as you have
sysopt connection permit-vpn
I hope you also changed the configuration on the RV042s, because phase 2 has to match (so the NO-NAT and the crypto ACL have to be the same)
Regards,
Julio
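Putting the hub-side requirements from this thread together in one place (an added example, not configuration from the original posts): identity NAT on outside,outside in both directions, intra-interface permit, sysopt connection permit-vpn, and crypto ACLs that carry the other spoke's LAN. It reuses the object names and peer addresses from the posted config; splitting the crypto map into one entry per peer (entries 11 and 12, ACL names CRYPTO_SPOKE_91 and CRYPTO_SPOKE_11) is this example's assumption, not something the thread prescribes.

```text
! Spoke-to-spoke traffic enters and leaves the hub on "outside".
same-security-traffic permit intra-interface
! Traffic arriving through an IPsec tunnel bypasses the interface ACL (ASA default).
sysopt connection permit-vpn
! Identity NAT (NAT 0) between the two spoke LANs, both directions, outside to outside.
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_192.168.11.8 VPN_192.168.11.8
nat (outside,outside) source static VPN_192.168.11.8 VPN_192.168.11.8 destination static VPN_192.168.91.0 VPN_192.168.91.0
! One crypto ACL per spoke: the hub LAN (red-a) and the other spoke's LAN toward this spoke.
! Each RV042's phase 2 remote network must mirror its ACL (hub LAN plus the other spoke LAN).
access-list CRYPTO_SPOKE_91 extended permit ip object red-a object VPN_192.168.91.0
access-list CRYPTO_SPOKE_91 extended permit ip object VPN_192.168.11.8 object VPN_192.168.91.0
access-list CRYPTO_SPOKE_11 extended permit ip object red-a object VPN_192.168.11.8
access-list CRYPTO_SPOKE_11 extended permit ip object VPN_192.168.91.0 object VPN_192.168.11.8
! One crypto map entry per peer (assumed layout), so the hub picks the right peer when it
! initiates toward a spoke instead of treating the second address as a backup peer.
crypto map TESTVPN 11 match address CRYPTO_SPOKE_91
crypto map TESTVPN 11 set peer 10.13.7.189
crypto map TESTVPN 11 set pfs
crypto map TESTVPN 11 set ikev1 transform-set SET
crypto map TESTVPN 12 match address CRYPTO_SPOKE_11
crypto map TESTVPN 12 set peer 10.13.177.30
crypto map TESTVPN 12 set pfs
crypto map TESTVPN 12 set ikev1 transform-set SET
crypto map TESTVPN interface outside
! Check the routing too: the default route via 10.13.7.129 already reaches both spoke
! peers. A static route sending 192.168.11.8/29 to "inside" (as in the posted config)
! steers the hairpin flow to the wrong egress interface when a route lookup is used.
```

Verify with real traffic as advised above, and confirm with "show crypto ipsec sa" that each spoke's SA carries the spoke-to-spoke selectors, since packet-tracer alone can report a drop on the encrypt phase when the peer's phase 2 does not match.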
01-24-2013 04:03 PM
Hi, on the RV042 I don't see anything that says NO-NAT or crypto ACL. Another question: does the RV042 need a static route?
Regards
01-24-2013 04:05 PM
Hello Daniel,
Well, I mean that you have to configure them so that they encrypt that traffic..
The static route is not needed...
01-24-2013 04:13 PM
I am reviewing the configurations and I don't see a place to configure this, but when I do a traceroute from a PC inside the RV042 network I see that it goes out through the gateway of the WAN1 card.
Do you have any idea where to look?
Thanks.
01-24-2013 04:17 PM
How did you configure the VPN on that router, or rather, who did it??
Regards
01-24-2013 04:26 PM
Actually, I did it myself; let me upload some photos so you can see that very little can be configured on it.
Regards.
01-24-2013 07:44 PM
Let me know
01-25-2013 12:12 PM
This is the configuration of the RV042s. I couldn't upload them....
Regards.