Redirect traffic in VPN connections

danielluz
Level 1

Hi, I have this configuration.

ASA      outside 10.13.7.188 inside 192.168.90.0/24

PC1 192.168.90.10

RV042  outside 10.13.177.32 inside 192.168.11.8/29

PC2 192.168.11.10

RV042  outside 10.13.7.189 inside 192.168.91.0/24

PC3 192.168.91.45

The VPN tunnels are working fine; I can ping from PC2 to PC1 and from PC3 to PC1, but when I try to ping from PC3 to PC2 it doesn't work.

This is my configuration on the ASA, followed by a packet-tracer.

ASA Version 9.1(1)
!
hostname ciscoasa
enable password JuueVvrbXbu/dQ1r encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd JuueVvrbXbu/dQ1r encrypted
names
ip local pool vpn_pool_intra 192.168.99.5-192.168.99.10
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 10.13.7.188 255.255.255.192
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network intra-rdp
host 10.13.7.187
object network rdp-host
host 192.168.90.45
object service rdp_service
service tcp source eq 3389
object service postgresql
service tcp source eq 7777 destination eq 5432
object network vpn_pool_intra
subnet 192.168.99.0 255.255.255.0
object network red-a
subnet 192.168.90.0 255.255.255.0
object network vpn_adl
subnet 192.168.99.0 255.255.255.0
object network VPN_192.168.91.0
subnet 192.168.91.0 255.255.255.0
object network RV10.13.177.30
host 10.13.177.30
object network VPN_192.168.11.8
subnet 192.168.11.8 255.255.255.248
object-group network RED-A
description Red a
network-object 192.168.90.0 255.255.255.0
object-group network INTRANET
description Intranet
network-object 10.13.0.0 255.255.0.0
object-group icmp-type ping
description Ping Group
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object source-quench
icmp-object unreachable
object-group service dnp-services tcp-udp
port-object eq 20000
object-group protocol tcp_udp
protocol-object tcp
protocol-object udp
object-group service rdp-service tcp
port-object eq 3389
object-group service pgsql-service tcp
port-object eq 5432
access-list outside_access_in extended permit icmp any4 any4 object-group ping
access-list outside_access_in extended permit tcp any4 object rdp-host object-group rdp-service
access-list outside_access_in extended permit object-group tcp_udp any4 object rdp-host object-group dnp-services
access-list outside_access_in extended permit tcp any4 object rdp-host object-group pgsql-service
access-list inside_nonat_outbound extended permit ip object red-a object VPN_192.168.91.0
access-list inside_nonat_outbound extended permit ip object red-a object VPN_192.168.11.8
access-list outside_cryptomap_11 extended permit ip object red-a object VPN_192.168.91.0
access-list outside_cryptomap_11 extended permit ip object red-a object VPN_192.168.11.8
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static red-a red-a destination static vpn_adl vpn_adl no-proxy-arp route-lookup
nat (inside,outside) source static red-a red-a destination static VPN_192.168.91.0 VPN_192.168.91.0
nat (inside,outside) source static red-a red-a destination static VPN_192.168.91.0 VPN192.168.11.8
nat (inside,outside) source static red-a red-a destination static VPN192.168.11.8 VPN192.168.11.8
!
object network rdp-host
nat (inside,outside) static intra-rdp
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.7.129 1
route inside 192.168.11.8 255.255.255.248 192.168.11.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.13.0.0 255.255.0.0 outside
http 192.168.1.0 255.255.255.0 management
http 192.168.90.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set SET esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map TESTVPN 11 match address outside_cryptomap_11
crypto map TESTVPN 11 set pfs
crypto map TESTVPN 11 set peer 10.13.7.189 10.13.177.30
crypto map TESTVPN 11 set ikev1 transform-set SET
crypto map TESTVPN interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.90.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXXX password XXXXXX encrypted privilege 15
tunnel-group soporte type remote-access
tunnel-group soporte general-attributes
address-pool vpn_pool_intra
tunnel-group soporte ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RV10.13.177.30 type ipsec-l2l
tunnel-group 10.13.7.189 type ipsec-l2l
tunnel-group 10.13.7.189 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 10.13.177.30 type ipsec-l2l
tunnel-group 10.13.177.30 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3dfe9ef236e744db3decd22ab1fc9e58
: end

ciscoasa(config)# packet-tracer input outside icmp 192.168.91.10 255 255 192.168.11.9

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.11.8    255.255.255.248 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

This is what the syslog message shows:

Deny icmp src outside:192.168.91.10 dst inside:192.168.11.9 (type 255, code 255) by access-group "outside_access_in"

I think a rule is missing but I don't understand how to create it, and I also see that there is no NAT between the RV042 networks, but I don't know whether that is necessary.

Thanks.

12 Replies

Julio Carvajal
VIP Alumni

Hi Daniel,

Okay, in this case this ASA terminates 2 tunnels, therefore it requires:

- NAT 0 between 91.0 and 11.8 (outside,outside)
- NAT 0 between 11.8 and 91.0 (outside,outside)
- same-security-traffic permit intra-interface
- in the crypto ACL of each of the VPN tunnels, include (91.0 and 11.8) and (11.8 to 91.0) respectively

Greetings from Costa Rica

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi jcarvaja, I configured the following

nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_192.168.11.8 VPN_192.168.11.8
nat (outside,outside) source static VPN_192.168.11.8 VPN_192.168.11.8 destination static VPN_192.168.91.0 VPN_192.168.91.0
access-list inside_nonat_outbound extended permit ip object VPN_192.168.91.0 object VPN_192.168.11.8
access-list inside_nonat_outbound extended permit ip object VPN_192.168.11.8 object VPN_192.168.91.0
access-list outside_cryptomap_11 extended permit ip object VPN_192.168.91.0 object VPN_192.168.11.8
access-list outside_cryptomap_11 extended permit ip object VPN_192.168.11.8 object VPN_192.168.91.0

But it still denies me... the packet-tracer result:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_Nacozari VPN_Nacozari
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.11.10/0 to 192.168.11.10/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What I find strange here is that it doesn't tell me which rule it is; I have to look in ASDM to find out.

Regards.

Don't trust packet-tracer,

Test it with real traffic....

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It doesn't work. I've been reviewing and I added the following rule

access-list outside_access_in extended permit icmp object VPN_192.168.91.0 object VPN_192.168.11.8

because syslog shows that this rule is the one blocking the traffic; now it no longer gives me an error.

I still can't ping, but packet-tracer now gives me this

ciscoasa(config)# packet-tracer input outside icmp 192.168.91.10 255 255 192.1$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_Nacozari VPN_Nacozari
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.11.10/0 to 192.168.11.10/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp object VPN_192.168.91.0 object VPN_Nacozari
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static VPN_192.168.91.0 VPN_192.168.91.0 destination static VPN_Nacozari VPN_Nacozari
Additional Information:
Static translate 192.168.91.10/0 to 192.168.91.10/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any idea?

Thanks.

Hi.

The rule wasn't needed... if you add it, packet-tracer will allow it, but for the VPN it doesn't need to be there, since VPN traffic is permitted as soon as you have

sysopt connection permit-vpn

I hope you also changed the configuration on the RV042s, because phase 2 has to match (so the NO-NAT and the crypto ACL have to be the same)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
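As an added illustration of the phase-2 mirror requirement described above (this is example code written for this page, not from the thread, Cisco, or the RV042), here is a small Python model of the proxy-ID check on both legs of the PC3-to-PC2 path. The ASA objects and crypto ACL entries are taken from the thread; the RV042 "local group / remote group" selector sets are constructed assumptions, and the matching logic is a simplification rather than a model of actual ASA or RV042 internals.

```python
import ipaddress

# Constructed from the thread: the ASA network objects and the crypto ACL of
# crypto map TESTVPN 11 after the two spoke-to-spoke entries were added.
OBJECTS = {
    "red-a": "192.168.90.0/24",
    "VPN_192.168.91.0": "192.168.91.0/24",
    "VPN_192.168.11.8": "192.168.11.8/29",
}
ASA_CRYPTO_ACL = """\
access-list outside_cryptomap_11 extended permit ip object red-a object VPN_192.168.91.0
access-list outside_cryptomap_11 extended permit ip object red-a object VPN_192.168.11.8
access-list outside_cryptomap_11 extended permit ip object VPN_192.168.91.0 object VPN_192.168.11.8
access-list outside_cryptomap_11 extended permit ip object VPN_192.168.11.8 object VPN_192.168.91.0
"""

def net(cidr):
    return ipaddress.ip_network(cidr)

def parse_crypto_acl(text, objects=OBJECTS):
    """Turn 'permit ip object A object B' entries into (local, remote) proxy-ID pairs."""
    pairs = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[2:5] != ["extended", "permit", "ip"]:
            continue
        if f[5] != "object" or f[7] != "object":
            raise ValueError("only object-based entries are modelled: " + line)
        pairs.append((net(objects[f[6]]), net(objects[f[8]])))
    return pairs

def encryptable(src, dst, asa_pairs, peer_pairs):
    """True only if an ASA proxy-ID pair covers src->dst AND the peer holds its mirror image."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote and (remote, local) in peer_pairs
               for local, remote in asa_pairs)

def hairpin_ok(src, dst, asa_pairs, in_peer, out_peer):
    """Both legs: the SA that carried src->dst in from in_peer is the one for dst->src, then out."""
    return encryptable(dst, src, asa_pairs, in_peer) and encryptable(src, dst, asa_pairs, out_peer)

# Constructed RV042 phase-2 selectors as (local group, remote group) pairs, before/after fix.
RV_PC3_BEFORE = {(net("192.168.91.0/24"), net("192.168.90.0/24"))}
RV_PC2_BEFORE = {(net("192.168.11.8/29"), net("192.168.90.0/24"))}
RV_PC3_AFTER = RV_PC3_BEFORE | {(net("192.168.91.0/24"), net("192.168.11.8/29"))}
RV_PC2_AFTER = RV_PC2_BEFORE | {(net("192.168.11.8/29"), net("192.168.91.0/24"))}

if __name__ == "__main__":
    asa = parse_crypto_acl(ASA_CRYPTO_ACL)
    print("PC3->PC2 before:", hairpin_ok("192.168.91.45", "192.168.11.10", asa, RV_PC3_BEFORE, RV_PC2_BEFORE))
    print("PC3->PC2 after: ", hairpin_ok("192.168.91.45", "192.168.11.10", asa, RV_PC3_AFTER, RV_PC2_AFTER))
```

With the ASA entries alone the spoke-to-spoke flow still fails until each RV042 also offers the other spoke's LAN as a remote group, which is the mirror condition the reply above insists on.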

Hi, on the RV042 I don't see anything labelled NO-NAT or crypto ACL. Another question: do the RV042s need a static route?

Regards

Hi Daniel,

Well, what I mean is that you must configure them so that they encrypt that traffic..

The static route is not needed...

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm reviewing the configurations and I don't see anywhere to configure this, but when I run a traceroute from a PC inside the RV042's network I see that it goes out through the WAN1 card's gateway.

Do you have any idea where to look?

Thanks.

How did you configure the VPN on that router, or rather, who did it??

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Actually I did it; let me upload some photos so you can see that only very little can be configured.

Regards.

Let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


This is the configuration of the RV042s. I wasn't able to upload them....

Regards.
