01-28-2020 10:15 AM
I currently have a VPN from Site A to Site B. Site A has local internet access, but the internet modem was placed in bridge mode, so all browsing should now go through Site B.
But that is not what happens: there is no internet browsing from Site A, although the private networks at both ends are reachable. Would you know whether there is some configuration I am missing on the router? Config attached.
crypto ipsec security-association lifetime seconds 86400
!
!
!
!
crypto ipsec client ezvpn crws-client
 connect auto
 group VPNBackup key ******
 mode network-extension
 peer 187.141.226.35
 username **** password ******
 xauth userid mode local
interface FastEthernet4
 description LINK to WAN
 no ip address
 ip flow ingress
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 172.16.223.1 255.255.255.0
 ip access-group 101 out
 ip helper-address 172.16.21.44
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn crws-client inside
!
interface Dialer0
 ip address negotiated
 ip access-group 102 in
 ip mtu 1452
 ip flow ingress
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ventaschihuahua
 ppp chap password 0 ******
 ppp pap sent-username ******** password *********
 no cdp enable
 crypto ipsec client ezvpn crws-client
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 103 permit ip 172.16.223.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
snmp-server community alen RO
!
control-plane
!
!
01-28-2020 11:22 AM
Hello,
add the lines marked in bold to your configuration:
crypto ipsec client ezvpn crws-client
connect auto
group VPNBackup key ******
mode network-extension
peer 187.141.226.35
acl VPN_TRAFFIC
username **** password ******
xauth userid mode local
!
ip access-list extended VPN_TRAFFIC
permit ip 172.16.223.0 0.0.0.255 any
01-28-2020 12:18 PM
I added the ACL as you requested, but it remains the same, without internet access.
crypto ipsec client ezvpn crws-client
connect auto
group VPNBackup key *******
mode network-extension
peer 187.141.226.35
acl VPN_TRAFFIC
username ******* password ********
xauth userid mode local
VPN_ofchi# sh access-lists
Extended IP access list 101
10 permit ip any any (105559 matches)
Extended IP access list 102
10 permit ip any any (133441 matches)
Extended IP access list 103
10 permit ip 172.16.223.0 0.0.0.255 any
Extended IP access list VPN_TRAFFIC
10 permit ip 172.16.223.0 0.0.0.255 any
VPN_ofchi#
01-28-2020 01:08 PM
Hello,
is the ASA allowing traffic from 172.16.223.0/24 to be natted towards the Internet ?
Post the configuration of the ASA as well...
01-28-2020 01:20 PM
Yes
MTYVPNASA# sh run | i 172.16.223.0
network-object 172.16.223.0 255.255.255.0
network-object 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_30 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip 172.16.44.0 255.255.252.0 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHIHUAHUA extended permit ip any 172.16.223.0 255.255.255.0
route Outside 172.16.223.0 255.255.255.0 187.141.226.33 1
route Outside 172.16.223.0 255.255.255.0 187.141.226.35 1
Router
VPN_ofchi#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr 189.237.131.214
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.223.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 187.141.226.35 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1702, #pkts encrypt: 1702, #pkts digest: 1702
#pkts decaps: 1143, #pkts decrypt: 1143, #pkts verify: 1143
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 189.237.131.214, remote crypto endpt.: 187.141.226.35
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0xF5EF2FA6(4126093222)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE33CFA5C(3812424284)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4390726/28564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
01-28-2020 02:28 PM
Hello,
you posted only access lists, post the entire running configuration so I can see the NAT statements...
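An added example, not from the thread or from any of its posters, that checks the two points raised above against the outputs already posted: the router's 'sh crypto ipsec sa' shows a remote ident of 0.0.0.0/0, so the spoke sends all traffic, Internet included, into the tunnel, while the posted ASA access-list lines reference 172.16.223.0/24 only as a destination (NAT exemption towards the spoke), never as a source to be translated towards the Internet. The sample inputs are constructed from the lines in the thread; the hub's actual NAT statements were not posted, so the script can only report what is and is not visible.

```python
import re

# Constructed sample input: the IOS 'sh crypto ipsec sa' excerpt posted in the thread.
IOS_SA = """\
local ident (addr/mask/prot/port): (172.16.223.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 1702, #pkts encrypt: 1702, #pkts digest: 1702
#pkts decaps: 1143, #pkts decrypt: 1143, #pkts verify: 1143
"""
# Constructed sample input: the ASA 'sh run | i 172.16.223.0' access-list lines posted in the thread.
ASA_ACLS = """\
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_30 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip 172.16.44.0 255.255.252.0 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHIHUAHUA extended permit ip any 172.16.223.0 255.255.255.0
"""

def parse_sa(text):
    ident = re.findall(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/", text)
    pkts = dict(re.findall(r"#pkts (encaps|decaps): (\d+)", text))
    sa = {side: f"{addr}/{mask}" for side, addr, mask in ident}
    sa["encaps"], sa["decaps"] = int(pkts["encaps"]), int(pkts["decaps"])
    # Remote ident 0.0.0.0/0.0.0.0: every destination, Internet included, is sent into the tunnel.
    sa["full_tunnel"] = sa["remote"] == "0.0.0.0/0.0.0.0"
    return sa

def parse_asa_acl(line):
    toks, ends = line.split(), []
    rest = toks[5:]                 # skip 'access-list NAME extended permit ip'
    while rest:                     # each endpoint is 'any', 'object-group X' or 'addr mask'
        n = 1 if rest[0] == "any" else 2
        ends.append(" ".join(rest[:n]))
        rest = rest[n:]
    return toks[1], ends[0], ends[1]

def acls_by_role(text, subnet):
    as_src, as_dst = set(), set()   # ACL names using the subnet as source vs. as destination
    for line in text.splitlines():
        name, src, dst = parse_asa_acl(line)
        if src.startswith(subnet): as_src.add(name)
        if dst.startswith(subnet): as_dst.add(name)
    return sorted(as_src), sorted(as_dst)

def diagnose(sa_text, acl_text, subnet):
    sa = parse_sa(sa_text)
    as_src, as_dst = acls_by_role(acl_text, subnet)
    return {"spoke_sends_internet_into_tunnel": sa["full_tunnel"],
            "hub_nat_rule_for_subnet_seen": bool(as_src),  # False: only destination/exemption rules posted
            "acls_with_subnet_as_destination": as_dst}
```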