10-16-2016 12:52 AM
Hi,
Currently I have blocked Internet traffic (www and http) on the whole network, but I want to allow a part of the network (192.168.1.1 - 192.168.1.20) to access the internet.
What order should be added to allow this range to go on the internet?
This is my config:
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.8 255.255.255.0
ip access-group 111 in
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq www
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 111 permit ip any any
10-16-2016 11:04 AM
Hi said.ritel,
The reason why it is not coming up will be a mismatch in the configuration; for example, on the ASA the IKEv1 policy is:
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
and on the router you have:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
The second error you have there will be the interesting traffic. On the ASA you have:
crypto map MAPSITE 10 match address site1
access-list site1 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255
and on the router you have:
match address VPN
ip access-list extended VPN
permit ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255
So I would recommend that you check the whole configuration and make sure everything matches. In case you need documentation about this, you can take a look at this guide:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html
Hope this info helps!!
Rate if it helps you!!
-JP-
10-18-2016 02:36 PM
Hi JP Miranda Z
Thank you very much for your help. Now the tunnel is UP, but I cannot join the server; the routing is not working.
1 IKE Peer: ZZZ.ZZZ.ZZZ.ZZZ
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: TTT.TTT.TTT.TTT
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Asa#
10-18-2016 08:06 PM
Hi said.ritel,
That's awesome!!!
Now the issue that you have, I believe, is NAT related. Please take a look at your configuration and my suggestions:
ASA:
Current:
nat (inside,outside) source static LAN LAN destination static VPN-site1 VPN-site1 no-proxy-arp route-lookup
New:
nat (inside,outside) source static LAN LAN destination static VPN-site2 VPN-site2 no-proxy-arp route-lookup
Router:
In your current config you have a permit first and then a deny like this:
ip access-list extended Natlist
permit ip 10.7.10.0 0.0.0.255 any
deny ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255
and you should have this:
ip access-list extended Natlist
deny ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.7.10.0 0.0.0.255 any
ip nat inside source route-map nonat interface ATM0.1 overload
Hope this info helps!!
Rate if it helps you!!
-JP-
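As an added example (not code from the thread or from Cisco), a small Python first-match evaluator for IOS-style ACL entries, applied to the Natlist ordering JP describes above and to access-list 111 from the first post. The host addresses in the checks are constructed, and the parser assumes contiguous wildcard masks.

```python
import ipaddress

# Port keywords that appear in the thread's ACLs (IOS accepts names or numbers).
PORT_NAMES = {"www": 80, "https": 443}

def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is an inverted netmask; assumes the mask is contiguous.
    netmask = (~int(ipaddress.ip_address(tokens[i + 1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[i], str(ipaddress.ip_address(netmask))), strict=False)
    return net, i + 2

def parse_entry(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, src, dst, proto="ip", dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(acl, 1):
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and (e["dport"] is None or e["dport"] == dport)):
            return e["action"], n
    return "deny", None

def acl(*lines):
    return [parse_entry(l) for l in lines]

# Natlist as JP quotes it (permit first) and as he suggests it (deny first).
# In a NAT route-map ACL, a permit match means the flow is translated and a
# deny match means it is exempt from NAT (what the VPN traffic needs).
NATLIST_CURRENT = acl("permit ip 10.7.10.0 0.0.0.255 any",
                      "deny ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255")
NATLIST_FIXED = acl("deny ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
                    "permit ip 10.7.10.0 0.0.0.255 any")
# Access-list 111 from the first post (applied inbound on the router LAN interface).
ACL_111 = acl("deny tcp 192.168.1.0 0.0.0.255 any eq www",
              "deny tcp 192.168.1.0 0.0.0.255 any eq 443",
              "permit ip any any")
```

With the current Natlist, a constructed VPN flow 10.7.10.5 -> 192.168.1.10 hits the permit on line 1 and is translated, so the deny on line 2 can never be reached; with the reordered list the same flow hits the deny first and is exempted, while Internet-bound traffic still falls through to the permit.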
10-18-2016 10:25 PM
10-19-2016 07:29 PM
When trying to send traffic, can you share the output of sh crypto ipsec sa peer <peerip>?
You can also take a capture on the inside interface of the ASA to find out if you are getting a reply or if the request is reaching the server:
capture test interface inside match ip host <sourceip> host <destinationip>
sh cap test
Hope this info helps!!
Rate if it helps you!!
-JP-
10-22-2016 02:05 PM
Hi JP
Good news, I can join the server, it works fine.
Thanks JP!!!!!!
Now I want to enable routing between two internal interfaces on the ASA (9.1) but it is not working; I cannot ping.
This is my config:
interface GigabitEthernet0/1
description Lan
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
!
interface GigabitEthernet0/3
description LS
nameif LS
security-level 100
ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LS
subnet 10.10.10.0 255.255.255.248
object network LAN
subnet 192.168.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list LS extended permit ip 10.10.10.0 255.255.255.248 any
access-list INSIDE-LS extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu LS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network LAN
nat (inside,LS) static 10.10.10.0
object network LS
nat (LS,inside) static 10.10.10.0
object network obj_any
nat (inside,outside) dynamic interface
access-group INSIDE-LS in interface inside
access-group LS in interface LS
!
router eigrp 500
network 10.10.10.0 255.255.255.248
network 192.168.1.0 255.255.255.0
passive-interface outside
!