Range Internet access

said.ritel
Level 1

Hi, 

Currently I have blocked Internet traffic (www and http) on the whole network, but I want to allow a part of the network (192.168.1.1 - 192.168.1.20) to access the internet.

In what order should the entries be added to allow this range to go on the internet?

This is my config: 

interface GigabitEthernet0/1
description LAN
ip address 192.168.1.8 255.255.255.0
ip access-group 111 in

access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq www
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 111 permit ip any any


JP Miranda Z
Cisco Employee

Hi said.ritel,

The reason why it is not coming up will be a mismatch in the configuration; for example, on the ASA the ikev1 policy is:

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

and on the router you have:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

The second error you have there will be the interesting traffic, on the asa you have:

crypto map MAPSITE 10 match address site1

access-list site1 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255

and on the router you have:

match address VPN

ip access-list extended VPN
permit ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255

So I would recommend that you check the whole configuration and make sure everything is matching; in case you need documentation about this, you can take a look at this guide:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi JP Miranda Z

Thank you very much for your help. Now the tunnel is UP, but I cannot join the server; the routing is not working.

1 IKE Peer: ZZZ.ZZZ.ZZZ.ZZZ
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: TTT.TTT.TTT.TTT
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
Asa#

Hi said.ritel,

That's awesome!!!

Now the issue that you have, I believe, is NAT related; please take a look at your configuration and my suggestions:

ASA:

Current:

nat (inside,outside) source static LAN LAN destination static VPN-site1 VPN-site1 no-proxy-arp route-lookup

New:

nat (inside,outside) source static LAN LAN destination static VPN-site2 VPN-site2 no-proxy-arp route-lookup

Router:

In your current config you have a permit first and then a deny like this:

ip access-list extended Natlist
permit ip 10.7.10.0 0.0.0.255 any
deny ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255

and you should have this:

ip access-list extended Natlist
deny ip 10.7.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.7.10.0 0.0.0.255 any

ip nat inside source route-map nonat interface ATM0.1 overload

Hope this info helps!!

Rate if it helps you!!

-JP-
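As an added illustration (not part of the thread, and not anyone's posted configuration), the following Python models first-match evaluation of IOS-style access lists with wildcard masks: it checks the original access-list 111 from the question against a constructed reordering that permits the 192.168.1.1-20 range above the deny lines, and the Natlist from the reply above with the deny placed before the permit. The reordered entries and the sample source/destination addresses are constructed for the example.

```python
"""Added example: first-match evaluation of IOS-style wildcard-mask ACLs (constructed)."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' in IOS syntax

def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(net)) & care)

def evaluate(acl, src, dst, proto="ip", dport=None):
    """Walk the entries top-down; the first match wins, else the implicit deny."""
    for action, eproto, snet, swc, dnet, dwc, port in acl:
        if eproto != "ip" and eproto != proto:
            continue
        if port is not None and port != dport:
            continue
        if wc_match(src, snet, swc) and wc_match(dst, dnet, dwc):
            return action
    return "deny"

# access-list 111 as posted in the question: the whole /24 is denied 80/443 first.
ACL_111_ORIGINAL = [
    ("deny", "tcp", "192.168.1.0", "0.0.0.255", *ANY, 80),
    ("deny", "tcp", "192.168.1.0", "0.0.0.255", *ANY, 443),
    ("permit", "ip", *ANY, *ANY, None),
]

# Constructed reordering: permit entries for .1-.20 placed ABOVE the deny lines.
# .0-.15 and .16-.19 are wildcard blocks; .20 is not 4-aligned, so it is a host entry.
ACL_111_REORDERED = [
    ("permit", "ip", "192.168.1.0", "0.0.0.15", *ANY, None),
    ("permit", "ip", "192.168.1.16", "0.0.0.3", *ANY, None),
    ("permit", "ip", "192.168.1.20", "0.0.0.0", *ANY, None),
] + ACL_111_ORIGINAL

# Natlist from the VPN reply: permit-then-deny NATs VPN traffic; deny-then-permit exempts it.
NATLIST_ORIGINAL = [
    ("permit", "ip", "10.7.10.0", "0.0.0.255", *ANY, None),
    ("deny", "ip", "10.7.10.0", "0.0.0.255", "192.168.1.0", "0.0.0.255", None),
]
NATLIST_FIXED = list(reversed(NATLIST_ORIGINAL))

if __name__ == "__main__":
    web = ("203.0.113.5", "tcp", 443)  # constructed Internet destination
    for name, acl in (("original", ACL_111_ORIGINAL), ("reordered", ACL_111_REORDERED)):
        print(name, "192.168.1.10 ->", evaluate(acl, "192.168.1.10", *web))
    print("natlist original:", evaluate(NATLIST_ORIGINAL, "10.7.10.5", "192.168.1.10"))
    print("natlist fixed:", evaluate(NATLIST_FIXED, "10.7.10.5", "192.168.1.10"))
```

In the Natlist case "permit" means the packet is translated by the route-map, so a "deny" result for the VPN destination is the desired NAT exemption.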

Hi JP Miranda Z

I corrected it, but I cannot join the server; the routing is not working.

HELP!!!!

said.ritel,

When trying to send traffic, can you share the output of sh crypto ipsec sa peer <peerip>?

You can also take a capture on the inside interface of the ASA to find out if you are getting a reply or if the request is reaching the server:

capture test interface inside match ip host <sourceip> host <destinationip>

sh cap test

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi JP

Good news, I can join the server, it works fine.

Thanks JP!!!!!!

Now I want to enable routing between two internal interfaces on the ASA (9.1) but it is not working; I cannot ping.

This is my config:

interface GigabitEthernet0/1
description Lan
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
!
interface GigabitEthernet0/3
description LS
nameif LS
security-level 100
ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LS
subnet 10.10.10.0 255.255.255.248
object network LAN
subnet 192.168.0.0 255.255.255.0

object network obj_any
subnet 0.0.0.0 0.0.0.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list LS extended permit ip 10.10.10.0 255.255.255.248 any
access-list INSIDE-LS extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu LS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

object network LAN
nat (inside,LS) static 10.10.10.0

object network LS
nat (LS,inside) static 10.10.10.0
object network obj_any
nat (inside,outside) dynamic interface
access-group INSIDE-LS in interface inside
access-group LS in interface LS
!
router eigrp 500
network 10.10.10.0 255.255.255.248
network 192.168.1.0 255.255.255.0
passive-interface outside
!