Routing for LAN to LAN asa5505s

montoya-j
Level 1

Hello everyone,

New ASA user and I'm stuck !

This should be a pretty stock install, but of course not….smile. I'm pretty sure I'm just lost with the "routing".

Two ASA 5505s, version 8.05 - configured for LAN to LAN IPsec VPN.

All traffic at site B needs to go through the tunnel, to site A resources.

MAIN SITE A:

outside:200.200.200.131 / GW: 200.200.200.192

inside: 10.99.10.1

REMOTE SITE B:

outside:63.63.63.201 GW: 63.63.63.193

inside: 192.168.1.1

Connected to the inside of site B, I try a host at site A --- I get no connection (times out), BUT -- it does establish the VPN tunnel - and everything appears to check good (IPsec tunnel wise).

Thank you for your time and help,

john-

SITE A:

ASA Version 8.0(5)

!

hostname office

domain-name office.org

!

interface Vlan1

nameif inside

security-level 100

ip address 10.99.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 200.200.200.131 255.255.255.224

!

ftp mode passive

dns server-group DefaultDNS

domain-name office.org

access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 200.200.200.129 1

route outside 192.168.1.0 255.255.255.0 63.63.63.201 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.99.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 63.63.63.201

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

dhcpd address 10.99.10.3-10.99.10.33 inside

dhcpd dns 8.8.8.8 interface inside

dhcpd lease 14400 interface inside

dhcpd domain office.org interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 63.63.63.201 type ipsec-l2l

tunnel-group 63.63.63.201 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

: end

REMOTE SITE:

ASA Version 8.0(5)

!

hostname remote

domain-name remote.org

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 63.63.63.201 255.255.255.224

!

!

ftp mode passive

dns server-group DefaultDNS

domain-name remote.org

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 63.63.63.193 1

route outside 10.99.10.0 255.255.255.0 200.200.200.131 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 200.200.200.131

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 8.8.8.8 interface inside

dhcpd lease 14400 interface inside

dhcpd domain remote.org interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 200.200.200.131 type ipsec-l2l

tunnel-group 200.200.200.131 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

: end


Accepted Solution

Oops, typo, should be:

nat (inside) 1 10.99.10.0 255.255.255.0


41 Replies

Jennifer Halim
Cisco Employee

Please kindly remove the following 2 routes as they are incorrect:

route outside 192.168.1.0 255.255.255.0 63.63.63.201 1

route outside 10.99.10.0 255.255.255.0 200.200.200.131 1

If you are testing by ping, please kindly enable icmp inspection on both ASA:

policy-map global_policy

  class inspection_default

     inspect icmp

And if it still does not work, please share the output of:

show cry isa sa

show cry ipsec sa

Jennifer,

Thank you for the response.

* I removed both of the routes as you instructed.

Leaving only a single route on both devices - 0.0.0.0 > both to their respective internet gateways.

* I also enabled icmp inspection on both devices.

From the 192.168.1.0 network - I tried to access a web page at 10.99.10.4, with no success.

I also tried to ping the same device, again, with no success.

I ran the commands you requested, from both devices - and have attached each.

Thank you for your help,

john-

Based on the output provided, it seems that the 10.99.10.4 device is not replying. Can you please check to see if the personal firewall on that device has been turned off?

A lot of the times, the firewall is on, and it is not allowing inbound connection from different subnet.

I also assume that the default gateway on the 10.99.10.4 device is 10.99.10.1 (the ASA inside interface).

Try to ping other devices in the same network and see if you can have connectivity between the 2 subnets.

To confirm that it's not a configuration issue on the ASA, please kindly add the following command:

management-access inside

Then you can test to see if you can ping the ASA inside interface across the tunnel:

- From 192.168.1.0 network, see if you can ping 10.99.10.1

- From 10.99.10.0 network, see if you can ping 192.168.1.1

If you can ping the ASA inside interface, that means the configuration on the ASA is correct, and you should check the end host itself that you want to access.

Hope that helps.

Jennifer,

Ok --- added the management access as you instructed - I am able to ping internal gateways, both ways.

Replaced the existing machine with a laptop - turned off the firewall - and what do you know !

I can ping machines both ways too.


BUT ---- I'm still missing the one thing that I need for this "connection" to do, one last thing.

The remote machine has access to 'raw' unfiltered internet access.... I need all of the remote machine's traffic to go through the tunnel, to the office.

I think we are VERY close now,

Thank you again for all your time and help,

john-

Great... thanks for the update.

So what is your filtering device at the HQ? is it a proxy server for web traffic? where is the proxy server, and what is the ip address? and how are you going to redirect the remote user to use the HQ proxy (PAC file, WPAD, proxy URL?)

Jennifer,

Can you see my - deer in the head lights - blank stare ??

Now I'm lost .....

I was just thinking there was a way to force all the remote traffic through the tunnel.

Nonetheless, you have been very helpful and I learned some very good things to check.

I appreciate your time and help,

john-

Sure you can definitely direct traffic towards the VPN tunnel, but you mention that you want some filtering done for your remote subnet, hence the question of how you are currently performing the filtering at your main site.

Anyway, currently your crypto ACL is between the 2 subnets: 192.168.1.0/24 and 10.99.10.0/24 subnet. If you need all the 192.168.1.0/24 subnet destined for everything going through the tunnel, and u-turn traffic at the main site for traffic destined for the internet, then here is the configuration that you require:

Main site:

access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0

nat (outside) 1 192.168.1.0 255.255.255.0

same-security-traffic permit intra-interface

clear xlate

Remote site:

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any

clear xlate

Please kindly mark the post as answered if you have no further questions. Thank you.
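Two of the replies above carry checks worth automating before bringing up an ASA 8.0 LAN-to-LAN pair: the earlier one (remove the static routes that point each remote LAN at the peer's public address; the crypto map on the outside interface, not a host route to the peer, is what steers matching traffic into the tunnel) and this one (tunnel-all needs a mirrored "any" crypto ACE on both sides, a nat 0 exemption for "any" on the remote, and on the main site "same-security-traffic permit intra-interface" plus a "nat (outside)" entry for the remote subnet). The Python script below is an added example, not code from this thread or from Cisco. It reads only the access-list, nat, route, crypto map and same-security-traffic lines of two configs, checks that the crypto ACLs are mirror images, that every crypto ACE is covered by the nat 0 ACL, flags a static route for a protected subnet whose next hop is the VPN peer, and, when the remote's crypto ACL has an "any" destination, checks that the main site has the two u-turn lines. The embedded sample configs are the relevant lines of the two configs posted above (constructed from them, with this reply's changes applied in the second pair); the function names parse, check_site, check_pair and audit are the example's own.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

def to_net(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(config):
    """Pull only the pieces the checks need out of an ASA 8.0-style config (pre-8.3 NAT syntax)."""
    cfg = {"acl": {}, "routes": [], "nat_outside": [], "flags": set(),
           "peer": None, "crypto_acl": None, "nat0_acl": None}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = to_net(t[5:])
            dst, _ = to_net(rest)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["route"]:  # route <ifc> <net> <mask> <gateway> [metric]
            cfg["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), ipaddress.ip_address(t[4])))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["nat", "(outside)"]:  # nat (outside) <id> <net> <mask>
            cfg["nat_outside"].append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:2] == ["crypto", "map"] and t[-3:-1] == ["match", "address"]:
            cfg["crypto_acl"] = t[-1]
        elif t[:2] == ["crypto", "map"] and t[-3:-1] == ["set", "peer"]:
            cfg["peer"] = ipaddress.ip_address(t[-1])
        elif t == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["flags"].add("intra-interface")
    return cfg

def check_site(name, cfg):
    """Per-site checks: every crypto ACE is NAT-exempt, and no static route tries to 'help' the tunnel."""
    out = []
    crypto = cfg["acl"].get(cfg["crypto_acl"], [])
    nat0 = cfg["acl"].get(cfg["nat0_acl"], [])
    for src, dst in crypto:
        # nat (inside) 0 only sees inside-sourced traffic, so the exempt source may be narrower than src
        if not any(src.overlaps(ns) and dst.subnet_of(nd) for ns, nd in nat0):
            out.append(f"{name}: no nat 0 exemption for {src} -> {dst}; it would be PAT'd and never match the crypto ACL")
    for net, gw in cfg["routes"]:
        if gw == cfg["peer"] and any(net == dst for _, dst in crypto):
            out.append(f"{name}: remove 'route outside {net.network_address} {net.netmask} {gw}'; "
                       f"the crypto map selects the tunnel once the default route sends {net} out 'outside'")
    return out

def check_pair(hub, spoke):
    """Cross-site checks: mirrored crypto ACLs, plus the hub-side u-turn pieces when the spoke tunnels everything."""
    out = check_site("hub", hub) + check_site("spoke", spoke)
    h = set(hub["acl"].get(hub["crypto_acl"], []))
    s = {(d, sr) for sr, d in spoke["acl"].get(spoke["crypto_acl"], [])}
    if h != s:
        out.append(f"crypto ACLs are not mirror images: hub-only {[f'{a}->{b}' for a, b in h - s]}, "
                   f"spoke-only (mirrored) {[f'{a}->{b}' for a, b in s - h]}")
    spoke_lans = [sr for sr, d in spoke["acl"].get(spoke["crypto_acl"], []) if d == ANY]
    if spoke_lans:  # spoke sends everything through the tunnel, so the hub must hairpin internet-bound traffic
        if "intra-interface" not in hub["flags"]:
            out.append("hub: tunnel-all needs 'same-security-traffic permit intra-interface' so spoke traffic may leave via the interface it arrived on")
        for lan in spoke_lans:
            if not any(lan.subnet_of(n) for n in hub["nat_outside"]):
                out.append(f"hub: add 'nat (outside) 1 {lan.network_address} {lan.netmask}' so {lan} is PAT'd to the outside address on its way to the internet")
    return out

def audit(hub_text, spoke_text):
    return check_pair(parse(hub_text), parse(spoke_text))

# Constructed samples: the relevant lines of the two configs posted in this thread, as originally posted.
SITE_A = """
access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 200.200.200.129 1
route outside 192.168.1.0 255.255.255.0 63.63.63.201 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 63.63.63.201
"""
SITE_B = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 63.63.63.193 1
route outside 10.99.10.0 255.255.255.0 200.200.200.131 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 200.200.200.131
"""
# The same pair after the thread's advice: routes to the peer removed, tunnel-all on the spoke, u-turn on the hub.
SITE_A_ALL = SITE_A.replace("route outside 192.168.1.0 255.255.255.0 63.63.63.201 1\n", "") + """
access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.1.0 255.255.255.0
same-security-traffic permit intra-interface
"""
SITE_B_ALL = SITE_B.replace("route outside 10.99.10.0 255.255.255.0 200.200.200.131 1\n", "") + """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
"""
```

audit(SITE_A, SITE_B) returns the two "remove 'route outside ...'" findings, one per site, and audit(SITE_A_ALL, SITE_B_ALL) returns an empty list. This is a syntax-level sanity check over pre-8.3 NAT syntax, not a substitute for "show crypto ipsec sa" and packet-tracer on the box: it confirms the main site has the two u-turn lines named above, but not that the PAT is actually hit, and it does not check IKE policy, pre-shared keys or whether the peer is reachable.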

Jennifer,

My apologies for the delay.

I made the changes as instructed, but then lost the connection all together! (was no longer able to ping gateways).

I restored the configs - and I'm back to being able to ping both ways again.

I do have one more piece to this puzzle..... you asked about a filter.

I will have a filter plugged into the main ASA - with an IP address of 10.99.10.2

thank you,

john-

What device is the filter 10.99.10.2? How are you directing the web traffic towards this filter?

I am just trying to understand which way you are planning to direct the traffic. As advised earlier, there are a number of ways to direct web traffic, and the configuration is different depending on which method you are using.

Jennifer,

10.99.10.2 is the inside interface of an Untangle Server, set up primarily as a web filter.

It will be connected directly to eth0/1 - on the main ASA.

john-

I've just read the Untangle web filter website, and it says "No proxy settings required", however I couldn't find the information on how or what protocol it uses to direct the web traffic. Do you have information on how traffic will be routed towards the Untangle web filter for it to inspect the web traffic?

Jennifer,

If I set the Untangle box as a transparent bridge, it will listen on port 80 - for all tcp-ip traffic.

I'm assuming....yes - here I go again -smile, that since it's the only device connected to the inside of the Main ASA, web traffic will find the Untangle box?????

john-

Not really, unless you are placing the Untangle server inline between the users and the ASA inside interface, the traffic will not magically be routed towards the Untangle server.

Might be good to ask the Untangle vendor on how and what protocol it uses to direct web traffic? whether it is inline, transparent via WCCP or something else?

WOW

NO - Cisco MAGIC....

smile ---

I will contact Untangle on Monday.... but in the mean time --- and I'm just throwing straw in the air !!

But... was reading --- ( yes, scary...)

Can we not somehow create the initial tunnel, then use a "tunnel route" that points traffic to 10.99.10.2 as a gateway ?

Or am I just being delusional?

... I do appreciate all your help---

thank you,

john-