12-15-2010 05:21 PM
Hello everyone,
New ASA user and I'm stuck !
This should be a pretty stock install, but of course not….smile. I'm pretty sure I'm just lost with the "routing".
Two ASA 5505s, version 8.05 - configured for LAN to LAN IPsec VPN.
All traffic at site B needs to go through the tunnel, to site A resources.
MAIN SITE A:
outside:200.200.200.131 / GW: 200.200.200.192
inside: 10.99.10.1
REMOTE SITE B:
outside:63.63.63.201 GW: 63.63.63.193
inside: 192.168.1.1
Connected to the inside of site B, I try a host at site A --- I get no connection (times out), BUT -- it does establish the VPN tunnel - and everything appears to check good (IPsec-tunnel-wise).
Thank you for your time and help,
john-
SITE A:
ASA Version 8.0(5)
!
hostname office
domain-name office.org
!
interface Vlan1
nameif inside
security-level 100
ip address 10.99.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.200.200.131 255.255.255.224
!
ftp mode passive
dns server-group DefaultDNS
domain-name office.org
access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.200.200.129 1
route outside 192.168.1.0 255.255.255.0 63.63.63.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.99.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 63.63.63.201
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
dhcpd address 10.99.10.3-10.99.10.33 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 14400 interface inside
dhcpd domain office.org interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 63.63.63.201 type ipsec-l2l
tunnel-group 63.63.63.201 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
REMOTE SITE:
ASA Version 8.0(5)
!
hostname remote
domain-name remote.org
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.63.63.201 255.255.255.224
!
!
ftp mode passive
dns server-group DefaultDNS
domain-name remote.org
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.63.63.193 1
route outside 10.99.10.0 255.255.255.0 200.200.200.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.131
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 14400 interface inside
dhcpd domain remote.org interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.200.200.131 type ipsec-l2l
tunnel-group 200.200.200.131 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
12-16-2010 12:43 AM
Please kindly remove the following 2 routes as they are incorrect:
route outside 192.168.1.0 255.255.255.0 63.63.63.201 1
route outside 10.99.10.0 255.255.255.0 200.200.200.131 1
If you are testing by ping, please kindly enable icmp inspection on both ASA:
policy-map global_policy
class inspection_default
inspect icmp
And if it still does not work, please share the output of:
show cry isa sa
show cry ipsec sa
12-16-2010 11:09 AM
Jennifer,
Thank you for the response.
* I removed both of the routes as you instructed.
Leaving only a single route on both devices - 0.0.0.0 > both to their respective internet gateways.
* I also enabled icmp inspection on both devices.
From the 192.168.1.0 network - I tried to access a web page at 10.99.10.4, with no success.
I also tried to ping the same device, again, with no success.
I ran the commands you requested, from both devices - and have attached each.
Thank you for your help,
john-
12-16-2010 03:50 PM
Based on the output provided, it seems that the 10.99.10.4 device is not replying. Can you please check whether the personal firewall on that device has been turned off?
A lot of the time, the firewall is on and it does not allow inbound connections from a different subnet.
I also assume that the default gateway on the 10.99.10.4 device is 10.99.10.1 (the ASA inside interface).
Try to ping other devices in the same network and see if you can have connectivity between the 2 subnets.
To confirm that it's not a configuration issue on the ASA, please kindly add the following command:
management-access inside
Then you can test to see if you can ping the ASA inside interface across the tunnel:
- From 192.168.1.0 network, see if you can ping 10.99.10.1
- From 10.99.10.0 network, see if you can ping 192.168.1.1
If you can ping the ASA inside interface, that means the configuration on the ASA is correct, and you should check the end host itself that you want to access.
Hope that helps.
12-16-2010 04:28 PM
Jennifer,
Ok --- added the management access as you instructed - I am able to ping internal gateways, both ways.
Replaced the existing machine with a laptop - turned off the firewall - and what do you know !
I can ping machines both ways too.
BUT ---- I'm still missing the one thing that I need for this "connection" to do, one last thing.
The remote machine has 'raw', unfiltered internet access.... I need all of the remote machine's traffic to go through the tunnel, to the office.
I think we are VERY close now,
Thank you again for all your time and help,
john-
12-16-2010 04:32 PM
Great... thanks for the update.
So what is your filtering device at the HQ? Is it a proxy server for web traffic? Where is the proxy server, and what is its IP address? And how are you going to redirect the remote user to use the HQ proxy (PAC file, WPAD, proxy URL)?
12-16-2010 05:13 PM
Jennifer,
Can you see my - deer in the head lights - blank stare ??
Now I'm lost .....
I was just thinking there was a way to force all the remote traffic through the tunnel.
Nonetheless, you have been very helpful and I learned some very good things to check.
I appreciate your time and help,
john-
12-16-2010 05:25 PM
Sure, you can definitely direct traffic towards the VPN tunnel, but you mention that you want some filtering done for your remote subnet, hence the question of how you are currently performing the filtering at your main site.
Anyway, currently your crypto ACL is between the 2 subnets: 192.168.1.0/24 and 10.99.10.0/24 subnet. If you need all the 192.168.1.0/24 subnet destined for everything going through the tunnel, and u-turn traffic at the main site for traffic destined for the internet, then here is the configuration that you require:
Main site:
access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.1.0 255.255.255.0
same-security-traffic permit intra-interface
clear xlate
Remote site:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
clear xlate
Please kindly mark the post as answered if you have no further questions. Thank you.
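Added example, not from the thread or either poster: a small Python checker that applies the advice from the two replies above (the earlier one about removing the two static routes and enabling the NAT exemption, and this one about the hairpin configuration) to a pair of ASA 8.x configs. It parses only the lines that matter for a LAN-to-LAN tunnel and flags outside routes whose next hop is not on the outside subnet, crypto ACLs that are not exact mirrors of each other, crypto traffic the NAT-exemption ACL does not cover, and, when the main site's crypto ACL uses "any" as source, a missing "same-security-traffic permit intra-interface" or "nat (outside)" entry. The sample configs are trimmed excerpts of the two posted above; the function and field names are this example's own.

```python
"""Consistency checks for a pair of ASA 8.x LAN-to-LAN IPsec configs. Added example, not
from the thread: the samples are trimmed excerpts of the two posted configs and the checks
encode the replies' advice (drop off-subnet routes, mirror and NAT-exempt the crypto ACLs,
add the hairpin prerequisites when the crypto ACL uses "any"). Names are this example's own."""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

ANY = IPv4Network("0.0.0.0/0")

def _net(tokens):
    """Consume one address from ACL tokens: 'any' or 'addr mask'; return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_asa(text):
    """Extract the interface, ACL, route, NAT and crypto-map lines that matter for an L2L tunnel."""
    cfg = {"ifaces": {}, "acls": {}, "routes": [], "crypto_acl": None,
           "nat0_acl": None, "nat_outside": [], "intra": False}
    cur = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            cur = cfg["ifaces"][m[1]] = {}          # the 'ip address' line that follows belongs to it
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            cur["net"] = IPv4Interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"access-list (\S+) extended permit ip (.*)", line):
            src, rest = _net(m[2].split())
            cfg["acls"].setdefault(m[1], []).append((src, _net(rest)[0]))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1], IPv4Network(f"{m[2]}/{m[3]}"), IPv4Address(m[4])))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"nat \(outside\) \d+ (\S+) (\S+)", line):
            cfg["nat_outside"].append(IPv4Network(f"{m[1]}/{m[2]}"))
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
    return cfg

def site_findings(cfg):
    """Per-ASA checks: off-subnet static routes, NAT exemption of crypto traffic, hairpin needs."""
    out = []
    outside, inside = cfg["ifaces"]["outside"]["net"], cfg["ifaces"]["inside"]["net"]
    for iface, dest, nh in cfg["routes"]:
        if iface == "outside" and nh not in outside:   # the two routes the reply says to remove
            out.append(f"route {dest} via {nh}: next hop not on {outside}; the default route already covers it")
    crypto = cfg["acls"].get(cfg["crypto_acl"], [])
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    for src, dst in crypto:
        local = inside if src == ANY else src        # inside hosts must reach the peer LAN un-NATed
        if not any(local.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
            out.append(f"crypto entry {local} -> {dst} is not NAT-exempted")
        if src == ANY:   # u-turn: decrypted internet-bound traffic leaves by the same outside interface
            if not cfg["intra"]:
                out.append("hairpin needs 'same-security-traffic permit intra-interface'")
            if not any(dst.subnet_of(n) for n in cfg["nat_outside"]):
                out.append(f"hairpin needs 'nat (outside) 1 {dst.network_address} {dst.netmask}'")
    return out

def pair_findings(text_a, text_b):
    """Both per-site checks plus the mirror test: each crypto entry must be the reverse of the peer's."""
    a, b = parse_asa(text_a), parse_asa(text_b)
    out = site_findings(a) + site_findings(b)
    ea = set(a["acls"].get(a["crypto_acl"], []))
    eb = {(d, s) for s, d in b["acls"].get(b["crypto_acl"], [])}
    if ea != eb:
        out.append("crypto ACLs are not mirrored: " + ", ".join(f"{s}->{d}" for s, d in ea ^ eb))
    return out

# Constructed excerpts of the two configs posted in the thread (only the lines the parser reads).
SITE_A = """
nameif inside
ip address 10.99.10.1 255.255.255.0
nameif outside
ip address 200.200.200.131 255.255.255.224
access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 200.200.200.129 1
route outside 192.168.1.0 255.255.255.0 63.63.63.201 1
crypto map outside_map 1 match address outside_1_cryptomap
"""
SITE_B = """
nameif inside
ip address 192.168.1.1 255.255.255.0
nameif outside
ip address 63.63.63.201 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 63.63.63.193 1
route outside 10.99.10.0 255.255.255.0 200.200.200.131 1
crypto map outside_map 1 match address outside_1_cryptomap
"""

if __name__ == "__main__":
    for finding in pair_findings(SITE_A, SITE_B):
        print("FINDING:", finding)
```

Run as-is it reports exactly the two static routes: 63.63.63.201 is not on 200.200.200.128/27 and 200.200.200.131 is not on 63.63.63.192/27, so neither next hop is reachable from the outside interface, and traffic for the peer LAN is already caught by the crypto map on its way out the default route. Widening only the main site's crypto ACL to "any" makes the checker report the missing intra-interface and nat (outside) lines and the mirror mismatch until the remote side is changed to match.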
12-17-2010 03:54 PM
Jennifer,
My apologies for the delay.
I made the changes as instructed, but then lost the connection all together! (was no longer able to ping gateways).
I restored the configs - and I'm back to being able to ping both ways again.
I do have one more piece to this puzzle..... you asked about a filter.
I will have a filter plugged into the main ASA - with an IP address of 10.99.10.2
thank you,
john-
12-17-2010 04:29 PM
What device is the filter 10.99.10.2? How are you directing the web traffic towards this filter?
I am just trying to understand which way you are planning to direct the traffic, as advised earlier, there is a number of ways to direct web traffic and configuration is different depending on which method you are using.
12-17-2010 04:42 PM
Jennifer,
10.99.10.2 is the inside interface of an Untangle server, set up primarily as a web filter.
It will be connected directly to eth0/1 - on the main ASA.
john-
12-17-2010 04:52 PM
I've just read the Untangle web filter website, and it says "No proxy settings required", however I couldn't find the information on how or what protocol it uses to direct the web traffic. Do you have information on how traffic will be routed towards the Untangle web filter for it to inspect the web traffic?
12-17-2010 05:13 PM
Jennifer,
If I set the Untangle box as a transparent bridge, it will listen on port 80 for all TCP/IP traffic.
I'm assuming....yes - here I go again -smile, that since it's the only device connected to the inside of the Main ASA, web traffic will find the Untangle box?????
john-
12-17-2010 05:19 PM
Not really. Unless you are placing the Untangle server inline between the users and the ASA inside interface, the traffic will not magically be routed towards the Untangle server.
Might be good to ask the Untangle vendor on how and what protocol it uses to direct web traffic? whether it is inline, transparent via WCCP or something else?
12-17-2010 10:07 PM
WOW
NO - Cisco MAGIC....
smile ---
I will contact Untangle on Monday.... but in the mean time --- and I'm just throwing straw in the air !!
But... was reading --- ( yes, scary...)
Can we not somehow create the initial tunnel, then use a "tunnel route" that points traffic to 10.99.10.2 as a gateway ?
Or am I just being delusional?
... I do appreciate all your help---
thank you,
john-