08-03-2010 02:13 AM
Hi All,
I have a VPN to a partner, but I have a carrier which is linking us together. It is supposed to be private and not passing through the internet.
The partner provided me with the following.
Remote/Peer ID - 172.16.25.1
Remote Hosts Subnet - 172.16.25.0/24
My own ID is 192.168.50.1
Local Host subnet - 10.22.0.0
I need to know what is wrong in my configs.
I have the configs on my device pasted below.
I am presently using the host 10.22.32.20 as a test.
ASA Version 7.0(8)
!
hostname asa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RuyrRXU24 encrypted
passwd 2KFQnbNstyuIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif trust
security-level 10
ip address 10.22.0.10 255.255.0.0
!
interface Ethernet0/1
nameif vpnout
security-level 0
ip address 192.168.22.1 255.255.255.0
!
interface Ethernet0/2
nameif untrust
security-level 0
ip address 60.50.x.x 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup untrust
dns name-server 60.50.x.1
dns name-server 60.50.x.2
access-list trust_pnat_inbound extended permit ip host 10.22.32.20 172.16.16.0 255.255.255.0
access-list trust_pnat_inbound_V1 extended permit ip host 10.22.16.51 172.16.25.0 255.255.255.0
access-list trust_pnat_inbound_V2 extended permit ip host 10.22.16.52 172.16.25.0 255.255.255.0
access-list trust_pnat_inbound_V3 extended permit ip host 10.22.16.53 172.16.25.0 255.255.255.0
access-list trust_pnat_inbound_V4 extended permit ip host 10.22.16.54 172.16.25.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip host 10.22.32.20 172.16.25.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu trust 1500
mtu vpnout 1500
mtu untrust 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (vpnout) 1 interface
nat (trust) 0 access-list trust_nat0_outbound
static (trust,vpnout) 192.168.22.55 access-list trust_pnat_inbound
static (trust,vpnout) 192.168.22.51 access-list trust_pnat_inbound_V1
static (trust,vpnout) 192.168.22.52 access-list trust_pnat_inbound_V2
static (trust,vpnout) 192.168.22.53 access-list trust_pnat_inbound_V3
static (trust,vpnout) 192.168.22.54 access-list trust_pnat_inbound_V4
route vpnout 172.16.25.0 255.255.255.0 192.168.22.2 1
route untrust 0.0.0.0 0.0.0.0 60.50.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ciscoretw password ZBZ8GNEdruirJsjFvsR encrypted
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.22.0.0 255.255.0.0 trust
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MyMap 5 match address trust_pnat_inbound
crypto map MyMap 5 set peer 172.16.25.1
crypto map MyMap 5 set transform-set MySet
crypto map MyMap 5 set security-association lifetime seconds 84600
crypto map MyMap 5 set security-association lifetime kilobytes 4608000
crypto map MyMap interface vpnout
isakmp identity auto
isakmp enable vpnout
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp nat-traversal 3600
isakmp disconnect-notify
tunnel-group 172.16.25.1 type ipsec-l2l
tunnel-group 172.16.25.1 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 10
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:20b93ce676451dd2395f76dd4b6a2719
: end
08-03-2010 05:46 AM
I do not see any access-list entry permitting traffic, since you are trying to establish this VPN on
the least secure zone, that is security level 0.
Try adding the following command:
sysopt connection permit-vpn
Also, please verify whether you need this internal network to be marked as unsecure with security level 0, as for an interface with security level 0 all traffic is denied by default.
08-04-2010 12:34 AM
Hi. Thanks for the reply.
I had to reconfigure the device, but still no headway.
Maybe we can work with this new config.
The config is pasted below.
I intend to NAT my internal (trust) addresses, which are on the 10.22.x.x network, to the 192.168.22.x (vpnout) network.
So the remote end should be talking to the 192.168.22.x addresses.
Checking my config, can you help me see if I am fine with this?
Also, do I need another access list in addition to the one I have created?
Please do a check through.
ASA Version 7.0(8)
!
hostname asa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RuyrRXU24 encrypted
passwd 2KFQnbNstyuIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif trust
security-level 40
ip address 10.22.0.10 255.255.0.0
!
interface Ethernet0/1
nameif vpnout
security-level 50
ip address 192.168.22.1 255.255.255.0
!
interface Ethernet0/2
nameif untrust
security-level 0
ip address 60.50.x.x 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup untrust
dns name-server 60.50.x.1
dns name-server 60.50.x.2
access-list TRUST_VPNOUT extended permit ip host 10.22.32.20 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.51 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.52 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.53 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.54 172.16.25.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu trust 1500
mtu vpnout 1500
mtu untrust 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (vpnout) 1 192.168.22.51-192.168.22.55 netmask 255.255.255.0
nat (trust) 1 access-list TRUST_VPNOUT
static (trust,vpnout) 192.168.22.55 10.22.32.20 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.51 10.22.16.51 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.52 10.22.16.52 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.53 10.22.16.53 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.54 10.22.16.54 netmask 255.255.255.255
access-group trust_access_in in interface trust
route vpnout 172.16.25.0 255.255.255.0 192.168.22.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ZBZ8GNEdrJsjFvsR encrypted
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.22.0 255.255.255.0 management
http 10.22.0.0 255.255.0.0 trust
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MyMap 5 match address TRUST_VPNOUT
crypto map MyMap 5 set peer 172.16.25.1
crypto map MyMap 5 set transform-set MySet
crypto map MyMap 5 set security-association lifetime seconds 84600
crypto map MyMap 5 set security-association lifetime kilobytes 4608000
crypto map MyMap interface vpnout
isakmp identity auto
isakmp enable vpnout
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal 3600
isakmp disconnect-notify
tunnel-group 172.16.25.1 type ipsec-l2l
tunnel-group 172.16.25.1 ipsec-attributes
pre-shared-key *
telnet 10.22.0.0 255.255.0.0 trust
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:8d407308e1edf944032i447d6a84091902
: end
Thanks in advance
08-04-2010 03:48 AM
Here's the thing:
The traffic that you need to encrypt needs to be specified in the ACL under the crypto map, which you have done perfectly.
Now, where this thing fails is right in the NAT rules.
If you want the traffic to match the ACL in the crypto map, then you will need to do NAT exemption for this traffic.
Try this:
nat (trust) 0 access-list TRUST_VPNOUT
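The point both replies turn on is that the ASA applies NAT before it evaluates the crypto map ACL, so the ACL must match whatever source address survives the NAT stage. The checker below is an added example (mine, not from the thread or from Cisco); it parses a constructed excerpt of the second config and, for a flow from a trust host to the partner subnet, reports which source address the crypto map sees and whether the crypto ACL matches it. It assumes the documented ASA NAT order in which a `nat 0 access-list` exemption takes precedence over a one-to-one `static`.

```python
import ipaddress
import re

# Constructed excerpt of the thread's second config (only the lines the check needs).
ASA_CONFIG = """\
access-list TRUST_VPNOUT extended permit ip host 10.22.32.20 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.51 172.16.25.0 255.255.255.0
nat (trust) 1 access-list TRUST_VPNOUT
static (trust,vpnout) 192.168.22.55 10.22.32.20 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.51 10.22.16.51 netmask 255.255.255.255
crypto map MyMap 5 match address TRUST_VPNOUT
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit ip host (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \(\w+,\w+\) (\S+) (\S+) netmask 255\.255\.255\.255")
NAT0_RE = re.compile(r"nat \(\w+\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")


def parse(config):
    """Collect host ACEs, one-to-one statics, NAT-exempt ACL names and the crypto ACL name."""
    acls, statics, exempt, crypto_acl = {}, {}, set(), None
    for line in config.splitlines():
        if m := ACE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            acls.setdefault(m.group(1), []).append((m.group(2), net))
        elif m := STATIC_RE.match(line):
            statics[m.group(2)] = m.group(1)  # real address -> mapped address
        elif m := NAT0_RE.match(line):
            exempt.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto_acl = m.group(1)
    return acls, statics, exempt, crypto_acl


def crypto_view(config, real_src, dst):
    """Return (source address the crypto map sees, whether the crypto ACL matches it)."""
    acls, statics, exempt, crypto_acl = parse(config)
    dst_ip = ipaddress.ip_address(dst)

    def hits(acl_name, src):
        return any(h == src and dst_ip in n for h, n in acls.get(acl_name, []))

    # Assumed ASA order: a nat 0 exemption wins over a static, so the real address is kept;
    # otherwise the static rewrites the source before the crypto map looks at the packet.
    seen = real_src if any(hits(a, real_src) for a in exempt) else statics.get(real_src, real_src)
    return seen, hits(crypto_acl, seen)
```

With the config as posted the test host is seen as 192.168.22.55, which TRUST_VPNOUT never mentions; adding the suggested `nat (trust) 0` line makes the real address survive, and the alternative of writing the crypto ACL with the mapped 192.168.22.x addresses also yields a match.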