Firewall Wizards mailing list archives
Re: LinkSys RV042 to ASA 5505 IPsec tunnel
From: "Fetch, Brandon" <bfetch () tpg com>
Date: Mon, 2 Mar 2009 11:13:43 -0500
ASA needs to have the "same-security-traffic permit intra-interface". Note the distinction between 'intra' and 'inter': Intra is traffic between two hosts on the same network (if the ASA is performing a redirect). Inter is traffic between two interfaces of the same security level. It's that implicit drop behavior of the ASA/PIX to not allow a packet that entered an interface to leave on the same.

Since your VPN is terminated on the outside, for you to be able to "hairpin" the remote site's traffic you have to tell the firewall to allow that.

Be sure to have your interesting traffic ACL on the firewall incorporate the remote network attempting to reach "everything":

ACL S2S-VPN permit ip 0.0.0.0 0.0.0.0 192.168.25.0/24

If you're looking to do a dynamic VPN as well there are config examples on Cisco's site to do this. Here's one for v7.x of PIX OS:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

HTH,
Brandon

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Christopher J. Wargaski
Sent: Wednesday, February 18, 2009 5:32 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] LinkSys RV042 to ASA 5505 IPsec tunnel

Hello--

I have a Linksys RV042 running the latest firmware and an ASA 5505 running 8.0(4). I have successfully established an IPsec LAN to LAN tunnel by specifying actual local and remote networks. Now, I would like to configure the tunnel so that all traffic from the LinkSys "inside" network (192.168.25.0/24) is sent across the VPN no matter what the destination address is. The idea here is to force the branch office to send all traffic through the main office and force that traffic out one content filter. (BTW, the ASA "inside" network is 192.168.17.0/24).
To achieve this, I configured the Linksys as such:

Local Group:
Gateway type--IP only
IP address 75.2.2.2
Group type--Subnet IP
IP--192.168.25.0
Mask--255.255.255.0

Remote Group:
Gateway type--IP only
IP address 75.2.2.3
Group type--Subnet IP
IP--0.0.0.0
Mask--0.0.0.0

Of course, this does not work. I enabled crypto debugs (ISAKMP and IPsec) on the ASA and saw nothing. OK, so if the ASA is not seeing any crypto traffic, is it seeing ANY traffic on the outside interface? I set up a capture on the outside interface from any to any. I saw no crypto traffic, only the ICMP echo requests that I was sending from inside the Linksys.

Any thoughts on this? If I could configure the Linksys to be a hardware client, that would be just fine too.

cjw

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
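The ASA side of what Brandon describes, written out as an added example in pre-8.3 ASA syntax (as on the 8.0(4) box in the thread); this is not configuration from either poster or from Cisco's linked document. The peer and network addresses are the ones in the original post; the ACL, crypto map and transform-set names, the IKE/IPsec algorithm choices and the pre-shared key are placeholders, and the NAT lines for branch traffic that continues on to the Internet are an assumption the thread itself does not cover.

```text
! Let a packet that arrived on "outside" (decrypted from the tunnel) leave
! via "outside" again. Without this the ASA silently drops the hairpinned
! traffic; "show asp drop" is where those drops are counted.
same-security-traffic permit intra-interface

! Interesting-traffic ACL: the mirror image of the RV042's selectors.
! RV042 local = 192.168.25.0/24 and RV042 remote = 0.0.0.0/0, so the ASA
! uses local = any, remote = 192.168.25.0/24 (Brandon's S2S-VPN ACL).
access-list S2S-VPN extended permit ip any 192.168.25.0 255.255.255.0

! Exempt hub-LAN <-> branch-LAN traffic from NAT (pre-8.3 "nat 0" form).
access-list NONAT extended permit ip 192.168.17.0 255.255.255.0 192.168.25.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Assumption, not from the thread: branch traffic bound for the Internet
! re-exits "outside" and must be translated to a routable address or the
! replies never come back. The trailing "outside" keyword applies the rule
! to traffic that entered on the outside interface.
nat (outside) 1 192.168.25.0 255.255.255.0 outside
global (outside) 1 interface

! Phase 1 (placeholder algorithm choices).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Phase 2: bind the interesting-traffic ACL to the RV042's WAN address.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address S2S-VPN
crypto map OUTSIDE_MAP 10 set peer 75.2.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! LAN-to-LAN tunnel group keyed on the peer address.
tunnel-group 75.2.2.2 type ipsec-l2l
tunnel-group 75.2.2.2 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
```

The "any" in S2S-VPN is what lets the ASA accept the RV042's 0.0.0.0/0 proposal during Phase 2; if the two sides' selectors are not mirror images the SA negotiation fails, which is the first thing to check in "debug crypto ipsec" before looking at the hairpin itself.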
Current thread:
- LinkSys RV042 to ASA 5505 IPsec tunnel Christopher J. Wargaski (Mar 01)
- Re: LinkSys RV042 to ASA 5505 IPsec tunnel Fetch, Brandon (Mar 04)