Firewall Wizards mailing list archives
ASA routing over VPN
From: Craig Van Tassle <craig () codestorm org>
Date: Tue, 25 Jul 2006 16:12:23 -0500
I have a ASA 5510 and its not routing my vpn's properly. I can get from my vpn's to anywhere on my lan.. but I cant get to the net from my vpn's. I have 4 VPN tunnels. One over the Internet, and 3 over a Frame relay network. The Internet one is not working at all.. it connects but does not route any traffic. The VPN's on my Frame connect but do not route traffic to the Internet. I'm at a total loss as where to go with this. Attacked is my current config (ip's and password have been changed)
asdm image disk0:/asdm505.bin asdm location x 255.255.255.255 inside no asdm history enable : Saved : ASA Version 7.0(5) ! hostname ciscoasa domain-name default.domain.invalid names dns-guard ! interface Ethernet0/0 nameif internet security-level 50 ip address x 255.255.255.248 ! interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0/2 nameif frame security-level 100 ip address 10.11.8.2 255.255.255.0 ! interface Management0/0 shutdown no nameif no security-level ip address 192.168.200.1 255.255.255.0 management-only ! passwd fYGjIZ.r.8FYvTjF encrypted ftp mode passive same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_to_inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 access-list inside_to_inside extended permit icmp any any access-list inside_to_inside extended permit tcp any any access-list inside_to_inside extended permit udp any any access-list outside_in extended permit icmp any any access-list outside_in extended permit ip any any access-list outside_in extended permit tcp any any access-list outside_in extended permit udp any any access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0 access-list internet_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0 pager lines 20 logging enable logging asdm informational mtu internet 1500 mtu inside 1500 mtu frame 1500 asdm image disk0:/asdm505.bin no asdm history enable arp timeout 14400 global (internet) 100 x global (frame) 100 10.11.8.3 nat (internet) 100 192.168.164.0 255.255.255.0 nat (internet) 100 192.168.4.0 255.255.255.0 nat (internet) 100 192.168.3.0 255.255.255.0 nat (internet) 100 192.168.2.0 255.255.255.0 nat (internet) 100 192.168.1.0 255.255.255.0 nat (internet) 100 192.168.0.0 255.255.0.0 nat (internet) 100 0.0.0.0 0.0.0.0 nat (inside) 0 access-list inside_nat0_outbound nat (inside) 0 access-list inside_nat0_inbound_V1 outside nat (inside) 100 access-list inside_to_inside nat (inside) 100 192.168.4.0 255.255.255.0 nat (inside) 100 192.168.3.0 255.255.255.0 nat (inside) 100 192.168.2.0 255.255.255.0 nat (inside) 100 192.168.1.0 255.255.255.0 static (inside,internet) udp interface 1494 192.168.1.248 1494 netmask 255.255.255.255 static (inside,internet) tcp interface citrix-ica 192.168.1.248 citrix-ica netmask 255.255.255.255 static (inside,internet) tcp interface 3389 192.168.1.248 3389 netmask 255.255.255.255 static (inside,internet) tcp interface ssh 192.168.1.247 ssh netmask 255.255.255.255 static (frame,internet) tcp interface 1387 192.168.167.251 1387 netmask 255.255.255.255 access-group outside_in in interface internet rip frame default version 2 route internet 192.168.164.0 255.255.255.0 192.168.1.1 1 route internet 0.0.0.0 0.0.0.0 12.34.40.217 1 route frame 192.168.4.0 255.255.255.0 10.11.8.1 1 route frame 192.168.3.0 255.255.255.0 10.11.8.1 1 route frame 192.168.2.0 255.255.255.0 10.11.8.1 1 route frame 10.11.5.0 255.255.255.0 10.11.8.1 1 route frame 10.11.6.0 255.255.255.0 10.11.8.1 1 route frame 10.11.7.0 255.255.255.0 10.11.8.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec webvpn password-storage disable ip-comp enable re-xauth enable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none webvpn functions none port-forward-name value Application Access http server enable http 0.0.0.0 0.0.0.0 internet http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map frame_map 40 match address frame_cryptomap_40 crypto map frame_map 40 set peer 10.0.166.2 crypto map frame_map 40 set transform-set ESP-3DES-MD5 crypto map frame_map 60 match address frame_cryptomap_60 crypto map frame_map 60 set peer 10.0.165.2 crypto map frame_map 60 set transform-set ESP-3DES-SHA crypto map frame_map 80 match address frame_cryptomap_80 crypto map frame_map 80 set peer 10.0.167.2 crypto map frame_map 80 set transform-set ESP-AES-256-SHA crypto map frame_map interface frame crypto map internet_map 20 match address internet_cryptomap_20 crypto map internet_map 20 set peer 12.34.40.222 crypto map internet_map 20 set transform-set ESP-3DES-MD5 crypto map internet_map interface internet isakmp identity address isakmp enable internet isakmp enable frame isakmp policy 30 authentication pre-share isakmp policy 30 encryption 3des isakmp policy 30 hash md5 isakmp policy 30 group 2 isakmp policy 30 lifetime 28800 isakmp policy 50 authentication pre-share isakmp policy 50 encryption 3des isakmp policy 50 hash sha isakmp policy 50 group 2 isakmp policy 50 lifetime 28800 isakmp policy 70 authentication pre-share isakmp policy 70 encryption aes-256 isakmp policy 70 hash sha isakmp policy 70 group 2 isakmp policy 70 lifetime 28800 tunnel-group 10.11.7.2 type ipsec-l2l tunnel-group 10.11.7.2 ipsec-attributes pre-shared-key * tunnel-group 10.11.6.2 type ipsec-l2l tunnel-group 10.11.6.2 ipsec-attributes pre-shared-key * tunnel-group 10.11.5.2 type ipsec-l2l tunnel-group 10.11.5.2 ipsec-attributes pre-shared-key * tunnel-group x type ipsec-l2l tunnel-group x ipsec-attributes pre-shared-key * telnet 0.0.0.0 0.0.0.0 internet telnet 0.0.0.0 0.0.0.0 inside telnet 0.0.0.0 0.0.0.0 frame telnet timeout 5 ssh 0.0.0.0 0.0.0.0 inside ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global : end
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- ASA routing over VPN Craig Van Tassle (Jul 25)
- Re: ASA routing over VPN Shahin Ansari (Jul 26)
- Re: ASA routing over VPN (Fixed) Craig Van Tassle (Jul 31)
- <Possible follow-ups>
- Re: ASA routing over VPN Horvath, Kevin M. (Jul 26)
- Re: ASA routing over VPN Craig Van Tassle (Jul 27)