Firewall Wizards mailing list archives

ASA routing over VPN


From: Craig Van Tassle <craig () codestorm org>
Date: Tue, 25 Jul 2006 16:12:23 -0500

I have an ASA 5510 and it's not routing my VPNs properly. I can get from my VPNs
to anywhere on my LAN, but I can't get to the net from my VPNs.
I have 4 VPN tunnels: one over the Internet, and 3 over a Frame Relay network.

The Internet one is not working at all; it connects but does not route any
traffic. The VPNs on my Frame connect but do not route traffic to the Internet.

I'm at a total loss as to where to go with this.


Attached is my current config (IPs and password have been changed):
asdm image disk0:/asdm505.bin
asdm location x 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(5) 
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif internet
 security-level 50
 ip address x 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif frame
 security-level 100
 ip address 10.11.8.2 255.255.255.0 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 ip address 192.168.200.1 255.255.255.0 
 management-only
!
passwd fYGjIZ.r.8FYvTjF encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_to_inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 
access-list inside_to_inside extended permit icmp any any 
access-list inside_to_inside extended permit tcp any any 
access-list inside_to_inside extended permit udp any any 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit ip any any 
access-list outside_in extended permit tcp any any 
access-list outside_in extended permit udp any any 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0 
access-list internet_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0 
pager lines 20
logging enable
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu frame 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (internet) 100 x
global (frame) 100 10.11.8.3
nat (internet) 100 192.168.164.0 255.255.255.0
nat (internet) 100 192.168.4.0 255.255.255.0
nat (internet) 100 192.168.3.0 255.255.255.0
nat (internet) 100 192.168.2.0 255.255.255.0
nat (internet) 100 192.168.1.0 255.255.255.0
nat (internet) 100 192.168.0.0 255.255.0.0
nat (internet) 100 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
nat (inside) 100 access-list inside_to_inside
nat (inside) 100 192.168.4.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.2.0 255.255.255.0
nat (inside) 100 192.168.1.0 255.255.255.0
static (inside,internet) udp interface 1494 192.168.1.248 1494 netmask 255.255.255.255 
static (inside,internet) tcp interface citrix-ica 192.168.1.248 citrix-ica netmask 255.255.255.255 
static (inside,internet) tcp interface 3389 192.168.1.248 3389 netmask 255.255.255.255 
static (inside,internet) tcp interface ssh 192.168.1.247 ssh netmask 255.255.255.255 
static (frame,internet) tcp interface 1387 192.168.167.251 1387 netmask 255.255.255.255 
access-group outside_in in interface internet
rip frame default version 2
route internet 192.168.164.0 255.255.255.0 192.168.1.1 1
route internet 0.0.0.0 0.0.0.0 12.34.40.217 1
route frame 192.168.4.0 255.255.255.0 10.11.8.1 1
route frame 192.168.3.0 255.255.255.0 10.11.8.1 1
route frame 192.168.2.0 255.255.255.0 10.11.8.1 1
route frame 10.11.5.0 255.255.255.0 10.11.8.1 1
route frame 10.11.6.0 255.255.255.0 10.11.8.1 1
route frame 10.11.7.0 255.255.255.0 10.11.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  port-forward-name value Application Access
http server enable
http 0.0.0.0 0.0.0.0 internet
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 40 set peer 10.0.166.2 
crypto map frame_map 40 set transform-set ESP-3DES-MD5
crypto map frame_map 60 match address frame_cryptomap_60
crypto map frame_map 60 set peer 10.0.165.2 
crypto map frame_map 60 set transform-set ESP-3DES-SHA
crypto map frame_map 80 match address frame_cryptomap_80
crypto map frame_map 80 set peer 10.0.167.2 
crypto map frame_map 80 set transform-set ESP-AES-256-SHA
crypto map frame_map interface frame
crypto map internet_map 20 match address internet_cryptomap_20
crypto map internet_map 20 set peer 12.34.40.222 
crypto map internet_map 20 set transform-set ESP-3DES-MD5
crypto map internet_map interface internet
isakmp identity address 
isakmp enable internet
isakmp enable frame
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption aes-256
isakmp policy 70 hash sha
isakmp policy 70 group 2
isakmp policy 70 lifetime 28800
tunnel-group 10.11.7.2 type ipsec-l2l
tunnel-group 10.11.7.2 ipsec-attributes
 pre-shared-key *
tunnel-group 10.11.6.2 type ipsec-l2l
tunnel-group 10.11.6.2 ipsec-attributes
 pre-shared-key *
tunnel-group 10.11.5.2 type ipsec-l2l
tunnel-group 10.11.5.2 ipsec-attributes
 pre-shared-key *
tunnel-group x type ipsec-l2l
tunnel-group x ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 internet
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 frame
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global

: end


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards