Firewall Wizards mailing list archives

Re: ASA routing over VPN


From: Shahin Ansari <zohal52 () yahoo com>
Date: Tue, 25 Jul 2006 20:11:00 -0700 (PDT)

Craig,
   I don't see the command "sysopt connection permit-ipsec" in your configuration. You need this to change the system parameters to allow ipsec traffic. Give it a shot.
Regards-
 Sean

--- Craig Van Tassle <craig () codestorm org> wrote:

I have an ASA 5510 and it's not routing my VPNs properly. I can get from my VPNs to anywhere on my LAN, but I can't get to the net from my VPNs. I have 4 VPN tunnels: one over the Internet, and 3 over a Frame Relay network.

The Internet one is not working at all: it connects but does not route any traffic. The VPNs on my Frame Relay network connect but do not route traffic to the Internet.

I'm at a total loss as to where to go with this.


Attached is my current config (IPs and passwords have been changed):
asdm image disk0:/asdm505.bin
asdm location x 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(5) 
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif internet
 security-level 50
 ip address x 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif frame
 security-level 100
 ip address 10.11.8.2 255.255.255.0 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 ip address 192.168.200.1 255.255.255.0 
 management-only
!
passwd fYGjIZ.r.8FYvTjF encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_to_inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_to_inside extended permit icmp any any
access-list inside_to_inside extended permit tcp any any
access-list inside_to_inside extended permit udp any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
access-list outside_in extended permit tcp any any
access-list outside_in extended permit udp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
access-list internet_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
pager lines 20
logging enable
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu frame 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (internet) 100 x
global (frame) 100 10.11.8.3
nat (internet) 100 192.168.164.0 255.255.255.0
nat (internet) 100 192.168.4.0 255.255.255.0
nat (internet) 100 192.168.3.0 255.255.255.0
nat (internet) 100 192.168.2.0 255.255.255.0
nat (internet) 100 192.168.1.0 255.255.255.0
nat (internet) 100 192.168.0.0 255.255.0.0
nat (internet) 100 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
nat (inside) 100 access-list inside_to_inside
nat (inside) 100 192.168.4.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.2.0 255.255.255.0
nat (inside) 100 192.168.1.0 255.255.255.0
static (inside,internet) udp interface 1494 192.168.1.248 1494 netmask 255.255.255.255
static (inside,internet) tcp interface citrix-ica 192.168.1.248 citrix-ica netmask 255.255.255.255
static (inside,internet) tcp interface 3389 192.168.1.248 3389 netmask 255.255.255.255
static (inside,internet) tcp interface ssh 192.168.1.247 ssh netmask 255.255.255.255
static (frame,internet) tcp interface 1387 192.168.167.251 1387 netmask 255.255.255.255
access-group outside_in in interface internet
rip frame default version 2
route internet 192.168.164.0 255.255.255.0 192.168.1.1 1
route internet 0.0.0.0 0.0.0.0 12.34.40.217 1
route frame 192.168.4.0 255.255.255.0 10.11.8.1 1
route frame 192.168.3.0 255.255.255.0 10.11.8.1 1
route frame 192.168.2.0 255.255.255.0 10.11.8.1 1
route frame 10.11.5.0 255.255.255.0 10.11.8.1 1
route frame 10.11.6.0 255.255.255.0 10.11.8.1 1
route frame 10.11.7.0 255.255.255.0 10.11.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  port-forward-name value Application Access
http server enable
http 0.0.0.0 0.0.0.0 internet
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 40 set peer 10.0.166.2
crypto map frame_map 40 set transform-set ESP-3DES-MD5
crypto map frame_map 60 match address frame_cryptomap_60
crypto map frame_map 60 set peer 10.0.165.2
crypto map frame_map 60 set transform-set ESP-3DES-SHA
crypto map frame_map 80 match address frame_cryptomap_80
crypto map frame_map 80 set peer 10.0.167.2
crypto map frame_map 80 set transform-set ESP-AES-256-SHA
crypto map frame_map interface frame
crypto map internet_map 20 match address internet_cryptomap_20
crypto map internet_map 20 set peer 12.34.40.222
crypto map internet_map 20 set transform-set ESP-3DES-MD5
crypto map internet_map interface internet
isakmp identity address 
isakmp enable internet

=== message truncated ===>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



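A small static check for the two things this thread turns on, written as an added example (it is not Sean's or Craig's code and not a Cisco tool): it flags a config that lacks "sysopt connection permit-ipsec", as Sean points out, and it compares each crypto-map "match address" ACL against the nat 0 (NAT-exemption) ACLs, because interesting traffic that is translated before encryption never matches the tunnel. The sample config is a constructed excerpt modelled on the posted one, with frame_cryptomap_60 deliberately left without an exemption so the check fires.

```python
import re

# Constructed excerpt modelled on the posted ASA 7.0 config (not the real one);
# frame_cryptomap_60 intentionally has no matching nat 0 entry.
SAMPLE_CONFIG = """
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list internet_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 60 match address frame_cryptomap_60
crypto map internet_map 20 match address internet_cryptomap_20
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")

def parse(text):
    """Collect ACL entries, nat 0 (exemption) ACL names and crypto-map ACL names."""
    acls, nat0, crypto, cmds = {}, set(), set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        cmds.append(line)
        m = ACL_RE.match(line)
        if m:                                   # "permit ip <src mask> <dst mask>"
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif line.startswith("nat (") and " 0 access-list " in line:
            nat0.add(line.split(" 0 access-list ")[1].split()[0])
        elif line.startswith("crypto map ") and " match address " in line:
            crypto.add(line.split(" match address ")[1])
    return acls, nat0, crypto, cmds

def check(text):
    """Return findings: missing sysopt, and crypto ACL entries with no nat 0 exemption."""
    acls, nat0, crypto, cmds = parse(text)
    findings = []
    if "sysopt connection permit-ipsec" not in cmds:
        findings.append("sysopt connection permit-ipsec is not configured")
    exempt = {pair for name in nat0 for pair in acls.get(name, [])}
    for name in sorted(crypto):
        for src, dst in acls.get(name, []):
            if (src, dst) not in exempt:        # would be NATed before encryption
                findings.append(f"{name}: {src} -> {dst} has no nat 0 exemption")
    return findings
```

Run check() over a pasted "show running-config" (one command per line); an empty list means neither condition was flagged.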