[fw-wiz] ASA routing over VPN



I have an ASA 5510 and it's not routing my VPNs properly. I can get from my VPNs
to anywhere on my LAN, but I can't get to the net from my VPNs.
I have 4 VPN tunnels: one over the Internet, and 3 over a Frame Relay network.

The Internet one is not working at all: it connects but does not route any
traffic. The VPNs over Frame Relay connect but do not route traffic to the Internet.

I'm at a total loss as to where to go with this.


Attached is my current config (IPs and passwords have been changed):
asdm image disk0:/asdm505.bin
asdm location x 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
nameif internet
security-level 50
ip address x 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif frame
security-level 100
ip address 10.11.8.2 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
ip address 192.168.200.1 255.255.255.0
management-only
!
passwd fYGjIZ.r.8FYvTjF encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_to_inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_to_inside extended permit icmp any any
access-list inside_to_inside extended permit tcp any any
access-list inside_to_inside extended permit udp any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
access-list outside_in extended permit tcp any any
access-list outside_in extended permit udp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
access-list internet_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
pager lines 20
logging enable
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu frame 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (internet) 100 x
global (frame) 100 10.11.8.3
nat (internet) 100 192.168.164.0 255.255.255.0
nat (internet) 100 192.168.4.0 255.255.255.0
nat (internet) 100 192.168.3.0 255.255.255.0
nat (internet) 100 192.168.2.0 255.255.255.0
nat (internet) 100 192.168.1.0 255.255.255.0
nat (internet) 100 192.168.0.0 255.255.0.0
nat (internet) 100 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
nat (inside) 100 access-list inside_to_inside
nat (inside) 100 192.168.4.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.2.0 255.255.255.0
nat (inside) 100 192.168.1.0 255.255.255.0
static (inside,internet) udp interface 1494 192.168.1.248 1494 netmask 255.255.255.255
static (inside,internet) tcp interface citrix-ica 192.168.1.248 citrix-ica netmask 255.255.255.255
static (inside,internet) tcp interface 3389 192.168.1.248 3389 netmask 255.255.255.255
static (inside,internet) tcp interface ssh 192.168.1.247 ssh netmask 255.255.255.255
static (frame,internet) tcp interface 1387 192.168.167.251 1387 netmask 255.255.255.255
access-group outside_in in interface internet
rip frame default version 2
route internet 192.168.164.0 255.255.255.0 192.168.1.1 1
route internet 0.0.0.0 0.0.0.0 12.34.40.217 1
route frame 192.168.4.0 255.255.255.0 10.11.8.1 1
route frame 192.168.3.0 255.255.255.0 10.11.8.1 1
route frame 192.168.2.0 255.255.255.0 10.11.8.1 1
route frame 10.11.5.0 255.255.255.0 10.11.8.1 1
route frame 10.11.6.0 255.255.255.0 10.11.8.1 1
route frame 10.11.7.0 255.255.255.0 10.11.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp enable
re-xauth enable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions none
port-forward-name value Application Access
http server enable
http 0.0.0.0 0.0.0.0 internet
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 40 set peer 10.0.166.2
crypto map frame_map 40 set transform-set ESP-3DES-MD5
crypto map frame_map 60 match address frame_cryptomap_60
crypto map frame_map 60 set peer 10.0.165.2
crypto map frame_map 60 set transform-set ESP-3DES-SHA
crypto map frame_map 80 match address frame_cryptomap_80
crypto map frame_map 80 set peer 10.0.167.2
crypto map frame_map 80 set transform-set ESP-AES-256-SHA
crypto map frame_map interface frame
crypto map internet_map 20 match address internet_cryptomap_20
crypto map internet_map 20 set peer 12.34.40.222
crypto map internet_map 20 set transform-set ESP-3DES-MD5
crypto map internet_map interface internet
isakmp identity address
isakmp enable internet
isakmp enable frame
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption aes-256
isakmp policy 70 hash sha
isakmp policy 70 group 2
isakmp policy 70 lifetime 28800
tunnel-group 10.11.7.2 type ipsec-l2l
tunnel-group 10.11.7.2 ipsec-attributes
pre-shared-key *
tunnel-group 10.11.6.2 type ipsec-l2l
tunnel-group 10.11.6.2 ipsec-attributes
pre-shared-key *
tunnel-group 10.11.5.2 type ipsec-l2l
tunnel-group 10.11.5.2 ipsec-attributes
pre-shared-key *
tunnel-group x type ipsec-l2l
tunnel-group x ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 internet
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 frame
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global

: end


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
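Whether a spoke's Internet-bound traffic can hairpin through a hub ASA comes down to three hub-side settings: the crypto ACL bound to the map on the interface where the spoke's traffic arrives must also cover "any -> spoke LAN" (the mirror of the spoke's "spoke LAN -> any" interesting traffic); if the decrypted traffic leaves through the same interface it arrived on, "same-security-traffic permit intra-interface" must be present; and the spoke LAN needs a dynamic NAT rule keyed on the ingress interface ("nat (<ingress>) <id> <net> <mask>") paired with a "global (<egress>) <id> ..." on the exit interface. As an added example, not code from the original post or from Cisco, here is a small Python checker for that pre-8.3 NAT/crypto syntax. The embedded configuration is constructed for the example: the interface names mirror the posted config, the address plan is hypothetical, and 198.51.100.10 (TEST-NET-2) stands in for an arbitrary Internet destination. Policy NAT ("nat ... access-list") and NAT exemption ("nat ... 0 ...") are deliberately not modelled.

```python
"""Static check of a pre-8.3 ASA config for the "spoke reaches the hub LAN but
not the Internet" symptom.  Added example; not code from the original post.

For a spoke LAN whose decrypted packets enter the hub on `ingress` and leave
towards the Internet on `egress`, three conditions are checked:
  1. a crypto ACL on the crypto map bound to `ingress` covers any -> spoke LAN;
  2. if ingress == egress, "same-security-traffic permit intra-interface" is set;
  3. "nat (<ingress>) <id> <net> <mask>" covers the spoke LAN and a
     "global (<egress>) <id> ..." exists for the same id.
The sample config is constructed for this example (hypothetical address plan).
"""
import ipaddress

SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list internet_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.164.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip any 192.168.3.0 255.255.255.0
global (internet) 100 interface
global (frame) 100 10.11.8.3
nat (internet) 100 192.168.164.0 255.255.255.0
nat (inside) 100 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 40 set peer 10.0.166.2
crypto map frame_map interface frame
crypto map internet_map 20 match address internet_cryptomap_20
crypto map internet_map interface internet
"""


def _addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract ACL entries, dynamic NAT/global pairs, crypto-map bindings and intra-interface state."""
    cfg = {"acls": {}, "nat": [], "global": {}, "map_acl": {}, "map_ifc": {}, "intra": False}
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif line.startswith("access-list ") and " extended permit ip " in line:
            src, i = _addr(t, 5)                 # access-list NAME extended permit ip SRC DST
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif line.startswith("nat (") and t[2] != "0" and t[3] != "access-list":
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["nat"].append((t[1].strip("()"), t[2], net))          # (ingress ifc, id, net)
        elif line.startswith("global ("):
            cfg["global"].setdefault(t[2], set()).add(t[1].strip("()"))  # id -> egress ifcs
        elif line.startswith("crypto map ") and t[4:6] == ["match", "address"]:
            cfg["map_acl"].setdefault(t[2], []).append(t[6])          # map -> crypto ACL names
        elif line.startswith("crypto map ") and t[3] == "interface":
            cfg["map_ifc"][t[2]] = t[4]                               # map -> bound interface
    return cfg


def check_hairpin(cfg, spoke_net, ingress, egress, probe="198.51.100.10"):
    """Return {check: (passed, detail)} for spoke_net -> probe entering on ingress, leaving on egress."""
    spoke = ipaddress.ip_network(spoke_net)
    probe_ip = ipaddress.ip_address(probe)   # TEST-NET-2 address standing in for "the Internet"
    results = {}

    # 1. The hub's crypto ACL entries are written local -> remote, so Internet-bound
    #    spoke traffic needs an entry whose source covers the probe and whose
    #    destination covers the spoke LAN.
    maps = [m for m, ifc in cfg["map_ifc"].items() if ifc == ingress]
    acl_hit = any(probe_ip in src and spoke.subnet_of(dst)
                  for m in maps
                  for acl in cfg["map_acl"].get(m, [])
                  for src, dst in cfg["acls"].get(acl, []))
    results["crypto_acl_any_to_spoke"] = (
        acl_hit, f"need 'permit ip any {spoke.network_address} {spoke.netmask}' in the crypto ACL on {ingress}")

    # 2. In-and-out on the same interface is only allowed with intra-interface traffic enabled.
    hairpin = ingress == egress
    results["intra_interface"] = (
        cfg["intra"] or not hairpin,
        "same-security-traffic permit intra-interface" if hairpin else "not needed (different interfaces)")

    # 3. Dynamic NAT is selected by the interface the packet *enters*, then paired with
    #    the global pool of the same id on the interface it leaves.
    nat_hit = any(ifc == ingress and spoke.subnet_of(net) and egress in cfg["global"].get(nid, set())
                  for ifc, nid, net in cfg["nat"])
    results["nat_on_ingress"] = (
        nat_hit, f"need 'nat ({ingress}) <id> {spoke.network_address} {spoke.netmask}' with 'global ({egress}) <id>'")
    return results


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Internet spoke: enters and leaves on "internet" (true hairpin).
    # Frame Relay spoke: enters on "frame", leaves on "internet".
    for spoke, ingress, egress in [("192.168.164.0/24", "internet", "internet"),
                                   ("192.168.3.0/24", "frame", "internet")]:
        print(f"\n{spoke} via {ingress} -> {egress}")
        for name, (ok, detail) in check_hairpin(cfg, spoke, ingress, egress).items():
            print(f"  [{'ok' if ok else 'MISSING'}] {name}: {detail}")
```

In the constructed sample the two spokes fail for different reasons: the Internet spoke has NAT and intra-interface but its crypto ACL only covers hub LAN -> spoke, while the Frame Relay spoke has the "any -> spoke" crypto entry but no "nat (frame) ..." rule at all (a "global (frame)" alone translates nothing). Two caveats the checker does not model: a "nat (<ingress>) 0 access-list ..." entry that matches spoke -> any would exempt the traffic from translation, so it would leave with its private source address (or be dropped if "nat-control" is enabled), and on ASA 7.x decrypted IPsec traffic is exempt from the interface ACL unless "sysopt connection permit-ipsec" has been turned off, so the hairpin does not require an inbound "permit ip any any" on the Internet-facing interface; keep that ACL limited to the published statics.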

