Re: [fw-wiz] ASA routing over VPN
- From: Shahin Ansari <zohal52@xxxxxxxxx>
- Date: Tue, 25 Jul 2006 20:11:00 -0700 (PDT)
Craig,
I don't see the command "sysopt connection permit-ipsec" in your configuration. You need this to change the system parameters to allow IPsec traffic. Give it a shot.
Regards-
Sean
--- Craig Van Tassle <craig@xxxxxxxxxxxxx> wrote:
I have an ASA 5510 and it's not routing my VPNs properly. I can get from my VPNs to anywhere on my LAN, but I can't get to the net from my VPNs.

I have 4 VPN tunnels. One over the Internet, and 3 over a Frame Relay network. The Internet one is not working at all. It connects but does not route any traffic. The VPNs on my Frame connect but do not route traffic to the Internet.

I'm at a total loss as to where to go with this.

Attached is my current config (IPs and password have been changed):
asdm image disk0:/asdm505.bin
asdm location x 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif internet
 security-level 50
 ip address x 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif frame
 security-level 100
 ip address 10.11.8.2 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 ip address 192.168.200.1 255.255.255.0
 management-only
!
passwd fYGjIZ.r.8FYvTjF encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_to_inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_to_inside extended permit icmp any any
access-list inside_to_inside extended permit tcp any any
access-list inside_to_inside extended permit udp any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
access-list outside_in extended permit tcp any any
access-list outside_in extended permit udp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
access-list internet_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
pager lines 20
logging enable
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu frame 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (internet) 100 x
global (frame) 100 10.11.8.3
nat (internet) 100 192.168.164.0 255.255.255.0
nat (internet) 100 192.168.4.0 255.255.255.0
nat (internet) 100 192.168.3.0 255.255.255.0
nat (internet) 100 192.168.2.0 255.255.255.0
nat (internet) 100 192.168.1.0 255.255.255.0
nat (internet) 100 192.168.0.0 255.255.0.0
nat (internet) 100 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
nat (inside) 100 access-list inside_to_inside
nat (inside) 100 192.168.4.0 255.255.255.0
nat (inside) 100 192.168.3.0 255.255.255.0
nat (inside) 100 192.168.2.0 255.255.255.0
nat (inside) 100 192.168.1.0 255.255.255.0
static (inside,internet) udp interface 1494 192.168.1.248 1494 netmask 255.255.255.255
static (inside,internet) tcp interface citrix-ica 192.168.1.248 citrix-ica netmask 255.255.255.255
static (inside,internet) tcp interface 3389 192.168.1.248 3389 netmask 255.255.255.255
static (inside,internet) tcp interface ssh 192.168.1.247 ssh netmask 255.255.255.255
static (frame,internet) tcp interface 1387 192.168.167.251 1387 netmask 255.255.255.255
access-group outside_in in interface internet
rip frame default version 2
route internet 192.168.164.0 255.255.255.0 192.168.1.1 1
route internet 0.0.0.0 0.0.0.0 12.34.40.217 1
route frame 192.168.4.0 255.255.255.0 10.11.8.1 1
route frame 192.168.3.0 255.255.255.0 10.11.8.1 1
route frame 192.168.2.0 255.255.255.0 10.11.8.1 1
route frame 10.11.5.0 255.255.255.0 10.11.8.1 1
route frame 10.11.6.0 255.255.255.0 10.11.8.1 1
route frame 10.11.7.0 255.255.255.0 10.11.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  port-forward-name value Application Access
http server enable
http 0.0.0.0 0.0.0.0 internet
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 40 set peer 10.0.166.2
crypto map frame_map 40 set transform-set ESP-3DES-MD5
crypto map frame_map 60 match address frame_cryptomap_60
crypto map frame_map 60 set peer 10.0.165.2
crypto map frame_map 60 set transform-set ESP-3DES-SHA
crypto map frame_map 80 match address frame_cryptomap_80
crypto map frame_map 80 set peer 10.0.167.2
crypto map frame_map 80 set transform-set ESP-AES-256-SHA
crypto map frame_map interface frame
crypto map internet_map 20 match address internet_cryptomap_20
crypto map internet_map 20 set peer 12.34.40.222
crypto map internet_map 20 set transform-set ESP-3DES-MD5
crypto map internet_map interface internet
isakmp identity address
isakmp enable internet
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
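As an added example (not code from the thread or from either poster), the following Python lint applies the check Sean suggests, and the NAT-exemption cross-check that the quoted config's nat 0 access-lists exist for, to an ASA 7.0-style config excerpt. The excerpt is constructed and modelled on the quoted config, with one exemption deliberately omitted; the regexes assume the `access-list NAME extended permit ip SRC MASK DST MASK` form used there and nothing else.

```python
"""Lint an ASA 7.0-style config for two site-to-site IPsec omissions.
(Added example, not code from the thread.)"""
import re
from ipaddress import ip_network

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

# Constructed excerpt modelled on the quoted config (not the real one); the
# 192.168.3.0/24 exemption is deliberately left out so the checker has a hit.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.164.0 255.255.255.0
access-list inside_nat0_inbound_V1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list frame_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list frame_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list internet_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.164.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_inbound_V1 outside
crypto map frame_map 40 match address frame_cryptomap_40
crypto map frame_map 80 match address frame_cryptomap_80
crypto map internet_map 20 match address internet_cryptomap_20
"""

def _net(addr, mask):
    # ASA writes dotted netmasks; ipaddress accepts "addr/netmask" directly.
    return ip_network(f"{addr}/{mask}", strict=False)

def lint(config):
    """Return findings: missing sysopt, and crypto ACL entries not NAT-exempt."""
    lines = [l.strip() for l in config.splitlines()]
    acls, exempt_names, cmaps = {}, [], []
    for line in lines:
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            exempt_names.append(m[1])
        elif m := CMAP_RE.match(line):
            cmaps.append((m[1], m[2], m[3]))
    findings = []
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("missing: sysopt connection permit-ipsec")
    # Every src/dst pair a crypto map would encrypt must also escape NAT;
    # containment (subnet_of) lets one broad exemption cover several tunnels.
    exempt = [pair for name in exempt_names for pair in acls.get(name, [])]
    for cmap, seq, acl in cmaps:
        for src, dst in acls.get(acl, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{cmap} {seq}: {acl} {src} -> {dst} has no nat 0 exemption")
    return findings
```

Run `lint(open("running-config.txt").read())` on a saved `show run` to get the same two classes of finding for a real box; the real config quoted above would also trip the sysopt check.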