Re: [fw-wiz] ASA routing over VPN



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

LOL Yea I know that Telnet should not be enabled. Actually once I get it all
working and routing properly I would like to close down ASDM, telnet and SSH to
anywhere but from the vpn.

Thanks for the advise I will be trying that out.

Horvath, Kevin M. wrote:
I only had time to look at the vpn to internet "hairpinning" scenario. It
looks like you don't have an ip pool assigned to the vpn traffic to be
designated for NATing to the internet. Try implementing ip local pool
"pool_name_here"
"ip_range_here_for_ips_from_over_the_vpn_to_access_the_internet"

Let me know how this works. Cool feature, I wish my pix could do this so I
didn't have to terminate my tunnels on a router and a concentrator.

On a side note watch out for this command "telnet 0.0.0.0 0.0.0.0 internet",
that's not good. You have ssh configured so stick to your guns with it
since at least it is encrypted. Best practice is to not even to open it to
the internet yet just vpn in and then access it via ssh. Ah but who takes
advice from a pen tester anyways ;p


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Craig
Van Tassle
Sent: Tuesday, July 25, 2006 5:12 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA routing over VPN

I have a ASA 5510 and its not routing my vpn's properly. I can get from my
vpn's
to anywhere on my lan.. but I cant get to the net from my vpn's.
I have 4 VPN tunnels. One over the Internet, and 3 over a Frame relay
network.

The Internet one is not working at all.. it connects but does not route any
traffic. The VPN's on my Frame connect but do not route traffic to the
Internet.

I'm at a total loss as where to go with this.


Attacked is my current config (ip's and password have been changed)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEx8nHAOTIJ89W4sIRAl4lAJ9tyE4gjqcMgnIQfnTF8xMrehouIQCfQgNE
VcBQam2NiY8zeDZ7qpT5RpQ=
=kYPP
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards