Pix 6.3 to Pix 7.0 VPN

 
 
paul_tomlin@hotmail.com
02-28-2007
Hi guys, we've got a 506e on 6.3 and a 515 running on v7.0. I've
managed to get the VPN tunnel to create, but the only traffic that
seems to be passing through the tunnel is ICMP pings. I've posted both
configs below; if anyone has any ideas I'd really appreciate some
input, as I'm racking my brains on this and can't find an answer.

Thanks in advance guys

506 Site
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BnAQmAGgoqJkWL51 encrypted
passwd BnAQmAGgoqJkWL51 encrypted
hostname xxxxx
domain-name xxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit icmp any any
access-list out-acl permit tcp any host xx.xx.133.66 eq 3389
access-list out-acl permit tcp any host xx.xx.133.66 eq pptp
access-list out-acl permit gre any host xx.xx.133.66
access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list 110 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.133.66 255.255.255.252
ip address inside 10.45.9.38 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.45.9.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.45.9.9 pptp netmask 255.255.255.255 0 0
access-group out-acl in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.133.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.45.9.12 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 10.45.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer xx.xx.95.227
crypto map newmap 10 set transform-set myset
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.95.227 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
console timeout 0
dhcpd ping_timeout 750
terminal width 80


515 Site
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx.95.227 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.45.10.251 255.255.254.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
access-list out-acl extended permit tcp any any eq ssh
access-list out-acl extended permit icmp any any
access-list out-acl extended permit tcp any host xx.xx.95.228 eq smtp
access-list out-acl extended permit tcp any host xx.xx.95.228 eq pptp
access-list out-acl extended permit gre any host xx.xx.95.228
access-list out-acl extended permit tcp any host xx.xx.95.229 eq https
access-list out-acl extended permit tcp any host xx.xx.95.230 eq ftp
access-list out-acl extended permit tcp any host xx.xx.95.230 eq ftp-data
access-list 100 extended permit ip 10.45.10.0 255.255.254.0 10.45.9.0 255.255.255.0
access-list 110 extended permit ip 10.45.10.0 255.255.254.0 10.45.9.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx.xx.95.228 pptp 10.45.10.30 pptp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.95.228 smtp 10.45.10.30 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.95.229 https 10.45.10.101 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.95.230 ftp 10.45.10.100 ftp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.95.230 ftp-data 10.45.10.100 ftp-data netmask 255.255.255.255
access-group out-acl in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.95.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor websense host 10.45.10.99 timeout 30 protocol TCP version 1 connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 10.45.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 match address 110
crypto map newmap 10 set peer xx.xx.133.66
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
tunnel-group xx.xx.133.66 type ipsec-l2l
tunnel-group xx.xx.133.66 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp

 
Michał Iwaszko
02-28-2007
On 2007-02-28 01:11, wrote:
> Hi guys, we've got a 506e on 6.3 and a 515 running on v7.0. I've
> managed to get the VPN tunnel to create, but the only traffic that
> seems to be passing through the tunnel is ICMP pings. I've posted both
> configs below; if anyone has any ideas I'd really appreciate some
> input, as I'm racking my brains on this and can't find an answer.


Permit this traffic (specified in access lists 100 and 110) in out-acl.


--
Michał Iwaszko
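Michał's reply points at the interface ACL. The 506 config carries "sysopt connection permit-ipsec", so decrypted tunnel traffic bypasses out-acl on that side; the 515 config as posted shows no such line, and its out-acl only permits SSH and ICMP from anywhere, which matches "only pings get through". The following Python is an added example and not code from the thread: it parses the crypto-relevant lines of both configs (constructed excerpts of what was posted, with the redacted-address lines left out), checks that the two crypto ACLs mirror each other, evaluates whether decrypted traffic would pass each side's outside ACL, and derives the out-acl entry Michał's advice implies. It assumes the bypass only counts where the sysopt line is visible in the posted config (on a 7.0 box confirm with "show running-config all"), and its ACL matcher is deliberately simplified: first match wins, port names are compared as written, and NAT exemption (nat 0) is not modelled.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in the thread (lines with
# redacted public addresses left out): only the entries the check needs.
PIX506_CONFIG = """
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit icmp any any
access-list 110 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-group out-acl in interface outside
sysopt connection permit-ipsec
crypto map newmap 10 match address 110
"""

PIX515_CONFIG = """
access-list out-acl extended permit tcp any any eq ssh
access-list out-acl extended permit icmp any any
access-list 110 extended permit ip 10.45.10.0 255.255.254.0 10.45.9.0 255.255.255.0
access-group out-acl in interface outside
crypto map newmap 10 match address 110
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$", re.M)
SYSOPT = "sysopt connection permit-ipsec"


def _endpoint(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Map ACL name -> list of (action, proto, src_net, dst_net, trailing tokens)."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, dst = _endpoint(tokens), _endpoint(tokens)
            acls.setdefault(name, []).append((action, proto, src, dst, tuple(tokens)))
    return acls


def crypto_entries(config):
    """Entries of the ACL referenced by 'crypto map ... match address'."""
    m = CRYPTO_RE.search(config)
    return parse_acls(config).get(m.group(1), []) if m else []


def crypto_acls_mirror(local_cfg, remote_cfg):
    """True when each side's interesting traffic is the exact reverse of the
    other's; a mismatch here typically stops the tunnel from building at all."""
    local = {(p, s, d) for a, p, s, d, _ in crypto_entries(local_cfg) if a == "permit"}
    remote = {(p, d, s) for a, p, s, d, _ in crypto_entries(remote_cfg) if a == "permit"}
    return local == remote


def acl_permits(entries, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation of an interface ACL. Port names are compared as
    written ('ssh', '3389'); no name-to-number resolution is attempted."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, extra in entries:
        if p not in ("ip", proto) or src not in s or dst not in d:
            continue
        if extra[:1] == ("eq",) and str(dport) != extra[1]:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL


def decrypted_traffic_allowed(config, proto, src_ip, dst_ip, dport=None):
    """Can a packet arriving through the tunnel reach the inside network?
    Assumption: the ACL bypass counts only when the sysopt line is visible in
    the config as posted; on a 7.0 box confirm with 'show running-config all'."""
    if any(line.strip() == SYSOPT for line in config.splitlines()):
        return True
    m = GROUP_RE.search(config)
    if not m:
        return False  # nothing bound: lower-to-higher security traffic is denied
    return acl_permits(parse_acls(config).get(m.group(1), []), proto, src_ip, dst_ip, dport)


def outside_permit_lines(config, extended=True):
    """The outside-ACL entries Michał's reply calls for: the local crypto ACL
    reversed, so decrypted remote-to-local traffic is permitted explicitly."""
    m = GROUP_RE.search(config)
    if not m:
        return []
    kw = "extended permit" if extended else "permit"
    return [f"access-list {m.group(1)} {kw} {p} {d.network_address} {d.netmask} "
            f"{s.network_address} {s.netmask}"
            for a, p, s, d, _ in crypto_entries(config) if a == "permit"]


if __name__ == "__main__":
    print("crypto ACLs mirror:", crypto_acls_mirror(PIX506_CONFIG, PIX515_CONFIG))
    for proto, port in (("icmp", None), ("tcp", "3389")):
        print(proto, port, "into the 515:",
              decrypted_traffic_allowed(PIX515_CONFIG, proto, "10.45.9.9", "10.45.10.30", port))
    print("\n".join(outside_permit_lines(PIX515_CONFIG)))
```

Run against the two excerpts, the crypto ACLs mirror correctly (so phase 2 is fine, which is why pings work), ICMP into the 515 is permitted by out-acl while TCP to 3389 is not, and the derived entry is the "permit ip 10.45.9.0/24 to 10.45.10.0/23" line on the 515's out-acl. Whether to add such an entry or to rely on the sysopt bypass is a policy choice: the explicit ACL entry keeps tunnel traffic under the same review as everything else on the outside interface.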
 
paul_tomlin@hotmail.com
02-28-2007
I'd like to permit all traffic between sites regardless of type; what
ACLs would you recommend?

 