Cisco ASA 5500 to Router site to site VPN

 
 
Stephen Reese (Guest), 11-11-2008

I'm trying to set up a site to site VPN between a Cisco 3725 and an
ASA5505. I am able to create a VPN between the ASA5505 and a PIX515,
and between the 3725 router and a 2600 router, so I'm not sure what I'm
missing when it comes to the router/ASA combo. My two configurations
are below...


ASA5500

: Saved
:
ASA Version 7.2(4)
!
hostname bambam
domain-name default.domain.invalid
enable password blah encrypted
passwd blah encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.31.12.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ppoe
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list clientvpn_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set 3DES-SHA
crypto map VPN 10 match address COLO_VPN
crypto map VPN 10 set peer
crypto map VPN 10 set transform-set 3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 66.1.12.3
crypto map outside_map 2 set transform-set 3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 75.12.2.3
crypto map outside_map 3 set transform-set 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!

group-policy VPN-CLIENT internal
group-policy VPN-CLIENT attributes
vpn-tunnel-protocol IPSec
username ashields password eatme encrypted privilege 0
username ashields attributes
vpn-group-policy VPN-CLIENT
tunnel-group COLO type ipsec-l2l
tunnel-group COLO ipsec-attributes
pre-shared-key *
tunnel-group 66.1.12.3 type ipsec-l2l
tunnel-group 66.1.12.3 ipsec-attributes
pre-shared-key *
tunnel-group 75.12.2.3 type ipsec-l2l
tunnel-group 75.12.2.3 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:88fca23d835b8fa6b66ac4a42cbab21a
: end
asdm image disk0:/asdm-524.bin
asdm location 172.31.1.0 255.255.255.0 inside
no asdm history enable






ROUTER


!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!

username rsreese privilege 15 secret 5 test
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key test address 10.0.0.2 no-xauth
crypto isakmp key test address 71.2.1.5 no-xauth
!
crypto isakmp client configuration group VPN-Users
key test
dns 68.87.74.162 68.87.68.162
domain neocipher.net
pool VPN_POOL
acl 115
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
match identity group VPN-Users
client authentication list default
isakmp authorization list default
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
set peer 10.0.0.2
set peer 71.2.1.5
set transform-set ESP-3DES-SHA
match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
no ip unreachables
ip virtual-reassembly
!
interface Tunnel0
description HE.net
no ip address
ipv6 address 2001:470:1F06:3B6::2/64
ipv6 enable
tunnel source 71.2.1.5
tunnel destination 209.51.161.14
tunnel mode ipv6ip
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/0 hostname 3725router
ip access-group 104 in
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
duplex auto
speed auto
crypto map CLIENTMAP
!
interface Serial0/0
description $FW_OUTSIDE$
ip address 10.0.0.1 255.255.240.0
ip access-group 105 in
ip verify unicast reverse-path
no ip unreachables
ip inspect SDM_LOW out
ip virtual-reassembly
clock rate 2000000
crypto map CLIENTMAP
!
interface FastEthernet0/1
no ip address
no ip unreachables
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F07:3B6::/64 eui-64
ipv6 enable
!
interface FastEthernet0/1.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 172.16.3.1 255.255.255.0
ip access-group 102 in
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
no ip address
no ip unreachables
shutdown
clock rate 2000000
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered Loopback0
ip access-group 103 in
no ip unreachables
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
ip route 172.31.12.0 255.255.255.0 71.2.1.5
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny icmp any any echo log
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0
 

Stephen Reese (Guest), 11-11-2008

On Nov 11, 1:23 pm, Artie Lange <(E-Mail Removed)> wrote:
> Stephen Reese wrote:
> > access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0
> > crypto map VPN 10 match address COLO_VPN
>
> One thing I notice is that your crypto map is COLO_VPN but you are using
> nonat for your NAT exclusion where it should be
>
> nat (inside) 0 access-list COLO_VPN
>
> Also looking at your ACLs it appears that your network segments overlap
>
> access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
>
> I can not speak for the router side of things.


The COLO stuff is not relevant, I'm actually in the process of
removing that from the configuration.
 

bod43 (Guest), 11-11-2008

On 11 Nov, 18:36, Stephen Reese <(E-Mail Removed)> wrote:
> On Nov 11, 1:23 pm, Artie Lange <(E-Mail Removed)> wrote:
> > Stephen Reese wrote:
> > > access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
> > > nat (inside) 0 access-list nonat
> > > nat (inside) 1 0.0.0.0 0.0.0.0
> > > crypto map VPN 10 match address COLO_VPN
> >
> > One thing I notice is that your crypto map is COLO_VPN but you are using
> > nonat for your NAT exclusion where it should be
> >
> > nat (inside) 0 access-list COLO_VPN
> >
> > Also looking at your ACLs it appears that your network segments overlap
> >
> > access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
> >
> > I can not speak for the router side of things.
>
> The COLO stuff is not relevant, I'm actually in the process of
> removing that from the configuration.


I have not looked in detail but I have done PIX-router
VPNs with no issues that I can recall, so
it does work without doing anything special.

Most likely a small error somewhere.

Maybe worth checking the timeouts and
looking at a debug.

On the router:
deb crypto isakmp
deb cry ipsec

PIX similar.
You also need to arrange to view the debugs.
 

Stephen Reese (Guest), 11-11-2008

> I have not looked in detail but I have done pix-router
> VPNs with no issues that I can recall so
> it does work without doing anything special.
>
> Most likely a small error somewhere.
>
> maybe worth checking the timeouts and
> looking at a debug.
>
> on router
> deb crypto isakmp
> deb cry ipsec
>
> Pix similar.
> You also need to arrange to view the debugs.


When I try to initiate a connection from the ASA side the tunnel seems
to come up but I'm still unable to pass any traffic through. The
router side does not seem to initiate a connection.

# sh crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during
rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x.
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

#sh crypto isakmp sa
dst src state conn-id slot status
x.x.x.x x.x.x.x QM_IDLE 1 0 ACTIVE



 

Stephen Reese (Guest), 11-12-2008

On Nov 11, 6:50 pm, Stephen Reese <(E-Mail Removed)> wrote:
> > I have not looked in detail but I have done pix-router
> > VPNs with no issues that I can recall so
> > it does work without doing anything special.
> >
> > Most likely a small error somewhere.
> >
> > maybe worth checking the timeouts and
> > looking at a debug.
> >
> > on router
> > deb crypto isakmp
> > deb cry ipsec
> >
> > Pix similar.
> > You also need to arrange to view the debugs.

I'm assuming since the ASA side can initiate the connection that there
is a problem with the router side of things?
 

Brian V (Guest), 11-12-2008


"Stephen Reese" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> On Nov 11, 6:50 pm, Stephen Reese <(E-Mail Removed)> wrote:
> > > I have not looked in detail but I have done pix-router
> > > VPNs with no issues that I can recall so
> > > it does work without doing anything special.
> > >
> > > Most likely a small error somewhere.
> > >
> > > maybe worth checking the timeouts and
> > > looking at a debug.
> > >
> > > on router
> > > deb crypto isakmp
> > > deb cry ipsec
> > >
> > > Pix similar.
> > > You also need to arrange to view the debugs.

I didn't see the original configs but a lot of people tend to forget to put
the denies to the remote subnets into a router's NAT ACL.


 

Jay (Guest), 11-12-2008

Check pfs group, encryption domain.

 

Stephen Reese (Guest), 11-13-2008

> I didn't see the original configs but a lot of people tend to forget to put
> the denies to the remote subnets in to a routers NAT ACL.


I believe I have added the correct deny statements for NAT:

ip nat inside source list 150 interface FastEthernet0/0 overload

access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any

172.31.12.0 being the remote site I would like to let into the network.
 

Stephen Reese (Guest), 11-13-2008

> I believe I have added the correct deny statements for NAT
>
> ip nat inside source list 150 interface FastEthernet0/0 overload
>
> access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
> access-list 150 permit ip 172.16.2.0 0.0.0.255 any
> access-list 150 permit ip 172.16.3.0 0.0.0.255 any
>
> 172.31.12.0 being the remote site I would like to let into the network.


Do I need to do something similar to this for the ASA?
 

Brian V (Guest), 11-13-2008


"Stephen Reese" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> I believe I have added the correct deny statements for NAT
>
> ip nat inside source list 150 interface FastEthernet0/0 overload
>
> access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
> access-list 150 permit ip 172.16.2.0 0.0.0.255 any
> access-list 150 permit ip 172.16.3.0 0.0.0.255 any
>
> 172.31.12.0 being the remote site I would like to let into the network.
>
> Do I need to do something similar to this for the ASA?

Absolutely, the exact opposite: it should be a nat 0 list of the local to the
remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate on
the ASA after adding it to clear the active translation table.
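The two NAT points raised in this thread (a deny for the crypto-interesting traffic in the router's NAT ACL, and a matching nat 0 exemption on the ASA), together with the usual check that the crypto ACLs on the two peers mirror each other, can be verified offline before touching either box. The Python checker below is an added example, not code from this thread or from Cisco. It parses the plain `ip` entries of IOS-style ACLs (wildcard masks) and ASA-style ACLs (netmasks) and replays first-match semantics for each crypto-interesting flow. The sample ACLs are copied from the posts above (router ACL 1 as the original NAT list, ACL 150 as the corrected one, ACL 100, and the ASA's nonat and outside_N_cryptomap lists, nonat abridged); the function and constant names are this example's own, not device commands.

```python
# Added example (not code from this thread or from Cisco): an offline check that the crypto-
# interesting traffic is exempt from NAT on both sides and that the crypto ACLs mirror each other.
import ipaddress
from collections import namedtuple
Ace = namedtuple("Ace", "action src dst")   # action: "permit"/"deny"; src/dst: IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

def _prefixlen(mask, wildcard):
    """Prefix length of a netmask (ASA) or of an IOS wildcard mask (inverted netmask)."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits = ~bits & 0xFFFFFFFF
    host = ~bits & 0xFFFFFFFF
    if host & (host + 1):                     # host bits must be one contiguous run of ones
        raise ValueError(f"non-contiguous mask {mask}")
    return bin(bits).count("1")

def _take_addr(tok, i, wildcard):
    """Consume one address spec at tok[i] ('any' | 'host A' | 'A MASK'); return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    plen = _prefixlen(tok[i + 1], wildcard)
    return ipaddress.ip_network(f"{tok[i]}/{plen}", strict=False), i + 2

def parse_acl(text, style):
    """Parse the 'ip' entries of access-list lines; style is 'ios' (wildcards) or 'asa' (netmasks)."""
    wildcard = style == "ios"
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        i = next((k for k, t in enumerate(tok) if t in ("permit", "deny")), None)
        if i is None or i + 1 >= len(tok):
            continue
        if tok[i + 1] == "ip":                                          # extended: ip SRC DST
            src, j = _take_addr(tok, i + 2, wildcard)
            dst, _ = _take_addr(tok, j, wildcard)
        elif tok[i + 1] in ("any", "host") or tok[i + 1][0].isdigit():   # IOS standard: SRC only
            src, _ = _take_addr(tok, i + 1, wildcard)
            dst = ANY
        else:                                                           # tcp/udp/esp/...: not needed here
            continue
        entries.append(Ace(tok[i], src, dst))
    return entries

def first_match(acl, src, dst):
    """First entry overlapping the src/dst pair -> (entry, fully_covered); (None, False) = implicit deny."""
    for e in acl:
        if e.src.overlaps(src) and e.dst.overlaps(dst):
            return e, src.subnet_of(e.src) and dst.subnet_of(e.dst)
    return None, False

def check_nat_exemption(crypto_acl, nat_acl, exempt_action):
    """Verdict per crypto-interesting flow. exempt_action is 'deny' for an IOS 'ip nat inside source
    list' ACL (deny = untranslated) and 'permit' for an ASA 'nat (inside) 0 access-list' ACL."""
    report = {}
    for c in crypto_acl:
        if c.action != "permit":
            continue
        e, covered = first_match(nat_acl, c.src, c.dst)
        if e is None:                          # implicit deny: untranslated on IOS, not exempt on ASA
            verdict = "exempt" if exempt_action == "deny" else "not-exempt"
        elif e.action != exempt_action:
            verdict = "not-exempt"
        else:
            verdict = "exempt" if covered else "partially-exempt"
        report[f"{c.src} -> {c.dst}"] = verdict
    return report

def unmirrored(local_acl, remote_acl):
    """Permit entries of local_acl with no src/dst-swapped counterpart in remote_acl."""
    remote = {(e.dst, e.src) for e in remote_acl if e.action == "permit"}
    return [f"{e.src} -> {e.dst}" for e in local_acl if e.action == "permit" and (e.src, e.dst) not in remote]

# Sample input copied from the posts: router ACL 1 (original NAT list), ACL 150 (with the deny),
# ACL 100 (crypto ACL); ASA nonat (abridged to three entries) and the two outside_N_cryptomap ACLs.
ROUTER_NAT_ACL_ORIGINAL = """access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255"""
ROUTER_NAT_ACL_FIXED = """access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any"""
ROUTER_CRYPTO_ACL = "access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255"
ASA_NONAT = """access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240"""
ASA_CRYPTO_ACLS = """access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0"""

def audit():
    """Run every check against the sample ACLs and return the verdicts keyed by check name."""
    router_crypto, asa_crypto = parse_acl(ROUTER_CRYPTO_ACL, "ios"), parse_acl(ASA_CRYPTO_ACLS, "asa")
    return {
        "router nat acl 1 (original)": check_nat_exemption(router_crypto, parse_acl(ROUTER_NAT_ACL_ORIGINAL, "ios"), "deny"),
        "router nat acl 150 (with deny)": check_nat_exemption(router_crypto, parse_acl(ROUTER_NAT_ACL_FIXED, "ios"), "deny"),
        "asa nat 0 nonat": check_nat_exemption(asa_crypto, parse_acl(ASA_NONAT, "asa"), "permit"),
        "asa crypto entries with no mirror in router acl 100": unmirrored(asa_crypto, router_crypto),
    }

if __name__ == "__main__":
    print(audit())
```

Run as a script and it reports that the original NAT ACL 1 would translate the 172.16.2.0/24 to 172.31.12.0/24 flow ("not-exempt"), that ACL 150 leaves it alone ("exempt"), that the ASA's nonat already exempts the reverse flow, and that the ASA's outside_2_cryptomap entry has no mirror in ACL 100 (expected: that entry belongs to the 66.1.12.3 peer, not to the 3725). Two limits to keep in mind: the checker knows nothing about routing, so a flow that never leaves an `ip nat outside` interface is not translated regardless of the verdict, and "partially-exempt" means a NAT entry narrower than the crypto entry matched first, which is exactly the kind of small error the thread is hunting for.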

 