Cisco ASA 5500 to Router site to site VPN

Discussion in 'Cisco' started by Stephen Reese, Nov 11, 2008.

  1. I'm trying to set up a site to site VPN between a Cisco 3725 and an
    ASA5505. I am able to create a VPN between the ASA5505 and a PIX515,
    and between the 3725 router and a 2600 router, so I'm not sure what
    I'm missing when it comes to the router/ASA combo. My two
    configurations are below...


    ASA5500

    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname bambam
    domain-name default.domain.invalid
    enable password blah encrypted
    passwd blah encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.31.12.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ppoe
    ip address pppoe setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
    access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
    access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
    access-list clientvpn_splitTunnelAcl standard permit any
    access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set 3DES-SHA
    crypto map VPN 10 match address COLO_VPN
    crypto map VPN 10 set peer
    crypto map VPN 10 set transform-set 3DES-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs group1
    crypto map outside_map 2 set peer 66.1.12.3
    crypto map outside_map 2 set transform-set 3DES-SHA
    crypto map outside_map 3 match address outside_3_cryptomap
    crypto map outside_map 3 set pfs group1
    crypto map outside_map 3 set peer 75.12.2.3
    crypto map outside_map 3 set transform-set 3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    !

    group-policy VPN-CLIENT internal
    group-policy VPN-CLIENT attributes
    vpn-tunnel-protocol IPSec
    username ashields password eatme encrypted privilege 0
    username ashields attributes
    vpn-group-policy VPN-CLIENT
    tunnel-group COLO type ipsec-l2l
    tunnel-group COLO ipsec-attributes
    pre-shared-key *
    tunnel-group 66.1.12.3 type ipsec-l2l
    tunnel-group 66.1.12.3 ipsec-attributes
    pre-shared-key *
    tunnel-group 75.12.2.3 type ipsec-l2l
    tunnel-group 75.12.2.3 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:88fca23d835b8fa6b66ac4a42cbab21a
    : end
    asdm image disk0:/asdm-524.bin
    asdm location 172.31.1.0 255.255.255.0 inside
    no asdm history enable






    ROUTER


    !
    ip domain name neocipher.net
    ip name-server 68.87.74.162
    ip name-server 68.87.68.162
    ip inspect udp idle-time 900
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW esmtp
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip ips sdf location flash://256MB.sdf
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    vpdn enable
    !

    username rsreese privilege 15 secret 5 test
    !
    !
    ip ssh authentication-retries 2
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    authentication pre-share
    crypto isakmp key test address 10.0.0.2 no-xauth
    crypto isakmp key test address 71.2.1.5 no-xauth
    !
    crypto isakmp client configuration group VPN-Users
    key test
    dns 68.87.74.162 68.87.68.162
    domain neocipher.net
    pool VPN_POOL
    acl 115
    include-local-lan
    netmask 255.255.255.0
    crypto isakmp profile IKE-PROFILE
    match identity group VPN-Users
    client authentication list default
    isakmp authorization list default
    client configuration address initiate
    client configuration address respond
    virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode transport
    !
    crypto ipsec profile IPSEC_PROFILE1
    set transform-set ESP-3DES-SHA
    set isakmp-profile IKE-PROFILE
    !
    !
    crypto dynamic-map DYNMAP 10
    set transform-set ESP-3DES-SHA
    !
    !
    crypto map CLIENTMAP client authentication list default
    crypto map CLIENTMAP isakmp authorization list default
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 1 ipsec-isakmp
    set peer 10.0.0.2
    set peer 71.2.1.5
    set transform-set ESP-3DES-SHA
    match address 100
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    !
    !
    !
    !
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    no ip unreachables
    ip virtual-reassembly
    !
    interface Tunnel0
    description HE.net
    no ip address
    ipv6 address 2001:470:1F06:3B6::2/64
    ipv6 enable
    tunnel source 71.2.1.5
    tunnel destination 209.51.161.14
    tunnel mode ipv6ip
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0/0
    description $ETH-WAN$$FW_OUTSIDE$
    ip address dhcp client-id FastEthernet0/0 hostname 3725router
    ip access-group 104 in
    no ip unreachables
    ip nat outside
    ip inspect SDM_LOW out
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map CLIENTMAP
    !
    interface Serial0/0
    description $FW_OUTSIDE$
    ip address 10.0.0.1 255.255.240.0
    ip access-group 105 in
    ip verify unicast reverse-path
    no ip unreachables
    ip inspect SDM_LOW out
    ip virtual-reassembly
    clock rate 2000000
    crypto map CLIENTMAP
    !
    interface FastEthernet0/1
    no ip address
    no ip unreachables
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.2
    description $FW_INSIDE$
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip access-group 101 in
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ipv6 address 2001:470:1F07:3B6::/64 eui-64
    ipv6 enable
    !
    interface FastEthernet0/1.3
    description $FW_INSIDE$
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip access-group 102 in
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    !
    interface FastEthernet0/1.10
    !
    interface Serial0/1
    no ip address
    no ip unreachables
    shutdown
    clock rate 2000000
    !
    interface Virtual-Template1 type tunnel
    description $FW_INSIDE$
    ip unnumbered Loopback0
    ip access-group 103 in
    no ip unreachables
    ip virtual-reassembly
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile IPSEC_PROFILE1
    !
    ip local pool VPN_POOL 192.168.0.100 192.168.0.105
    ip forward-protocol nd
    ip route 172.16.10.0 255.255.255.0 10.0.0.2
    ip route 172.31.12.0 255.255.255.0 71.2.1.5
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat translation udp-timeout 900
    ip nat inside source list 1 interface FastEthernet0/0 overload
    !
    logging trap debugging
    logging origin-id hostname
    logging 172.16.2.5
    access-list 1 permit 172.16.2.0 0.0.0.255
    access-list 1 permit 172.16.3.0 0.0.0.255
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ahp any host 172.16.2.1
    access-list 101 permit esp any host 172.16.2.1
    access-list 101 permit udp any host 172.16.2.1 eq isakmp
    access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
    access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny tcp any any range 1 chargen log
    access-list 101 deny tcp any any eq whois log
    access-list 101 deny tcp any any eq 93 log
    access-list 101 deny tcp any any range 135 139 log
    access-list 101 deny tcp any any eq 445 log
    access-list 101 deny tcp any any range exec 518 log
    access-list 101 deny tcp any any eq uucp log
    access-list 101 permit ip any any
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 102 deny ip host 255.255.255.255 any log
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 102 permit ip any any
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 deny ip 172.16.2.0 0.0.0.255 any
    access-list 103 deny ip 10.0.0.0 0.0.15.255 any
    access-list 103 deny ip 172.16.3.0 0.0.0.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 permit ip any any
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit udp host 205.152.132.23 eq domain any
    access-list 104 permit udp host 205.152.144.23 eq domain any
    access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
    access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
    access-list 104 permit ahp any any
    access-list 104 permit esp any any
    access-list 104 permit udp any any eq isakmp
    access-list 104 permit udp any any eq non500-isakmp
    access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 104 permit udp any eq bootps any eq bootpc
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any unreachable
    access-list 104 deny icmp any any echo log
    access-list 104 deny icmp any any mask-request log
    access-list 104 deny icmp any any redirect log
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
    access-list 104 deny ip host 255.255.255.255 any log
    access-list 104 deny tcp any any range 6000 6063 log
    access-list 104 deny tcp any any eq 6667 log
    access-list 104 deny tcp any any range 12345 12346 log
    access-list 104 deny tcp any any eq 31337 log
    access-list 104 deny udp any any eq 2049 log
    access-list 104 deny udp any any eq 31337 log
    access-list 104 deny udp any any range 33400 34400 log
    access-list 104 deny ip any any log
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
    access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
    access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
    access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
    access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
    access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
    access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
    access-list 105 deny ip 172.16.2.0 0.0.0.255 any
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    access-list 105 deny ip 172.16.3.0 0.0.0.255 any
    access-list 105 permit icmp any host 10.0.0.1 echo-reply
    access-list 105 permit icmp any host 10.0.0.1 time-exceeded
    access-list 105 permit icmp any host 10.0.0.1 unreachable
    access-list 105 deny ip 10.0.0.0 0.255.255.255 any
    access-list 105 deny ip 172.16.0.0 0.15.255.255 any
    access-list 105 deny ip 192.168.0.0 0.0.255.255 any
    access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    access-list 105 deny ip host 255.255.255.255 any
    access-list 105 deny ip host 0.0.0.0 any
    access-list 105 deny ip any any log
    access-list 115 permit ip 172.16.0.0 0.0.255.255 any
    access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    snmp-server community public RO
    ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
    ipv6 route ::/0 Tunnel0
     
    Stephen Reese, Nov 11, 2008
    #1

  2. On Nov 11, 1:23 pm, Artie Lange <> wrote:
    > Stephen Reese wrote:
    > > access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0
    > > 172.31.0.0 255.255.0.0
    > > nat (inside) 0 access-list nonat
    > > nat (inside) 1 0.0.0.0 0.0.0.0
    > > crypto map VPN 10 match address COLO_VPN

    >
    > One thing I notice is that your crypto map is COLO_VPN but you are using
    > nonat for your NAT exclusion where it should be
    >
    > nat (inside) 0 access-list COLO_VPN
    >
    > Also looking at your ACL's it appears that your network segments overlap
    >
    > access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0
    > 255.255.0.0
    >
    > I can not speak for the router side of things.


    The COLO stuff is not relevant, I'm actually in the process of
    removing that from the configuration.
     
    Stephen Reese, Nov 11, 2008
    #2

  3. Stephen Reese

    bod43 Guest

    On 11 Nov, 18:36, Stephen Reese <> wrote:
    > On Nov 11, 1:23 pm, Artie Lange <> wrote:
    > > Stephen Reese wrote:
    > > > access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0
    > > > 172.31.0.0 255.255.0.0
    > > > nat (inside) 0 access-list nonat
    > > > nat (inside) 1 0.0.0.0 0.0.0.0
    > > > crypto map VPN 10 match address COLO_VPN

    >
    > > One thing I notice is that your crypto map is COLO_VPN but you are using
    > > nonat for your NAT exclusion where it should be

    >
    > > nat (inside) 0 access-list COLO_VPN

    >
    > > Also looking at your ACL's it appears that your network segments overlap

    >
    > > access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0
    > > 255.255.0.0

    >
    > > I can not speak for the router side of things.

    >
    > The COLO stuff is not relevant, I'm actually in the process of
    > removing that from the configuration.


    I have not looked in detail but I have done pix-router
    VPNs with no issues that I can recall so
    it does work without doing anything special.

    Most likely a small error somewhere.

    maybe worth checking the timeouts and
    looking at a debug.

    on router
    deb crypto isakmp
    deb cry ipsec

    Pix similar.
    You also need to arrange to view the debugs.
     
    bod43, Nov 11, 2008
    #3
  4. > I have not looked in detail but I have done pix-router
    > VPNs with no issues that I can recall so
    > it does work without doing anything special.
    >
    > Most likely a small error somewhere.
    >
    > maybe worth checking the timeouts and
    > looking at a debug.
    >
    > on router
    > deb crypto isakmp
    > deb cry ipsec
    >
    > Pix similar.
    > You also need to arrange to view the debugs.


    When I try to initiate a connection from the ASA side the tunnel seems
    to come up but I'm still unable to pass any traffic through. The
    router side does not seem to initiate a connection.

    # sh crypto isakmp sa

    Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during
    rekey)
    Total IKE SA: 2

    1 IKE Peer: x.x.x.x.
    Type : user Role : responder
    Rekey : no State : AM_ACTIVE
    2 IKE Peer: x.x.x.x
    Type : L2L Role : initiator
    Rekey : no State : MM_ACTIVE

    #sh crypto isakmp sa
    dst src state conn-id slot status
    x.x.x.x x.x.x.x QM_IDLE 1 0 ACTIVE
     
    Stephen Reese, Nov 11, 2008
    #4
  5. On Nov 11, 6:50 pm, Stephen Reese <> wrote:
    > > I have not looked in detail but I have done pix-router
    > > VPNs with no issues that I can recall so
    > > it does work without doing anything special.

    >
    > > Most likely a small error somewhere.

    >
    > > maybe worth checking the timeouts and
    > > looking at a debug.

    >
    > > on router
    > > deb crypto isakmp
    > > deb cry ipsec

    >
    > > Pix similar.
    > > You also need to arrange to view the debugs.

    >


    I'm assuming since the ASA side can initiate the connection that there
    is a problem with the router side of things?
     
    Stephen Reese, Nov 12, 2008
    #5
  6. Stephen Reese

    Brian V Guest

    "Stephen Reese" <> wrote in message
    news:...
    On Nov 11, 6:50 pm, Stephen Reese <> wrote:
    > > I have not looked in detail but I have done pix-router
    > > VPNs with no issues that I can recall so
    > > it does work without doing anything special.

    >
    > > Most likely a small error somewhere.

    >
    > > maybe worth checking the timeouts and
    > > looking at a debug.

    >
    > > on router
    > > deb crypto isakmp
    > > deb cry ipsec

    >
    > > Pix similar.
    > > You also need to arrange to view the debugs.

    >


    I didn't see the original configs but a lot of people tend to forget to put
    the denies to the remote subnets into a router's NAT ACL.
     
    Brian V, Nov 12, 2008
    #6
  7. Stephen Reese

    Jay Guest

    Check pfs group, encryption domain.
     
    Jay, Nov 12, 2008
    #7
  8. > I didn't see the original configs but a lot of people tend to forget to put
    > the denies to the remote subnets into a router's NAT ACL.


    I believe I have added the correct deny statements for NAT

    ip nat inside source list 150 interface FastEthernet0/0 overload

    access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 150 permit ip 172.16.2.0 0.0.0.255 any
    access-list 150 permit ip 172.16.3.0 0.0.0.255 any

    172.31.12.0 being the remote site I would like to let into the network.
     
    Stephen Reese, Nov 13, 2008
    #8
  9. > I believe I have added the correct deny statements for NAT
    >
    > ip nat inside source list 150 interface FastEthernet0/0 overload
    >
    > access-list 150 deny   ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    > access-list 150 permit ip 172.16.2.0 0.0.0.255 any
    > access-list 150 permit ip 172.16.3.0 0.0.0.255 any
    >
    > 172.31.12.0 being the remote site I would like to let into the network.


    Do I need to do something similar to this for the ASA?
     
    Stephen Reese, Nov 13, 2008
    #9
  10. Stephen Reese

    Brian V Guest

    "Stephen Reese" <> wrote in message
    news:...
    > I believe I have added the correct deny statements for NAT
    >
    > ip nat inside source list 150 interface FastEthernet0/0 overload
    >
    > access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    > access-list 150 permit ip 172.16.2.0 0.0.0.255 any
    > access-list 150 permit ip 172.16.3.0 0.0.0.255 any
    >
    > 172.31.12.0 being the remote site I would like to let into the network.


    Do I need to do something similar to this for the ASA?

    Absolutely, the exact opposite: it should be a nat 0 list of the local to the
    remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate on
    the ASA after adding it to clear the active translation table.
     
    Brian V, Nov 13, 2008
    #10
  11. > Absolutely, the exact opposite: it should be a nat 0 list of the local to the
    > remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate on
    > the ASA after adding it to clear the active  translation table


    I'm reluctant to touch anything at this point because I added 'set
    pfs group1' to 'crypto map CLIENTMAP 1 ipsec-isakmp' and everything
    started working like clockwork. Then I made a change and poof, it
    stopped working :-(. Should the deny statement fall somewhere in here?
    Do I need it? I believe I made it work without it. It was
    something I changed on the router, not the ASA...

    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0

    access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
    access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
    access-list nonat extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list VPNUSERS_splitTunnelAcl standard permit 172.31.12.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list VPNUSERS_splitTunnelAcl_1 standard permit 172.31.12.0 255.255.255.0
     
    Stephen Reese, Nov 13, 2008
    #11
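
Jay's suggestion in post 7 to check the PFS group and encryption domain, and the fix reported in post 11 (adding `set pfs group1` to `crypto map CLIENTMAP 1`), can be checked mechanically against the two configurations. The Python script below is an added example, not code from the thread or from Cisco: it parses the ISAKMP policies, transform sets and crypto map entries from both configs as posted, fills in the IOS defaults for attributes the router's policies leave unstated (DES, SHA, RSA signatures, group 1, 86400 s), lists the phase 1 policy pairs that agree, and compares transform-set contents and PFS group for the two crypto map entries that face each other. The config fragments are constructed samples copied from posts 1, 11 and 14; the function names are this example's own, and the rule that both entries must carry the same PFS group is this example's conservative check, not a description of how either platform treats a one-sided PFS proposal.

```python
"""IKE phase 1 and IPsec phase 2 proposal comparison for an IOS router and an ASA.
Added example for this thread (not the poster's or Cisco's code); the config
fragments are constructed samples copied from the thread, the function names
are this example's own."""
import re

# What IOS assumes for anything a 'crypto isakmp policy' block leaves unstated.
IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}
ISAKMP_ATTRS = ("encr", "hash", "authentication", "group", "lifetime")


def parse_isakmp_policies(config, defaults=None):
    """{priority: {attr: value}} per 'crypto isakmp policy N' block; the ASA keyword
    'encryption' is normalised to IOS 'encr' so the two sides compare directly."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(defaults or {})
        elif current is not None:
            key, _, value = line.partition(" ")
            key = "encr" if key == "encryption" else key
            if key in ISAKMP_ATTRS:
                policies[current][key] = value
            else:                      # blank line, '!' or another command ends the block
                current = None
    return policies


def phase1_matches(router, asa):
    """(router_priority, asa_priority) pairs whose encryption, hash, authentication and
    DH group agree. Lifetime is not compared: the peers settle on the shorter one."""
    keys = ("encr", "hash", "authentication", "group")
    return [(r, a) for r, rp in sorted(router.items()) for a, ap in sorted(asa.items())
            if all(rp.get(k) == ap.get(k) for k in keys)]


def parse_transform_sets(config):
    """{name: frozenset of transforms} from 'crypto ipsec transform-set NAME ...' lines."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config)}


def _apply_set(entry, text):
    parts = text.split()
    if parts[:2] == ["set", "pfs"]:
        entry["pfs"] = parts[2] if len(parts) > 2 else "group1"  # bare 'set pfs' is group1 on IOS
    elif parts[:2] == ["set", "transform-set"]:
        entry["transform-set"] = parts[2]


def parse_crypto_map_entry(config, map_name, seq):
    """{'pfs', 'transform-set'} for one crypto map sequence number, from either the ASA
    one-line form ('crypto map M N set pfs group1') or the IOS block form
    ('crypto map M N ipsec-isakmp' followed by indented 'set ...' / 'match ...' lines)."""
    entry, in_block = {"pfs": None, "transform-set": None}, False
    head = f"crypto map {map_name} {seq} "
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(head):
            rest = line[len(head):]
            in_block = rest.startswith("ipsec-isakmp")
            if not in_block:
                _apply_set(entry, rest)
        elif in_block and line.startswith("set "):
            _apply_set(entry, line)
        elif in_block and not line.startswith("match "):
            in_block = False
    return entry


def phase2_problems(router_cfg, router_map, router_seq, asa_cfg, asa_map, asa_seq):
    """Compare transform-set contents and PFS group for one crypto map entry per side.
    Any PFS difference is reported (conservative rule: the two entries should agree)."""
    r = parse_crypto_map_entry(router_cfg, router_map, router_seq)
    a = parse_crypto_map_entry(asa_cfg, asa_map, asa_seq)
    r_ts = parse_transform_sets(router_cfg)[r["transform-set"]]
    a_ts = parse_transform_sets(asa_cfg)[a["transform-set"]]
    problems = []
    if r_ts != a_ts:
        problems.append(f"transform mismatch: router {sorted(r_ts)} vs ASA {sorted(a_ts)}")
    if r["pfs"] != a["pfs"]:
        problems.append(f"pfs mismatch: router {r['pfs']} vs ASA {a['pfs']}")
    return problems


# Router crypto lines as first posted (post 1); ' mode transport' kept as posted.
ROUTER_BEFORE = """
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 authentication pre-share
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto map CLIENTMAP 1 ipsec-isakmp
 set peer 71.2.1.5
 set transform-set ESP-3DES-SHA
 match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
"""
# The same entry after the change post 11 reports as the fix (config in post 14).
ROUTER_AFTER = ROUTER_BEFORE.replace(" match address 100", " set pfs group1\n match address 100")

# ASA lines from post 1 for the crypto map entry whose peer is the router.
ASA_CFG = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 75.12.2.3
crypto map outside_map 3 set transform-set 3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

if __name__ == "__main__":
    router = parse_isakmp_policies(ROUTER_BEFORE, IOS_ISAKMP_DEFAULTS)
    print("phase 1 agreeing policies:", phase1_matches(router, parse_isakmp_policies(ASA_CFG)))
    for label, cfg in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(label, phase2_problems(cfg, "CLIENTMAP", 1, ASA_CFG, "outside_map", 3))
```

Running it shows router policy 3 and ASA policy 10 agreeing for phase 1 (router policy 10 is DES and group 1 once the IOS defaults are applied, so it matches nothing on the ASA), a phase 2 PFS mismatch for the router entry as first posted, and no phase 2 problem once `set pfs group1` is present.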
  12. Stephen Reese

    Brian V Guest

    "Stephen Reese" <> wrote in message
    news:...
    > Absolutely, the exact opposite: it should be a nat 0 list of the local to the
    > remote, 172.31.12.0/24 to 172.16.2.0/24. You'll need to do a clear xlate
    > on
    > the ASA after adding it to clear the active translation table


    I'm reluctant to touch anything at this point because I added 'set
    pfs group1' to 'crypto map CLIENTMAP 1 ipsec-isakmp' and everything
    started working like clockwork. Then I made a change and poof, it
    stopped working :-(. Should the deny statement fall somewhere in here?
    Do I need it? I believe I made it work without it. It was
    something I changed on the router, not the ASA...

    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0

    access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
    access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
    access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
    access-list nonat extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list VPNUSERS_splitTunnelAcl standard permit 172.31.12.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
    access-list VPNUSERS_splitTunnelAcl_1 standard permit 172.31.12.0 255.255.255.0

    The ASA doesn't use a deny in the NAT 0, it uses a permit. You have it in
    there already, nonat list looks right to me.
     
    Brian V, Nov 13, 2008
    #12
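
Brian V's two NAT points (post 6: the router's NAT ACL needs deny lines for the remote subnet; post 12: the ASA's nat 0 ACL uses permit lines) and Jay's "encryption domain" reminder in post 7 are the standard checks for a tunnel that negotiates but passes no traffic. The Python script below is an added example, not code from the thread or from Cisco, that applies those checks to ACL lines copied from the thread: it parses IOS wildcard-mask and ASA netmask entries into `ipaddress` networks (the module accepts a hostmask as well as a netmask), confirms each crypto ACL entry is mirrored on the peer and has a local source, walks the IOS NAT ACL first-match to see whether the VPN flow would be translated, and checks that an ASA nonat permit covers the flow. Over the thread's own lines it passes the post-1 `outside_3_cryptomap` entry, flags the original router NAT ACL 1 (which has no deny) while passing ACL 150 from post 8, and flags the `outside_2_cryptomap` entry as listed in post 11, whose source is the router's subnet rather than the ASA's inside subnet. The sample ACL text and the function names are this example's own constructions.

```python
"""Consistency checks for the ACLs a site-to-site IPsec tunnel depends on: the crypto ACL
(encryption domain) on each side and the NAT rule that must exempt that traffic.
Added example for this thread (not the poster's or Cisco's code); the ACL lines below
are constructed samples copied from the thread, the function names are this example's own."""
import re
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
# Extended 'ip' entries on IOS and ASA, plus IOS standard (source-only) entries.
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(?:ip\s+)?(.+)")

def _operand(tokens, ios):
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'. IOS masks are
    wildcards and ASA masks are netmasks; ipaddress accepts either, but an all-zero wildcard
    would be read as a /0 netmask, so that case is handled explicitly."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if ios and mask == "0.0.0.0":
        return ip_network(tok + "/32")
    return ip_network(f"{tok}/{mask}", strict=False)

def parse_acl(config, name, ios):
    """[(action, src_net, dst_net), ...] for the named ACL, in configuration order."""
    entries = []
    for m in ACL_RE.finditer(config):
        if m.group(1) != name:
            continue
        tokens = m.group(3).split()
        src = _operand(tokens, ios)
        dst = _operand(tokens, ios) if tokens else ANY      # standard ACL: any destination
        entries.append((m.group(2), src, dst))
    return entries

def mirror_problems(local_acl, peer_acl):
    """Every permitted src -> dst here must appear on the peer as dst -> src."""
    peer_flows = {(s, d) for a, s, d in peer_acl if a == "permit"}
    return [f"{s} -> {d}: peer has no mirrored entry {d} -> {s}"
            for a, s, d in local_acl if a == "permit" and (d, s) not in peer_flows]

def encryption_domain_problems(crypto_acl, local_nets):
    """The source of every crypto ACL entry must lie inside this device's own network(s)."""
    return [f"{s} -> {d}: source is not a local network"
            for a, s, d in crypto_acl
            if a == "permit" and not any(s.subnet_of(n) for n in local_nets)]

def ios_nat_problems(crypto_acl, nat_acl):
    """IOS NAT ACLs are first-match: a VPN flow must hit a deny (or nothing) before a permit."""
    problems = []
    for a, s, d in crypto_acl:
        if a != "permit":
            continue
        for action, ns, nd in nat_acl:
            if s.overlaps(ns) and d.overlaps(nd):
                if action == "permit":
                    problems.append(f"{s} -> {d}: first NAT match is 'permit {ns} {nd}', "
                                    "flow would be translated")
                break
    return problems

def asa_nat_problems(crypto_acl, nonat_acl):
    """ASA 'nat (inside) 0 access-list' exempts what its ACL permits: each flow must be covered."""
    return [f"{s} -> {d}: no nat 0 permit covers this flow"
            for a, s, d in crypto_acl if a == "permit"
            and not any(na == "permit" and s.subnet_of(ns) and d.subnet_of(nd)
                        for na, ns, nd in nonat_acl)]

# Router: NAT ACL 1 and crypto ACL 100 from post 1, NAT ACL 150 from post 8.
ROUTER_CFG = """
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
"""
# ASA: nonat and outside_3_cryptomap from post 1, outside_2_cryptomap as listed in post 11.
ASA_CFG = """
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.31.12.0 255.255.255.0
"""

def run_checks(asa_crypto_name):
    """Run every check for one ASA crypto ACL against the router's crypto ACL 100."""
    asa_crypto = parse_acl(ASA_CFG, asa_crypto_name, ios=False)
    router_crypto = parse_acl(ROUTER_CFG, "100", ios=True)
    return {
        "mirror": mirror_problems(asa_crypto, router_crypto),
        "domain": encryption_domain_problems(asa_crypto, [ip_network("172.31.12.0/24")]),
        "asa_nat": asa_nat_problems(asa_crypto, parse_acl(ASA_CFG, "nonat", ios=False)),
        "router_nat_old": ios_nat_problems(router_crypto, parse_acl(ROUTER_CFG, "1", ios=True)),
        "router_nat_new": ios_nat_problems(router_crypto, parse_acl(ROUTER_CFG, "150", ios=True)),
    }

if __name__ == "__main__":
    for name in ("outside_3_cryptomap", "outside_2_cryptomap"):
        print(name, run_checks(name))
```

The IOS NAT check deliberately reports only the first entry that overlaps the VPN flow, because that is the entry the router will act on; a deny placed after a broader permit does nothing, which is the ordering mistake the deny-before-permit advice in this thread is meant to prevent.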

  13. > The ASA doesn't use a deny in the NAT 0, it uses a permit. You have it in
    > there already, nonat list looks right to me.



    I figured it had to be right since the tunnel did come up and start
    working at some point. It seems to be dying at the key exchange:

    #sh crypto isakmp sa
    dst src state conn-id slot status
    1.1.1.1 2.2.2.2 MM_KEY_EXCH 1 0 ACTIVE

    #sh crypto isakmp sa
    dst src state conn-id slot status
    1.1.1.1 2.2.2.2 MM_NO_STATE 1 0 ACTIVE (deleted)

    When it worked I believe the state would go into IDLE. I would like to
    thank everyone that's helping out with this thread.
     
    Stephen Reese, Nov 13, 2008
    #13
  14. > The ASA doesn't use a deny in the NAT 0, it uses a permit. You have it in
    > there already, nonat list looks right to me.


    Also here is an updated configuration for the router, since it hasn't
    been changed since it worked.

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime
    service password-encryption
    !
    hostname 3725router
    !
    boot-start-marker
    boot system flash:/c3725-adventerprisek9-mz.124-21.bin
    boot-end-marker
    !
    logging buffered 8192 debugging
    logging console informational
    enable secret 5 $1$BUZ8$sNjxnHHht1NP3co5Vkj2o0
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    aaa session-id common
    clock timezone EST -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    network-clock-participate slot 1
    network-clock-participate slot 2
    no ip source-route
    !
    ip traffic-export profile IDS-SNORT
    interface FastEthernet0/0
    bidirectional
    mac-address 000c.2989.f93a
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.2.1
    ip dhcp excluded-address 172.16.3.1
    !
    ip dhcp pool VLAN2clients
    network 172.16.2.0 255.255.255.0
    default-router 172.16.2.1
    option 66 ip 172.16.2.10
    option 150 ip 172.16.2.10
    dns-server 68.87.74.162 68.87.68.162 68.87.73.242
    !
    ip dhcp pool VLAN3clients
    network 172.16.3.0 255.255.255.0
    default-router 172.16.3.1
    dns-server 68.87.74.162 68.87.68.162 68.87.73.242
    !
    ip dhcp pool DEBIAN
    host 172.16.2.6 255.255.255.0
    hardware-address 0004.e29c.4345
    !
    !
    ip domain name neocipher.net
    ip name-server 68.87.74.162
    ip name-server 68.87.68.162
    ip inspect udp idle-time 900
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW esmtp
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip ips sdf location flash://256MB.sdf
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    vpdn enable
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    authentication pre-share
    crypto isakmp key key address 2.2.2.2 no-xauth
    crypto isakmp key key address 10.0.0.2 no-xauth
    !
    crypto isakmp client configuration group VPN-Users
    key key
    dns 68.87.74.162 68.87.68.162
    domain neocipher.net
    pool VPN_POOL
    acl 115
    include-local-lan
    netmask 255.255.255.0
    crypto isakmp profile IKE-PROFILE
    match identity group VPN-Users
    client authentication list default
    isakmp authorization list default
    client configuration address initiate
    client configuration address respond
    virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode transport
    !
    crypto ipsec profile IPSEC_PROFILE1
    set transform-set ESP-3DES-SHA
    set isakmp-profile IKE-PROFILE
    !
    !
    crypto dynamic-map DYNMAP 10
    set transform-set ESP-3DES-SHA
    !
    !
    crypto map CLIENTMAP client authentication list default
    crypto map CLIENTMAP isakmp authorization list default
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 1 ipsec-isakmp
    set peer 2.2.2.2
    set transform-set ESP-3DES-SHA
    set pfs group1
    match address 100
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    !
    !
    !
    !
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    no ip unreachables
    ip virtual-reassembly
    !
    interface Tunnel0
    description HE.net
    no ip address
    ipv6 address 2001:470:1F06:3B6::2/64
    ipv6 enable
    tunnel source 78.18.222.115
    tunnel destination 209.51.161.14
    tunnel mode ipv6ip
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0/0
    description $ETH-WAN$$FW_OUTSIDE$
    ip address dhcp client-id FastEthernet0/0 hostname 3725router
    ip access-group 104 in
    no ip unreachables
    ip nat outside
    ip inspect SDM_LOW out
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map CLIENTMAP
    !
    interface Serial0/0
    description $FW_OUTSIDE$
    ip address 10.0.0.1 255.255.240.0
    ip access-group 105 in
    ip verify unicast reverse-path
    no ip unreachables
    ip inspect SDM_LOW out
    ip virtual-reassembly
    clock rate 2000000
    crypto map CLIENTMAP
    !
    interface FastEthernet0/1
    no ip address
    no ip unreachables
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.2
    description $FW_INSIDE$
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip access-group 101 in
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ipv6 address 2001:470:880D::1/64
    ipv6 enable
    !
    interface FastEthernet0/1.3
    description $FW_INSIDE$
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip access-group 102 in
    no ip unreachables
    ip virtual-reassembly
    !
    interface FastEthernet0/1.10
    !
    interface Serial0/1
    no ip address
    no ip unreachables
    shutdown
    clock rate 2000000
    !
    interface Virtual-Template1 type tunnel
    description $FW_INSIDE$
    ip unnumbered Loopback0
    ip access-group 103 in
    no ip unreachables
    ip virtual-reassembly
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile IPSEC_PROFILE1
    !
    ip local pool VPN_POOL 192.168.0.100 192.168.0.105
    ip forward-protocol nd
    ip route 172.16.10.0 255.255.255.0 10.0.0.2
    ip route 172.31.12.0 255.255.255.0 74.245.61.45
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat translation udp-timeout 900
    ip nat inside source list 150 interface FastEthernet0/0 overload
    !
    logging trap debugging
    logging origin-id hostname
    logging 172.16.2.6
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 101 remark SDM_ACL Category=17
    access-list 101 permit ahp any host 172.16.2.1
    access-list 101 permit esp any host 172.16.2.1
    access-list 101 permit udp any host 172.16.2.1 eq isakmp
    access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
    access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny tcp any any range 1 chargen log
    access-list 101 deny tcp any any eq whois log
    access-list 101 deny tcp any any eq 93 log
    access-list 101 deny tcp any any range 135 139 log
    access-list 101 deny tcp any any eq 445 log
    access-list 101 deny tcp any any range exec 518 log
    access-list 101 deny tcp any any eq uucp log
    access-list 101 permit ip any any
    access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 102 deny ip host 255.255.255.255 any log
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 102 permit ip any any
    access-list 103 deny ip 172.16.2.0 0.0.0.255 any
    access-list 103 deny ip 10.0.0.0 0.0.15.255 any
    access-list 103 deny ip 172.16.3.0 0.0.0.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 permit ip any any
    access-list 104 remark SDM_ACL Category=17
    access-list 104 permit udp host 205.152.132.23 eq domain any
    access-list 104 permit udp host 205.152.144.23 eq domain any
    access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
    access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
    access-list 104 permit ahp any any
    access-list 104 permit esp any any
    access-list 104 permit 41 any any
    access-list 104 permit udp any any eq isakmp
    access-list 104 permit udp any any eq non500-isakmp
    access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 104 permit udp any eq bootps any eq bootpc
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any unreachable
    access-list 104 permit icmp any any echo
    access-list 104 deny icmp any any mask-request log
    access-list 104 deny icmp any any redirect log
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
    access-list 104 deny ip host 255.255.255.255 any log
    access-list 104 deny tcp any any range 6000 6063 log
    access-list 104 deny tcp any any eq 6667 log
    access-list 104 deny tcp any any range 12345 12346 log
    access-list 104 deny tcp any any eq 31337 log
    access-list 104 deny udp any any eq 2049 log
    access-list 104 deny udp any any eq 31337 log
    access-list 104 deny udp any any range 33400 34400 log
    access-list 104 deny ip any any log
    access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
    access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
    access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
    access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
    access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
    access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
    access-list 105 deny ip 172.16.2.0 0.0.0.255 any
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    access-list 105 deny ip 172.16.3.0 0.0.0.255 any
    access-list 105 permit icmp any host 10.0.0.1 echo-reply
    access-list 105 permit icmp any host 10.0.0.1 time-exceeded
    access-list 105 permit icmp any host 10.0.0.1 unreachable
    access-list 105 deny ip 10.0.0.0 0.255.255.255 any
    access-list 105 deny ip 172.16.0.0 0.15.255.255 any
    access-list 105 deny ip 192.168.0.0 0.0.255.255 any
    access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    access-list 105 deny ip host 255.255.255.255 any
    access-list 105 deny ip host 0.0.0.0 any
    access-list 105 deny ip any any log
    access-list 115 permit ip 172.16.0.0 0.0.255.255 any
    access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 150 permit ip 172.16.2.0 0.0.0.255 any
    access-list 150 permit ip 172.16.3.0 0.0.0.255 any
     
    Stephen Reese, Nov 13, 2008
    #14
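Two things have to line up for a site-to-site tunnel between an IOS router and an ASA: the crypto ACL on each side must be the exact mirror of the other side's, and the interesting traffic must be exempted from NAT on both ends (on IOS a `deny` in the ACL named by `ip nat inside source list`, on the ASA a `permit` in the nonat ACL). The script below is an added example, not code from the thread or from Cisco. It parses the router's ACL 100 (the crypto map's `match address`) and ACL 150 (the NAT ACL) exactly as posted above, together with a constructed ASA-side crypto ACL and nonat ACL whose names and contents are assumptions, and reports flows that are not mirrored or not NAT-exempt. Both IOS wildcard masks and ASA subnet masks are normalised to `ipaddress` networks, and `any`/`host` keywords are handled.

```python
"""Mirror-ACL and NAT-exemption checks for an IOS <-> ASA site-to-site VPN.

Added example; not part of the thread. Router ACL lines are copied from the
posted config, the ASA lines are CONSTRUCTED sample input.
"""
import ipaddress
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]          # (action, src, dst)
Flow = Tuple[Net, Net]

# Router ACLs as posted above: 100 is the crypto ACL, 150 the NAT ACL.
ROUTER_CFG = """
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
"""

# CONSTRUCTED ASA side (names and contents are assumptions, not the poster's).
ASA_CFG = """
access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
"""


def _endpoint(tokens: List[str], i: int, style: str) -> Tuple[Net, int]:
    """Parse one ACL endpoint starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    addr, mask = tok, tokens[i + 1]
    if style == "ios":  # IOS ACLs use wildcard (inverted) masks
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Net(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(config: str, name: str, style: str) -> List[Entry]:
    """Return the 'permit|deny ip <src> <dst>' entries of one ACL, in order.

    Remarks and non-IP (tcp/udp/esp/...) entries are skipped; they do not
    select IPsec traffic or NAT candidates for the checks below.
    """
    entries: List[Entry] = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != name:
            continue
        if style == "asa":
            if t[2] != "extended":
                continue
            t = t[:2] + t[3:]          # drop the 'extended' keyword
        if t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        try:
            src, i = _endpoint(t, 4, style)
            dst, _ = _endpoint(t, i, style)
        except (IndexError, ValueError):
            continue                   # malformed line: ignore rather than guess
        entries.append((t[2], src, dst))
    return entries


def crypto_flows(entries: List[Entry]) -> Set[Flow]:
    """Interesting traffic = the permit entries of a crypto ACL."""
    return {(s, d) for a, s, d in entries if a == "permit"}


def mirror_mismatches(local: Set[Flow], remote: Set[Flow]):
    """Flows present only locally / only remotely, after mirroring the remote ACL."""
    mirrored = {(d, s) for s, d in remote}
    return sorted(local - mirrored), sorted(mirrored - local)


def first_match(entries: List[Entry], src: Net, dst: Net) -> str:
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def unexempted(flows: Set[Flow], nat_acl: List[Entry], exempt: str) -> List[str]:
    """Crypto flows whose NAT ACL verdict is not the exempting action."""
    return [f"{s} -> {d}" for s, d in sorted(flows) if first_match(nat_acl, s, d) != exempt]


def run_checks(router_cfg: str = ROUTER_CFG, asa_cfg: str = ASA_CFG) -> dict:
    r_crypto = crypto_flows(parse_acl(router_cfg, "100", "ios"))
    a_crypto = crypto_flows(parse_acl(asa_cfg, "outside_2_cryptomap", "asa"))
    router_only, asa_only = mirror_mismatches(r_crypto, a_crypto)
    return {
        "router_only": [f"{s} -> {d}" for s, d in router_only],
        "asa_only": [f"{s} -> {d}" for s, d in asa_only],
        # IOS: a 'deny' in the NAT ACL means "do not translate" -> exempt.
        "router_natted": unexempted(r_crypto, parse_acl(router_cfg, "150", "ios"), "deny"),
        # ASA: a 'permit' in the nonat ACL means "exempt from NAT".
        "asa_natted": unexempted(a_crypto, parse_acl(asa_cfg, "nonat", "asa"), "permit"),
    }


if __name__ == "__main__":
    for key, val in run_checks().items():
        print(f"{key}: {val or 'ok'}")
```

With the ACLs above, the 172.16.2.0/24 to 172.31.12.0/24 flow passes both checks. The 172.16.2.0/24 to 172.16.10.0/24 entry of ACL 100 is reported as router-only, because the constructed ASA ACL does not mirror it (on the router it is the tunnel toward the 10.0.0.2 peer, yet it shares the crypto map entry whose `set peer` is 2.2.2.2), and as not NAT-exempt, because ACL 150 only denies the 172.31.12.0 flow. The second finding is ACL-only: IOS translates nothing on a path that does not cross an `ip nat inside` to `ip nat outside` interface pair, and Serial0/0 carries no `ip nat` role, so on this router that flow would not actually be translated. Treat the script as a checklist, not a verdict on the topology.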