- Posts: 107
- Thank you received: 0
Anyone got a ASA Site-to-Site VPN Guide
NoNAT Access-List
Code:
access-list acl_nat extended permit ip any 172.29.1.0 255.255.255.0
Basically what you say here is that you dont want anything translated. The access list works as follows: access-list acl_nat permit ip yournetwork 255.255.255.0 remotenetwork 255.255.255.0
Interesting Traffic
Code:
access-list ip_29_1 extended permit ip any 172.29.1.0 255.255.255.0
Same here. The rule here says that ALL traffic (including regular http traffic) should be encrypted. This access list works as follows:
access-list ip_29_1 permit yournetwork 255.255.255.0 remotenetwork 255.255.255.0
Allowing all traffic outbound
Code:
access-group Allow-ALL in interface inside
Dont need that. ASA's allways allow traffic to flow from a higher security-level (inside is defaulted to 100) to a lower security-level (outside is defaulted to 0)
Interesting Traffic
Code:
ip access-list extended VPN-INT-TRAF
remark VPN interesting traffic
permit ip 172.29.1.0 0.0.0.255 any
Same here ^^
Also if the router nats you need to configure a no-nat. just make a deny rule for the sourcenetwork to the remotenetwork on your nat access-list.
Hope this helps a bit
Ron.
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
NoNAT Access-List
Code:
access-list acl_nat extended permit ip any 172.29.1.0 255.255.255.0
Basically what you say here is that you dont want anything translated. The access list works as follows: access-list acl_nat permit ip yournetwork 255.255.255.0 remotenetwork 255.255.255.0
Yes, but only destined to the 172.29.1.0 network. I am basically saying that i dont want to use split tunneling and want everything from my remote site to go down the link. This is to allow the return traffic back.
Interesting Traffic
Code:
access-list ip_29_1 extended permit ip any 172.29.1.0 255.255.255.0
Same here. The rule here says that ALL traffic (including regular http traffic) should be encrypted. This access list works as follows:
access-list ip_29_1 permit yournetwork 255.255.255.0 remotenetwork 255.255.255.0
Same reason as above. This should all work as its working through the VPN Concentrator and is by design.
Allowing all traffic outbound
Code:
access-group Allow-ALL in interface inside
Dont need that. ASA's allways allow traffic to flow from a higher security-level (inside is defaulted to 100) to a lower security-level (outside is defaulted to 0)
You are quite correct, force of habbit from my ISA days i'm afraid. This is only in to 1, ensure that stuff is being allowed and 2, so anyone who looks at the config knows that everything is being allowed.
Interesting Traffic
Code:
ip access-list extended VPN-INT-TRAF
remark VPN interesting traffic
permit ip 172.29.1.0 0.0.0.255 any
Same here ^^
Also if the router nats you need to configure a no-nat. just make a deny rule for the sourcenetwork to the remotenetwork on your nat access-list.
Same as reasons above
Hope this helps a bit
Ron.
Thanks for taking the time to post. I still cannot seem to spot whats causing this issue.
Anyone spot the problem getting the VPN connected ?
Cheers
Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
But there really isnt a point in using "any" in a VPN access-list and it could only cause trouble.
Ron.
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
I can post the config's from a live enviroment where the tunnel works if you'd like.
But there really isnt a point in using "any" in a VPN access-list and it could only cause trouble.
Ron.
Sorry but i dissagree with you there. I see many organisations that use "any" in VPN access to stop split tunnelling and force all traffic to the main site in order to ensure a centralised policy is in force for all traffic.
Its ok about the config
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
[code:1]sh run all tunnel-groups[/code:1]
This will give the following output (well the bit of interest)
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
As you can see, the default group policy is set to the DfltGrpPolicy and in my configuration it was allowing multiple protocols (sslvpn was using this also). It was therefore complaining in the debugging that the tunnel-group and default-policy didn't have matching protocols.
I therefore created my own group policy and set my tunnel-group to use it. Hey presto everything worked.
The only other issues was then to do with me needing to force all the traffic down the tunnel and through a seperate gateway.
The access-lists for interesting traffic worked fine on the ASA and the Router (even though i read that to turn off split tunnelling you just used a standard access list, it doesn't allow this in the crypto map so i had to keep my access-list as it was).
Anyhow, i needed to then send the traffic through the internal web filtering software out of another gateway, the traffic was going down the tunnel ok but then the ASA was trying to route it out to the internet itself instead of throwing the traffic back inside the network out of the other gateway. The fix for this is to use the tunneled option at the end of the route command.
[code:1]route [interface] [ipaddress] [subnet] [gateway] tunneled
e.g. route Inside 0 0 172.28.1.5 tunneled[/code:1]
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Sorry if this may appear that i'm seeking spoon-feeding style sort of a help. But I tried everything I could. I've hit a brick wall. So if anyone out there kind enough to post a complete working basic config of two ASA 5505 (8.x) talking together with Site-to-site VPN with the default route going to ASA number 2 (Where I can just paste them into the ASA), I would really really really really appreciate it.
In my scenario, i've set the proper crypto maps and proper mirroring ACLs, transform sets, NAT, and IP Peers, the ASAs wouldnt even try connecting, they wouldnt initiate a connection. Dont know why. I've done all stuff in CLI because ASDM is not work anything.
Super Thanks!