
Tunnel All IPSEC Traffic

Posted on 2006-11-20
Last Modified: 2012-08-14
G'Day.
We're setting up a L2L VPN from an 837 to an ASA5510. The tunnel is working fine; however, I would like to have all traffic tunnelled between the sites. We will have approximately 15 sites when done. I have tried to change the crypto ACL on the router to any any; however, the ASA reports that there is no match. Can anyone add some input? The reason for this is that we need to control all routing and connectivity from the central site. Some sites are independent, but passing all traffic through the central site allows us to control security better.

Could this also be achieved by using a route map and just adding all traffic to the ACL? I'd rather just tunnel everything. Router config below.

Thank you in advance

DZM#sh run
Building configuration...

Current configuration : 3537 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname AAA
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$40as$CJ4Z0DpGarcv46dkE1o8J0
enable password Password1
!
no aaa new-model
!
resource policy

clock timezone GMT 2
no ip source-route
no ip dhcp use vrf connected
!
ip dhcp pool crwstest
   origin ipcp
!
!
ip cef
no ip domain lookup
ip domain name local
no ip bootp server
!
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key XWKwoMNHlPvLUTcoiIp8Pxa9EZuQDSSAASDASDKDHJKADHAKLDHKDHAKLSDHSDAKLJDHAK234365466 address XXX.XXX.XXX.XXX
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set pix-set esp-3des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set pix-set
 match address 101
!
!
!
interface Ethernet0
 ip address 190.99.99.100 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username online509526@dsl512telkomsa.net password 0 ixund
 crypto map pix
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 101 permit ip 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255
access-list 102 remark WAN
access-list 102 permit ip 192.99.99.0 0.0.0.255 190.99.99.0 0.0.0.255
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 169.254.0.0 0.0.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 198.18.0.0 0.1.255.255 any
access-list 102 deny   ip 224.0.0.0 0.15.255.255 any
access-list 102 deny   ip any host 255.255.255.255
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit icmp any any echo-reply
access-list 102 deny   ip any any log
access-list 102 remark WAN
access-list 110 deny   ip 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255
access-list 110 permit ip 190.99.99.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 120 0
 password 7 023605481811003348
 login local
 length 0
 transport input telnet ssh
 transport output none
!
scheduler max-task-time 5000
end

DZM#
Question by:savannahmicro

Expert Comment by:stressedout2004
We have this kind of setup. We have 8 remote sites and we are sending everything over the tunnel to our main site. The remote sites internet traffic and corporate traffic goes to the main site. Instead of using any any for source and destination, we only specify any as a destination for our remote site.

Any any won't work, the reason being that the ASA would need to know which encrypted traffic goes back to which site. Use *any* only for the ASA network.

In the above config, do:

access-list 101 permit ip 190.99.99.0 0.0.0.255 any

and on the ASA you will have:

access-list 101 permit ip any 190.99.99.0 255.255.255.0

You will also need to remove the NATting on the router (nat inside and outside)
Author Comment by:savannahmicro
Thank you. I made the changes you recommended. I also removed the ip nat inside source list 105 interface Dialer0 overload; would that be correct?

What I have found, even before the changes you made, is that I can't ping from inside the router to the central site.

Another thing I'm not sure of is that when I do a trace from inside to an IP on the internet, the trace seems to go out on the D1 int instead of going to the central site core router. Is that normal?
Expert Comment by:stressedout2004
The packet will still be going out through the D1 interface, but you should see that the next hop after that is in your central site. Can you post an updated copy of your running config after the changes have been made?
Author Comment by:savannahmicro
Thank you for your time.

Current configuration : 5859 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname DZM
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$/5pv$O81UJXDIVR6ckr62ANyV5/
enable password Password1
!
no aaa new-model
!
resource policy
!
clock timezone GMT 2
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name local
ip name-server 192.99.99.101
no ip bootp server
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW cuseeme
ip inspect name FW h323
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW streamworks
ip inspect name FW vdolive
ip inspect name FW sqlnet
ip inspect name FW tftp
ip inspect name FW ftp
ip inspect name FW icmp
ip inspect name FW sip
ip inspect name FW esmtp
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW netshow
ip inspect name FW rtsp
ip inspect name FW skinny
!
!
!
username Administrator secret 5 $1$e0Lg$KR/C1.vl67D6aRTyjN9ZU.
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key XWKwLDHKDHAKLSDHSDAKLJDHAK234365466 address XXX.XXX.1X1.X37
crypto isakmp keepalive 60
!
crypto ipsec transform-set pix-set esp-3des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer XXX.XXX.1X1.X37
 set transform-set pix-set
 match address 101
!
interface Ethernet0
 ip address 190.99.99.100 255.255.255.0
 ip access-group 103 in
 rate-limit input access-group 120 64000 2000 2000 conform-action transmit exceed-action drop
 rate-limit output access-group 120 64000 2000 2000 conform-action transmit exceed-action drop
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  pppoe-client dial-pool-number 1
 !

interface Dialer1
 ip address negotiated
 ip access-group 102 in
 ip inspect FW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username online515894@dsl512telkomsa.net password 0 fuzuzz
 crypto map pix
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 101 permit ip 190.99.99.0 0.0.0.255 any
access-list 102 remark WAN
access-list 102 permit ip 192.99.99.0 0.0.0.255 190.99.99.0 0.0.0.255
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 169.254.0.0 0.0.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 198.18.0.0 0.1.255.255 any
access-list 102 deny   ip 224.0.0.0 0.15.255.255 any
access-list 102 deny   ip any host 255.255.255.255
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit icmp any any echo-reply
access-list 102 deny   ip any any log
access-list 102 remark WAN
access-list 103 remark LAN
access-list 103 permit ip 192.99.99.0 0.0.0.255 host 190.99.99.100
access-list 103 permit ip 190.99.99.0 0.0.0.255 host 190.99.99.100
access-list 103 permit ip host 190.99.99.101 192.99.99.0 0.0.0.255
access-list 103 deny   ip any host 190.99.99.255
access-list 103 deny   udp any any eq tftp log
access-list 103 permit tcp host 190.99.99.101 host 192.99.99.101 eq smtp
access-list 103 permit tcp 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255 eq domain
access-list 103 permit tcp 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255 eq 8080
access-list 103 permit tcp 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255 eq 443
access-list 103 permit icmp any 192.99.99.0 0.0.0.255
access-list 103 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 103 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 103 deny   udp any any eq 135 log
access-list 103 deny   tcp any any eq 135 log
access-list 103 deny   udp any any eq netbios-ns log
access-list 103 deny   udp any any eq netbios-dgm log
access-list 103 deny   tcp any any eq 445 log
access-list 103 deny   ip any any log
access-list 110 deny   ip 190.99.99.0 0.0.0.255 any
access-list 110 permit ip 190.99.99.0 0.0.0.255 any
access-list 120 permit tcp any any eq smtp
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 120 0
 password 7 023605481811003348
 login local
 length 0
 transport input telnet ssh
 transport output none
!
scheduler max-task-time 5000
end
Expert Comment by:lrmoore
It appears that your acl 103, as applied to the inside LAN interface, only allows your local traffic from 190.99.99.x to 192.99.99.x. I would expect to see something like "permit tcp 190.99.99.0 0.0.0.255 any"

Also, your acl 102 inbound on D1 does not allow 'any'
 I would expect something like  'permit tcp 190.99.99.0 0.0.0.255 any established'

IMHO, your best bet may be to simply use a cache-only proxy at HQ, only allow traffic between 190.99.99.x and 192.99.99.x, and force users to use the proxy in IE for all protocols. This requires only traffic between 190<->192 and not 190->any or any<-190.
Author Comment by:savannahmicro
It all seems to be working, but a new problem has presented itself. When spooling mail from the remote site to the central site, the SMTP connection drops every now and then when under load. I've done some reading and it seems to have to do with MTU. I've set the MTU on the D1 to 1352 and the MSS to 1312. This seemed to help a bit. Am I missing something?
Expert Comment by:lrmoore
Adjusting the MTU on the interface would be a last resort. Changing the mss is OK. Your original setting of 1452 should have been adequate.
You might consider changing the MaxMTU setting on the mail server itself
Expert Comment by:stressedout2004
You could try adding the global command:

crypto ipsec df-bit clear

This command will force the packet to be fragmented for packets that would exceed the MTU which normally would be dropped. You should leave the MTU of the interfaces to whatever the default is and adjust the MSS accordingly. It normally works for me that way but usually it involves sending unfragmented ping packets over the tunnel to find the right value.
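As an added example (not from the thread or from either expert), the arithmetic behind the MTU/MSS exchange above, in Python. It computes the ESP tunnel-mode overhead for the thread's esp-3des esp-md5-hmac transform set behind a PPPoE dialer (MTU 1492), derives the largest clear-text packet that still fits and the MSS to clamp to, and models what the three 'crypto ipsec df-bit' keywords do with an oversized packet. The header and trailer sizes follow RFC 4303 and IPv4; the assumption that IOS pre-fragmentation is enabled (its default), the function names and the outcome strings are mine.

```python
"""ESP tunnel-mode overhead, safe MSS and df-bit handling for the link in the thread.

Added example, not from the thread.  Defaults model the thread's transform set
(esp-3des esp-md5-hmac: 8-byte cipher block and IV, 12-byte ICV) behind a PPPoE
dialer (MTU 1492).  Pass block=16, iv=16 for AES-CBC.  The df-bit policies are
the IOS 'crypto ipsec df-bit' keywords; the outcome strings are constructed here.
"""

OUTER_IP = 20        # new IPv4 header added in tunnel mode (no options)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
PPPOE_MTU = 1500 - 8  # PPPoE (6) + PPP protocol id (2) eat 8 bytes of the Ethernet MTU


def esp_size(inner_len: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Wire size of the ESP packet carrying an inner IP packet of inner_len bytes."""
    # payload + trailer must fill whole cipher blocks, so pad by up to block-1 bytes
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_len(link_mtu: int = PPPOE_MTU, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Largest inner IP packet whose encapsulation still fits link_mtu unfragmented."""
    n = link_mtu
    while esp_size(n, block, iv, icv) > link_mtu:
        n -= 1
    return n


def safe_mss(link_mtu: int = PPPOE_MTU, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Value for 'ip tcp adjust-mss' so a full-size segment (inner IPv4 20 + TCP 20,
    no options) never needs fragmentation after encryption."""
    return max_inner_len(link_mtu, block, iv, icv) - 40


def df_bit_outcome(inner_df: bool, policy: str = "copy") -> str:
    """Fate of a packet whose encapsulation would exceed the MTU under
    'crypto ipsec df-bit {copy|clear|set}'.  Assumes IOS pre-fragmentation is on
    (the default), so a cleartext packet without DF is fragmented before encryption
    whatever the policy; only DF-set packets depend on the outer-header DF bit,
    which copy inherits, clear forces off and set forces on."""
    if not inner_df:
        return "fragmented before encryption"
    outer_df = {"copy": True, "clear": False, "set": True}[policy]
    return "dropped, ICMP fragmentation-needed returned" if outer_df else "fragmented after encryption"


if __name__ == "__main__":
    print("max inner packet:", max_inner_len(), "-> MSS", safe_mss())
    print("a 1492-byte packet (MSS 1452) becomes", esp_size(1492), "bytes on the wire")
    print("the thread's MTU 1352 becomes", esp_size(1352), "bytes, which fits")
    for df in (True, False):
        for pol in ("copy", "clear", "set"):
            print(f"inner DF={df!s:5} policy={pol:5}: {df_bit_outcome(df, pol)}")
```

With the defaults the largest clear-text packet that fits is 1438 bytes, so 1398 is the MSS that avoids fragmentation for this transform set; the 1452 in the posted config is 1492 minus 40, which leaves no room for the 50 or more bytes ESP adds, and the 1312 the author settled on is simply a more conservative value that also fits. One caveat visible in the posted config: ACL 102 on Dialer1 only permits ICMP echo-reply before its final deny, so an ICMP fragmentation-needed message from the path (the signal the "dropped" outcome above relies on) would be dropped at the router; clamping MSS or clearing the DF bit sidesteps that, relying on PMTUD does not.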
Author Comment by:savannahmicro
The MTU of 1352 seems to have sorted me. I also confirmed with the only telecoms provider we have and they confirmed 1352. OK, I have a few last questions to close this one up:

a. I'm going to set up another two routers this weekend. Can I use the same ISAKMP and crypto config on the ASA, but just add the additional subnet to the nat 0? Same PSK on the other two routers?

b. Why can't I ping from inside the router to the ASA or any other hosts on the remote side network? I can ping the ASA inside int from the router side network. If I trace from inside the router and specify a source, that works fine. Do I need to remove the 0.0.0.0/0 route to D1?

c. In the ASA logs, it's whining that there is no route from the external IP of the ASA to the external IP of the router. Why is that? From my understanding no routes need to be added on the ASA for directly connected tunnels?

Thank you for your time.
Accepted Solution by:lrmoore (earned 175 total points)
a. Yes, add their subnets to the nat 0 acl, but create new acls to apply the traffic to a crypto map peer

b. Because if you are on the router console and try to ping out, your source IP is your public ip and not your private ip. However, you can use extended ping to designate a source IP for testing.

c. You do need a default route on the ASA that is on the same IP subnet as the outside IP. You don't need specific routes to other subnets because that's what the peer statement does. You just need to know how to get to that peer.
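As an added example (not from the thread or from either expert), the two checks implied by stressedout2004's first reply and by point (a) of the accepted solution, in Python: that a spoke's IOS crypto ACL (wildcard masks) is the exact mirror of its ASA crypto ACL (subnet masks), and that the ASA's per-peer crypto ACLs stay disjoint as spokes are added. The second spoke subnet (10.20.0.0/16), the ASA ACL names and the function names are constructed for the illustration; only the 190.99.99.0/24 entries come from the thread.

```python
"""Crypto-ACL mirror and overlap check for a hub-and-spoke IPsec design.

Added example, not from the thread.  The spoke is an IOS router (wildcard
masks), the hub is an ASA (subnet masks).  Only 'permit ip' entries are
treated as interesting-traffic selectors.  The hub ACL names and the second
spoke subnet (10.20.0.0/16) are constructed for illustration.
"""
from ipaddress import IPv4Network
from itertools import combinations

ANY = IPv4Network("0.0.0.0/0")


def _ios_net(addr: str, wildcard: str) -> IPv4Network:
    # IOS wildcard: 0 bits must match, so the subnet mask is its bitwise complement.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)


def _take(tok: list, i: int, style: str) -> tuple:
    """Consume one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    if style == "ios":
        return _ios_net(tok[i], tok[i + 1]), i + 2
    return IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_entry(line: str, style: str):
    """Return (src, dst) for a 'permit ip' entry; None for remarks, deny lines and other protocols."""
    tok = line.split()
    if "permit" not in tok:
        return None
    i = tok.index("permit") + 1
    if i >= len(tok) or tok[i] != "ip":
        return None
    src, i = _take(tok, i + 1, style)
    dst, _ = _take(tok, i, style)
    return src, dst


def parse_acl(text: str, style: str) -> list:
    entries = (parse_entry(ln, style) for ln in text.strip().splitlines())
    return [e for e in entries if e]


def mirrors(spoke: list, hub: list) -> bool:
    """True when every spoke selector has its exact (dst, src) mirror on the hub and vice
    versa; otherwise the hub rejects the spoke's proposal as matching no crypto-map entry."""
    return {(s, d) for s, d in spoke} == {(d, s) for s, d in hub}


def _overlap(e1: list, e2: list) -> bool:
    return any(s1.overlaps(s2) and d1.overlaps(d2) for s1, d1 in e1 for s2, d2 in e2)


def overlapping_peers(hub_acls: dict) -> list:
    """Pairs of hub peers whose selectors overlap.  The hub matches a flow against its
    crypto-map entries in sequence order, so overlapping selectors send the second
    peer's traffic into the first peer's tunnel; 'any any' overlaps every other peer."""
    return [(p1, p2) for (p1, e1), (p2, e2) in combinations(hub_acls.items(), 2)
            if _overlap(e1, e2)]


# Spoke A is the 837 in the thread (tunnel-all: its LAN to anywhere); spoke B is constructed.
SPOKE_A = parse_acl("access-list 101 permit ip 190.99.99.0 0.0.0.255 any", "ios")
SPOKE_A_ANY_ANY = parse_acl("access-list 101 permit ip any any", "ios")   # the first attempt
HUB = {
    "spoke-a": parse_acl("access-list spoke-a extended permit ip any 190.99.99.0 255.255.255.0", "asa"),
    "spoke-b": parse_acl("access-list spoke-b extended permit ip any 10.20.0.0 255.255.0.0", "asa"),
}


def report() -> dict:
    """Run the checks the thread's two answers imply and return the results by name."""
    any_any_peer = parse_acl("access-list spoke-c extended permit ip any any", "asa")
    with_any_any = dict(HUB, **{"spoke-c": any_any_peer})
    return {
        "spoke_a_mirrors_hub": mirrors(SPOKE_A, HUB["spoke-a"]),
        "any_any_mirrors_hub": mirrors(SPOKE_A_ANY_ANY, HUB["spoke-a"]),
        "hub_overlaps": overlapping_peers(HUB),
        "hub_overlaps_with_any_any_peer": overlapping_peers(with_any_any),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Run as-is, the 190.99.99.0/24-to-any spoke entry passes the mirror check while the any/any attempt fails it, the two hub peers with 'any' only on the source side do not overlap, and adding an any/any peer on the hub overlaps both existing spokes, which is the reason the replies keep 'any' on the source side of the ASA entries only. Two things that follow from this design but that the thread does not spell out: each new spoke subnet must also be added to the ASA's nat 0 ACL (as the accepted answer says), and spoke-to-spoke traffic enters and leaves the ASA on the same outside interface, which needs same-security-traffic permit intra-interface on the ASA.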