winningtech asked:
VPN tunnel into Cisco ASA via static NAT from router???
I have a client with a Layered Cisco network solution. Their Cisco router is public facing and provides a private IP address to the Cisco ASA behind it.
I need to be able to create a VPN tunnel into the ASA. There are public IP addresses available to be statically NAT'ed to the ASA, one has been selected by the IT person on site and has been translated to an IP address in the network of the ASA but NOT the IP address of the interface connecting the ASA to the Router.
I've configured the VPN on both the ASA and the other end point (a Linksys RV042) and can see both devices attempting to bring up phase one of the tunnel. The RV042 is complaining about using Main Mode and the ASA seems to be complaining about the network I've set as the local network.
Behind the ASA are multiple additional networks which have static routes back through the ASA into the router.
I guess my initial question is if it's even possible to NAT a VPN tunnel in this manner. The IT person on site doesn't seem particularly interested in statically NAT'ing to the interface IP but I suspect this is going to be necessary to bring the tunnel up.
My follow on questions relate to which network on the ASA side to specify as local (IP network of the ASA on the internal side or the one NAT'ed network that I need traffic to pass into) and what ports to allow into the ASA from the static map (I'm currently allowing ESP, ISAKMP and 4500).
Help appreciated. I can post a sanitized version of the router and ASA configs if they'll be helpful.
SOLUTION
>Do I write the VPN ACL to allow traffic from 10.0.0.x to my remote end 10.50.50.x
Yes
Sanitized version of config will be good.
ASKER
Sorry for the delay in replying. So many projects this month, so little time to work on other things.
I think I'm making some progress on getting the tunnel up. With a little help from Cisco the VPN tunnel will start to build, but the remote endpoint (a Linksys RV042) seems to see the traffic coming from the ASA as the IP address of its outside interface (private IP address) rather than the IP address which is statically NAT'ed at the router (public IP).
Am attaching the RV042's log, the Router config and the ASA config below. The local IT gent received lots of help from Cisco with the ASA config. That means I didn't write it and do not have a complete grasp on why it was written as it is. It does work as intended for everything other than the VPN tunnel...
Linksys RV042's VPN Log:
Aug 16 13:53:06 2007 VPN Log Ignoring Vendor ID payload Type = [Cisco-Unity]
Aug 16 13:53:06 2007 VPN Log Ignoring Vendor ID payload Type = [XAUTH]
Aug 16 13:53:06 2007 VPN Log Ignoring Vendor ID payload [60819f6505263398...]
Aug 16 13:53:06 2007 VPN Log Ignoring Vendor ID payload [1f07f70eaa6514d3...]
Aug 16 13:53:06 2007 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Aug 16 13:53:07 2007 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Aug 16 13:53:07 2007 VPN Log Received Vendor ID payload Type = [Dead Peer Detection]
Aug 16 13:53:07 2007 VPN Log [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Aug 16 13:53:07 2007 VPN Log Main mode peer ID is ID_IPV4_ADDR: '10.254.254.2'
Aug 16 13:53:07 2007 VPN Log We require peer to have ID '67.x.x.x', but peer declares '10.254.254.2'
Aug 16 13:53:09 2007 VPN Log Initiating Main Mode
Router config:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CERouter1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$p8rp$U6QUkzgK08JpT3DJn8BNW/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name corbinselectric.local
!
username router_root privilege 15 secret 5 $1$wrMT$sZUtefpoAkqwm4gp2j30V/
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 10.254.254.1 255.255.255.0
ip access-group sdm_fastethernet0/0_in in
ip access-group sdm_fastethernet0/0_out out
no ip redirects
no ip unreachables
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/1/0
description $ES_WAN$$FW_OUTSIDE$
ip address 65.x.x.x 255.255.255.248
ip access-group sdm_serial0/1/0_in in
ip access-group sdm_serial0/1/0_out out
no ip redirects
no ip unreachables
ip nat outside
encapsulation ppp
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 10.0.0.0 255.255.255.0 10.254.254.2 2
ip route 10.0.0.220 255.255.255.255 10.254.254.2 2
ip route 10.0.1.0 255.255.255.0 10.254.254.2 2
ip route 10.0.2.0 255.255.255.0 10.254.254.2 2
ip route 10.0.3.0 255.255.255.0 10.254.254.2
ip route 10.0.10.0 255.255.255.0 10.254.254.2 3
ip route 10.0.11.0 255.255.255.0 10.254.254.2 3
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 5 interface Serial0/1/0 overload
ip nat inside source static 10.254.254.2 67.x.x.x extendable
ip nat inside source static 10.254.254.4 67.x.x.x
ip nat inside source static 10.254.254.3 67.x.x.x
!
ip access-list extended sdm_fastethernet0/0_in
remark SDM_ACL Category=1
remark 1
permit ip any any
ip access-list extended sdm_fastethernet0/0_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_serial0/1/0_in
remark SDM_ACL Category=1
permit tcp any host 65.46.28.214 eq www
permit tcp any host 65.46.28.214 eq smtp
permit tcp any host 65.46.28.214 eq 3389
remark 2
permit ip any any
ip access-list extended sdm_serial0/1/0_out
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.254.254.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.0.0.0 0.0.255.255
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 10.0.3.0 0.0.0.255
access-list 4 permit 10.0.10.0 0.0.0.255
access-list 4 permit 10.0.0.0 0.0.0.255
access-list 5 permit 10.254.254.2
access-list 5 remark SDM_ACL Category=2
access-list 5 permit 10.0.3.0 0.0.0.255
access-list 5 permit 10.0.0.0 0.0.0.255
access-list 5 permit 10.0.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end
CERouter1#
The ASA's config (sanitized)
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name corbinselectric.local
names
dns-guard
!
interface Ethernet0/0
description Outside Interface
nameif Outside
security-level 0
ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 90
ip address 10.254.253.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.0.3.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name corbinselectric.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TeleworkerPhones udp
description Teleworker ports.
port-object range 20000 23000
port-object range 3999 3999
port-object range 3300 3300
port-object eq tftp
port-object range 1024 65535
object-group service TeleworkerPhonesTCP tcp
port-object eq 2114
port-object eq 2116
port-object eq 3300
port-object eq 35000
port-object eq 37000
port-object eq https
port-object eq ssh
port-object range 6801 6802
object-group service Ports tcp
description Ports
port-object range 1 1024
access-list Inside-Default_access_out_V1 extended permit ip any any
access-list Inside-Default_access_out extended permit ip any any
access-list Outside_access_in extended permit tcp any host 10.254.254.2 eq www
access-list Outside_access_in extended permit tcp any host 10.254.254.2 eq smtp
access-list Outside_access_in extended permit tcp any host 10.254.254.2 eq 3389
access-list Outside_access_in extended permit tcp any host 10.254.254.3 eq citrix-ica
access-list Outside_access_in extended permit tcp any host 10.254.254.3 eq www
access-list Outside_access_in extended permit udp any object-group TeleworkerPhones host 10.254.254.4 object-group TeleworkerPhones
access-list Outside_access_in extended permit tcp any host 10.254.254.4 object-group TeleworkerPhonesTCP
access-list Outside_access_in extended permit udp any host 10.254.254.2 eq isakmp
access-list Outside_access_in extended permit esp any host 10.254.254.2
access-list Outside_access_in extended permit udp any host 10.254.254.2 eq 4500
access-list Outside_access_in extended permit tcp any any eq ssh
access-list Outside_access_in extended permit tcp any host 10.254.254.3 eq 2598
access-list DMZ_access_in extended permit tcp host 10.0.3.2 any
access-list IPS extended permit ip any any
access-list Inside-Default_access_in extended permit ip any any
access-list DMZ_access_in_1 extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list Inside-PhoneSubnet_access_in extended permit ip any any
access-list Inside-Default_access_in_1 extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list Inside-PhoneSubnet_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Inside-PhoneSubnet_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list Inside-PhoneSubnet_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list ICMP_Traffic extended permit icmp any any
access-list Ouside_access_in extended permit tcp any host 10.254.254.4 object-group TeleworkerPhonesTCP
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.50.50.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging mail errors
logging from-address cisco@corbinselectric.com
logging recipient-address r.gruver@corbinselectric.com level alerts
mtu Outside 1500
mtu DMZ 1500
mtu management 1500
mtu Inside 1500
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (management) 0 access-list management_nat0_outbound
static (Inside,Outside) tcp interface smtp 10.0.0.220 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 10.0.0.212 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.220 www netmask 255.255.255.255
static (Inside,Outside) tcp 10.254.254.3 www 10.0.0.200 www netmask 255.255.255.255
static (Inside,Outside) tcp 10.254.254.3 citrix-ica 10.0.0.200 citrix-ica netmask 255.255.255.255
static (Inside,Outside) tcp 10.254.254.3 2598 10.0.0.200 2598 netmask 255.255.255.255
static (DMZ,Outside) 10.254.254.4 10.0.3.2 netmask 255.255.255.255
static (DMZ,Inside) 67.x.x.x 10.0.3.2 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in_1 in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 10.254.254.1 1
route Inside 10.0.0.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.1.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.2.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.10.0 255.255.255.0 10.254.253.2 2
route Inside 10.0.11.0 255.255.255.0 10.254.253.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 207.119.95.19
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 86400
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 207.x.x.x type ipsec-l2l
tunnel-group 207.x.x.x ipsec-attributes
pre-shared-key *
telnet 192.168.1.0 255.255.255.0 management
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map IPS
match any
!
!
policy-map IPS
description IPS usage
class IPS
ips inline fail-open
!
service-policy IPS interface Outside
ntp server 10.0.0.212 prefer
smtp-server 10.0.0.220
prompt hostname context
Cryptochecksum:2423bcd863728483abb92cd72804415e
: end
ciscoasa# $
ASKER CERTIFIED SOLUTION
ASKER
lrmoore -
I agree, it's ugly and hard to parse through. I'm the poor slob trying to get things to work with it though :)
If I understand you correctly you're suggesting obtaining an additional public IP range, applying it to the outside interface on the Router, apply the 65.x.x.x/28 subnet to the inside interface on the router and outside interface on the ASA?
This is the way I've done this in other locations and it works well. Just want to be sure I'm understanding you correctly.
Exactly. All you need is a /30 for the T1 interface
You could try using ip unnumbered on the serial and still put the 65.x.x.x on the LAN and ASA, but a dedicated IP is better. Unnumbered example:
interface serial 0/1/0
no ip nat outside
ip unnumbered fast 0/0
interface fast 0/0
ip address 65.x.x.x 255.255.255.248
no ip nat inside
ASKER
Gents,
Thanks again. I'm going to go ahead and award points to both respondents, a few more to lrmoore but his comments were more applicable to the situation.
I'm not local to this client so am going to have to work out a time when he can be on site after hours with a laptop/cellular card so I can make the config changes remotely or arrange travel to the site (their dime). It may be up to a week before I'll get this done but I'm confident that one of the solutions will work.
Thanks again!
Thanks! Post back to let us know how you get on...
ASKER
Thanks for replying. I'll try changing the static NAT map on the router so that it points to the IP address of the interface on the ASA which connects to the router.
Inside the ASA there are several different internal networks. I only need to encapsulate/encrypt one of them in the VPN tunnel.
The IP networks look like this:
ASA - Router side: 10.254.254.x
ASA - LAN Side: 10.254.253.x
LAN: 10.0.0.x, 10.0.1.x, 10.0.2.x, 10.0.3.x
Static routes in the ASA take care of routing the LAN network into the ASA LAN side.
I only need the 10.0.0.x network to pass through the VPN tunnel. Do I write the VPN ACL to allow traffic from 10.0.0.x to my remote end 10.50.50.x or from the ASA LAN side (10.254.253.x to 10.50.50.x)?
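The two questions this thread turns on (which IKE identity the ASA presents through the router's static NAT, which is what the RV042 log is rejecting, and which local network the crypto ACL and NAT exemption have to name) can be checked mechanically from the posted configs. The Python below is an added example, not code from the thread or from Cisco: it parses the handful of relevant lines from constructed excerpts of the router and ASA 7.2 configs above and reports what they will actually do. The public addresses are RFC 5737 documentation ranges standing in for the sanitized values (192.0.2.10 for the 67.x.x.x static, 198.51.100.19 for the 207.x.x.x peer); the function names and the `audit` report format are this example's own.

```python
"""Audit an ASA L2L IPsec peer behind a static NAT on an IOS router (constructed
example for this thread; RFC 5737 addresses stand in for the sanitized publics)."""
import re
from ipaddress import ip_network

# Constructed excerpt of the router config posted above, placeholder publics.
ROUTER_CFG = """\
interface FastEthernet0/0
 ip address 10.254.254.1 255.255.255.0
 ip nat inside
ip nat inside source static 10.254.254.2 192.0.2.10 extendable
"""

# Constructed excerpt of the ASA 7.2 config posted above, placeholder peer.
ASA_CFG = """\
interface Ethernet0/0
 nameif Outside
 ip address 10.254.254.2 255.255.255.0
interface Ethernet0/1
 nameif Inside
 ip address 10.254.253.1 255.255.255.0
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.50.50.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
route Inside 10.0.0.0 255.255.255.0 10.254.253.2 1
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 198.51.100.19
crypto map Outside_map interface Outside
crypto isakmp identity address
"""


def parse_router_static_nats(cfg):
    """Map inside-local -> inside-global from 'ip nat inside source static' lines."""
    return dict(re.findall(r"^ip nat inside source static (\S+) (\S+)", cfg, re.M))


def parse_asa(cfg):
    """Collect interfaces, network ACL entries, nat 0 bindings, routes and crypto settings."""
    asa = {"interfaces": {}, "acls": {}, "nat0": {}, "routes": [], "crypto": {}}
    name = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith(" "):  # interface sub-command
            if line.startswith("nameif "):
                name = line.split()[1]
            elif line.startswith("ip address "):
                _, _, ip, mask = line.split()
                asa["interfaces"][name] = (ip, ip_network(f"{ip}/{mask}", strict=False))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acl, src, smask, dst, dmask = m.groups()
            asa["acls"].setdefault(acl, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            asa["nat0"][m.group(1)] = m.group(2)
        elif m := re.match(r"route (\S+) (\S+) (\S+) ", line):
            asa["routes"].append((m.group(1), ip_network(f"{m.group(2)}/{m.group(3)}")))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            asa["crypto"]["match_address"] = m.group(1)
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            asa["crypto"]["interface"] = m.group(1)
        elif m := re.match(r"crypto isakmp identity (\S+)", line):
            asa["crypto"]["identity"] = m.group(1)
    return asa


def presented_ike_id(asa, nats):
    """With 'crypto isakmp identity address' (assumed here) the ASA puts its crypto-map
    interface address in the encrypted ID payload; the router's static NAT rewrites only
    the outer IP header, so the peer sees a public source but a private ID."""
    local_ip = asa["interfaces"][asa["crypto"]["interface"]][0]
    return {"id_payload": local_ip, "outer_source": nats.get(local_ip, local_ip)}


def interface_for(asa, net):
    """Interface that reaches 'net': connected subnets first, then the most specific route."""
    for name, (_, connected) in asa["interfaces"].items():
        if net.subnet_of(connected):
            return name
    routes = [(r.prefixlen, iface) for iface, r in asa["routes"] if net.subnet_of(r)]
    return max(routes)[1] if routes else None


def audit(router_cfg, asa_cfg, local_net, remote_net, remote_expects_id=None):
    """Findings for one local/remote pair; an empty list means the design is consistent."""
    nats, asa = parse_router_static_nats(router_cfg), parse_asa(asa_cfg)
    local_net, remote_net = ip_network(local_net), ip_network(remote_net)
    findings, ids = [], presented_ike_id(asa, nats)
    expected = remote_expects_id or ids["outer_source"]  # peer normally wants what it sees
    if ids["id_payload"] != expected:
        findings.append(f"IKE ID mismatch: ASA declares {ids['id_payload']}, peer requires "
                        f"{expected} (packets arrive from {ids['outer_source']})")
    if (local_net, remote_net) not in asa["acls"].get(asa["crypto"].get("match_address"), []):
        findings.append(f"crypto ACL lacks 'permit ip {local_net} {remote_net}'")
    iface = interface_for(asa, local_net)  # where the local network really lives
    if (local_net, remote_net) not in asa["acls"].get(asa["nat0"].get(iface), []):
        findings.append(f"no nat 0 exemption for {local_net} -> {remote_net} on '{iface}' "
                        f"(nat 0 is bound to: {', '.join(sorted(asa['nat0'])) or 'nothing'})")
    return findings
```

Run as `audit(ROUTER_CFG, ASA_CFG, "10.0.0.0/24", "10.50.50.0/24")` it reports two things. First, the ID the ASA declares is 10.254.254.2 while a peer configured with the NAT'ed public expects that public, which is exactly the RV042's "We require peer to have ID" line; the static NAT on the router does not change that, because the ID payload is not part of the outer header. Second, the posted nat 0 exemption for 10.0.0.0/24 to 10.50.50.0/24 is bound to the management interface, while 10.0.0.0/24 is reached via Inside. With nat-control off (the 7.2 default, and it is not enabled in the posted config) a missing exemption does not by itself block the traffic, so treat that one as a consistency warning rather than a certain break. Naming the ASA's own LAN-side subnet (10.254.253.0/24) instead of 10.0.0.0/24 as the local network produces a third finding, since the crypto ACL names 10.0.0.0/24, which is the answer to the question above. Passing `remote_expects_id="10.254.254.2"` models a peer told to accept the private address as the ID; readdressing the ASA's Outside with the public /29, as lrmoore suggests above, makes the two addresses the same and removes the mismatch at its source.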