[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 324
  • Last Modified:

Site-to-site | possible routing issue?

I have a site to site tunnel between my house and work.
 My house is 192.168.3.0/24.  Work is 172.16.1.0/24, 172.16.10.0/24 and 172.16.101.0/24

Interesting traffic in my pix is defined as 192.168.3.0------------->172.16.0.0/16

I am terminating at an ASA5505 (172.16.101.0/24)

Problems:
1. I can not initiate the tunnel. Work has to do it

2. Even with the tunnel established, I cannot access 172.16.10.60/24. I can only access the 172.16.101.0/24 network (where I terminate)

Any ideas?
HOME:
 
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password uCC7HvYx68qN0nG5 encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
domain-name chpk.cpk.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
access-list split_tunnel_acl permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz permit icmp any any echo-reply
pager lines 24
logging on
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.50.10-192.168.50.13 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 192.168.3.130 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 192.168.3.131 9090 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
access-group outside-to-inside in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.150.145.225
crypto map mymap 88 set transform-set aesmap
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 75.150.145.225 netmask 255.255.255.255 no-xauth
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup family address-pool vpn-pool
vpngroup family split-tunnel split_tunnel_acl
vpngroup family idle-time 14400
vpngroup family password ********
vpngroup password idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
username ryan password wo854658/NDCLO encrypted privilege 15
 
terminal width 80
Cryptochecksum:e8b11d03a9160c5a61d25d59c5227949
: end

Open in new window

0
dissolved
Asked:
dissolved
  • 4
  • 3
1 Solution
 
dissolvedAuthor Commented:
My boss suggested that I apply my "ipsec" ACL  INBOUND on my inside interface. I did this and I still could not initiate the tunnel. I also could not get out to the internet when I had the "ipsec ACL applied to my inside interface (in the INBOUND direction)

Whats going on with this?
0
 
JFrederick29Commented:
Your config looks fine.

Any chance we can see the Work side config?
0
 
dissolvedAuthor Commented:
Cool. So the "ipsec" ACL does not need to be applied to an interface via the access-group command?  Just want to be sure. I figured the "ipsec' ACL is only used as a reference point for defining interesting traffic

I don't have access to the work side right now, as we have a memory leak in that asa and it's at a remote site. But it looks like below (all from my memory)

I can ping the 172.16.101.0/24 network fine. Its the 172.16.1.0/24 and 172.16.10.0/24 I cannot communicate with> i also cannot initiate the tunnel, it has to be on their end.

I should note:  The 172.16.10.0/24 network can ping me and get a response. Just not the other way around. I will try to get the actual config later today.



object-group network HQ
network 172.16.1.0
network 172.16.10.0
network 172.16.101.0
 
object-group test
network 192.168.3.0
 
 
route outside 192.168.3.0  255.255.255.0  75.150.145.1
access-list test_acl extended permit ip object-group network HQ object-group test
access-list nonat extended permit ip object-group network HQ object-group test

Open in new window

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
JFrederick29Commented:
>So the "ipsec" ACL does not need to be applied to an interface via the access-group command?  Just want to be sure. I figured the "ipsec' ACL is only used as a reference point for defining interesting traffic
Correct.

The access-lists need to be exact mirrors so your ASA "ipsec" access-list should look like this based on the work "test_acl".

access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.101.0 255.255.255.0
no access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
0
 
dissolvedAuthor Commented:
I see. So instead of having ACLs like 172.16.0.0/16 (to cover 3 of the company's networks).............I should do each one individually
0
 
JFrederick29Commented:
Well, the key is that they match on both ends which currently they do not.  You can use 172.16.0.0/16 as long as both ends are changed to match.  Your end had the /16 and the work end had 3 /24's which won't work.
0
 
dissolvedAuthor Commented:
J, can you check this out? I am still having issues. Now I cannot ping anything. Once when I did have the tunnel established (last week), I could ping two out of 2 of the corporate networks. I need to access to all 3. Thank you in advance

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24356225.html
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now