Cisco ASA 5505 routes VPN traffic bound to the internet

asktech asked:
I have a Cisco ASA 5505 being used as a VPN router. This unit was set up by the previous IT staff and has working routes already in place. I tried adding the new subnet to the object group and to the ACL, which did not pass traffic through the VPN but rather the internet. Please help.
Ernie Beek (Netherlands):
Could you show us a sanitized config?
Oh, and the range that needs to be added?
asktech (asker):
interface Vlan10
 description Internal VPN Subnet
 nameif inside
 security-level 100
 ip address 74.X.X.161 255.255.255.248
!
interface Vlan20
 description External VPN Subnet
 nameif outside
 security-level 0
 ip address 66.X.X.134 255.255.255.248
!
interface Vlan30
 description Private Network
 no forward interface Vlan10
 nameif private
 security-level 100
 ip address 10.X.X.2 255.255.255.0
!
interface Ethernet0/0
 description External Firewall (66.X.X.134)
 switchport access vlan 20
!
interface Ethernet0/1
 description Internal M Server
 switchport access vlan 10
!
interface Ethernet0/2
 description Internal M Server
 switchport access vlan 10
!
interface Ethernet0/3
 description Testing VPN
 switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
 description Cisco ASA Management Interface
 switchport access vlan 30
!
interface Ethernet0/6
 description ASA PoE Port
!
interface Ethernet0/7
 description ASA PoE Port
!
banner exec        UNAUTHORIZED ACCESS PROHIBITED
banner exec         ------------------------------
banner exec
banner exec You are attempting to access a private device.  If you are
banner exec not authorized to access this device, please disconnect
banner exec immediately.
banner exec
banner exec All access attempts are monitored and recorded.  In the event
banner exec non-authorized access is attempted or obtained, those
banner exec persons will be subject to and prosecuted to the fullest
banner exec extent of the law.
banner exec
banner exec Thank you.
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DNS_Servers
 range 4.2.2.2 4.2.2.3
object network NETWORK_OBJ_74.X.X.160_29
 subnet 74.X.X.160 255.255.255.248
object network local_VPN
 host 74.X.X.165
object-group network CT
 description HTTPS/C traffic (routes from VPN)
 network-object 207.X.X.46 255.255.255.255
 network-object 207.X.X.27 255.255.255.255
 network-object 207.X.X.112 255.255.255.255
 network-object 207.X.X.28 255.255.255.255
 network-object 207.X.X.0 255.255.255.0
 network-object 207.X.X.0 255.255.255.0
 network-object 207.X.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.254.0
 network-object 144.229.X.0 255.255.254.0
 network-object 144.226.X.0 255.255.252.0

object-group service CT tcp
 port-object eq www
 port-object eq https
 port-object eq c-ica
 port-object eq 2598
object-group service HTTP-S tcp
 port-object eq www
 port-object eq https
 port-object eq 444
object-group service SSH tcp
 port-object eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object 144.226.X.0 255.255.0.0
 network-object 207.X.X.0 255.255.0.0
object-group network VPN
 network-object 144.226.X.0 255.255.0.0
 network-object 207.X.X.0 255.255.0.0
 network-object 144.229.X.0 255.255.254.0
object-group network PRIVATE
 network-object 10.X.X.0 255.255.255.0
object-group network OUTSIDE
 network-object 66.X.X.128 255.255.255.248
object-group network INSIDE
 network-object 74.X.X.160 255.255.255.248
access-list 100 extended permit ip host 74.X.X.161 host 207.X.X.5
access-list outside_1_cryptomap extended permit ip 74.X.X.160 255.255.255.248 207.X.X.0 255.255.0.0
access-list outside_1_cryptomap extended deny ip 74.X.X.160 255.255.255.248 144.226.X.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 74.X.X.160 255.255.255.248 144.229.X.0 255.255.254.0
access-list global_access remark Permit ICMP from internal sites to any remote sites.
access-list global_access extended permit icmp 74.X.X.160 255.255.255.248 any
access-list global_access remark Allow servers to do UDP DNS requests
access-list global_access extended permit udp 74.X.X.160 255.255.255.248 any eq domain
access-list global_access remark Global Testing
access-list global_access extended permit ip any any
access-list global_access extended permit icmp interface inside any
access-list global_access remark Permit ICMP from internal sites to any remote sites.
access-list global_access remark Allow servers to do UDP DNS requests
access-list global_access remark Global Testing
access-list 102 extended permit ip host 74.X.X.161 host 207.X.X.5
access-list 102 extended permit ip host 207.X.X.5 host 74.X.X.161
access-list private_access_in extended permit ip any 144.229.X.0 255.255.254.0
pager lines 24
logging enable

mtu inside 1500
mtu outside 1500
mtu private 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (private,outside) source static PRIVATE local_VPN destination static VPN VPN
access-group private_access_in in interface private
access-group global_access global
!
route-map SNO permit 10
!
route outside 0.0.0.0 0.0.0.0 66.X.X.129 1
route inside 10.X.X.0 255.255.255.0 10.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.X.X.0 255.255.255.0 private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map SNO 1 match address outside_1_cryptomap
crypto map SNO 1 set peer 207.X.X.5
crypto map SNO 1 set transform-set ESP-3DES-SHA
crypto map SNO interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh 10.X.X.0 255.255.255.0 private
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 207.X.X.205
ntp server 207.X.X.204
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
tunnel-group DefaultL2LGroup ipsec-attributes


tunnel-group 207.X.X.5 type ipsec-l2l
tunnel-group 207.X.X.5 ipsec-attributes
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
: end

asktech (asker):
The subnet network-object 144.229.X.0 255.255.254.0 is the newly added subnet that is not routing through the VPN tunnel.
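The posted config has three places that must all agree before a private-side flow is encrypted: the manual NAT rule (private,outside), which rewrites the source to local_VPN only when the destination is in object-group VPN; the crypto map ACL outside_1_cryptomap, which on ASA 8.3+ is evaluated against the post-NAT addresses and is first-match (note the explicit deny for 144.226.X.0/16 sitting between two permits); and, because global_access permits ip any any, the fact that a flow missing the crypto ACL is not dropped but forwarded to the default gateway 66.X.X.129 in the clear, which is the symptom the question describes. The model below is an added example, not code from the thread or from Cisco: it reproduces that evaluation order offline for the objects in the pasted config, with the sanitized X octets filled with 0 (an assumption) and the many-to-one static source NAT modelled as a rewrite to the single local_VPN host. For the pasted config it classifies 10.X.X.x to 144.229.X.x as "tunnel", so the divergence on the real box has to be found by comparing each stage here with what the device actually does.

```python
"""Offline model of how the posted ASA 8.3+ config classifies a flow:
manual (twice) NAT first, then the crypto map ACL on the outside
interface, first match wins.  Sanitized 'X' octets -> 0 (assumption)."""
import ipaddress
from dataclasses import dataclass

net = lambda s: ipaddress.ip_network(s, strict=False)
addr = ipaddress.ip_address

# Objects from the posted config (X replaced with 0; assumption for the example).
PRIVATE = [net("10.0.0.0/24")]                 # object-group network PRIVATE
LOCAL_VPN = addr("74.0.0.165")                 # object network local_VPN
VPN = [net("144.226.0.0/16"),                  # object-group network VPN
       net("207.0.0.0/16"),
       net("144.229.0.0/23")]                  # the newly added subnet
DEFAULT_GW = addr("66.0.0.129")                # route outside 0.0.0.0 0.0.0.0 66.X.X.129


@dataclass(frozen=True)
class Ace:
    action: str                                # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# access-list outside_1_cryptomap, in running-config order (order matters).
CRYPTO_ACL = [
    Ace("permit", net("74.0.0.160/29"), net("207.0.0.0/16")),
    Ace("deny",   net("74.0.0.160/29"), net("144.226.0.0/16")),
    Ace("permit", net("74.0.0.160/29"), net("144.229.0.0/23")),
]


def in_any(ip, nets):
    return any(ip in n for n in nets)


def first_match(acl, src, dst):
    """ASA ACLs are first-match; None means the implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace
    return None


def apply_nat(ingress, src, dst):
    """nat (private,outside) source static PRIVATE local_VPN destination static VPN VPN
    Only flows entering 'private' are candidates.  The many-to-one static source
    mapping is modelled as a rewrite to the single local_VPN host; the destination
    side is identity NAT.  Returns (post_nat_src, post_nat_dst, rule_hit)."""
    if ingress == "private" and in_any(src, PRIVATE) and in_any(dst, VPN):
        return LOCAL_VPN, dst, True
    return src, dst, False


def classify(ingress, src, dst):
    """Return what the modelled ASA does with one flow: NAT hit, post-NAT source,
    and whether it is encrypted or leaves the outside interface in the clear."""
    src, dst = addr(src), addr(dst)
    nat_src, nat_dst, hit = apply_nat(ingress, src, dst)
    # On 8.3+ the crypto ACL sees the *post-NAT* addresses, so the real 10.x
    # source can never match an ACE written for 74.x; the NAT must fire first.
    ace = first_match(CRYPTO_ACL, nat_src, nat_dst)
    if ace is not None and ace.action == "permit":
        path = "tunnel"
    elif ace is None:
        # global_access permits ip any any, so a miss is forwarded, not dropped.
        path = "clear (no crypto ACL match; forwarded to %s unencrypted)" % DEFAULT_GW
    else:
        path = "clear (explicit deny in crypto ACL; forwarded to %s unencrypted)" % DEFAULT_GW
    return {"nat_hit": hit, "post_nat_src": str(nat_src), "path": path}


if __name__ == "__main__":
    # Constructed sample flows: the new subnet, the explicitly denied one,
    # plain internet, and an inside-side host using the first ACE.
    for flow in [("private", "10.0.0.10", "144.229.0.10"),
                 ("private", "10.0.0.10", "144.226.0.10"),
                 ("private", "10.0.0.10", "8.8.8.8"),
                 ("inside", "74.0.0.161", "207.0.0.5")]:
        print(flow, "->", classify(*flow))
```

The second sample flow is the one to keep in mind when editing this ACL: a flow that the NAT rule does translate but the crypto ACL then denies is not blocked, it is sent to 66.X.X.129 with the mapped 74.X.X.165 source and no encryption. Any ACE added below an existing deny is shadowed for the addresses that deny covers.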
ASKER CERTIFIED SOLUTION
MikeKane (United States of America)
This solution is only available to members.
@MikeKane: Me too but it looks like it's there (static policy nat): nat (private,outside) source static PRIVATE local_VPN destination static VPN VPN

As per the Cisco 8.3 migration guide:

Old Configuration

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1

Migrated Configuration

object network obj-10.1.2.27
 host 10.1.2.27
object network obj-209.165.202.129
 host 209.165.202.129
object network obj-10.76.5.0
 subnet 10.76.5.0 255.255.255.224

nat (inside,outside) source static obj-10.1.2.27 obj-209.165.202.129 destination static obj-10.76.5.0 obj-10.76.5.0
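With the policy NAT present in the pasted config, the useful next step is to check on the ASA itself that each stage (running config, NAT rule, crypto ACL, IPsec SA) actually sees the new subnet, rather than reasoning from the pasted copy. The commands below are an added example and not part of the thread; the sanitized X octets are left as in the post and must be replaced with the real values, and the 10.X.X.10 host, port 40000 and port 443 in the packet-tracer line are chosen for illustration.

```cisco
! Stage 1: what the running config really contains (not the pasted copy)
show running-config object-group id VPN
show running-config access-list outside_1_cryptomap
show running-config nat
! Stage 2: hit counters. An ACE for 144.229.X.0 with hitcnt=0, or the
! (private,outside) rule with translate_hits = 0, means the box never
! classifies the flow the way the config reads.
show access-list outside_1_cryptomap
show nat detail
! Stage 3: trace one synthetic packet from a private host to the new subnet.
! In the output look for a NAT phase with
!   Static translate 10.X.X.10/40000 to 74.X.X.165/40000
! followed by a phase "Type: VPN  Subtype: encrypt  Result: ALLOW".
! If the VPN phase is absent and the route phase points at 66.X.X.129,
! the packet is leaving the outside interface unencrypted.
packet-tracer input private tcp 10.X.X.10 40000 144.229.X.10 443 detailed
! Stage 4: is there a child SA for the new proxy identity?  Expect an entry with
!   local ident  74.X.X.160/255.255.255.248
!   remote ident 144.229.X.0/255.255.254.0
! and a non-zero "#pkts encaps".  No such SA after sending traffic usually
! means the peer at 207.X.X.5 did not accept the proposal: its mirror ACL
! must list the new subnet as well.
show crypto isakmp sa
show crypto ipsec sa peer 207.X.X.5
! Stage 5: if the SA never comes up, watch the negotiation while generating
! traffic (noisy on a production 5505; turn it off as soon as you have the reason).
debug crypto ipsec 7
debug crypto isakmp 7
undebug all
```

The packet-tracer result is the one to trust: it is evaluated by the same code path as live traffic, so if it shows the flow being routed to 66.X.X.129 without an encrypt phase, the pasted ACL and object group are not what is in effect, or the NAT rule is not being hit for that source and destination pair.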
SOLUTION
This solution is only available to members.
Hmmm, tapping too fast on post :(
asktech (asker):
Ernie,

What confuses me is that all other tunnels route fine. I added the 144.229.X.X to the same object groups and added them to the ACL. Are there any additional tasks that need to be done in order to make the traffic route?