• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312
  • Last Modified:

Cisco ASA 5505 routes VPN traffic bound to the internet

I have a Cisco ASA 5505 being used as a VPN router. This unit was setup by the previous IT staff and has working routes already in place. I tried adding the new subnet to the object group and to the ACL which did not pass traffic through the VPN but rather the internet. Please help.
0
asktech
Asked:
asktech
  • 4
  • 3
2 Solutions
 
Ernie BeekCommented:
Could you show us a sanitized config?
Oh, and the range that needs to be added?
0
 
asktechAuthor Commented:
interface Vlan10
 description Internal VPN Subnet
 nameif inside
 security-level 100
 ip address 74.X.X.161 255.255.255.248
!
interface Vlan20
 description External VPN Subnet
 nameif outside
 security-level 0
 ip address 66.X.X.134 255.255.255.248
!
interface Vlan30
 description Private Network
 no forward interface Vlan10
 nameif private
 security-level 100
 ip address 10.X.X.2 255.255.255.0
!
interface Ethernet0/0
 description External Firewall (66.X.X.134)
 switchport access vlan 20
!
interface Ethernet0/1
 description Internal M Server
 switchport access vlan 10
!
interface Ethernet0/2
 description Internal M Server
 switchport access vlan 10
!
interface Ethernet0/3
 description Testing VPN
 switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
 description Cisco ASA Management Interface
 switchport access vlan 30
!
interface Ethernet0/6
 description ASA PoE Port
!
interface Ethernet0/7
 description ASA PoE Port
!
banner exec        UNAUTHORIZED ACCESS PROHIBITED
banner exec         ------------------------------
banner exec
banner exec You are attempting to access a private device.  If you are
banner exec not authorized to access this device, please disconnect
banner exec immediately.
banner exec
banner exec All access attempts are monitored and recorded.  In the event
banner exec non-authorized access is attempted or obtained, those
banner exec persons will be subject to and prosecuted to the fullest
banner exec extent of the law.
banner exec
banner exec Thank you.
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DNS_Servers
 range 4.2.2.2 4.2.2.3
object network NETWORK_OBJ_74.X.X.160_29
 subnet 74.X.X.160 255.255.255.248
object network local_VPN
 host 74.X.X.165
object-group network CT
 description HTTPS/C traffic (routes from VPN)
 network-object 207.X.X.46 255.255.255.255
 network-object 207.X.X.27 255.255.255.255
 network-object 207.X.X.112 255.255.255.255
 network-object 207.X.X.28 255.255.255.255
 network-object 207.X.X.0 255.255.255.0
 network-object 207.X.X.0 255.255.255.0
 network-object 207.X.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.255.0
 network-object 144.226.X.0 255.255.254.0
 network-object 144.229.X.0 255.255.254.0
 network-object 144.226.X.0 255.255.252.0

object-group service CT tcp
 port-object eq www
 port-object eq https
 port-object eq c-ica
 port-object eq 2598
object-group service HTTP-S tcp
 port-object eq www
 port-object eq https
 port-object eq 444
object-group service SSH tcp
 port-object eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object 144.226.X.0 255.255.0.0
 network-object 207.X.X.0 255.255.0.0
object-group network VPN
 network-object 144.226.X.0 255.255.0.0
 network-object 207.X.X.0 255.255.0.0
 network-object 144.229.X.0 255.255.254.0
object-group network PRIVATE
 network-object 10.X.X.0 255.255.255.0
object-group network OUTSIDE
 network-object 66.X.X.128 255.255.255.248
object-group network INSIDE
 network-object 74.X.X.160 255.255.255.248
access-list 100 extended permit ip host 74.X.X.161 host 207.X.X.5
access-list outside_1_cryptomap extended permit ip 74.X.X.160 255.255.255.248 207.X.X.0 255.255.0.0
access-list outside_1_cryptomap extended deny ip 74.X.X.160 255.255.255.248 144.226.X.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 74.X.X.160 255.255.255.248 144.229.X.0 255.255.254.0
access-list global_access remark Permit ICMP from internal sites to any remote sites.
access-list global_access extended permit icmp 74.X.X.160 255.255.255.248 any
access-list global_access remark Allow servers to do UDP DNS requests
access-list global_access extended permit udp 74.X.X.160 255.255.255.248 any eq domain
access-list global_access remark Global Testing
access-list global_access extended permit ip any any
access-list global_access extended permit icmp interface inside any
access-list global_access remark Permit ICMP from internal sites to any remote sites.
access-list global_access remark Allow servers to do UDP DNS requests
access-list global_access remark Global Testing
access-list 102 extended permit ip host 74.X.X.161 host 207.X.X.5
access-list 102 extended permit ip host 207.X.X.5 host 74.X.X.161
access-list private_access_in extended permit ip any 144.229.X.0 255.255.254.0
pager lines 24
logging enable

mtu inside 1500
mtu outside 1500
mtu private 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (private,outside) source static PRIVATE local_VPN destination static VPN VPN
access-group private_access_in in interface private
access-group global_access global
!
route-map SNO permit 10
!
route outside 0.0.0.0 0.0.0.0 66.X.X.129 1
route inside 10.X.X.0 255.255.255.0 10.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.X.X.0 255.255.255.0 private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map SNO 1 match address outside_1_cryptomap
crypto map SNO 1 set peer 207.X.X.5
crypto map SNO 1 set transform-set ESP-3DES-SHA
crypto map SNO interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh 10.X.X.0 255.255.255.0 private
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 207.X.X.205
ntp server 207.X.X.204
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
tunnel-group DefaultL2LGroup ipsec-attributes


tunnel-group 207.X.X.5 type ipsec-l2l
tunnel-group 207.X.X.5 ipsec-attributes
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
: end
no asdm history enable

0
 
asktechAuthor Commented:
The subnet network-object 144.229.X.0 255.255.254.0 is the newly added subnet that is not routing through the VPN tunnel.
0
Exciting career futures for women in IT

Education has the power to transform lives and open the door to new career opportunities. By earning an IT degree from WGU, you can become a highly skilled IT professional. Get the credentials and certifications you need to become a leader in this rewarding field.  

 
MikeKaneCommented:
I'm still getting used the new command structure, but it looks like you are missing a nonat for the 144.229.x.0 subnet.  
0
 
Ernie BeekCommented:
@MikeKane: Me too but it looks like it's there (static policy nat): nat (private,outside) source static PRIVATE local_VPN destination static VPN VPN

As by the Cisco 8.3 migration guide:

Old Configuration

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1

Migrated Configuration

object network obj-10.1.2.27
host 10.1.2.27
object network obj-209.165.202.129
host 209.165.202.129
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224

nat (inside,outside) source static obj-10.1.2.27 obj-209.165.202.129 destination static obj-10.76.5.0 obj-10.76.5.0
0
 
Ernie BeekCommented:
@MikeKane: Me too but it looks like it's there (static policy nat): nat (private,outside) source static PRIVATE local_VPN destination static VPN VPN

As by the Cisco 8.3 migration guide:

Old Configuration

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1

Migrated Configuration

object network obj-10.1.2.27
host 10.1.2.27
object network obj-209.165.202.129
host 209.165.202.129
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224

nat (inside,outside) source static obj-10.1.2.27 obj-209.165.202.129 destination static obj-10.76.5.0 obj-10.76.5.0
0
 
Ernie BeekCommented:
Hmmm, tapping too fast on post :(
0
 
asktechAuthor Commented:
Ernie,

What confuses me is that all other tunnels route fine. I added the 144.229.X.X to the same object groups and added them to the ACL. Are there any additional tasks that need to be done in order to make the traffic route?
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now