ASA 5510 Configuration - Basic 1

RMurr34

Technical User
Sep 10, 2008
Hello Forum Members,

This is my first attempt at configuring an ASA device.
I have limited experience with the Pix 515E. I'm looking
for some experienced folks to look over my config and point
out anything that is incorrect. Any help would be greatly
appreciated. In particular, my ACLs and NAT entries.


WHAT I NEED

On my INSIDE interface my Exchange 2007 server will sit.
We only allow HTTPS access to it.

On my DMZ interface I have an FTP and Web Server. I need
to be able to allow site visitors to submit an email from
a page on the site.

I need a site-to-site VPN connection between two offices.


WHAT I'M EXPERIENCING

I have Internet connectivity from the inside.

I cannot connect via my site-to-site

I cannot get to my FTP or Web servers


MY CONFIGURATION


ASA Version 8.0(2)
!
hostname asa5510
domain-name my.domainname.com
enable password riBdCf1fnvp8w.If encrypted
names
name 76.191.xxx.xx PERIM-RTR
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 76.191.xxx.xx 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name my.domainname.com
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq ftp
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq 3389
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_dmz extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_dmz extended permit icmp any host 76.191.xxx.xx echo
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_inside extended permit tcp any host 76.191.xxx.xx eq https
access-list outside_access_inside extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_inside extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_inside extended permit icmp any host 76.191.xxx.xx echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.191.xxx.xx 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.191.xxx.xx 192.168.60.94 netmask 255.255.255.255
access-group inside_access_inside in interface outside
access-group outside_access_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 67.40.xxx.xxx
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username ggoasa password LfNpagedAlpUdogd encrypted
tunnel-group 67.40.xxx.xxx type ipsec-l2l
tunnel-group 67.40.xxx.xxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:4dd6ee8a34ae35600a3543496aaac949
: end
 
It looks like your tunnel is established to me. The one thing I notice is that your PIX is at MM_IDLE and your ASA is at MM_ACTIVE. Have you tried to ping your remote network using the inside interface of either the ASA or the PIX as the source? How is your topology set up? Do you use the PIX/ASA as the default gateway on your LANs, or do you have another device doing the routing? If you've made any changes to your configs, can you post the entire config again??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Okay, here's a really stupid question :)

How do I choose what interface to ping from?

Thanks for being patient and very helpful.
 
Do the following:
Code:
ASA# ping inside <ip of a host on the inside of the remote network>

 
Still no luck

dumdumium(config)# ping inside 192.168.10.94
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.94, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
dumdumium(config)# ping inside 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 
Well, half-way there. This is from the PIX side pinging the ASA side:

ununnilium(config)# ping inside 192.168.60.99
192.168.60.99 response received -- 30ms
192.168.60.99 response received -- 20ms
192.168.60.99 response received -- 20ms
ununnilium(config)# ping 192.168.60.1
192.168.60.1 NO response received -- 1000ms
192.168.60.1 NO response received -- 1000ms
192.168.60.1 NO response received -- 1000ms
ununnilium(config)# ping 192.168.60.99
192.168.60.99 NO response received -- 1000ms
192.168.60.99 NO response received -- 1000ms
192.168.60.99 NO response received -- 1000ms
 
On the ASA did you add that nat (inside) 0 statement??

As for the ping from the PIX to the ASA, you can see that since you used the inside interface as the source on the first ping, it worked, whereas the second ping to the same address without the inside keyword failed. That's because the traffic needs to be sourced from the network included in the ACL, and without the inside keyword it will use the outside interface as the source. By default you will not be able to ping the inside interface of the ASA from the PIX. You can if you add a command, but it's not necessarily needed.

So from the looks of it there is something wrong with either the ACL or the NAT 0 statement on the ASA, so if you can post a full scrubbed config one last time, I can have a look.

 
I feel we're getting close :)

Here's the config from the ASA

dumdumium# show config
: Saved
: Written by enable_15 at 11:56:09.274 PST Thu Dec 18 2008
!
ASA Version 8.0(2)
!
hostname dumdumium
domain-name mydomain.com
enable password riBdCf1fnvp8w.If encrypted
names
name 76.xxx.xxx.xx PERIM-RTR
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 76.xxx.xxx.xx 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name mydomain.com
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 101 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq ftp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq 3389
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq www
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq smtp
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq https
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq smtp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq www
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
icmp permit 192.168.61.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.xxx.xxx.xx 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.xxx.xxx.xx 192.168.60.94 netmask 255.255.255.255
static (dmz,outside) 76.xxx.xxx.xx 192.168.61.55 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 67.xxx.xxx.xx
crypto map newmap 10 set transform-set FirstSet
crypto map newmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username asa password LfNpagedAlpUdogd encrypted
tunnel-group 67.xxx.xxx.xx type ipsec-l2l
tunnel-group 67.xxx.xxx.xx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:674d105974f9b55619ab587a3acf82e5
 
Hmmm, everything looks fine in that config. Do this on the ASA:

- debug icmp and perform the ping inside 192.168.10.x. Post that output here
- Take a look through your logs to see if anything jumps out.
- Post contents of sh xlate. I want to make sure that the traffic is bypassing NAT

 
Here's SHOW XLATE

dumdumium(config)# sh xlate
9 in use, 244 most used
Global 192.168.10.0 Local 192.168.10.0
Global 192.168.20.0 Local 192.168.20.0
Global 192.168.30.0 Local 192.168.30.0
Global 192.168.40.0 Local 192.168.40.0
Global 192.168.50.0 Local 192.168.50.0
Global 192.168.60.0 Local 192.168.60.0
Global 76.xxx.xxx.xx Local 192.168.61.75
Global 76.xxx.xxx.xx Local 192.168.60.94
Global 76.xxx.xxx.xx Local 192.168.61.55

Here's DEBUG ICMP TRACE

dumdumium(config)# ping inside 19ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11011 seq =2337 len=32
ICMP echo request untranslating outside:76.xxx.xxx.xx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11011 seq=2337 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11011 seq=2338 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11011 seq=2338 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
dumdumium(config)# ping inside 192.168.10.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.40, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
dumdumium(config)# sh xlate
9 in use, 244 most used
Global 192.168.10.0 Local 192.168.10.0
Global 192.168.20.0 Local 192.168.20.0
Global 192.168.30.0 Local 192.168.30.0
Global 192.168.40.0 Local 192.168.40.0
Global 192.168.50.0 Local 192.168.50.0
Global 192.168.60.0 Local 192.168.60.0
Global 76.xxx.xxx Local 192.168.61.75
Global 76.xxx.xxx Local 192.168.60.94
Global 76.xxx.xxx Local 192.168.61.55
dumdumium(config)# ICMP echo request from outside:192.168.10.94 to inside:192.168.60.99 ID=512 seq=34742 len=32
ICMP echo reply from inside:192.168.60.99 to outside:192.168.10.94 ID=512 seq=34742 len=32
ICMP echo request from outside:192.168.10.94 to inside:192.168.60.99 ID=512 seq=34998 len=32
ICMP echo reply from inside:192.168.60.99 to outside:192.168.10.94 ID=512 seq=34998 len=32
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2343 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2343 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2344 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2344 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:67.188.208.23 to dmz:76.xxx.xxx ID=512 seq=12800 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:67.188.208.23 ID=512 seq=12800 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:67.188.208.23 to dmz:76.xxx.xxx ID=512 seq=13056 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:67.188.208.23 ID=512 seq=13056 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:67.188.208.23 to dmz:76.xxx.xxx ID=512 seq=13312 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:67.188.208.23 ID=512 seq=13312 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2345 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2345 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2346 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2346 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2347 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2347 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2348 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2348 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2349 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2349 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2350 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2350 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11044 seq=2351 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11044 seq=2351 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:68.166.96.90 to dmz:76.xxx.xxx ID=1852 seq=35637 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:68.166.96.90 ID=1852 seq=35637 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:68.166.96.90 to dmz:76.xxx.xxx ID=1852 seq=35893 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:68.166.96.90 ID=1852 seq=35893 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from outside:68.166.96.90 to dmz:76.xxx.xxx ID=1852 seq=36149 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:68.166.96.90 ID=1852 seq=36149 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
ICMP echo request from inside:192.168.60.99 to outside:192.168.10.40 ID=512 seq=32512 len=32
ICMP echo reply from outside:192.168.10.40 to inside:192.168.60.99 ID=512 seq=32512 len=32
ICMP echo request from inside:192.168.60.99 to outside:192.168.10.40 ID=512 seq=32768 len=32
ICMP echo reply from outside:192.168.10.40 to inside:192.168.60.99 ID=512 seq=32768 len=32
ICMP echo request from outside:192.168.10.40 to inside:192.168.60.99 ID=512 seq=30276 len=32
ICMP echo reply from inside:192.168.60.99 to outside:192.168.10.40 ID=512 seq=30276 len=32

dumdumium(config)# ping inside 192.168.10.94
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.94, timeout is 2 seconds:
???ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11076 seq=2356 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11076 seq=2356 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
??
Success rate is 0 percent (0/5)
dumdumium(config)# ICMP echo request from outside:128.107.248.220 to dmz:76.xxx.xxx ID=11076 seq=2357 len=32
ICMP echo request untranslating outside:76.xxx.xxx to dmz:192.168.61.55
ICMP echo reply from dmz:192.168.61.55 to outside:128.107.248.220 ID=11076 seq=2357 len=32
ICMP echo reply translating dmz:192.168.61.55 to outside:76.xxx.xxx
 
ICMP echo request from inside:192.168.60.99 to outside:192.168.10.40 ID=512 seq=32512 len=32
ICMP echo reply from outside:192.168.10.40 to inside:192.168.60.99 ID=512 seq=32512 len=32
ICMP echo request from inside:192.168.60.99 to outside:192.168.10.40 ID=512 seq=32768 len=32
ICMP echo reply from outside:192.168.10.40 to inside:192.168.60.99 ID=512 seq=32768 len=32
ICMP echo request from outside:192.168.10.40 to inside:192.168.60.99 ID=512 seq=30276 len=32
ICMP echo reply from inside:192.168.60.99 to outside:192.168.10.40 ID=512 seq=30276 len=32
So traffic is flowing from your .60 to your .10 network. It looks like you were successfully pinging from the .99 host to the .40 host; is this correct??

 
Here's what I get when I try to ping two of my servers and a workstation inside the .10

Sending 5, 100-byte ICMP Echos to 192.168.10.40, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
dumdumium(config)# ping inside 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
dumdumium(config)# ping inside 192.168.10.153
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.153, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 
Can you try from the 60.99 host to the .10.40 host?? This has got to work lol, everything looks good.

 
Good morning UncleRico,

I AM able to ping from my domain controller on the .60 to my domain controller on my .10!!

I can also RDP to the .60.99 server. This is great news.

So it looks like my tunnel is indeed up. Thank you sir!!!

Now, I need to set the tunnel up from all our other offices as well. That should be pretty simple now. I just need to follow your steps above and I'm sure it will work.

I'm also moving my Exchange server from the .10 into the .60. Looking at my config do you see anything that I'm missing that may cause me problems?

access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq www
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo

static (inside,outside) 76.xxx.xxx.xxx 192.168.60.94 netmask 255.255.255.255
 
That's fantastic news!!! I'm glad to be able to have helped you out.

As for your Exchange config, I would definitely configure SSL for OWA as opposed to just letting it use normal unencrypted web access. If you are comfortable with it the way it is, then the ACEs in your ACL look good, as does your static NAT statement.

 
Great point! I would have forgotten about SSL. I do have a cert through Thawte but I think my webmail host name is tied to that rather than by IP. But then again...
 
Actually, here's what I have for my Exch Server:

access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq https
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq smtp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq www
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
 
Looks good to me mayn!!! Now on to ruling the world right??

 
I'm trying to establish the tunnel from one of my remote offices now.
On one of the remote sites I get this when I run SH CRYPTO ISAKMP SA

Actinium(config)# sh crypto isakmp sa
Total : 5
Embryonic : 2
dst src state pending created
68.xxx.xxx.xx 76.xxx.xxx.xx MM_KEY_EXCH 0 0
68.xxx.xxx.xx 67.xxx.xxx.xx QM_IDLE 0 0
68.xxx.xxx.xx 67.xxx.xxx.xx QM_IDLE 0 0
66.xxx.xxx.xx 68.xxx.xxx.xx QM_IDLE 0 0

The same command on the ASA shows this:

dumdumium(config)# sho crypto isakmp sa

Active SA: 4
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1 IKE Peer: 66.xxx.xxx.xx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 67.xxx.xxx.xx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: 66.xxx.xxx.xx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
4 IKE Peer: 68.xxx.xxx.xx
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6



Here's my entries from the remote PIX:


access-list 110 permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit icmp any any
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list 120 permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 140 permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 150 permit ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 160 permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 67.xxx.xxx.xx
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 67.xxx.xxx.xx
crypto map newmap 20 set transform-set myset
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 140
crypto map newmap 40 set peer 66.xxx.xxx.xx
crypto map newmap 40 set transform-set myset
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address 150
crypto map newmap 50 set peer 99.xxx.xxx.xx
crypto map newmap 50 set transform-set myset
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address 160
crypto map newmap 60 set peer 76.xxx.xxx.xx
crypto map newmap 60 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 67.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 67.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 66.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 99.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 76.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400



Here are my entries from the ASA



access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 101 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq ftp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq 3389
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq www
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq smtp
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq https
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq smtp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xx eq www
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xx echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list 102 extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 103 extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 104 extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 105 extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
icmp permit 192.168.61.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.xxx.xxx.xx 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.xxx.xxx.xx 192.168.60.94 netmask 255.255.255.255
static (dmz,outside) 76.xxx.xxx.xx 192.168.61.55 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1

crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 67.xxx.xxx.xx
crypto map newmap 10 set transform-set FirstSet
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 67.xxx.xxx.xx
crypto map newmap 20 set transform-set FirstSet
crypto map newmap 30 match address 103
crypto map newmap 30 set peer 68.xxx.xxx.xx
crypto map newmap 30 set transform-set FirstSet
crypto map newmap 40 match address 104
crypto map newmap 40 set peer 66.xxx.xxx.xx
crypto map newmap 40 set transform-set FirstSet
crypto map newmap 50 match address 105
crypto map newmap 50 set peer 66.xxx.xxx.xx
crypto map newmap 50 set transform-set FirstSet
crypto map newmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

tunnel-group 67.xxx.xxx.xx type ipsec-l2l
tunnel-group 67.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 67.xxx.xxx.xx type ipsec-l2l
tunnel-group 67.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 66.xxx.xxx.xx type ipsec-l2l
tunnel-group 66.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 68.xxx.xxx.xx type ipsec-l2l
tunnel-group 68.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 66.xxx.xxx.xx type ipsec-l2l
tunnel-group 66.xxx.xxx.xx ipsec-attributes
pre-shared-key *
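A small checker for the kind of mismatch this thread chases, added here as an example and not part of the thread or of Cisco's tooling: it parses a pasted ASA 8.0 config and reports crypto map entries whose match ACL, transform-set or peer tunnel-group is never defined, and flags the DES/MD5/group 1 ISAKMP settings both configs above rely on. The sample config and its 203.0.113.x peers are constructed placeholders, not the poster's values.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the posted ASA 8.0 config (placeholder IPs, not the
# poster's). Entry 30 deliberately references an ACL, transform-set and peer that are
# never defined, so the check has something to report.
SAMPLE_CONFIG = """
access-list 101 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 203.0.113.10
crypto map newmap 10 set transform-set FirstSet
crypto map newmap 30 match address 103
crypto map newmap 30 set peer 203.0.113.30
crypto map newmap 30 set transform-set SecondSet
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
"""

def audit_crypto_map(config):
    """Cross-check every crypto map entry against the ACLs, transform-sets and
    ipsec-l2l tunnel-groups actually defined; also flag DES/MD5/group 1."""
    acls, tsets, tgroups, entries, findings = set(), set(), set(), defaultdict(dict), []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            tsets.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tgroups.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
        elif re.search(r"(encryption des|hash md5|group 1)$", line):
            findings.append(f"weak ISAKMP setting: {line}")  # matches both 'isakmp policy N x' and indented forms
    for (name, seq), a in sorted(entries.items()):
        if a.get("match address") not in acls:
            findings.append(f"crypto map {name} {seq}: ACL {a.get('match address')} is not defined")
        if a.get("set transform-set") not in tsets:
            findings.append(f"crypto map {name} {seq}: transform-set {a.get('set transform-set')} is not defined")
        if a.get("set peer") not in tgroups:
            findings.append(f"crypto map {name} {seq}: no ipsec-l2l tunnel-group for peer {a.get('set peer')}")
    return findings
```

A pre-shared-key mismatch like the one found in this thread is not visible from one side's config, so this catches only the structural errors; the key check still has to be done against the peer.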


 
Belay my last. Looks like I got the pre-share key wrong on one side. DOH!

Now my next challenge is to configure VPN access to my new site. Do you have any recommended documentation?
 
Are you referring to remote access VPN or more site-to-site stuff???

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 