captsnappy
Programmer
On our network we have a pair of PIX in failover mode and an ASA5505. The ASA is there solely for a VPN to a customer's site. Here's my crude network diagram.
DNS is handled by a server on the inside LAN at x.x.1.7.
There is only one person whose gateway is set to the ASA, that being the one person who needs access to the customer VPN. That one person cannot access the webserver that is in the DMZ of the PIXen from inside. He gets the correct IP address for the webserver (x.x.4.10) and can get to any other website on the internet.
I put a route statement in the ASA config in an attempt to correct this but it ain't workin'. Here's my ASA config:
vpnfirewall# show config
: Saved
!
ASA Version 8.2(1)
!
hostname vpnfirewall
domain-name mydomain.com
enable password * encrypted
passwd * encrypted
names
name x.x.10.0 VPNFarEnd
!
interface Vlan1
nameif inside
security-level 100
ip address x.x.1.16 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address y.y.y.148 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain MyDomain.com
access-list outside_cryptomap extended permit ip x.x.1.0 255.255.255.0 VPNFarEnd 255.255.255.0
access-list acl_inside extended permit ip any any
access-list acl_out extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip x.x.1.0 255.255.255.0 VPNFarEnd 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inside in interface inside
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 MY.PUBLIC.IP.129 1
route inside x.x.4.0 255.255.255.0 x.x.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 set peer z.z.z.158
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer z.z.z.158
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet x.x.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password * encrypted
tunnel-group MyTunnelGroup type ipsec-l2l
tunnel-group MyTunnelGroup general-attributes
annotation CryptoMapEntry=outside_map0[1]
tunnel-group MyTunnelGroup ipsec-attributes
pre-shared-key *
tunnel-group z.z.z.158 type ipsec-l2l
tunnel-group z.z.z.158 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
I deleted the "dns server-group DefaultDNS" statement as an experiment to no avail.
Any ideas, oh great firewall gurus?
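The `route inside x.x.4.0 255.255.255.0 x.x.1.1 1` line in the posted config asks the ASA to receive a packet on its inside interface and send it back out the same inside interface toward the PIX. On ASA 8.2 that "hairpin" path is dropped by default unless intra-interface traffic is explicitly permitted, and `packet-tracer` will name the phase where the drop happens. The session below is an added example, not part of the original post or of the poster's config; it assumes the VPN user's PC is x.x.1.50 (a constructed placeholder) and that x.x.1.1 is the PIX inside address, as the existing route statement implies.

```cisco
! Added example (not from the original post). x.x.1.50 is a constructed
! placeholder for the one PC whose default gateway is the ASA.
!
! 1. Trace a synthetic HTTP packet from that PC to the DMZ web server.
!    packet-tracer walks route lookup, ACLs, NAT and the same-interface
!    check; the first phase reporting DROP is the cause to fix.
vpnfirewall# packet-tracer input inside tcp x.x.1.50 12345 x.x.4.10 80

! 2. Permit traffic that enters and exits the same interface so the
!    "route inside x.x.4.0 ... x.x.1.1" statement can actually be used.
vpnfirewall# configure terminal
vpnfirewall(config)# same-security-traffic permit intra-interface
vpnfirewall(config)# end

! 3. Re-run the trace; the route-lookup phase should now choose "inside"
!    via x.x.1.1 and the final result should be ALLOW.
vpnfirewall# packet-tracer input inside tcp x.x.1.50 12345 x.x.4.10 80

! 4. Watch the live connection while the user browses to the web server.
vpnfirewall# show conn address x.x.4.10
```

One caveat with this path: the web server's replies come back through the PIX inside interface straight to the PC, never through the ASA, so the ASA sees only half of each TCP connection and may still drop the PC's later packets as out-of-state. The simplest alternative that avoids both the hairpin and the asymmetry is a single static route on that one PC sending x.x.4.0/24 to x.x.1.1 directly (on Windows, `route -p add x.x.4.0 mask 255.255.255.0 x.x.1.1`), leaving the ASA to carry only the VPN traffic it was installed for.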