
Route traffic (public IP) from a remote site through a VPN tunnel


robi999 (IS-IT--Management), Feb 14, 2012
Hello,


On the remote site I have a Cisco ASA 5505, on the central site I have a Cisco 2811 router, and the site-to-site VPN tunnel is working without problems. Internet access is working on both sides.
How can I route some traffic (to a public host on the Internet) from the remote site through the site-to-site VPN?
I tried adding the host IP to the protected networks but it does not work (ACL 119 on the central site and inside_nat0_outbound_1 on the ASA).

ASA log (ICMP and HTTP traffic):

6 Feb 06 2012 06:25:59 302020 66.39.41.1 10.110.17.11 Built outbound ICMP connection for faddr public_host_IP/0 gaddr 10.110.17.11/512 laddr 10.110.17.11/512
6 Feb 06 2012 06:26:47 302021 66.39.41.1 10.110.17.11 Teardown ICMP connection for faddr public_host_IP/0 gaddr 10.110.17.11/512 laddr 10.110.17.11/512



6 Feb 07 2012 00:05:25 302013 public_host_IP 10.110.17.11 Built outbound TCP connection 278843 for outside:public_host_IP/80 (public_host_IP/80) to inside:10.110.17.11/3936 (10.110.17.11/3936)
6 Feb 07 2012 00:05:55 302014 public_host_IP 10.110.17.11 Teardown TCP connection 278843 for outside:public_host_IP/80 to inside:10.110.17.11/3936 duration 0:00:30 bytes 0 SYN Timeout



Cisco ASA 5505 on remote site :


Outside interface - ISP Internet
Inside interface - 10.110.17.1 (local LAN 10.110.17.0/24)


Central site :


FastEthernet0/0 - 10.110.0.1 (local LAN 10.110.0.0/24)
FastEthernet0/1 - ISP Internet


Cisco ASA configuration :


object-group network DM_INLINE_NETWORK_1
network-object 10.110.0.0 255.255.255.0
network-object host public_host_IP


access-list outside_1_cryptomap extended permit ip 10.110.17.0 255.255.255.0 object-group DM_INLINE_NETWORK_1


access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 host public_host_IP


global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 101 0.0.0.0 0.0.0.0

access-group 121 in interface inside

route outside 0.0.0.0 0.0.0.0 ISP_gateway_IP 1


Central site :


access-list 119 remark IPSec Rule
access-list 119 permit ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 119 permit ip host public_host_IP 10.110.17.0 0.0.0.255


crypto map SDM_CMAP_1 16 ipsec-isakmp
set peer remote_site_public_IP
set transform-set ESP-DES-SHA
match address 119


interface FastEthernet0/0
ip address 10.110.0.1 255.255.255.0
ip access-group 121 in
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no mop enabled

!

interface FastEthernet0/1
ip address Public_IP
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
no mop enabled
crypto map SDM_CMAP_1


route-map SDM_RMAP_1 permit 1
match ip address 101


ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload


access-list 101 deny ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 101 permit ip 10.110.0.0 0.0.0.255 any


Any help is much appreciated.


Thanks.
 
Result of the command: "packet-tracer input inside tcp 10.110.17.11 1024 xxx.xxx.xxx.xxx http detailed"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in xxx.xxx.xxx.xxx 255.255.255.255 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 121 in interface inside
access-list 121 extended permit ip any host xxx.xxx.xxx.xxx
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc61ff3e0, priority=12, domain=permit, deny=false
hits=84, user_data=0xc61ff3a0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=xxx.xxx.xxx.xxx, mask=255.255.255.255, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc6129db0, priority=0, domain=permit-ip-option, deny=true
hits=2370, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.110.17.0 255.255.255.0 outside host xxx.xxx.xxx.xxx
NAT exempt
translate_hits = 85, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc61a0a68, priority=6, domain=nat-exempt, deny=false
hits=84, user_data=0xc61a09c8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.110.17.0, mask=255.255.255.0, port=0
dst ip=xxx.xxx.xxx.xxx, mask=255.255.255.255, port=0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 101 (ASA_Public_IP [Interface PAT])
translate_hits = 8, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc619a0b8, priority=1, domain=nat, deny=false
hits=1851, user_data=0xc619a018, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc61c1f28, priority=1, domain=host, deny=false
hits=2506, user_data=0xc61c1c40, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc612c418, priority=0, domain=host-limit, deny=false
hits=1851, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc7131118, priority=70, domain=encrypt, deny=false
hits=83, user_data=0x11c624, cs_id=0xc66017b8, reverse, flags=0x0, protocol=0
src ip=10.110.17.0, mask=255.255.255.0, port=0
dst ip=xxx.xxx.xxx.xxx, mask=255.255.255.255, port=0

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc7131098, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=82, user_data=0x13dc84, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=xxx.xxx.xxx.xxx, mask=255.255.255.255, port=0
dst ip=10.110.17.0, mask=255.255.255.0, port=0

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc61be560, priority=0, domain=permit-ip-option, deny=true
hits=2597, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 72379, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
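The 302013/302014 pair and the packet-tracer output above already tell most of the story: the ASA matched the flow to inside_nat0_outbound_1 (the real and mapped addresses in the log are identical, and the tracer shows the NAT-EXEMPT phase winning before the interface PAT), pushed it into the tunnel in the VPN encrypt phase, and then tore it down after 30 seconds with "bytes 0 SYN Timeout", meaning the SYN left but no SYN-ACK ever came back. So the ASA is doing what it was told, and the missing piece is on the return path. One thing worth checking on the 2811: classic IOS NAT (ip nat inside on Fa0/0, ip nat outside on Fa0/1) only translates packets that cross from an inside interface to an outside interface; a decrypted spoke packet arrives on Fa0/1 and leaves on Fa0/1, so it is not a candidate for the overload translation, and access-list 101 only names 10.110.0.0/24 sources in any case.

The script below is an added example, not code from the thread or from Cisco. It parses ASA 302013/302014 lines in the same ASDM column format as the post, records whether the flow was NAT-exempted, and flags zero-byte SYN Timeout teardowns whose peer is outside the tunnel LANs, which is exactly the symptom shown above. The sample log lines are constructed, with the documentation address 203.0.113.10 standing in for public_host_IP; the second connection is a normal LAN-to-LAN flow added for contrast.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ASDM-style ASA syslog sample (severity, date, time, message id,
# source, destination, text), modelled on the 302013/302014 pair in the post.
# 203.0.113.10 is a documentation address standing in for "public_host_IP".
SAMPLE_LOG = """\
6 Feb 07 2012 00:05:25 302013 203.0.113.10 10.110.17.11 Built outbound TCP connection 278843 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.110.17.11/3936 (10.110.17.11/3936)
6 Feb 07 2012 00:05:55 302014 203.0.113.10 10.110.17.11 Teardown TCP connection 278843 for outside:203.0.113.10/80 to inside:10.110.17.11/3936 duration 0:00:30 bytes 0 SYN Timeout
6 Feb 07 2012 00:06:01 302013 10.110.0.5 10.110.17.11 Built outbound TCP connection 278850 for outside:10.110.0.5/445 (10.110.0.5/445) to inside:10.110.17.11/3940 (10.110.17.11/3940)
6 Feb 07 2012 00:06:20 302014 10.110.0.5 10.110.17.11 Teardown TCP connection 278850 for outside:10.110.0.5/445 to inside:10.110.17.11/3940 duration 0:00:19 bytes 18342 TCP FINs
"""

_TS = r"^\d (?:\w{3} \d\d \d{4} \d\d:\d\d:\d\d) "
# 302013: Built {inbound|outbound} TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>)
#         to <if>:<real>/<port> (<mapped>/<port>)
_BUILT = re.compile(
    _TS + r"302013 \S+ \S+ Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<cid>\d+) for (?P<if_a>\w+):(?P<real_a>[\d.]+)/(?P<port_a>\d+) \((?P<map_a>[\d.]+)/\d+\)"
    r" to (?P<if_b>\w+):(?P<real_b>[\d.]+)/(?P<port_b>\d+) \((?P<map_b>[\d.]+)/\d+\)$"
)
# 302014: Teardown TCP connection <id> for ... duration h:mm:ss bytes <n> <reason>
_TEARDOWN = re.compile(
    _TS + r"302014 \S+ \S+ Teardown TCP connection (?P<cid>\d+) for .*? duration "
    r"(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

OK = "ok"
NO_REPLY = "no-reply"                  # SYN sent, handshake never completed
HAIRPIN_NO_REPLY = "hairpin-no-reply"  # same, and the peer is not a tunnel LAN host


@dataclass
class Conn:
    cid: str
    direction: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    nat_exempt: bool  # real == mapped on both ends, i.e. the nat 0 ACL matched
    duration_s: Optional[int] = None
    bytes: Optional[int] = None
    reason: Optional[str] = None
    verdict: Optional[str] = None


def classify(conn: Conn, tunnel_lans: List[ipaddress.IPv4Network]) -> str:
    """A SYN Timeout teardown with zero bytes means no SYN-ACK came back. If the
    flow was NAT-exempted (so it went into the tunnel untranslated) and the peer
    is outside every tunnel LAN, the reply has to come back via the hub."""
    if conn.reason == "SYN Timeout" and conn.bytes == 0:
        peer = ipaddress.ip_address(conn.remote_ip)
        if conn.nat_exempt and not any(peer in lan for lan in tunnel_lans):
            return HAIRPIN_NO_REPLY
        return NO_REPLY
    return OK


def analyze(log_text: str, tunnel_lans: List[str], inside_if: str = "inside") -> Dict[str, Conn]:
    """Pair Built/Teardown messages by connection id and classify each flow."""
    lans = [ipaddress.ip_network(n) for n in tunnel_lans]
    conns: Dict[str, Conn] = {}
    for line in log_text.splitlines():
        m = _BUILT.match(line)
        if m:
            a = (m["if_a"], m["real_a"], int(m["port_a"]), m["map_a"])
            b = (m["if_b"], m["real_b"], int(m["port_b"]), m["map_b"])
            # Key on the interface name, not on the endpoint's position in the message.
            local, remote = (a, b) if a[0] == inside_if else (b, a)
            conns[m["cid"]] = Conn(
                cid=m["cid"], direction=m["direction"],
                local_ip=local[1], local_port=local[2],
                remote_ip=remote[1], remote_port=remote[2],
                nat_exempt=(local[1] == local[3] and remote[1] == remote[3]),
            )
            continue
        m = _TEARDOWN.match(line)
        if m and m["cid"] in conns:
            c = conns[m["cid"]]
            c.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.bytes = int(m["bytes"])
            c.reason = m["reason"]
            c.verdict = classify(c, lans)
    return conns


if __name__ == "__main__":
    for c in analyze(SAMPLE_LOG, ["10.110.0.0/24"]).values():
        print(f"conn {c.cid} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} "
              f"nat_exempt={c.nat_exempt} bytes={c.bytes} reason={c.reason!r} -> {c.verdict}")
```

Run it against a real ASA log export (the same ASDM column layout) with the list of LANs that are supposed to be reachable through the tunnel; a "hairpin-no-reply" verdict with nat_exempt=True tells you the ASA side has done its part and the problem is the hub's NAT or return route, while "no-reply" with nat_exempt=False points back at the ASA's nat 0 ACL or crypto ACL instead.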
 
6 Feb 07 2012 00:05:25 302013 public_host_IP 10.110.17.11 Built outbound TCP connection 278843 for outside:public_host_IP/80 (public_host_IP/80) to inside:10.110.17.11/3936 (10.110.17.11/3936)
6 Feb 07 2012 00:05:55 302014 public_host_IP 10.110.17.11 Teardown TCP connection 278843 for outside:public_host_IP/80 to inside:10.110.17.11/3936 duration 0:00:30 bytes 0 SYN Timeout


Are they coming through the right interface?
If I'm reading this right, it's coming from outbound going to inbound and your ACL rules are allowing the other way around...

Probably the source address is not being set correctly...


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 