Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Same-security-traffic problems 2 2
- Thread starter pgatt62
- Start date
-
1
- #2
- Thread starter
- #3
hi Unclerico
Sorry about the delay in my reply but i've had to drive home from Edinburgh and the traffics been a bit crazy during the Pope's visit today. Wonder how he is with ASA 5520s?
Anyway, the cofig below is meant to hopefully act as a firewall and as the routing device between both inside networks, Data and VoIP, and as a point of connection that will point to VPN tunnels on other devices via a static route to the related default gateways using the route inside command until such times when all systems have been migrated onto the ASA. I managed to get a ping between both inside networks and a connection to the internet all with very good speeds but as I added tunnels and AnyConnect configs lost the ping capability to the ASA interfaces but not to outside sites like Then when trying to regain ping began to lose tunnels and even at one point caused a switching loop with a static nat command that brought the network down. Oops.
There is an inspect icmp and other icmp commands in the config that I thought would do the trick but no luck there.
Any advice and pointers would be great and hopefully I'll end up with a config that I can study and see where I've made an error, or three. Thanks again pgatt62
: Saved
:
ASA Version 8.2(1)
!
hostname ISC-EDI-ASWFW
domain-name iscinternal.com
enable password DVYtjzRh.k2l3Eyj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.XX.154 255.255.255.248
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside1
security-level 100
ip address 172.24.19.252 255.255.252.0
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif inside2
security-level 100
ip address 172.24.23.254 255.255.252.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.24.16.2
name-server 172.24.0.10
name-server XX.196.0.6
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.20.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.20.0 255.255.252.0 172.24.16.0 255.255.252.0
access-list EDI-BRUSS extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor notifications
logging trap errors
logging asdm informational
logging host inside1 172.24.16.2
mtu management 1500
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.24.20.0 255.255.252.0 inside1
icmp permit 172.24.16.0 255.255.252.0 inside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.153 1
route inside1 172.24.0.0 255.255.252.0 172.24.19.254 1
route inside1 172.24.0.0 255.255.252.0 172.24.23.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACCESS-SRVR protocol radius
aaa-server ACCESS-SRVR (inside1) host 172.24.16.2
key Fountain42!
aaa authentication serial console ACCESS-SRVR LOCAL
aaa authentication ssh console ACCESS-SRVR LOCAL
aaa authentication enable console ACCESS-SRVR LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.24.16.0 255.255.252.0 inside1
http 172.24.20.0 255.255.252.0 inside2
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TRSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map EDI-BRUSS 10 match address EDI-BRUSS
crypto map EDI-BRUSS 10 set pfs
crypto map EDI-BRUSS 10 set peer XX.XX.XX.18
crypto map EDI-BRUSS 10 set transform-set VPN-TRSET
crypto map EDI-BRUSS 10 set security-association lifetime seconds 25200
crypto map EDI-BRUSS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 25200
telnet timeout 5
ssh 172.24.16.0 255.255.252.0 inside1
ssh 172.24.20.0 255.255.252.0 inside2
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 62.206.250.163 source outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
dns-server value 172.24.16.2 172.24.0.10
vpn-tunnel-protocol svc webvpn
webvpn
svc keep-installer installed
svc ask enable default svc timeout 20
username admin password we1JsUwd6pW4pQ2W encrypted
username dancoop password NFAr6PJhZEifx4Wo encrypted
username dancoop attributes
service-type remote-access
tunnel-group telecommuters type remote-access
tunnel-group TELECOMMUTERS type remote-access
tunnel-group TELECOMMUTERS general-attributes
address-pool VPN-POOL
default-group-policy ANYCONNECT-POLICY
tunnel-group TELECOMMUTERS webvpn-attributes
group-alias sslgroup-users enable
tunnel-group XX.XX.XX.18 type ipsec-l2l
tunnel-group XX.XX.XX.18 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c410cd0af890f5fb81df2852aea8f4fb
: end
no asdm history enable
Sorry about the delay in my reply but i've had to drive home from Edinburgh and the traffics been a bit crazy during the Pope's visit today. Wonder how he is with ASA 5520s?
Anyway, the cofig below is meant to hopefully act as a firewall and as the routing device between both inside networks, Data and VoIP, and as a point of connection that will point to VPN tunnels on other devices via a static route to the related default gateways using the route inside command until such times when all systems have been migrated onto the ASA. I managed to get a ping between both inside networks and a connection to the internet all with very good speeds but as I added tunnels and AnyConnect configs lost the ping capability to the ASA interfaces but not to outside sites like Then when trying to regain ping began to lose tunnels and even at one point caused a switching loop with a static nat command that brought the network down. Oops.
There is an inspect icmp and other icmp commands in the config that I thought would do the trick but no luck there.
Any advice and pointers would be great and hopefully I'll end up with a config that I can study and see where I've made an error, or three. Thanks again pgatt62
: Saved
:
ASA Version 8.2(1)
!
hostname ISC-EDI-ASWFW
domain-name iscinternal.com
enable password DVYtjzRh.k2l3Eyj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.XX.154 255.255.255.248
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside1
security-level 100
ip address 172.24.19.252 255.255.252.0
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif inside2
security-level 100
ip address 172.24.23.254 255.255.252.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.24.16.2
name-server 172.24.0.10
name-server XX.196.0.6
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.20.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.20.0 255.255.252.0 172.24.16.0 255.255.252.0
access-list EDI-BRUSS extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor notifications
logging trap errors
logging asdm informational
logging host inside1 172.24.16.2
mtu management 1500
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.24.20.0 255.255.252.0 inside1
icmp permit 172.24.16.0 255.255.252.0 inside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.153 1
route inside1 172.24.0.0 255.255.252.0 172.24.19.254 1
route inside1 172.24.0.0 255.255.252.0 172.24.23.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACCESS-SRVR protocol radius
aaa-server ACCESS-SRVR (inside1) host 172.24.16.2
key Fountain42!
aaa authentication serial console ACCESS-SRVR LOCAL
aaa authentication ssh console ACCESS-SRVR LOCAL
aaa authentication enable console ACCESS-SRVR LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.24.16.0 255.255.252.0 inside1
http 172.24.20.0 255.255.252.0 inside2
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TRSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map EDI-BRUSS 10 match address EDI-BRUSS
crypto map EDI-BRUSS 10 set pfs
crypto map EDI-BRUSS 10 set peer XX.XX.XX.18
crypto map EDI-BRUSS 10 set transform-set VPN-TRSET
crypto map EDI-BRUSS 10 set security-association lifetime seconds 25200
crypto map EDI-BRUSS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 25200
telnet timeout 5
ssh 172.24.16.0 255.255.252.0 inside1
ssh 172.24.20.0 255.255.252.0 inside2
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 62.206.250.163 source outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
dns-server value 172.24.16.2 172.24.0.10
vpn-tunnel-protocol svc webvpn
webvpn
svc keep-installer installed
svc ask enable default svc timeout 20
username admin password we1JsUwd6pW4pQ2W encrypted
username dancoop password NFAr6PJhZEifx4Wo encrypted
username dancoop attributes
service-type remote-access
tunnel-group telecommuters type remote-access
tunnel-group TELECOMMUTERS type remote-access
tunnel-group TELECOMMUTERS general-attributes
address-pool VPN-POOL
default-group-policy ANYCONNECT-POLICY
tunnel-group TELECOMMUTERS webvpn-attributes
group-alias sslgroup-users enable
tunnel-group XX.XX.XX.18 type ipsec-l2l
tunnel-group XX.XX.XX.18 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c410cd0af890f5fb81df2852aea8f4fb
: end
no asdm history enable
-
1
- #4
- Thread starter
- #5
- Status