So do you have the route for 22.22.22.0/24 going via the outside? Is it caught by the default route, or is there something else in place? That's why I asked for the output of "sh route".
On 01/04/2008, at 9:31 PM, William wrote:

> Network behind the 800 is 22.22.22.0/24
>
> W
>
> On 01/04/2008, Ben Steele <[EMAIL PROTECTED]> wrote:
>> Ok, just to save me any confusion here, is the network behind the 800
>> 11.11.11.0/24 or 22.22.22.0/24?
>>
>> Either way, you need to have your network behind the 800 being routed
>> to the outside interface via your outside gateway, as that's where the
>> crypto terminates. If the network behind the 800 happens to be
>> 11.11.11.0/24 then your split tunnel is the wrong way around also; if
>> it's 22.22.22.0/24 then try adding "route outside 22.22.22.0
>> 255.255.255.0 <OUTSIDE GATEWAY> 1"
>>
>> Ben
>>
>> On 01/04/2008, at 9:16 PM, William wrote:
>>
>>> Hi Ben,
>>>
>>> The VPN is establishing, show crypto isakmp sa displays it, the logs
>>> on the ASA show P1&2 and I'm able to communicate only if I originate
>>> the connection from the 800 series router.
>>>
>>> Routing seems fine from the box also; there are no routes on the ASA
>>> for destinations it reaches via VPN.
>>>
>>> Routing to the net on my core network:
>>>
>>> S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>>>
>>> On 01/04/2008, Ben Steele <[EMAIL PROTECTED]> wrote:
>>>> I thought I saw earlier a mention of the traffic hair-pinning, yet
>>>> your crypto map is bound to the outside interface.
>>>>
>>>> Is the IPSEC tunnel being established on the outside or the inside
>>>> interface? Can you also show the output of a "sh route"?
>>>>
>>>> On 01/04/2008, at 9:00 PM, William wrote:
>>>>
>>>>> Can't paste the whole thing, but here are the bits:
>>>>>
>>>>> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>
>>>>> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>> access-list inside_access_in extended permit icmp any any
>>>>>
>>>>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>>>
>>>>> nat (inside) 0 access-list inside_nat0_outbound
>>>>> access-group inside_access_in in interface inside
>>>>>
>>>>> group-policy 800vpn internal
>>>>> group-policy 800vpn attributes
>>>>>  password-storage enable
>>>>>  pfs enable
>>>>>  split-tunnel-policy tunnelspecified
>>>>>  split-tunnel-network-list value Split-Tunnel
>>>>>  nem enable
>>>>>
>>>>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>>>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
>>>>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>>>> crypto dynamic-map outside_dyn_map 20 set pfs
>>>>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 40 set pfs
>>>>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 60 set pfs
>>>>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 80 set pfs
>>>>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
>>>>> crypto dynamic-map outside_dyn_map 100 set pfs
>>>>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
>>>>> crypto dynamic-map outside_dyn_map 120 set pfs
>>>>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>>>>>
>>>>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>>>> crypto map outside_map interface outside
>>>>>
>>>>> crypto isakmp policy 1
>>>>>  authentication pre-share
>>>>>  encryption 3des
>>>>>  hash md5
>>>>>  group 2
>>>>>  lifetime 86400
>>>>>
>>>>> tunnel-group Uname type ipsec-ra
>>>>> tunnel-group Uname general-attributes
>>>>>  default-group-policy 800vpn
>>>>> tunnel-group Uname ipsec-attributes
>>>>>  pre-shared-key *
>>>>>  isakmp ikev1-user-authentication none
>>>>>
>>>>> On 01/04/2008, Ben Steele <[EMAIL PROTECTED]> wrote:
>>>>>> Maybe it would be easier if you just pasted your config in rather
>>>>>> than us keep guessing, but I can add to the guess list.. :)
>>>>>>
>>>>>> Do you have nat-control turned on? If so, have you got your nat 0
>>>>>> statement set up for the IPSEC traffic?
>>>>>>
>>>>>> Ben
>>>>>>
>>>>>> On 01/04/2008, at 8:08 PM, William wrote:
>>>>>>
>>>>>>> Hi Peter,
>>>>>>>
>>>>>>> I went ahead and enabled it in the end. It stopped the error
>>>>>>> messages (denies) coming up in the logs, but my data still isn't
>>>>>>> passing through. I'm still a bit lost as to what's causing my
>>>>>>> issue; do you think it could be to do with my ISAKMP/IPSEC
>>>>>>> settings? I'm not so sure, because the logs show PHASE1&2
>>>>>>> completed without any problems. :(
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> On 01/04/2008, Peter Rathlev <[EMAIL PROTECTED]> wrote:
>>>>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>>>>>> The command same-security-traffic permit intra-interface is
>>>>>>>>> not in the config, but am I likely to break anything if I use
>>>>>>>>> it?
>>>>>>>>
>>>>>>>> Well, you're likely to break the security that is there from
>>>>>>>> the beginning, without this command. You could compare it to
>>>>>>>> "local proxy arp". It will not stop any traffic flows that
>>>>>>>> already work, just allow some more ones.
>>>>>>>>
>>>>>>>> Reference for the command:
>>>>>>>>
>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>>>>>> http://tinyurl.com/2ateua
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Peter
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cisco-nsp mailing list cisco-nsp@puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
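The three things the replies above keep coming back to (is the remote network routed out the interface the crypto map is bound to, does the nat 0 exemption cover the pair, is the split-tunnel ACL the right way round) can be checked mechanically. The script below is an added example, not code from the list, from the posters, or from Cisco. It runs over the fragments William posted plus two assumed lines: a static route for 11.11.11.0/24 via inside (reconstructed from his "sh route" line) and a constructed default route out "outside" via 203.0.113.1, since the real routing table was never pasted. The function names, the regexes and the sample config are mine. The wrong-way routing case at the bottom is the failure mode Ben is probing for in the top message: if 22.22.22.0/24 is routed towards inside, inside-to-remote traffic never reaches the outside crypto map, and the script prints the "route outside ..." line Ben suggested, filled in from the default route's gateway.

```python
"""Sanity-check an ASA config for a network reached over an IPsec tunnel.

Added example for this thread (not Cisco code, not from the list). It checks:
  1. the remote network is routed out the interface the crypto map is bound
     to (explicit static route or the default route), otherwise inside->remote
     traffic never hits the crypto map;
  2. a nat 0 (NAT exemption) ACL covers inside -> remote;
  3. the split-tunnel ACL covers inside -> remote in that direction.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: the fragments William posted, plus an assumed static
# route for 11.11.11.0/24 (from his "sh route" line) and an assumed default
# route out "outside" via 203.0.113.1. The real routing table was never pasted.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
group-policy 800vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$")
ROUTE_RE = re.compile(rf"^route (\S+) {IP} {IP} {IP}(?: \d+)?$")


def parse_acls(cfg: str) -> Dict[str, List[Tuple[Net, Net]]]:
    """ACL name -> list of (source, destination) networks from 'permit ip' lines."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((Net(f"{src}/{smask}"), Net(f"{dst}/{dmask}")))
    return acls


def parse_routes(cfg: str) -> List[Tuple[str, Net, str]]:
    """Static routes as (interface, network, next-hop)."""
    routes = []
    for line in cfg.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw = m.groups()
            routes.append((iface, Net(f"{net}/{mask}"), gw))
    return routes


def egress_interface(routes: List[Tuple[str, Net, str]], net: Net) -> Optional[str]:
    """Longest-prefix match: which interface does traffic to `net` leave on?"""
    best: Optional[Tuple[str, Net]] = None
    for iface, rnet, _gw in routes:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[1].prefixlen):
            best = (iface, rnet)
    return best[0] if best else None


def first_match(cfg: str, pattern: str) -> Optional[str]:
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def acl_covers(entries: List[Tuple[Net, Net]], local: Net, remote: Net) -> bool:
    """True if some entry permits local -> remote (direction matters)."""
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in entries)


def suggested_route(routes, rnet: Net, crypto_if: str) -> Optional[str]:
    """Ben's fix from the thread: pin the remote network to the outside gateway."""
    for iface, net, gw in routes:
        if iface == crypto_if and net.prefixlen == 0:
            return f"route {crypto_if} {rnet.network_address} {rnet.netmask} {gw} 1"
    return None


def audit(cfg: str, local: str, remote: str) -> Dict[str, object]:
    lnet, rnet = Net(local), Net(remote)
    acls, routes = parse_acls(cfg), parse_routes(cfg)
    crypto_if = first_match(cfg, r"^crypto map \S+ interface (\S+)\s*$")
    nat0 = first_match(cfg, r"^nat \(\S+\) 0 access-list (\S+)")
    split = first_match(cfg, r"^\s*split-tunnel-network-list value (\S+)")
    egress = egress_interface(routes, rnet)
    routed_ok = crypto_if is not None and egress == crypto_if
    return {
        "crypto_interface": crypto_if,
        "remote_egress": egress,
        "routed_to_crypto_interface": routed_ok,
        "nat0_exempt": nat0 is not None and acl_covers(acls.get(nat0, []), lnet, rnet),
        "split_tunnel_ok": split is not None and acl_covers(acls.get(split, []), lnet, rnet),
        "fix": None if routed_ok or crypto_if is None else suggested_route(routes, rnet, crypto_if),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_CONFIG, "11.11.11.0/24", "22.22.22.0/24").items():
        print(f"{k:28} {v}")
    # The failure mode from the thread: remote net routed back towards inside.
    broken = SAMPLE_CONFIG + "route inside 22.22.22.0 255.255.255.0 192.168.0.254 1\n"
    print(audit(broken, "11.11.11.0/24", "22.22.22.0/24")["fix"])
```

Feed it the running config of the ASA (show running-config) rather than a hand-picked subset so that a more specific static route, a second crypto map binding or a missing nat 0 line is not overlooked; the check is only as good as the lines it sees.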