Re: [c-nsp] ASA 5520 Remote Access VPN
Sigurbjörn Birkir Lárusson wrote:
> Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a default if the split-tunnel configuration is working
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
>
> Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)
>
> BR,
> Sibbi

Can this be because of routing metrics? The default gateway on the ASA has its metric set to 1. The VPN client uses a Vodafone mobile connection. Maybe, because of this, the VPN default route overrides the Vodafone default route?

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASA 5520 Remote Access VPN
It shouldn't be sending you a default route at all, just the tunnel routes

BR,
Sibbi

On 4.2.2009 14:05, Eimantas Zdanevičius eiman...@occ.lt wrote:
> Sigurbjörn Birkir Lárusson wrote:
>> Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a default if the split-tunnel configuration is working
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
>>
>> Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)
>>
>> BR,
>> Sibbi
>
> Can this be because of routing metrics? The default gateway on the ASA has its metric set to 1. The VPN client uses a Vodafone mobile connection. Maybe, because of this, the VPN default route overrides the Vodafone default route?
Re: [c-nsp] ASA 5520 Remote Access VPN
Sigurbjörn Birkir Lárusson wrote:
> It shouldn't be sending you a default route at all, just the tunnel routes
>
> BR,
> Sibbi

Problem solved. The default route was overridden by the Linux NetworkManager (vpnc) software on the VPN client machine. I need to set 'Use this connection only for resources on this network' in the VPN connection configuration. The Cisco VPN client software doesn't override the default route.
Re: [c-nsp] ASA 5520 Remote Access VPN
Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a default if the split-tunnel configuration is working

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)

BR,
Sibbi

On 4.2.2009 07:45, Eimantas Zdanevičius eiman...@occ.lt wrote:
> Sigurbjörn Birkir Lárusson wrote:
>> Something along these lines if you wanted to just send 10.10.53.0/24 and 10.10.54.0/24 through the VPN tunnel
>>
>> tunnel-group testgroup general-attributes
>>  default-group-policy testpolicy
>> group-policy testpolicy internal
>> group-policy testpolicy attributes
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value TunnelList
>> access-list TunnelList standard permit 10.10.53.0 255.255.255.0
>> access-list TunnelList standard permit 10.10.54.0 255.255.255.0
>>
>> BR,
>> Sibbi
>
> This perfectly sets routes for the specified networks. But how to disable the default gateway setting on the VPN client?
>
> If I go to ASA ASDM - Configuration - VPN - Default Tunnel Gateway it says: "To configure default tunnel gateway, go to Static Route."
>
> I have two static routes configured:
>
> S    aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside
> S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside
Re: [c-nsp] ASA 5520 Remote Access VPN
Peter Rathlev wrote:
> ...
> What does the log say? Where are the ACLs for the interfaces? Are you sure the firewall isn't denying the traffic as it does by default?
>
> Regards,
> Peter

It's hard to find anything in the log, because this is a production firewall and there are a lot of messages in syslog. If I grep syslog for the IP addresses (the VPN client's real address or its VPN address) I can't find anything wrong. On the outside interface I have an ACL which accepts pings from any source to the inside interface computers, and I can ping from any computer outside to any computer inside. Even in ASDM real-time logging I can't see any message about dropping packets from the VPN tunnel.
Re: [c-nsp] ASA 5520 Remote Access VPN
> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

I guess this is a routing problem, since you assign 192.168.0.x to the VPN client, which is located on a different segment from the PIX's own interface. The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf of the VPN client. This can be done with the proxy ARP setting on the inside interface of the PIX... I forgot the command. Or if you have a router on the PIX's inside I/F, just create a route to 192.168.0.x pointing back to your PIX's inside I/F.

HTH
Engel
Re: [c-nsp] ASA 5520 Remote Access VPN
If you're connecting through a NATed host to the VPN you might try adding

crypto isakmp nat-traversal 30

I have a fairly similar setup to yours which works just fine.

BR,
Sibbi III

On 3.2.2009 14:33, Eimantas Zdanevičius eiman...@occ.lt wrote:
> Engelhard Labiro wrote:
>>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>
>> I guess this is a routing problem, since you assign 192.168.0.x to the VPN client, which is located on a different segment from the PIX's own interface. The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf of the VPN client. This can be done with the proxy ARP setting on the inside interface of the PIX... I forgot the command. Or if you have a router on the PIX's inside I/F, just create a route to 192.168.0.x pointing back to your PIX's inside I/F.
>>
>> HTH
>> Engel
>
> When the client connects to the ASA, the ASA automatically adds a route:
>
> S    192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
>
> Eimantas
Re: [c-nsp] ASA 5520 Remote Access VPN
Sigurbjörn Birkir Lárusson wrote:
> If you're connecting through a NATed host to the VPN you might try adding
>
> crypto isakmp nat-traversal 30
>
> I have a fairly similar setup to yours which works just fine.

This solved the problem, thanks!

Another problem is that the client sets the default gateway to the tunnel. How can I configure only some networks to go through the tunnel?

Eimantas
Re: [c-nsp] ASA 5520 Remote Access VPN
Something along these lines if you wanted to just send 10.10.53.0/24 and 10.10.54.0/24 through the VPN tunnel

tunnel-group testgroup general-attributes
 default-group-policy testpolicy
group-policy testpolicy internal
group-policy testpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelList
access-list TunnelList standard permit 10.10.53.0 255.255.255.0
access-list TunnelList standard permit 10.10.54.0 255.255.255.0

BR,
Sibbi

On 3.2.2009 15:22, Eimantas Zdanevičius eiman...@occ.lt wrote:
> Sigurbjörn Birkir Lárusson wrote:
>> If you're connecting through a NATed host to the VPN you might try adding
>>
>> crypto isakmp nat-traversal 30
>>
>> I have a fairly similar setup to yours which works just fine.
>
> This solved the problem, thanks!
>
> Another problem is that the client sets the default gateway to the tunnel. How can I configure only some networks to go through the tunnel?
>
> Eimantas
Re: [c-nsp] ASA 5520 Remote Access VPN
Engelhard Labiro wrote:
>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>
> I guess this is a routing problem, since you assign 192.168.0.x to the VPN client, which is located on a different segment from the PIX's own interface. The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf of the VPN client. This can be done with the proxy ARP setting on the inside interface of the PIX... I forgot the command. Or if you have a router on the PIX's inside I/F, just create a route to 192.168.0.x pointing back to your PIX's inside I/F.
>
> HTH
> Engel

When the client connects to the ASA, the ASA automatically adds a route:

S    192.168.0.10 255.255.255.255 [1/0] via default_gw, outside

Eimantas
Re: [c-nsp] ASA 5520 Remote Access VPN
Alasdair Gow wrote:
> Hi,
>
> It looks like eth0 and eth1 are on the same network. They need to be on separate networks IIRC.
>
> Cheers,
> Ally

Sorry about my mistake. The interfaces are on different networks; the masks are 255.255.255.0.
Re: [c-nsp] ASA 5520 Remote Access VPN
Not unless you configure RRI, see

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

BR,
Sibbi

On 3.2.2009 14:33, Eimantas Zdanevičius eiman...@occ.lt wrote:
> Engelhard Labiro wrote:
>>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>
>> I guess this is a routing problem, since you assign 192.168.0.x to the VPN client, which is located on a different segment from the PIX's own interface. The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf of the VPN client. This can be done with the proxy ARP setting on the inside interface of the PIX... I forgot the command. Or if you have a router on the PIX's inside I/F, just create a route to 192.168.0.x pointing back to your PIX's inside I/F.
>>
>> HTH
>> Engel
>
> When the client connects to the ASA, the ASA automatically adds a route:
>
> S    192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
>
> Eimantas
Re: [c-nsp] ASA 5520 Remote Access VPN
On Tue, 2009-02-03 at 11:12 +0200, Eimantas Zdanevičius wrote:
> I have configured VPN on an ASA 5520 (software version 7.2). The VPN client connects to the ASA and says everything is OK. But I cannot ping any computer in the inside network. The ASA is working in router mode, single context. No NAT on the inside or outside interface
> ...

What does the log say? Where are the ACLs for the interfaces? Are you sure the firewall isn't denying the traffic as it does by default?

Regards,
Peter
Re: [c-nsp] ASA 5520 Remote Access VPN
Sigurbjörn Birkir Lárusson wrote:
> Something along these lines if you wanted to just send 10.10.53.0/24 and 10.10.54.0/24 through the VPN tunnel
>
> tunnel-group testgroup general-attributes
>  default-group-policy testpolicy
> group-policy testpolicy internal
> group-policy testpolicy attributes
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value TunnelList
> access-list TunnelList standard permit 10.10.53.0 255.255.255.0
> access-list TunnelList standard permit 10.10.54.0 255.255.255.0
>
> BR,
> Sibbi

This perfectly sets routes for the specified networks. But how to disable the default gateway setting on the VPN client?

If I go to ASA ASDM - Configuration - VPN - Default Tunnel Gateway it says: "To configure default tunnel gateway, go to Static Route."

I have two static routes configured:

S    aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside
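An added example, not from the thread or from Cisco: a small Python check of a Linux client's routing table against the split-tunnel list Sibbi posted (10.10.53.0/24 and 10.10.54.0/24), which flags the failure Eimantas hit where NetworkManager/vpnc installs a metric-0 default route into the tunnel that beats the mobile link's default. The `ip route show` output is constructed and the tunnel interface name tun0 is assumed.

```python
import ipaddress

# Networks permitted by the split-tunnel ACL "TunnelList" from the thread.
SPLIT_TUNNEL = [ipaddress.ip_network(n) for n in ("10.10.53.0/24", "10.10.54.0/24")]

# Constructed `ip route show` output from a vpnc/NetworkManager client whose
# default route was pulled into the tunnel: "default dev tun0" has metric 0
# and wins over the mobile link's metric-100 default, so everything goes to the ASA.
ROUTES_BAD = """\
default dev tun0 scope link
default via 10.64.0.1 dev ppp0 metric 100
10.10.53.0/24 dev tun0 scope link
10.10.54.0/24 dev tun0 scope link
"""

# Same client after "Use this connection only for resources on this network".
ROUTES_GOOD = """\
default via 10.64.0.1 dev ppp0 metric 100
10.10.53.0/24 dev tun0 scope link
10.10.54.0/24 dev tun0 scope link
"""

def parse_routes(text):
    """Parse `ip route show` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f or "dev" not in f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        dev = f[f.index("dev") + 1]
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes

def check_split_tunnel(text, tun_dev, allowed):
    """Findings: a winning default route through the tunnel, tunnel routes
    outside the split-tunnel list, and allowed networks not routed at all."""
    routes = parse_routes(text)
    findings = []
    defaults = sorted((m, d) for n, d, m in routes if n.prefixlen == 0)
    if defaults and defaults[0][1] == tun_dev:
        findings.append("default route via %s wins with metric %d" % (tun_dev, defaults[0][0]))
    tun_nets = [n for n, d, _ in routes if d == tun_dev and n.prefixlen > 0]
    for n in tun_nets:
        if not any(n.subnet_of(a) for a in allowed):
            findings.append("%s via %s is not in the split-tunnel list" % (n, tun_dev))
    for a in allowed:
        if not any(a.subnet_of(n) for n in tun_nets):
            findings.append("%s is not routed via %s" % (a, tun_dev))
    return findings
```

Running `check_split_tunnel(ROUTES_BAD, "tun0", SPLIT_TUNNEL)` reports the tunnel default route; the same call on ROUTES_GOOD returns no findings.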