problem with VPN
Posted: Tue 01 Apr 2008 8:05 am
hi everyone
I have an ASA 5505
I have an active site-to-site VPN with another site.
this is what happens:
the VPN tunnel comes up but does not pass traffic if I enable the LanIn rule on the inside interface; if I disable the rule, all VPN traffic passes (Lotus Notes, AS400).
LanIn only lets through UDP traffic to DNS / HTTP, HTTPS from a proxy / FTP from the whole inside network
I would need to enable the rule on the inside interface and let all the VPN traffic through
this is part of the configuration
dns domain-lookup inside
dns server-group DefaultDNS
name-server 151.99.0.100
name-server 151.99.125.1
name-server 151.99.125.3
domain-name deroma.local
object-group network Lan_Deroma
network-object 172.16.0.0 255.255.0.0
object-group icmp-type Icmp_WanIn
icmp-object time-exceeded
icmp-object unreachable
icmp-object traceroute
icmp-object echo
icmp-object echo-reply
object-group network Proxy_Web
network-object host 192.168.13.1
access-list WanIn2 extended permit icmp any any object-group Icmp_WanIn log disable
access-list LanIn remark traffico dns
access-list LanIn extended permit udp 192.168.13.0 255.255.255.0 any eq domain log disable
access-list LanIn remark traffico http
access-list LanIn extended permit tcp object-group Proxy_Web any eq www log disable
access-list LanIn remark traffico https
access-list LanIn extended permit tcp object-group Proxy_Web any eq https log disable
access-list LanIn remark traffico ftp
access-list LanIn extended permit tcp object-group Proxy_Web any eq ftp log disable
access-list LanIn remark traffico ftp data(20)
access-list LanIn extended permit tcp object-group Proxy_Web any eq ftp-data log disable
access-list LanIn extended deny ip 192.168.13.0 255.255.255.0 any log critical
access-list outside_1_cryptomap extended permit ip 192.168.13.0 255.255.255.0 object-group Lan_Deroma
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 object-group Lan_Deroma log disable
!
snmp-map asa_snmp_map
deny version 1
deny version 2c
deny version 2
deny version 3
!
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.13.0 255.255.255.0 echo inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.13.0 255.255.255.0
access-group LanIn in interface inside
access-group WanIn2 in interface outside
route outside 0.0.0.0 0.0.0.0 85.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 62.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 21600
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 192.168.13.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
!
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
!
!
policy-map type inspect ftp FTP
parameters
mask-banner
mask-syst-reply
policy-map type inspect netbios NETBIOS
parameters
protocol-violation action drop
policy-map type inspect sip SIP
parameters
max-forwards-validation action drop log
state-checking action drop-connection log
software-version action mask log
strict-header-validation action drop log
no traffic-non-sip
uri-non-sip action mask log
rtp-conformance enforce-payloadtype
policy-map type inspect im Messaging
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map type inspect http HTTP
parameters
protocol-violation action drop-connection log
class asdm_high_security_methods
drop-connection
match request header non-ascii
drop-connection
policy-map type inspect dns DNS
parameters
message-length maximum 512
id-randomization
id-mismatch action log
tsig enforced action drop log
policy-map type inspect esmtp SMTP
parameters
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
drop-connection log
policy-map type inspect h323 H323
parameters
call-party-numbers
state-checking h225
state-checking ras
call-duration-limit 1:00:00
rtp-conformance enforce-payloadtype
!
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username administrator password BvKMUtxD8c9n1yV5 encrypted privilege 15
tunnel-group 62.xxx.xxx.xxx type ipsec-l2l
tunnel-group 62.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:2085f1a4e0de865dada6324eb263d255
: end
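The drop described in the post follows directly from the posted ACL: the interface ACL on inside is evaluated top-down, first match wins, and it is applied to cleartext packets before they are matched against the crypto map. None of the permits in LanIn match traffic from 192.168.13.0/24 to 172.16.0.0/16, so the final `deny ip 192.168.13.0 255.255.255.0 any log critical` drops the Notes/AS400 sessions before they are ever encrypted; `sysopt connection permit-vpn` only exempts decrypted traffic arriving on outside and does not help here. Below is an added example, not part of the original post, showing the inside ACL with an explicit permit for the tunnel subnets placed in front of the deny, plus the commands to confirm the match. It reuses the subnet and object-group names from the posted config; the host addresses and the TCP port 1352 (Lotus Notes NRPC) used in the check are placeholders.

```cisco
! Added example (not from the original post). Reuses 192.168.13.0/24, Lan_Deroma and
! the ACL name LanIn from the posted config; host addresses and port 1352 are placeholders.
!
! ACEs are appended at the end of an ACL, so the explicit deny is removed, the VPN permit
! is added, and the deny is re-added last. While the explicit deny is absent the implicit
! deny at the end of the ACL still applies, so nothing is opened up during the change.
conf t
no access-list LanIn extended deny ip 192.168.13.0 255.255.255.0 any log critical
access-list LanIn remark traffico verso la VPN site-to-site (Lan_Deroma)
access-list LanIn extended permit ip 192.168.13.0 255.255.255.0 object-group Lan_Deroma log disable
access-list LanIn extended deny ip 192.168.13.0 255.255.255.0 any log critical
!
! Tighter alternative if "permit ip" between the whole subnets is wider than needed:
! permit only the application ports (Notes NRPC on TCP 1352 assumed; add the AS400 ports in use).
! access-list LanIn extended permit tcp 192.168.13.0 255.255.255.0 object-group Lan_Deroma eq 1352
end
!
! Verification 1: the new permit should accumulate hits and the deny hitcnt should stop growing
! while a Notes client is in use.
show access-list LanIn
!
! Verification 2: simulate a Notes client on the inside network talking to a host on the remote LAN.
! The ACCESS-LIST phase must report "Result: ALLOW" and a VPN phase (encrypt) must appear,
! ending in "Action: allow". Before the change the trace stops at the ACCESS-LIST phase with DROP.
packet-tracer input inside tcp 192.168.13.50 1025 172.16.1.10 1352
!
! Verification 3: the tunnel must carry packets in both directions.
show crypto ipsec sa peer 62.xxx.xxx.xxx
```

The "nat (inside) 0 access-list inside_nat0_outbound" exemption in the posted config already covers the same subnet pair, so no NAT change is required; the interface ACL was the only thing missing. Two further observations on the posted config, unrelated to the drop: ISAKMP policies 10 and 30 still offer DES and DH group 1 (only policy 5 with 3DES/group 2 is needed for this peer), and `crypto isakmp enable inside` is not required for a peer that is reached through the outside interface.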