Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Complete newb needs help with Cisco ASA

Started by seandiviney, January 14, 2011, 04:52:23 AM


seandiviney

I am unable to setup regular tunnel.

Using ASA 5520 I have NAT'ed one of my public addresses to my PC, enabled ICMP both inbound and outbound, permitted protocol 41 both inbound and outbound (assume this is not required for the system to recognise I have an endpoint).

My intention would be to tunnel from my PC and not the firewall.

Wondering where I am going wrong or if I should be talking to my ISP and getting them to look at their router.

Any suggestions?

Thanks, Sean.

cholzhauer

A couple.

What code version are you running on the ASA?

Are you forwarding all traffic to the ASA? (e.g., if your public address is 1.2.3.4 and your NAT address is 192.168.1.2, you're forwarding all traffic inside)

The reason I ask is because if you have multiple public IP addresses, this becomes MUCH easier.

seandiviney

Version 8.2(2)

Yes all traffic:
static (inside,Outside) 82.20.x.x 192.168.254.250 netmask 255.255.255.255


cholzhauer

8.3.x makes this easier, but you need a large RAM upgrade.

What does the rest of your code look like?

seandiviney

My very lazy ACL for ICMP and protocol 41:

access-list inside_access_in extended permit ip host 192.168.254.250 any log warnings
access-list inside_access_in extended permit 41 any any log warnings

access-list outside_access_in extended permit icmp any any log warnings
access-list outside_access_in extended permit 41 any any

Do you need more? I will work on sanitising the full code.

cholzhauer

When I talked to Cisco about their 8.2.x code, you could not forward a protocol, only ports, which is why I asked if you were forwarding all IP traffic.

Something like:

access-list outside_access_in extended permit ip any host 82.20.x.x


seandiviney

This line:
access-list outside_access_in extended permit 41 any any
should allow the protocol 41 traffic.

I have never had problems forwarding protocol 50 and 51 on my other ASA, so I would have imagined this to be similar. I could understand not being able to do it if I were trying to PAT.

But I assume the problem I'm having is before this would even come into play. The website pretty much says to ensure ICMP connectivity at this stage:
Error: Your IPv4 endpoint is unreachable or unstable. Please make sure ICMP is not blocked. If you are blocking ICMP, please allow 66.220.2.74 through your firewall.
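
As an added check (not code from the thread, Cisco or Hurricane Electric), the script below parses a constructed ASA 8.2-style snippet shaped like the static and access-list lines posted above and verifies the four things cholzhauer's point implies a 6in4 endpoint behind the firewall needs: a full one-to-one static for the endpoint host (a port static only carries TCP/UDP), protocol 41 permitted inbound and outbound, and ICMP from the broker address 66.220.2.74 reachable inbound. The sample addresses are documentation ranges, the interface names are assumed to be "inside" and "Outside" as in the thread, and object-group contents are not expanded.

```python
"""Pre-flight check of an ASA 8.2-style config for a 6in4 (protocol 41) endpoint behind the firewall. SAMPLE_CONFIG is constructed, not the thread's config; 192.0.2.0/24 stands in for the public block."""
import ipaddress
import re

BROKER_IPV4 = "66.220.2.74"   # tunnelbroker server named in the thread's error message
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

SAMPLE_CONFIG = """\
static (inside,Outside) 192.0.2.10 192.168.254.250 netmask 255.255.255.255
access-list inside_access_in extended permit ip host 192.168.254.250 any log warnings
access-list inside_access_in extended permit 41 any any log warnings
access-list outside_access_in extended permit tcp any host 192.0.2.11 eq 990
access-list outside_access_in extended permit icmp any any log warnings
access-list outside_access_in extended permit 41 any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface Outside
"""

def _addr(s):
    """Parse one address spec (any | host A | NET MASK | object-group G) off the front of s."""
    m = re.match(r"(?:(any)\b|host (\S+)|object-group (\S+)|(\S+) (\S+))\s*(.*)", s)
    if not m: return None, ""
    anyw, host, grp, net, mask, rest = m.groups()
    if anyw: return ipaddress.ip_network("0.0.0.0/0"), rest
    if host: return ipaddress.ip_network(host), rest
    if grp:  return None, rest   # object-groups are not expanded: treated as no match
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), rest

def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line.strip())
        if not m: continue
        name, action, proto, rest = m.groups()
        proto = PROTO_NUM.get(proto, int(proto) if proto.isdigit() else proto)  # 'ip' = wildcard
        src, rest = _addr(rest)
        rest = re.sub(r"^(?:(?:eq|neq|lt|gt) \S+|range \S+ \S+)\s*", "", rest)  # source-port operator
        dst, _ = _addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def acl_permits(rules, proto, src_ip, dst_ip):
    """First-match evaluation, ending in the ASA's implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst in rules:
        if rproto in ("ip", proto) and None not in (src, dst) and src_ip in src and dst_ip in dst:
            return action == "permit"
    return False

def one_to_one_static(config, private_ip):
    """Public address of a full (all-protocol) static for private_ip, or None; port statics don't count."""
    for m in re.finditer(r"^static \(\S+\) (\S+) (\S+) netmask 255\.255\.255\.255", config, re.M):
        if m.group(2) == private_ip:
            return m.group(1)
    return None

def check_tunnel_prereqs(config, private_ip, inside_if="inside", outside_if="Outside"):
    """The four things a 6in4 endpoint behind an 8.2 ASA needs, each as a boolean."""
    acls = parse_acls(config)
    bound = {iface: acls.get(name, []) for name, iface in re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)}
    public = one_to_one_static(config, private_ip)
    inbound, outbound = bound.get(outside_if, []), bound.get(inside_if, [])
    return {
        "one_to_one_static": public is not None,
        "outbound_proto41": acl_permits(outbound, 41, private_ip, BROKER_IPV4),
        # pre-8.3 code evaluates the outside ACL against the mapped (public) address
        "inbound_proto41": public is not None and acl_permits(inbound, 41, BROKER_IPV4, public),
        "inbound_icmp_from_broker": public is not None and acl_permits(inbound, 1, BROKER_IPV4, public),
    }
```

Running `check_tunnel_prereqs(SAMPLE_CONFIG, "192.168.254.250")` returns all four True; drop the one-to-one static line and the two inbound checks fail while the outbound one still passes, which is the failure mode a port-only static produces.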

cholzhauer

Oh, I didn't know you were having problems with ping ;)

I guess at this point I'd need to see the rest of the config.

seandiviney

dns-guard
!
interface GigabitEthernet0/0
shutdown
nameif outsideold
security-level 0
ip address *
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.254.35 255.255.255.0
!
interface GigabitEthernet0/2
description * internet connection
speed 100
duplex full
nameif Outside
security-level 0
ip address 82.20.X.X 255.255.255.224
!
interface GigabitEthernet0/3
shutdown
nameif Maxbond
security-level 20
ip address *
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-k8.bin
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.245.245
domain-name *
same-security-traffic permit intra-interface
-cut  object groups-
access-list NTLOutside_cryptomap_89 extended permit ip host 192.168.245.89 192.168.203.0 255.255.255.240
-cut nat0-
access-list NTLOutside_cryptomap_17 extended permit ip host 192.168.245.89 192.168.202.112 255.255.255.240
access-list NTLOutside_cryptomap_76 extended permit ip host 192.168.245.89 192.168.202.96 255.255.255.240
access-list Homeworker03_ACL remark *
access-list Homeworker03_ACL extended permit ip any host 192.168.245.89
access-list NTLOutside_cryptomap_100 extended permit ip host 192.168.245.89 192.168.203.176 255.255.255.240
access-list NTLOutside_cryptomap_73 extended permit ip host 192.168.245.89 192.168.202.64 255.255.255.240
access-list Homeworker05_ACL remark *
access-list Homeworker05_ACL extended permit tcp any host 192.168.230.20 object-group DM_INLINE_TCP_4
access-list Homeworker05_ACL extended permit udp any object-group DM_INLINE_NETWORK_1 eq domain
access-list NTLOutside_cryptomap_96 remark To stay on this line
access-list NTLOutside_cryptomap_96 extended permit ip host 192.168.245.89 192.168.203.160 255.255.255.240
access-list Homeworker04_ACL extended permit tcp any object-group DM_INLINE_NETWORK_39 eq 3389
access-list NTLOutside_cryptomap_80 extended permit ip host 192.168.245.89 192.168.202.176 255.255.255.240
access-list NTLOutside_cryptomap_1 extended permit ip host 192.168.245.89 192.168.202.0 255.255.255.240
access-list inside_access_in extended permit icmp host 192.168.245.20 any object-group DM_INLINE_ICMP_4 log
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.208.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.209.0 255.255.255.0 any
access-list inside_access_in extended permit ip host 192.168.250.222 any log warnings
access-list inside_access_in extended permit ip host 192.168.254.250 192.168.208.0 255.255.255.0
access-list inside_access_in extended permit ip host 192.168.254.248 any
access-list inside_access_in extended permit ip host 192.168.254.249 any
access-list inside_access_in extended permit icmp host 192.168.254.250 any log warnings
access-list inside_access_in extended permit ip host 192.168.254.250 any log warnings
access-list inside_access_in extended permit 41 any any log warnings
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log inactive
access-list inside_access_in extended permit udp host 192.168.245.183 192.168.208.0 255.255.255.0
access-list inside_access_in remark *
access-list inside_access_in extended permit tcp host 192.168.110.10 host 195.171.110.175 eq ssh
access-list inside_access_in remark *
access-list inside_access_in extended permit tcp host 192.168.245.61 host 195.171.110.175 eq 20025
access-list inside_access_in extended permit tcp any any eq telnet
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in remark *
access-list inside_access_in extended permit ip any 192.168.202.0 255.255.255.0
access-list inside_access_in remark *
access-list inside_access_in extended permit ip any 192.168.203.0 255.255.255.0
access-list inside_access_in remark SNMP v3 monitoring
access-list inside_access_in extended permit udp host 192.168.245.20 object-group DM_INLINE_NETWORK_15 eq snmp
access-list Homeworker00_ACL extended permit ip any any
access-list NTLOutside_cryptomap_78 extended permit ip host 192.168.245.89 192.168.202.144 255.255.255.240
access-list NTLOutside_cryptomap_93 extended permit ip host 192.168.245.89 192.168.203.64 255.255.255.240
access-list NTLOutside_cryptomap_95 extended permit ip host 192.168.245.89 192.168.203.96 255.255.255.240
access-list NTLOutside_cryptomap_32 remark Difficult to move
access-list NTLOutside_cryptomap_32 extended permit ip host 192.168.245.89 192.168.203.80 255.255.255.240
access-list Maxbond_access_in extended permit icmp any any log
access-list Maxbond_access_in extended permit ip any any log
access-list Maxbond_access_in_1 extended permit icmp any host 192.168.252.34 echo-reply
access-list Maxbond_access_in_1 remark Connectivity testing
access-list Maxbond_access_in_1 extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list NTLOutside_cryptomap_70 extended permit ip host 192.168.245.89 192.168.202.16 255.255.255.240
access-list NTLOutside_cryptomap_81 extended permit ip host 192.168.245.89 192.168.202.224 255.255.255.224
access-list NTLOutside_cryptomap_16 extended permit ip host 192.168.245.89 192.168.203.112 255.255.255.240
access-list NTLOutside_cryptomap_40 extended permit ip host 192.168.245.89 192.168.203.128 255.255.255.240
access-list NTLOutside_cryptomap_79 extended permit ip host 192.168.245.89 192.168.202.160 255.255.255.240
access-list NTLOutside_cryptomap_90 extended permit ip host 192.168.245.89 192.168.203.16 255.255.255.240
access-list NTLOutside_cryptomap_72 extended permit ip host 192.168.245.89 192.168.202.48 255.255.255.240
access-list inside_nat_static_4 extended permit tcp host 192.168.230.20 eq 990 any
access-list * extended permit ip any host 192.168.245.245
access-list * extended permit ip any host 192.168.245.246
access-list * extended permit ip any host 192.168.245.172
access-list inside_nat_static extended permit tcp host 192.168.254.249 eq 18393 any
access-list inside_nat_static_1 extended permit tcp host 192.168.254.249 eq 3389 any
access-list Homeworker02_ACL extended permit ip any 10.0.0.0 255.192.0.0 inactive
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit tcp any object-group DM_INLINE_NETWORK_32 eq www
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit tcp any object-group DM_INLINE_NETWORK_31 range 2130 2140
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit udp any object-group DM_INLINE_NETWORK_34 range 2120 2130
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit tcp any object-group DM_INLINE_NETWORK_37 eq https
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit tcp any host 10.222.62.35 object-group DM_INLINE_TCP_1
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit tcp any host 192.168.245.60 eq 8085
access-list Homeworker02_ACL extended permit tcp any object-group DM_INLINE_NETWORK_35 object-group DM_INLINE_TCP_3
access-list Homeworker02_ACL extended permit udp any object-group DM_INLINE_NETWORK_33 object-group DM_INLINE_UDP_2
access-list Homeworker02_ACL *
access-list Homeworker02_ACL extended permit tcp any object-group DM_INLINE_NETWORK_36 eq www
access-list Homeworker02_ACL extended permit udp any object-group DM_INLINE_NETWORK_38 object-group DM_INLINE_UDP_1
access-list Homeworker02_ACL remark *
access-list Homeworker02_ACL extended permit tcp any host 192.168.245.23 eq 8081
access-list Homeworker02_ACL extended permit ip any any inactive
access-list inside_nat_static_2 extended permit tcp host 192.168.245.61 eq www any
access-list *_Group_PolicyACL_N3 extended permit tcp any host 192.168.245.89 object-group DM_INLINE_TCP_2
access-list inside_nat0_outbound_1 extended permit ip 192.168.208.0 255.255.255.0 host 192.168.245.89
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_6 inactive
access-list outside_access_in *
access-list outside_access_in extended permit tcp any host 82.20.X.X eq 44000 inactive
access-list outside_access_in *
access-list outside_access_in extended permit tcp host 81.138.X.X host 82.20.X.X eq 50000 inactive
access-list outside_access_in extended permit icmp any any log warnings
access-list outside_access_in extended permit 41 any any
access-list outside_access_in extended permit tcp any host 82.20.X.X eq 990
access-list NTLOutside_cryptomap_75 remark To stay on this line
access-list NTLOutside_cryptomap_75 extended permit ip host 192.168.245.89 192.168.202.80 255.255.255.240
pager lines 24
logging enable
logging timestamp
logging buffered critical
logging trap informational
logging history critical
logging asdm informational
logging mail critical
logging host inside 192.168.245.117 17/1514
logging host inside 192.168.245.90 format emblem
logging debug-trace
logging permit-hostdown
no logging message 313005
logging rate-limit 2 30 level 6
mtu outsideold 1500
mtu inside 1500
mtu Outside 1500
mtu Maxbond 1500
ip local pool Homework_Pool1 192.168.209.1-192.168.209.64 mask 255.255.255.0
ip local pool Homework_Pool2 192.168.209.65-192.168.209.75 mask 255.255.255.0
ip local pool Homework_Pool5 192.168.209.90-192.168.209.110 mask 255.255.255.0
ip local pool Homework_Pool3 192.168.209.80-192.168.209.82 mask 255.255.255.0
ip local pool Homework_Pool4 192.168.209.83-192.168.209.85 mask 255.255.255.0
ip local pool VPNIPPOOL 192.168.208.0-192.168.208.254 mask 255.255.255.0
ip audit name Attack attack action drop
ip audit interface outsideold Attack
ip audit interface Maxbond Attack
ip audit info action
ip audit attack action drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (outsideold) 101 interface
global (inside) 1 interface
global (Outside) 101 interface
global (Maxbond) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outsideold) tcp interface 50000 access-list inside_nat_static_2
static (inside,outsideold) tcp interface 18393 access-list inside_nat_static
static (inside,outsideold) tcp interface 3389 access-list inside_nat_static_1
static (inside,Outside) tcp 82.20.X.X 990 access-list inside_nat_static_4
static (inside,Outside) 82.20.X.X 192.168.254.250 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface Outside
access-group Maxbond_access_in_1 in interface Maxbond
route Outside 0.0.0.0 0.0.0.0 82.20.71.222 1
route inside 192.168.13.0 255.255.255.0 192.168.254.254 1
route inside 192.168.33.0 255.255.255.0 192.168.254.254 1
route inside 192.168.35.0 255.255.255.0 192.168.254.254 1
route inside 192.168.110.0 255.255.255.0 192.168.254.254 1
route inside 192.168.230.0 255.255.255.0 192.168.254.254 1
route inside 192.168.245.0 255.255.255.0 192.168.254.254 1
route inside 192.168.250.0 255.255.255.0 192.168.254.254 1
route inside 0.0.0.0 0.0.0.0 192.168.254.254 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
accounting-mode simultaneous
aaa-server TACACS (inside) host 192.168.254.41
key *****
aaa-server SecureIT protocol radius
aaa-server SecureIT (inside) host 192.168.245.160
timeout 5
key *****
authentication-port 1812
accounting-port 1813
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
http server enable
http 192.168.245.0 255.255.255.0 inside
http 192.168.250.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
snmp-server host inside 192.168.245.20 community ***** version 2c
snmp-server location Server Room 1
snmp-server contact *
snmp-server enable traps snmp authentication linkup linkdown coldstart
-cut cryptomaps-
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
id-usage code-signer
crl configure
crypto ca trustpoint ASDM_TrustPoint3
id-usage code-signer
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name *
keypair RemoteAccess
crl configure
crypto isakmp identity address
crypto isakmp enable outsideold
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp enable Maxbond
crypto isakmp policy 20
-cut-
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
vpn-sessiondb max-session-limit 100
telnet timeout 5
ssh 192.168.245.0 255.255.255.0 inside
ssh 192.168.250.0 255.255.255.0 inside
ssh 192.168.254.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.254.0 255.255.255.0
threat-detection scanning-threat shun duration 10
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.254.2 source inside
ntp server 192.168.254.1 source inside prefer
tftp-server inside 192.168.254.250 asa721-k8.bin
webvpn
port 444
enable inside
enable Outside
csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
csd enable
tunnel-group-list enable
smart-tunnel list TestList Outlook outlook.exe platform windows
group-policy WebVPNGrp internal
group-policy WebVPNGrp attributes
vpn-tunnel-protocol webvpn
webvpn
 homepage none
 http-proxy enable
 sso-server none
 customization value DfltCustomization
 http-comp gzip
 hidden-shares visible
 smart-tunnel auto-start TestList
 activex-relay enable
 file-entry enable
 file-browsing enable
 url-entry enable
 deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 480
vpn-tunnel-protocol IPSec l2tp-ipsec
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
 svc keepalive none
 svc dpd-interval client none
 svc dpd-interval gateway none
 customization value DfltCustomization
group-policy GroupPolicy1 internal
group-policy Homeworker01_Policy internal
group-policy Homeworker01_Policy attributes
banner value VPN tunnel now established.
dns-server value 192.168.245.245 192.168.245.246
vpn-tunnel-protocol IPSec svc
default-domain value *
group-policy Homeworker02_Policy internal
group-policy Homeworker02_Policy attributes
banner value VPN is now connected.
vpn-filter value Homeworker02_ACL
vpn-tunnel-protocol IPSec
group-policy Homeworker03_Policy internal
group-policy Homeworker03_Policy attributes
banner value DRSS VPN is now connected.
vpn-filter value Homeworker03_ACL
vpn-tunnel-protocol IPSec
group-policy Homeworker04_Policy internal
group-policy Homeworker04_Policy attributes
banner value VPN is now connected.
vpn-filter value Homeworker04_ACL
vpn-tunnel-protocol IPSec
group-policy Homeworker00_Policy internal
group-policy Homeworker00_Policy attributes
banner value You are here!
dns-server value 192.168.245.245 192.168.245.246
vpn-filter value Homeworker00_ACL
vpn-tunnel-protocol IPSec svc
default-domain value *
webvpn
 homepage value http://192.168.230.20:81
group-policy Homeworker05_Policy internal
group-policy Homeworker05_Policy attributes
banner value VPN is now connected. Next Usename and Password is domain one.
vpn-filter value Homeworker05_ACL
vpn-tunnel-protocol IPSec webvpn
webvpn
 homepage value http://192.168.230.20:81
group-policy RemoteAccessGroup1 internal
group-policy RemoteAccessGroup1 attributes
dns-server value 192.168.245.245 192.168.245.246
vpn-tunnel-protocol svc
default-domain value *
-cut backup usernames-
-cut tunnel groups-
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
 inspect icmp
 inspect ip-options
!
service-policy global_policy global
smtp-server 192.168.245.211
prompt hostname context
call-home
profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily

seandiviney

Thanks for looking at this. I am thinking the problem is my PC; not sure how this has happened, but the routing table has got messed up:

C:\>route print
===========================================================================
Interface List
31...00 1f 29 3c 22 3d ......Intel(R) 82566DM-2 Gigabit Network Connection
  1...........................Software Loopback Interface 1
34...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.250               1f    276
          0.0.0.0          0.0.0.0  192.168.254.254               1f    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link                1f    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link                1f    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0  192.168.254.250  Default
          0.0.0.0          0.0.0.0  192.168.254.254  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
31    276 fe80::/64                On-link
31    276 fe80::9c64:c9a6:4824:2b31/128
                                    On-link
  1    306 ff00::/8                 On-link
31    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

seandiviney

I now have a connection. YAY. Thanks for the help. And that was the easy bit!!!