Wednesday, November 8, 2017

ASA tunnel routing config

To start with: I've got zero ASA experience, other than some small changes to this box adding subnets to the tunnel.

We have one remote location that has an ASA. This location had two separate DIA circuits: one was used for local internet breakout, and the other was dedicated to a site-to-site back to our data center. Apparently the site has lost the VPN circuit and has no chance of getting it back. In order to get connectivity back, we changed a couple of lines to point to the internet interface instead of the VPN (physical interfaces named internet and vpns). I changed the route statements (lines 245-254) to reflect the internet interface, and the cryptomap ACL (line 295) as well. At this point, all tunnels are up enough for DCs to sync, but I've got no other connectivity. No ICMP, no RDP, nothing. I've tracerouted from the inside interface on the ASA and it's clear that the traffic is exiting to the public internet and not getting put in the tunnel. I can assume that this is because of the route statements pointing at the 'internet' label. So if I understand the config correctly, I need to be able to point those private subnets into the tunnel... which is no longer on a dedicated named interface. Can I just remove the static routes on the subnets that are tunnelled and let the box figure it out?

Also, I know there are a ton of issues in this config. At present, I can't fix a lot of what is wrong.

config:

hostname ASA5510
enable password redacted encrypted
passwd redacted encrypted
names
!
interface GigabitEthernet0/0
 nameif internet
 security-level 0
 ip address public-ip 255.255.255.248
!
interface GigabitEthernet0/1
 nameif vpns
 security-level 0
 ip address public-ip 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.13.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa847-30-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network obj-192.168.13.0
 subnet 192.168.13.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-10.1.60.0
 subnet 10.1.60.0 255.255.255.0
object network obj-192.168.0.0-01
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168.16.0
 subnet 192.168.16.0 255.255.255.0
object network obj-10.3.60.0
 subnet 10.3.60.0 255.255.255.0
object network obj-10.254.60.0
 subnet 10.254.60.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-10.2.10.0
 subnet 10.2.10.0 255.255.255.0
object network obj-10.2.60.0
 subnet 10.2.60.0 255.255.255.0
object network obj-192.168.13.41
 host 192.168.13.41
object network obj-192.168.13.41-01
 host 192.168.13.41
object network obj-192.168.13.41-02
 host 192.168.13.41
object network obj-192.168.13.41-03
 host 192.168.13.41
object network obj-192.168.13.41-04
 host 192.168.13.41
object network obj-192.168.13.41-05
 host 192.168.13.41
object network obj-192.168.13.41-06
 host 192.168.13.41
object network obj-192.168.13.41-07
 host 192.168.13.41
object network obj-192.168.13.41-08
 host 192.168.13.41
object network obj-192.168.13.41-09
 host 192.168.13.41
object network obj-192.168.13.41-10
 host 192.168.13.41
object network obj-192.168.13.41-11
 host 192.168.13.41
object network obj-192.168.13.41-12
 host 192.168.13.41
object network obj-192.168.13.41-13
 host 192.168.13.41
object network obj-192.168.13.41-14
 host 192.168.13.41
object network obj-192.168.13.41-15
 host 192.168.13.41
object network obj-192.168.13.41-16
 host 192.168.13.41
object network obj-192.168.13.41-17
 host 192.168.13.41
object network obj-192.168.13.41-18
 host 192.168.13.41
object network obj-192.168.13.41-19
 host 192.168.13.41
object network obj-192.168.13.41-20
 host 192.168.13.41
object network obj-192.168.13.6
 host 192.168.13.6
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.13.5
 host 192.168.13.5
object-group service rdp tcp
 port-object eq 10338
 port-object eq 10339
access-list nat-internet extended permit ip 192.168.13.0 255.255.255.0 any
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.1.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.254.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.3.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.2.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.254.225.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.1.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.3.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.254.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.2.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.254.225.0 255.255.255.0
access-list inside-in extended permit icmp any any
access-list inside-in extended permit ip any any
access-list vpns-in extended permit icmp any any
access-list vpns-in extended permit ip any any
access-list internet-in extended permit gre any host 192.168.13.6 log
access-list internet-in extended permit ip host public-ip any
access-list internet-in extended permit ip public-ip 255.255.248.0 any
access-list internet-in extended permit ip public-ip 255.255.255.0 any
access-list internet-in extended permit icmp any any
access-list internet-in extended permit ip host public-ip any
access-list internet-in remark Migration, ACE (line 11) expanded: permit tcp any 150.101.227.56 255.255.255.248 object-group rdp
access-list internet-in remark Migration: End of expansion
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8015
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8020
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8000
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8001
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8002
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8003
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8004
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8005
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8006
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8007
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8008
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8009
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8010
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8011
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8012
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8013
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8014
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8016
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8017
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8018
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8019
access-list internet-in extended permit tcp any host 192.168.13.6 eq pptp
access-list internet-in extended permit tcp any host 192.168.13.5 eq 3389
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.13.253 any
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.13.5 any
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.13.41 any
pager lines 30
logging enable
logging buffered debugging
logging asdm debugging
mtu internet 1500
mtu vpns 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface internet
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any internet
icmp permit any vpns
icmp permit any inside
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.1.60.0 obj-10.1.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.0.0-01 obj-192.168.0.0-01 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.16.0 obj-192.168.16.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.3.60.0 obj-10.3.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.254.60.0 obj-10.254.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.2.10.0 obj-10.2.10.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.2.60.0 obj-10.2.60.0 no-proxy-arp route-lookup
!
object network obj-192.168.13.41
 nat (inside,internet) static interface service tcp 8015 8015
object network obj-192.168.13.41-01
 nat (inside,internet) static interface service tcp 8000 8000
object network obj-192.168.13.41-02
 nat (inside,internet) static interface service tcp 8001 8001
object network obj-192.168.13.41-03
 nat (inside,internet) static interface service tcp 8002 8002
object network obj-192.168.13.41-04
 nat (inside,internet) static interface service tcp 8003 8003
object network obj-192.168.13.41-05
 nat (inside,internet) static interface service tcp 8004 8004
object network obj-192.168.13.41-06
 nat (inside,internet) static interface service tcp 8005 8005
object network obj-192.168.13.41-07
 nat (inside,internet) static interface service tcp 8006 8006
object network obj-192.168.13.41-08
 nat (inside,internet) static interface service tcp 8007 8007
object network obj-192.168.13.41-09
 nat (inside,internet) static interface service tcp 8008 8008
object network obj-192.168.13.41-10
 nat (inside,internet) static interface service tcp 8009 8009
object network obj-192.168.13.41-11
 nat (inside,internet) static interface service tcp 8010 8010
object network obj-192.168.13.41-12
 nat (inside,internet) static interface service tcp 8011 8011
object network obj-192.168.13.41-13
 nat (inside,internet) static interface service tcp 8012 8012
object network obj-192.168.13.41-14
 nat (inside,internet) static interface service tcp 8013 8013
object network obj-192.168.13.41-15
 nat (inside,internet) static interface service tcp 8014 8014
object network obj-192.168.13.41-16
 nat (inside,internet) static interface service tcp 8016 8016
object network obj-192.168.13.41-17
 nat (inside,internet) static interface service tcp 8017 8017
object network obj-192.168.13.41-18
 nat (inside,internet) static interface service tcp 8018 8018
object network obj-192.168.13.41-19
 nat (inside,internet) static interface service tcp 8019 8019
object network obj-192.168.13.41-20
 nat (inside,internet) static interface service tcp 8020 8020
object network obj-192.168.13.6
 nat (inside,internet) static 150.101.227.60
object network obj_any
 nat (inside,internet) dynamic interface
object network obj-192.168.13.5
 nat (inside,internet) static interface service tcp 3389 10339
access-group internet-in in interface internet
access-group vpns-in in interface vpns
access-group inside-in in interface inside
route internet 0.0.0.0 0.0.0.0 public-ip 1
route vpns 10.1.60.0 255.255.255.0 public-ip 1
route vpns 10.2.10.0 255.255.255.0 public-ip 1
route vpns 10.2.60.0 255.255.255.0 public-ip 1
route vpns 10.3.60.0 255.255.255.0 public-ip 1
route vpns 10.254.60.0 255.255.255.0 public-ip 1
route vpns 10.254.225.0 255.255.255.0 public-ip 1
route vpns public-ip 255.255.255.255 public-ip 1
route vpns 192.168.0.0 255.255.255.0 public-ip 1
route vpns 192.168.1.0 255.255.255.0 public-ip 1
route vpns 192.168.16.0 255.255.255.0 public-ip 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http public-ip 255.255.248.0 internet
http public-ip 255.255.255.255 internet
http 192.168.13.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http public-ip 255.255.255.255 internet
http public-ip 255.255.255.255 internet
http 10.2.10.0 255.255.255.0 inside
snmp-server host inside redacted version 2c
no snmp-server location
no snmp-server contact
snmp-server community redacted
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map vpns_map0 3 match address vpns_cryptomap
crypto map vpns_map0 3 set peer public-ip
crypto map vpns_map0 3 set ikev1 transform-set ESP-AES-128-SHA
crypto map vpns_map0 interface vpns
crypto ikev1 enable vpns
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet 192.168.13.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.1.60.200 255.255.255.255 inside
telnet timeout 5
ssh public-ip 255.255.255.255 internet
ssh public-ip 255.255.248.0 internet
ssh public-ip 255.255.255.0 internet
ssh public-ip 255.255.255.255 internet
ssh public-ip 255.255.255.255 internet
ssh public-ip 255.255.255.255 internet
ssh public-ip 255.255.255.255 vpns
ssh 192.168.13.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.1.60.0 255.255.255.0 inside
ssh 10.1.60.200 255.255.255.255 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter none
 vpn-tunnel-protocol ikev1 ssl-client
username redacted
tunnel-group public-ip type ipsec-l2l
tunnel-group public-ip general-attributes
 default-group-policy GroupPolicy1
tunnel-group public-ip ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group public-ip type ipsec-l2l
tunnel-group public-ip ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map class-conn-param-tcp-01
 match access-list acl-conn-param-tcp-01
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map policy-conn-param-inside
 class class-conn-param-tcp-01
  set connection random-sequence-number disable
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ip-options
!
service-policy global_policy global
service-policy policy-conn-param-inside interface inside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http http://ift.tt/115Gun1
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86d07c34f0ea522f7b6bbc9fa96d0081
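Editor's added example (not part of the original post, and not taken from the poster's device): the change the question describes, moving the site-to-site tunnel from the dead vpns interface onto the internet interface. The ASA only encrypts a packet when two things agree: routing sends it out the interface the crypto map is bound to, and the packet matches that map's crypto ACL. In the posted config the map and IKEv1 are still bound to vpns, so anything routed out internet is simply PATed by obj_any and leaves in the clear, which is what the traceroute shows. The object, ACL and map names below are the ones in the post; public-ip is the post's own redaction placeholder; the packet-tracer source and destination hosts are made up for illustration.

```cisco
! Added example, not the poster's config. Assumes the "internet" default route in the
! post is already correct and that the data-centre peer is reachable over that circuit.

! 1. Unbind the crypto map and IKEv1 from the interface that lost its circuit.
no crypto map vpns_map0 interface vpns
no crypto ikev1 enable vpns

! 2. Bind them to the interface the traffic now actually leaves on.
crypto map vpns_map0 interface internet
crypto ikev1 enable internet

! 3. The per-subnet routes out vpns are no longer needed: with the map on "internet",
!    the existing "route internet 0.0.0.0 0.0.0.0 public-ip 1" already sends the remote
!    subnets (and the peer itself) out the interface that carries the map. The host route
!    to the peer must go too, or IKE will try to reach the peer over the dead interface.
no route vpns 10.1.60.0 255.255.255.0 public-ip 1
no route vpns 10.2.10.0 255.255.255.0 public-ip 1
no route vpns 10.2.60.0 255.255.255.0 public-ip 1
no route vpns 10.3.60.0 255.255.255.0 public-ip 1
no route vpns 10.254.60.0 255.255.255.0 public-ip 1
no route vpns 10.254.225.0 255.255.255.0 public-ip 1
no route vpns public-ip 255.255.255.255 public-ip 1
no route vpns 192.168.0.0 255.255.255.0 public-ip 1
no route vpns 192.168.1.0 255.255.255.0 public-ip 1
no route vpns 192.168.16.0 255.255.255.0 public-ip 1

! 4. The crypto ACL lists 10.254.225.0/24, but none of the "nat (inside,any) source static"
!    identity rules covers it, so that traffic is PATed to the interface address by obj_any
!    and never matches the crypto ACL. Add the missing identity-NAT pair (new object name).
object network obj-10.254.225.0
 subnet 10.254.225.0 255.255.255.0
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.254.225.0 obj-10.254.225.0 no-proxy-arp route-lookup

! 5. Verify. Phase 1 and 2 should come up on "internet", and a simulated inside-to-remote
!    packet should reach a VPN "ENCRYPT" phase instead of the dynamic PAT to the internet.
show crypto ikev1 sa
show crypto ipsec sa
show route
packet-tracer input inside icmp 192.168.13.10 8 0 10.1.60.10 detailed
show run all sysopt | include permit-vpn
```

So the answer to "can I just remove the static routes?" is yes, but only together with moving the crypto map and IKEv1 onto the same interface; the default route then does the rest. Two checks worth doing at the same time: `sysopt connection permit-vpn` is on by default and lets decrypted tunnel traffic bypass the internet-in ACL, and IKE/ESP terminated on the ASA needs no entry in that ACL, so if the last command above shows it disabled the inbound tunnel traffic will also need explicit ACL entries. Separately, the posted IKEv1 policies 10 and 30 still offer single DES, MD5 and DH group 1, SSH is pinned to dh-group1-sha1, and telnet is enabled from inside; none of that blocks the tunnel, but the policies in particular should be reduced to the AES/SHA ones once the data-centre peer confirms it supports them.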


