
Site to Site VPN one-way traffic

Discussion in 'Servers and Enterprise Solutions' started by teaboy5, 10 Jun 2010.

  1. teaboy5


    Hi all,


    I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site (ASA 5510) I can't get any access to the remote site (ASA 5505). I have checked logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config; I am sure it is something simple that I am missing, but I just can't get it working — please help.


    REMOTE Network is 192.168.72.0



    ! Running configuration of the corporate-side ASA 5510 as pasted in the thread.
    ! Lines beginning with "!" are ignored by the ASA parser and carry review notes only.
    ! The poster says this is "most of" the config, so definitions referenced below
    ! (e.g. the name-to-address mappings for SVR-01, Mail_Outside_AGH, IRONPORT1,
    ! Teleworker, Icritical) may simply have been trimmed from the paste.
    : Saved

    : Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

    !

    ASA Version 8.0(5)

    !

    hostname Casa

    domain-name uk

    ! NOTE(review): the enable and login password hashes below are reproduced
    ! verbatim in a public post; treat them as disclosed and rotate them.
    enable password VgZT0UwPdkSV9l7N encrypted

    passwd zlo5ImUVRkHl4lcl encrypted

    ! Only two "name" entries are visible; the other symbolic hosts used further
    ! down are not defined in this paste.
    names

    name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance

    name 192.168.3.12 tney description tney

    dns-guard

    !

    ! Interfaces: outside (level 0), inside (level 100), dmz (level 50),
    ! management (level 100, management-only). Ethernet0/3 is unused and shut down.
    interface Ethernet0/0

    nameif outside

    security-level 0

    ip address x.x.x.123 255.255.255.224

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    ip address 192.168.3.254 255.255.255.0

    !

    interface Ethernet0/2

    nameif dmz

    security-level 50

    ip address 192.168.103.254 255.255.255.0

    !

    interface Ethernet0/3

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    ip address 192.168.1.1 255.255.255.0

    management-only

    !

    boot system disk0:/asa805-k8.bin

    boot system disk0:/asa707-k8.bin

    ftp mode passive

    clock timezone GMT/BST 0

    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

    dns server-group DefaultDNS

    domain-name uk

    ! Object groups used by the PAT and ACL entries below.
    object-group network ExternalAccess

    description Hosts allowed direct web access

    network-object SVR-01 255.255.255.255

    network-object SVR-GIS 255.255.255.255

    network-object host Tntu

    network-object host tney

    object-group network ExternalAccessFromDMZ

    description Hosts allowed direct web access from DMZ

    network-object CITRIX-Appliance 255.255.255.255

    network-object IRONPORT1 255.255.255.255

    network-object worker 255.255.255.255

    object-group service MitelUDPinternet udp

    description Mitel UDP services needed from internet

    port-object range 20000 27000

    port-object eq sip

    port-object eq 5064

    object-group service MitelTCPinternet tcp

    description Mitel TCP services needed from internet

    port-object eq 2114

    port-object eq 2116

    port-object eq 35000

    port-object eq 37000

    port-object eq 3998

    port-object range 6801 6802

    port-object eq 6880

    port-object eq www

    port-object eq https

    port-object eq 6800

    port-object eq 3478

    port-object eq sip

    port-object eq ssh

    object-group service MitelTCPinternetOpt tcp

    description Mitel TCP optional services from internet

    port-object eq 3300

    port-object range 6806 6807

    ! The single-port range 36005-36005 is fully contained in the 36005-36006 range
    ! that follows; one of the two entries is redundant.
    port-object range 36005 36005

    port-object range 36005 36006

    port-object eq 3478

    port-object eq sip

    object-group service MitelUDP2LAN udp

    description Mitel UDP services needed to LAN

    ! Entire unprivileged UDP port range (1024-65535) is opened towards the LAN host
    ! referenced in acl_dmz below.
    port-object range 1024 65535

    port-object eq sip

    object-group service MitelTCP2LAN tcp

    description Mitel TCP services needed to LAN

    port-object eq 2114

    port-object eq 2116

    port-object eq 35000

    port-object eq 37000

    port-object eq 1606

    port-object eq 4443

    port-object eq 3998

    port-object eq 3999

    port-object range 6801 6802

    port-object eq 6880

    port-object eq www

    port-object eq https

    port-object eq 3478

    port-object eq sip

    ! acl_outside: inbound policy on the outside interface (applied by access-group below).
    access-list acl_outside extended permit icmp any any echo-reply

    access-list acl_outside extended permit icmp any any unreachable

    access-list acl_outside extended permit icmp any any source-quench

    access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp

    access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https

    ! SSH to the firewall's own outside address is permitted from any source here;
    ! the "ssh x.x.x.x 255.255.255.255 outside" line further down is what actually
    ! restricts management access to a single host.
    access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh

    access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh

    access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088

    access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https

    access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081

    access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp

    access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https

    ! The next two snmp entries are identical duplicates.
    access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp

    access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp

    access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet

    access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet

    access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt

    ! Duplicate of the earlier "host x.x.x.x host Icritical_Outside eq ssh" entry.
    access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh

    access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp

    access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp

    access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp

    ! inside_outbound_nat0_acl: NAT exemption (identity NAT) for traffic that must
    ! keep its real inside address - VPN pools, DMZ, and the site-to-site peer network.
    ! First entry is marked inactive.
    access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive

    access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0

    access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0

    ! NAT exemption for the L2L tunnel; matches outside_1_cryptomap below, which is
    ! what the site-to-site traffic needs on the NAT side.
    access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

    access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any

    ! acl_dmz: inbound policy on the dmz interface.
    access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH

    access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain

    access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268

    access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain

    access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

    access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain

    access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH

    ! NOTE(review): this entry permits the whole DMZ subnet to any destination,
    ! including the inside network 192.168.3.0/24, which makes the host-specific
    ! IRONPORT1 entries above it redundant and shadows the more specific entries
    ! after it for sources in 192.168.103.0/24 (e.g. CITRIX-Appliance,
    ! 192.168.103.14). If the intent is a restricted DMZ, this line deserves a look.
    access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any

    access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive

    access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive

    access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp

    access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN

    access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN

    access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any

    access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0

    access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any

    access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any

    ! An ACL named "any" permitting everything; it is not referenced by any
    ! access-group, nat or crypto map statement in the visible config.
    access-list any extended permit ip any any

    access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any

    access-list dmz_pnat1_outbound extended permit ip host Teleworker any

    ! Crypto ACL ("interesting traffic") for the site-to-site tunnel: corporate
    ! 192.168.3.0/24 <-> remote 192.168.72.0/24. Mirrors the nat0 entry above.
    access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

    pager lines 24

    logging enable

    logging asdm informational

    logging mail notifications

    logging from-address uk

    logging recipient-address [email protected] level critical

    mtu outside 1500

    mtu inside 1500

    mtu dmz 1500

    mtu management 1500

    ! Address pool for the remote-access tunnel-group "VPN" below.
    ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0

    no failover

    icmp unreachable rate-limit 1 burst-size 1

    icmp permit any inside

    icmp permit any echo dmz

    icmp permit any dmz

    asdm image disk0:/asdm-625-53.bin

    asdm location SVR-01 255.255.255.255 inside

    asdm location svr-02 255.255.255.255 inside

    asdm location IRONPORT1 255.255.255.255 dmz

    asdm location 194.81.55.226 255.255.255.255 dmz

    asdm location Server 255.255.255.255 inside

    asdm location CITRIX-Appliance 255.255.255.255 dmz

    asdm group ExternalAccess inside

    asdm group ExternalAccessFromDMZ dmz

    no asdm history enable

    arp timeout 14400

    ! NAT: global pools 1-5 on outside, paired with the policy-NAT ACLs above by id.
    global (outside) 2 x.x.x.121

    global (outside) 1 x.x.x.125

    global (outside) 3 Mail_Outside_AVON

    global (outside) 4 Mail_Outside_AGH

    global (outside) 5 teleworker_outside

    nat (inside) 0 access-list inside_outbound_nat0_acl

    nat (inside) 2 access-list inside_pnat_outbound_AVON

    nat (inside) 3 access-list inside_nat_AVON_Marshall

    nat (inside) 1 access-list inside_pnat_outbound

    nat (dmz) 0 access-list dmz_nat0_inbound outside

    nat (dmz) 4 access-list dmz_pnat_outbound

    nat (dmz) 5 access-list dmz_pnat1_outbound

    ! Static port-forwards and one-to-one statics for published services.
    static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255

    static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255

    static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255

    static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255

    static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255

    static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255

    static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255

    static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

    static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255

    ! Only outside and dmz have an inbound ACL; inside has none, so inside-originated
    ! traffic to lower-security interfaces is allowed by default.
    access-group acl_outside in interface outside

    access-group acl_dmz in interface dmz

    route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

    ! NOTE(review): this summary route covers the remote VPN network 192.168.72.0/24
    ! (see inside_outbound_nat0_acl and outside_1_cryptomap above). Because it is
    ! more specific than the default route, inside-originated traffic for
    ! 192.168.72.x is routed back towards 192.168.3.3 on the inside interface instead
    ! of out the outside interface where outside_map is applied, so it never reaches
    ! the tunnel. That is a plausible cause of the one-way behaviour described in the
    ! thread. A more specific route, e.g.
    !   route outside 192.168.72.0 255.255.255.0 X.X.X.254 1
    ! (constructed from the default-route gateway above), would steer that prefix to
    ! the crypto map. Confirm with "show route" and "packet-tracer" before changing.
    route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-record DfltAccessPolicy

    ! ASDM/HTTPS management access.
    http server enable

    ! "oner" is not defined in the visible names block; presumably a trimmed name
    ! entry or a paste error - verify it resolves to the intended admin host.
    http oner 255.255.255.255 inside

    http 192.168.1.0 255.255.255.0 management

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    ! IPsec transform sets. The set includes DES and MD5-HMAC variants; all ten are
    ! offered to dynamic (remote-access) peers via SYSTEM_DEFAULT_CRYPTO_MAP below,
    ! so a client may negotiate down to ESP-DES-MD5. DES and MD5 are considered weak
    ! by current guidance. The site-to-site entry (outside_map 1) uses ESP-3DES-SHA only.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    ! Site-to-site crypto map entry 1: peer r.r.r.244, interesting traffic from
    ! outside_1_cryptomap, 3DES/SHA-1, PFS with DH group 1.
    crypto map outside_map 1 match address outside_1_cryptomap

    ! PFS group 1 (768-bit MODP) is the weakest group available; group 2 or higher is
    ! generally recommended, and both peers must agree on it.
    crypto map outside_map 1 set pfs group1

    crypto map outside_map 1 set peer r.r.r.244

    crypto map outside_map 1 set transform-set ESP-3DES-SHA

    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map outside_map interface outside

    crypto isakmp enable outside

    ! IKE phase 1: pre-shared key, 3DES, SHA-1, DH group 2, 24-hour lifetime.
    crypto isakmp policy 10

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    ! NAT traversal is disabled; this only matters if either IPsec peer sits behind
    ! a NAT device, which the thread does not indicate.
    no crypto isakmp nat-traversal

    telnet timeout 5

    ! SSH management restricted to one external host and one inside host.
    ssh x.x.x.x 255.255.255.255 outside

    ssh Mail_Inside_AGH 255.255.255.255 inside

    ssh timeout 5

    ! 0 means the console session never times out.
    console timeout 0

    dhcpd address 192.168.1.2-192.168.1.254 management

    dhcpd enable management

    !

    threat-detection basic-threat

    threat-detection statistics port

    threat-detection statistics protocol

    threat-detection statistics access-list

    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

    ntp server SVR-DC1 source inside prefer

    ! Remote-access VPN: group policy, local user and tunnel-group all named "VPN".
    group-policy VPN internal

    group-policy VPN attributes

    wins-server value 192.168.x.x 192.168.x.x

    dns-server value 192.168.x.x 192.168.x.x

    ipsec-udp enable

    default-domain value ACE

    ! NOTE(review): this local-user hash is also reproduced verbatim in the post.
    username VPN password pmmPwcDD/inpnNfB encrypted privilege 0

    username VPN attributes

    vpn-group-policy VPN

    tunnel-group VPN type remote-access

    tunnel-group VPN general-attributes

    address-pool vpnpool

    default-group-policy VPN

    tunnel-group VPN ipsec-attributes

    ! Pre-shared keys were masked by the poster before publishing.
    pre-shared-key ******

    ! Site-to-site tunnel-group keyed on the peer address used by outside_map 1.
    tunnel-group r.r.r.244 type ipsec-l2l

    tunnel-group r.r.r.244 ipsec-attributes

    pre-shared-key ****

    tunnel-group-map default-group r.r.r.244

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns migrated_dns_map_1

    parameters

    message-length maximum 512

    ! Default global inspection policy.
    policy-map global_policy

    class inspection_default

    inspect dns migrated_dns_map_1

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect netbios

    inspect tftp

    inspect sip

    !

    service-policy global_policy global

    prompt hostname context

    Cryptochecksum:8360816431357f109b3c4b950d545c86

    : end