Allow IPsec traffic through 871?
I am using Cisco 871s with the Advanced IP Sec IOS for remote offices. I need to allow IPsec traffic to pass through the 871 to establish a client IPsec tunnel. The client VPN software is Nortel's Contivity VPN.
How can I allow IPsec traffic to pass through the 871?
If you are initiating VPN client connectivity from behind the 871 to the outside, you need to allow the IPsec ports through: UDP 500, UDP 4500 and IP protocol 50 (ESP). I don't know Nortel's VPN client, but I'm sure they follow the IPsec standards.
Try this on your 871 router.
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
Apply ACL 101 inbound to your outbound (WAN-facing) interface:
interface FastEthernet4
 ip access-group 101 in
HTH
Jorge
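A fuller version of the same idea, added here as an example and not part of Jorge's post or the original question: the three IPsec permits applied inbound on the 871's WAN port, together with CBAC so that the implicit deny at the end of the list does not also drop the return traffic of every other session the office starts. It assumes the 871 defaults (FastEthernet4 is the WAN interface, Vlan1 the LAN), a 192.168.1.0/24 LAN and a DHCP-assigned WAN address; all of those are placeholders.

```cisco
! Added example (not from the original post). Assumptions: FastEthernet4 = WAN,
! Vlan1 = LAN (871 defaults), LAN is 192.168.1.0/24, WAN address comes from DHCP.
!
! CBAC opens return paths for sessions started on the LAN, so the inbound ACL
! only has to name what CBAC cannot track.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! isakmp = UDP 500, non500-isakmp = UDP 4500 (NAT-T). ESP carries no ports, so it
! is matched by protocol; a NAT-T capable client wraps ESP in UDP 4500 anyway.
! Everything not listed is dropped by the implicit deny at the end of the list;
! the explicit deny only makes those drops visible in the log.
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 deny   ip any any log
!
! PAT for the office behind the router
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip access-group 101 in
 ip inspect FW out
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Check hit counts with `show ip access-lists 101` and open sessions with `show ip inspect sessions`. Leave `log` off the permit lines once the tunnel is up: every ESP packet that matches a logged entry is process-switched. PAT has no port numbers to work with for raw ESP, so unless the router's ESP-through-NAT support covers your case, make sure NAT-T is enabled on the client; if the client uses a vendor-specific UDP port for NAT traversal instead of 4500, add that port to the list.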
Similar Messages
-
WRVS4400N Won't allow L2TP traffic to passthrough
The latest in a series of issues with the WRVS4400N:
As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN. That leaves us with one of two options:
1) Obtain iPSecuritas and configure an IPSec tunnel with it. Problematic for many, but it can be done. I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi. This leaves you with solution 2:
2) Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
I am running both a PPTP and an L2TP server on Mac OS X Server behind the WRVS4400N. I have the 4400N set up to pass through all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
After forwarding the appropriate port (1723) to the OS X server's ip address, PPTP goes through just fine.
L2TP is a problem, though. Nothing I try gets through this 4400N. As stated above I have L2TP passthrough enabled. I have also forwarded ports UDP 500, UDP 4500 and even tcp/udp 1701 to the L2TP server's ip address. No go, no traffic gets through.
Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone. Voila! L2TP traffic connects as expected. This proves it is the WRVS4400N not doing its thing.
I have checked the logs on the WRVS4400N and nothing appears at all. I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts setup on the WRVS4400N, but with the lousy logging and no ipconntrak tables in this version of the firmware, i don't know what else to check.
I am using Firmware v1.0.16 because v1.1.03 is not stable on my router. Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually passthrough my L2TP traffic to the working L2TP server?
/rant: I have to say I am beginning to hate the WRVS4400N. This temperamental beast has cost me a lot of frustration and long hours over the past two years; in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.
gv wrote:
1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
Thanks for the reply. Comments/follow-up on each of your numbered responses:
1) Port 1701 is off. Plenty of sites insist it must be open, so I tried it out of desperation. Lots of bad information on the internet, as we all know.
2a) My IPSec server has always been the NAT gateway itself (the WRVS4400N). That's not the problem. My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN. QuickVPN is only offered for Windows, and the Cisco VPN Client for OS X will not connect to the WRVS4400N. This leaves me having to use third-party client solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.
I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel. This won't work with the only solutions I have for using IPSec on a Mac to connect to the network. I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable. Very frustrating.
I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.
If it's so problematic, and such a bad idea, why allow it? Especially on devices marketed to SOHO consumers who are bound to have less networking savvy? In fact, the Linksys products ship with these options ENABLED by default.
3) I've done all that.
Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
Passthrough disabled, ports forwarded
Dec 7 07:38:40 - Drop by Port Scan UDP
Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
Dec 7 07:41:30 - [VPN Log]: shutting down
Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
passthrough enabled, ports not forwarded
Dec 7 07:47:28 - [VPN Log]: shutting down
Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
passthrough enabled, ports forwarded
BLANK LOG! Not a single entry in the WRVS4400N's log files.
Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N. L2TP connections work fine until the WRVS4400N is in the mix.
So, I'm back to the same original question:
How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...?
Message Edited by DistortedLoop on 12-07-2008 08:02 AM -
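The point gv makes in item 1 (never expose UDP 1701 directly) and the reason item 3 mentions UDP 4500 can be made concrete on a router with a real CLI. The following is an added example, not from this thread and not a WRVS4400N configuration: it is the IOS equivalent of "forward only what L2TP/IPsec needs" to a server at 192.168.2.11 behind interface PAT on FastEthernet4 (both assumptions, as is the LAN range). ESP (IP protocol 50) has no port numbers, so it cannot be port-forwarded through a PAT address at all; client and server have to detect the NAT and switch to NAT-T, which carries ESP inside UDP 4500. Only those two UDP ports are published, and 1701 is deliberately absent, because L2TP must only ever arrive inside the IPsec SA.

```cisco
! Added example (not from the thread). Assumptions: L2TP/IPsec server 192.168.2.11,
! LAN 192.168.2.0/24, FastEthernet4 is the PAT'd WAN interface.
!
! Publish IKE (500) and NAT-T (4500) only. ESP cannot be forwarded through PAT.
ip nat inside source static udp 192.168.2.11 500  interface FastEthernet4 500
ip nat inside source static udp 192.168.2.11 4500 interface FastEthernet4 4500
!
! Outbound PAT for the rest of the LAN
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
! CBAC lets return traffic of LAN-initiated sessions back in past the ACL.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the WAN side. IOS checks this BEFORE the outside-to-inside NAT
! translation, so the destination seen here is the public interface address,
! not 192.168.2.11. UDP 1701 is denied and logged so any attempt shows up.
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 deny   udp any any eq 1701 log
access-list 110 deny   ip any any
!
interface FastEthernet4
 ip nat outside
 ip access-group 110 in
 ip inspect FW out
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
```

`show ip nat translations` should list the two static UDP entries permanently; `show ip access-lists 110` shows whether the client's IKE is reaching the router at all, and any hits on the 1701 line are traffic that should never have been sent to the public address in the first place.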
Does the newest IOS allow IPSEC to pass-thru??
Here is my situation. I have a 2514 with many internal addresses overloaded to one public address, and the Cisco VPN client doesn't work with many-to-one translation. What is my best bet??
Yes, 12.2(13)T should support this now. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatesp.htm
That command reference is horrible though, I think what it's trying to tell you is that you don't need to do anything on the router other than configure NAT overload, the router should do the rest for you automatically. -
Allow external traffic to access internal computers
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)
hostname ciscoasa
domain-name default.domain.invalid
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 152.18.75.132 255.255.255.240
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network a-152.18.75.133
host 152.18.75.133
object network a-10.2.1.2
host 10.2.1.2
object-group network ext-servers
network-object host 142.21.53.249
network-object host 142.21.53.251
network-object host 142.21.53.195
object-group network ecomm_servers
network-object 142.21.53.236 255.255.255.255
object-group network internal_subnet
network-object 10.2.1.0 255.255.255.0
access-list extended extended permit ip any any
access-list extended extended permit icmp any any
access-list extended extended permit ip any object-group ext-servers
access-list acl_out extended permit tcp any object-group ecomm_servers eq https
access-list outside_in extended permit ip any host 10.2.1.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 122.31.53.0 255.255.255.0 outside
ssh 122.28.75.128 255.255.255.240 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
: end
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
translate_hits = 1, untranslate_hits = 112
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
translate_hits = 1, untranslate_hits = 113
ciscoasa(config)#
Okay I will bite.
Assuming you have
a. dynamic pat rule for lan users-devices to reach the internet
(missing ???????????????
(should look like a nat rule that makes two entries when you make the one rule)
(with router set at defaults it may make this rule for you already in place)
-object bit
object network obj_any_inside
subnet 0.0.0.0 0.0.0.0
and rule bit
object network obj_any_inside
nat (inside,outside) dynamic interface
b. route rule - tells asa next hop is IP gateway address
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
c. Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
object bit
object network natforward4server
host 10.2.1.2
Nat bit
object network natforward4server
nat (inside,outside) static interface service tcp 443 443
d. NAT for a translated port.
If you had wanted to translate a port, let's say you have external users that can only use port 80 but need to access https
object bit
object network natfortransl4server
host 10.2.1.2
Nat bit
object network natfortransl4server
nat (inside,outside) static interface service tcp 443 80 -
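The posted configuration already has a working static NAT (the `untranslate_hits` counter in the `show nat` output is climbing), but it contains no `access-group` line at all, so the `outside_in` list is never applied and the outside interface (security-level 0) drops every inbound connection. The following is an added example, not from the thread, that shows the minimal complete set for ASA 8.3 and later, reusing the poster's object names; it narrows the published service to HTTPS instead of `permit ip any`, and the `inside_net` object is an assumption.

```cisco
! Added example (not from the thread). Objects a-10.2.1.2 and a-152.18.75.133 are
! the poster's; inside_net is an assumption.
object network a-10.2.1.2
 host 10.2.1.2
object network a-152.18.75.133
 host 152.18.75.133
!
! Static 1:1 NAT (already present in the posted config)
nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
!
! Post-8.3 ACLs reference the REAL (untranslated) address, so host 10.2.1.2 here
! is right. Publish only HTTPS; log everything else that is tried.
access-list outside_in extended permit tcp any object a-10.2.1.2 eq https
access-list outside_in extended deny ip any any log
!
! The line the posted config is missing. Without it the ACL is inert and the
! outside interface keeps its default: nothing inbound.
access-group outside_in in interface outside
!
! Outbound PAT for the rest of the LAN (object NAT, evaluated after the static rule)
object network inside_net
 subnet 10.2.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Verify with `packet-tracer input outside tcp 198.51.100.10 40000 152.18.75.133 443` (the simulated packet carries the mapped address, because that is what arrives on the wire); the trace should show the UN-NAT phase selecting the static rule and the ACCESS-LIST phase matching `outside_in`. `show access-list outside_in` then gives hit counts per line.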
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
HMidkiff wrote:
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
Where is it applied, to an L3 switch VLAN interface or a router interface, in which direction, etc.?
Is the SNMP traffic from a specific device, you could add a permit log for that specific device to see what ports it is using.
Also, where is the SNMP coming from in your acl ? if it is the x.x.0.0 network the acl should be -
permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
etc..
Jon -
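Jon's point is about which end of the conversation carries port 161. An SNMP poll goes from the NMS (ephemeral source port) to the agent's port 161, and the reply comes back from the agent's port 161 to the NMS's ephemeral port, so an ACL that sits between the agents and the NMS and names `host SERVER_IP eq snmp` as the destination only ever matches polls, never replies. Traps are the other way round: they are sent to port 162 on the NMS. The following is an added example, not from the thread, assuming the NMS is SERVER_IP, the agents live in X.X.0.0/16, and the list is applied inbound on the interface that faces the agents (interface name is an assumption).

```cisco
! Added example (not from the thread). Assumptions: SERVER_IP is the NMS,
! X.X.0.0/16 holds the agents, GigabitEthernet0/1 faces the agents, and the
! list is applied INBOUND there, so it sees agent -> NMS packets.
ip access-list extended ABC-ACL
 ! poll replies: agent SOURCE port 161 -> NMS ephemeral port (dest port is not 161)
 permit udp X.X.0.0 0.0.255.255 eq snmp host SERVER_IP
 ! traps / informs: agent ephemeral port -> NMS port 162
 permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
 ! ping replies from the agents to the NMS
 permit icmp X.X.0.0 0.0.255.255 host SERVER_IP echo-reply
 ! temporary discovery line: shows what else the agents send; remove once tuned
 deny ip any any log
!
interface GigabitEthernet0/1
 description towards the SNMP agents
 ip access-group ABC-ACL in
```

If the list is instead applied on the NMS side in the direction NMS -> agents, the roles flip and the original form is still wrong for a different reason: SERVER_IP is then the source, so the poll line has to read `permit udp host SERVER_IP X.X.0.0 0.0.255.255 eq snmp`. Either way, `show ip access-lists ABC-ACL` tells you which line is matching and the logged denies tell you what is not.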
RV016 Router Allow All Traffic For Outside IP
Hi,
I need to configure the firewall to allow all traffic for the IP address of a server. What steps in the router do I need to configure this? This is a cloud-based VoIP server and we have IP phones, and we need to add the IP address of the phone server to allow all traffic for that IP.
thanks.
Hi Jonathan,
I have a similar problem with VOIP traffic being dropped by my new RV016 v3 router.
I have created one Firewall Rule, to allow ALL traffic from the external VOIP PBX provider (single IP) to connect to the internal VOIP phones, which have assigned addresses in a small IP Address range (eg. 10.1.2.50 - 10.1.2.59)
The Aastra VoIP phones continually lose their registration with the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone 3 or 4 minutes after you hang up, and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
We used to have an RV016 v2 router and VOIP traffic worked OK, with a similar Firewall Rule. We replaced the v2 router because its CPU crashed.
I tested the VOIP traffic with a WRT160 router with minimal Firewall Rules, and it works OK, as long as SIP-ALG is turned Off. We want to use the RV016 because it provides a larger number of ports for our LAN.
Any suggestions ?
Kirk -
Hi!
We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
Thanks.
access-list 101 permit udp <net_lan> <wildcard> <net_wan> <wildcard> eq 53
access-list 101 permit tcp <net_lan> <wildcard> <net_wan> <wildcard> eq 53
access-list 101 deny ip any any log
!
interface Serial0/0
 ip access-group 101 out
N.B. This access list only permits DNS traffic. All traffic except DNS will be denied. -
Firewall Allow all traffic on lan
Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.
dtich wrote:
Thx Dean, yes, I had certainly looked at the log, which shows these entries:
Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
but I have no idea where 169.x.x.x is; nothing on my LAN... If the port is 65534, that's an FTP passive port; I tried opening that, doesn't solve the problem. If the port is 138, that's NetBIOS, which would be odd, but I tried opening that too. Nothing doing. Can't figure it out, and the log really isn't helping too much.
traceroute gives me:
traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
so, I guess that's some internal address that my router uses or something..?? Wacky. I'm out of my depth here.
If I allow 169.254.x.x, I still get no joy.
Mean anything else to you?
yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external? -
Firewall blocks Airplay (even under 'allow all traffic')
Hi every body,
I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 Server. Interestingly, the server's firewall blocks
a) all airplay traffic and
b) 'reading AirPort configuration' requests
even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
Any help would really be appreciated.
Thanks a lot.
Nonresidentalien
P.S. I have also tried to open ports 80 (t), 443 (t), 554 (t/u), 3689 (t), 5297 (t), 5289 (t/u), 5353 (u), 49159 (u) and 49163 (u) with no success
Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4-related firewall rules.
There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
reptilehouse:~ sascha$ sudo ip6fw show
01000 285 96163 allow ipv6 from any to any via lo0
01100 66 5750 allow ipv6 from any to ff02::/16
65000 0 0 deny ipv6 from any to any
65535 6 306 allow ipv6 from any to any
As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
reptilehouse:~ sascha$ sudo ip6fw delete 65000
To confirm, show the rule table again and you should see 65000 is gone:
reptilehouse:~ sascha$ sudo ip6fw show
01000 285 96163 allow ipv6 from any to any via lo0
01100 66 5750 allow ipv6 from any to ff02::/16
65535 6 306 allow ipv6 from any to any
Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
What I don't know is whether this is sticky, i.e. survives a reboot. -
Hello!!
I'm using the IPSEC Cisco VPN Network property to connect to my company.
Once I get connected, I lose internet access, because all the traffic is redirected through the tunnel and I want both, of course.
If I modify the default gateway in the routing table with this command
route change default x.x.x.x, where this is the gateway IP when not connected to the VPN,
I gain access to internet, but I lose access through the VPN tunnel.
I was reading about it in google, and what I have to do is to add a static route to the VPN again, but I don't know how.
Could you please help me?
thanks in advance!!
Hi Norbert,
I am sorry to say that configuring routes in an Azure Virtual Network is not supported. I recommend you submit your requirement on Azure Feedback and hope it will be released soon:
http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
ASA configuration is below!
ASA Version 9.1(1)
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface GigabitEthernet0/1
description Interface_to_VPN
nameif outside
security-level 0
ip address 111.222.333.444 255.255.255.240
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
subnet 192.168.11.0 255.255.255.0
description LAN
object network SSLVPN_POOL
subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
email [email protected]
subject-name CN=ASA
ip-address 111.222.333.444
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
fqdn vpn.domain.com
email [email protected]
subject-name CN=vpn.domain.com
ip-address 111.222.333.444
keypair sslvpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 5
vpn-session-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value mycomp.local
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect dtls compression lzs
anyconnect modules value vpngina
customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 3
vpn-session-timeout 120
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value company.com
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect dtls compression lzs
customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
vpn-group-policy VPN_CLIENT_POLICY
service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
authentication aaa certificate
group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
authentication aaa certificate
group-alias IT enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Hi,
here's what you need:
same-security-traffic permit intra-interface
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
Patrick -
Possible to allow any traffic from a certain IP?
Basic question:
I'm using Snow Leopard and want to be able to allow any incoming traffic from a certain IP. I'm not concerned about what ports because it's a local device (PS3) behind the router. Is there a way to accomplish this without resorting to ipfw?
Additional info:
I have tried to add the PS3 Media Server program to the firewall list but even though it's set to allow, the firewall blocks incoming connections for it. I confirmed this through the console logs. I think it's something to do with being a Java based program.
Console:
8/29/09 3:37:59 PM 0x0-0x85085.PS3 Media Server1106 main TRACE 15:37:59.547 Created socket: /10.0.1.2:5001
8/29/09 3:37:59 PM Firewall1028 JavaApplicationS is listening from 10.0.1.2:5001 proto=6
8/29/09 3:38:04 PM Firewall1028 Deny JavaApplicationS connecting from 10.0.1.3:50680 to port 5001 proto=6
Don't know anything about the topic, but this might help.
http://forums.macrumors.com/showthread.php?t=774875 -
ACE 4710: Config Allows all traffic except large HTTP downloads
Hi Folks,
Got an ACE 4710 with a basic config that seems to work for all traffic except large downloads.
I've attached the current config
As I mentioned I can do normal HTTP to a standard destination like google or SSH through the ACE or ICMP
If i try to get a large file from the server side of ACE, then a trace shows that the first and subsequent 1460Byte packets dont go through ACE
I've thought of parse lengths, but i cannot see any that seem to affect the generic L4 maps that I am trying to use
Cheers
Alan
I've seen a similar fault. I suppose a lower MSS was sent in the TCP SYN handshake packets (1300 or 1380?) and the packets exceeding that value were dropped by the ACE. This is the default behavior which can be switched to a less strict mode by either
exceed-mss allow
or
no normalization
commands.
In our case, it was a Linux web server whose replies wouldn't keep to the MSS limit. -
HI All,
we are getting ready to do a POC with ACE, Hurray !!!!!!!!!
One problem though. The customer (who is a service provider) is going to load balance traffic to a web proxy, but wants to bypass IPSec VPN traffic from getting load balanced to proxies.
I think we can do this if the clients are using IPSec tunnel mode, but it seems there would be a problem in identifying the traffic if the clients are using IPSec transport mode or transparent tunneling. Any idea how i can prevent all of the VPN traffic from going to the proxies ?
Thanks
If you only load balance traffic with destination port 80 or port 8080 then there is no problem.
I don't think ipsec would use those ports.
Gilles. -
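The two ACE answers above share one configuration. Added here as an example that is not from either thread (rserver addresses, VIP, VLAN and names are all assumptions): the MSS fix is done with a connection parameter-map attached to the load-balancing class, which relaxes only the MSS check, rather than with `no normalization`, which switches off every TCP/IP normalization check on the interface; and the class-map matches TCP 80 and 8080 only, so IKE (UDP 500/4500) and ESP (IP protocol 50) never hit the VIP and are simply forwarded untouched. The `0.0.0.0 0.0.0.0` virtual address assumes the transparent-proxy topology from the second thread, where client traffic to any web server is intercepted.

```cisco
! Added example (not from the threads). All names, addresses and the VLAN are assumptions.
!
! (1) Relax only the MSS check. Applying "no normalization" to the interface instead
!     would also drop the sequence/flag sanity checks.
parameter-map type connection MSS_RELAXED
  exceed-mss allow
!
! ACE forwards nothing through an interface without an ACL.
access-list ALL line 8 extended permit ip any any
!
rserver host PROXY1
  ip address 10.10.10.11
  inservice
rserver host PROXY2
  ip address 10.10.10.12
  inservice
serverfarm host PROXIES
  rserver PROXY1
    inservice
  rserver PROXY2
    inservice
!
! (2) Only TCP 80/8080 to any destination is a load-balancing candidate. IKE, NAT-T
!     and ESP do not match and are routed/bridged through as ordinary traffic.
class-map match-any VIP_HTTP_PROXY
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 80
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 8080
!
policy-map type loadbalance first-match LB_PROXIES
  class class-default
    serverfarm PROXIES
!
policy-map multi-match L4_POLICY
  class VIP_HTTP_PROXY
    loadbalance vip inservice
    loadbalance policy LB_PROXIES
    connection advanced-options MSS_RELAXED
!
interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  access-group input ALL
  service-policy input L4_POLICY
  no shutdown
```

`show service-policy L4_POLICY detail` shows the VIP hit and drop counters; if large downloads still stall after this, the drops are not MSS-related and the normalization counters are the next thing to look at before reaching for `no normalization`.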
Security zone for IPSec traffic
Hi.
Suppose i have classic static IPSec with remote site like this:
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TS
 match address crypto_acl
!
ip access-list extended crypto_acl
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface Fas0/0
 ip address <some internet address>
 crypto map CRYPTOMAP
!
interface Fas0/1
 ip address 10.1.0.1 255.255.0.0
!
ip route 10.2.0.0 255.255.0.0 <ISP address>
Now i want to establish zone-based-firewall.
I create zones
zone security INET
zone security REMOTE_SITE
zone security LAN
!
zone-pair blah-blah...
!
interface Fas0/0
 zone-member security INET
!
interface Fas0/1
 zone-member security LAN
How do I put traffic passing through the IPsec tunnel into zone REMOTE_SITE ???
Note: this is NOT ASA, this is IOS.
Note2: remote site is not Cisco and I cannot create a Tunnel interface.
Hello Utair,
You need only 2 interfaces,
The one that connects to the internal devices
The one that connects to the outside interface (where the crypto-map is usually applied)
Just match the traffic from the internal interface to the outside interface and apply the right action
Same thing for the traffic that will be generated in the other site to the Local Area Network
Do you follow me?
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
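What Julio describes, written out as an added example that is not from the thread. With a crypto map on Fas0/0 there is no interface for the tunnel, so the decrypted packets from the remote site are seen by the zone-based firewall as arriving on Fas0/0, i.e. from zone INET; a REMOTE_SITE zone cannot be populated and is not needed. The remote site is separated from the rest of the internet by address instead: the ACL on the inner 10.2.0.0/16 addresses is what lets it reach the LAN, while class-default drops everything else that arrives from INET. The router itself (the self zone) additionally has to accept IKE and ESP from the peer, which is the part most often forgotten. Addresses and interfaces are the ones in the question; the peer address x.x.x.x stays a placeholder.

```cisco
! Added example (not from the thread). Uses the question's subnets and interfaces;
! x.x.x.x is the remote IPsec peer.
!
! Only the remote site's inner addresses, only towards the LAN
ip access-list extended REMOTE_SITE_TO_LAN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
! What the router itself must accept from the peer
ip access-list extended IPSEC_TO_SELF
 permit udp host x.x.x.x any eq isakmp
 permit udp host x.x.x.x any eq non500-isakmp
 permit esp host x.x.x.x any
!
class-map type inspect match-any CM_L4
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all CM_REMOTE_IN
 match access-group name REMOTE_SITE_TO_LAN
 match class-map CM_L4
class-map type inspect match-all CM_IPSEC_SELF
 match access-group name IPSEC_TO_SELF
!
! INET -> LAN: decrypted tunnel traffic is inspected, anything else from the
! internet is dropped and logged.
policy-map type inspect PM_INET_TO_LAN
 class type inspect CM_REMOTE_IN
  inspect
 class class-default
  drop log
! LAN -> INET: everything, tunnelled or not, is stateful-inspected on the way out
policy-map type inspect PM_LAN_TO_INET
 class type inspect CM_L4
  inspect
 class class-default
  drop
! INET -> self: IKE/ESP cannot be inspected, so they are passed. With no zone-pair
! for self -> INET, the router's own IKE replies are allowed by default.
policy-map type inspect PM_INET_TO_SELF
 class type inspect CM_IPSEC_SELF
  pass
 class class-default
  drop
!
zone security INET
zone security LAN
zone-pair security INET-LAN source INET destination LAN
 service-policy type inspect PM_INET_TO_LAN
zone-pair security LAN-INET source LAN destination INET
 service-policy type inspect PM_LAN_TO_INET
zone-pair security INET-SELF source INET destination self
 service-policy type inspect PM_INET_TO_SELF
!
interface FastEthernet0/0
 zone-member security INET
interface FastEthernet0/1
 zone-member security LAN
```

`show policy-map type inspect zone-pair INET-LAN sessions` lists the decrypted flows that the remote site currently has open into the LAN, which is the "zone" view the question was after; `show crypto ipsec sa` confirms that the SA itself is up, which it must be before any of the INET-LAN counters can move.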