Search This Blog

Sunday, March 01, 2009

firewall-wizards Digest, Vol 35, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. LinkSys RV042 to ASA 5505 IPsec tunnel (Christopher J. Wargaski)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 Feb 2009 16:31:55 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: [fw-wiz] LinkSys RV042 to ASA 5505 IPsec tunnel
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<17065120902181431u2c4fe8dalbef2a2899ec8235b@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello--

I have a Linksys RV042 running the latest firmware and an ASA 5505
running 8.0(4). I have successfully established an IPsec LAN to LAN
tunnel by specifying actual local and remote networks.

Now, I would like to configure the tunnel so that all traffic from
the LinkSys "inside" network (192.168.25.0/24) is sent across the VPN
no matter what the destination address is. The idea here is to force
the branch office to send all traffic through the main office and
force that traffic out one content filter. (BTW, the ASA "inside"
network is 192.168.17.0/24).

To achieve this, I configured the Linksys as such:

Local Group:
Gateway type--IP only
IP address 75.2.2.2
Group type--Subnet IP
IP--192.168.25.0
Mask--255.255.255.0

Remote Group:
Gateway type--IP only
IP address 75.2.2.3
Group type--Subnet IP
IP--0.0.0.0
Mask--0.0.0.0

Of course, this does not work.

I enabled crypto debugs (ISAKMP and IPsec) on the ASA and saw
nothing. OK, so if the ASA is not seeing any crypto traffic, is it
seeing ANY traffic on the outside interface? I set up a capture on the
outside interface from any to any. I saw no crypto traffic, only the
ICMP echo requests that I was sending from inside the Linksys.

Any thoughts on this? If I could configure the Linksys to be a
hardware client, that would be just fine too.

cjw


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 35, Issue 1
***********************************************

No comments: