Sunday, June 14, 2009

firewall-wizards Digest, Vol 38, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco AnyConnect Remote Access to L2L tunnels
(Christopher J. Wargaski)
2. Re: Cisco AnyConnect Remote Access to L2L tunnels (Todd Simons)
3. Re: Cisco AnyConnect Remote Access to L2L tunnels (Eric Gearhart)


----------------------------------------------------------------------

Message: 1
Date: Fri, 12 Jun 2009 10:26:04 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Todd Simons <tsimons@delphi-tech.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<17065120906120826q7d367062lee2d50538d1e3e6f@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hey Todd--

I have not tried this before with AnyConnect VPNs, however, at one
time, I think I had a similar set up with remote access IPsec VPNs and
L2L tunnels.

OK, you have the hairpin enabled and the SSLClientPool IP block
is included in the ACL that marks interesting traffic. Good.

Have you watched the logs when an AnyConnect client is trying to
access one of the remote L2L VPN locations? I am thinking right now
that the "crypto map OutsideVPN 192 set nat-t-disable" may be the
issue. Can you try enabling NAT-T?

cjw

On Thu, Jun 11, 2009 at 7:47 AM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Inline...
>
> A couple questions:
> 1) Is the ASA a peer for the L2L tunnels?
>>>Yes
>
> 2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?
>>>Yes
>
> 3) Do you have the hairpin enabled?
>>>I think so (lines 48/49 in attached txt)
>
> 4) Can you send a copy of the ASA configuration?
>>>Attached. Note that this is not a production ASA, config is still a work in progress. This should be considered "MainSite" and SiteA, SiteB, SiteC are satellites, RA VPNs terminate here at MainSite and should give access to SiteA, Site and (eventually) SiteC. SiteA has 2 IPSEC Networks, the remote gateway & a /29, SiteB just has the remote gateway, Site C will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from Sites.
>
> Thanks


------------------------------

Message: 2
Date: Fri, 12 Jun 2009 15:30:48 -0400
From: "Todd Simons" <tsimons@delphi-tech.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: "Christopher J. Wargaski" <wargo1@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<6BEB7C2F4C712045AA210FC242934F75081D9DF7@NJ-EXCHANGE1.AD.dti>
Keywords: disclaimer
Content-Type: text/plain; charset="iso-8859-1"

I got it running (hairpin + NAT solved it), but I don't have external traffic (it's a global tunnel). For example, internal hosts to www.google.com works, but it doesn't work from a RA VPN. The RA VPNs use an IP Pool of addresses in my LAN subnet.

In my logs I see the "Built inbound TCP" connection, but I never get a response.

Here are my NAT statements:
global (outside) 1 interface
nat (inside) 0 access-list insideNoNat
nat (inside) 1 0.0.0.0 0.0.0.0

The insideNoNat contains our known addresses, no references to public subnets.

~Todd

-----Original Message-----
From: Christopher J. Wargaski [mailto:wargo1@gmail.com]
Sent: Friday, June 12, 2009 11:26 AM
To: Todd Simons
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels

Hey Todd--

I have not tried this before with AnyConnect VPNs, however, at one
time, I think I had a similar set up with remote access IPsec VPNs and
L2L tunnels.

OK, you have the hairpin enabled and the SSLClientPool IP block
is included in the ACL that marks interesting traffic. Good.

Have you watched the logs when an AnyConnect client is trying to
access one of the remote L2L VPN locations? I am thinking right now
that the "crypto map OutsideVPN 192 set nat-t-disable" may be the
issue. Can you try enabling NAT-T?

cjw

On Thu, Jun 11, 2009 at 7:47 AM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Inline...
>
> A couple questions:
> 1) Is the ASA a peer for the L2L tunnels?
>>>Yes
>
> 2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?
>>>Yes
>
> 3) Do you have the hairpin enabled?
>>>I think so (lines 48/49 in attached txt)
>
> 4) Can you send a copy of the ASA configuration?
>>>Attached. Note that this is not a production ASA, config is still a work in progress. This should be considered "MainSite" and SiteA, SiteB, SiteC are satellites, RA VPNs terminate here at MainSite and should give access to SiteA, Site and (eventually) SiteC. SiteA has 2 IPSEC Networks, the remote gateway & a /29, SiteB just has the remote gateway, Site C will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from Sites.
>
> Thanks

## Scanned by Delphi Technology, Inc. ##

CONFIDENTIALITY NOTICE
This e-mail message from Delphi Technology, Inc. is intended only for the individual or entity to which it is addressed. This e-mail may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you received this e-mail by accident, please notify the sender immediately and destroy this e-mail and all copies of it.

------------------------------

Message: 3
Date: Sat, 13 Jun 2009 11:39:48 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e0906131139l46ebfacbk8d740ad9ce9884aa@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Todd - in your config this section really piqued my interest:

access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224

It looks to me like you have each site defined in the same class C
subnet, 192.168.168. Is that correct?

AFAIK that won't work... you have to break out different sites into
their own individual subnets.

Also you only need to define interesting traffic ACLs and nonat ACLs
for your inside subnets on both sides of the tunnel, not to the peer
IP... here's an example that I hope illustrates things:

In my example:
SiteA is 192.168.10.0/24
SiteB is 192.168.20.0/24
SiteC is 192.168.30.0/24

! So you're defining your 'SiteA to SiteB' interesting traffic here...
! basically you're saying 'from SiteA to SiteB encrypt this traffic':
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Here is SiteA to SiteC:
access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Here the nonat statements are defined... you want to tell the ASA to
! not nat from SiteA's subnet to SiteB's subnet, not the peer IP
! address of the L2L tunnel:
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

--
Eric
http://nixwizard.net

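Eric's two checks above (no shared subnet across sites, and a no-NAT entry for every interesting-traffic entry) can be applied mechanically to a config. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses ASA extended ACL lines of the form used in Todd's config and reports overlapping protected networks, interesting-traffic entries with no matching insideNoNat entry, and /32 destinations worth a second look against Eric's advice. The function names, the two sample configurations, and the RFC 5737 documentation addresses standing in for the masked public octets (A.x.x.66, B.x.x.162, 63.x.x.208/29, 63.x.x.224/27) are all my own assumptions; only the ACL names SiteA, SiteB, SiteC and insideNoNat come from the thread.

```python
"""Consistency checker for ASA L2L interesting-traffic ACLs and the no-NAT ACL
(added example; function names and sample data are assumptions, not part of
the thread or of Cisco's tooling)."""
import ipaddress
import re
from collections import defaultdict

# Only "permit ip SRC DST" entries are handled; that is the form used for
# crypto-map and nat 0 ACLs in the thread.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def _parse_endpoint(tokens):
    """Consume one ACL endpoint ('host A.B.C.D', 'A.B.C.D M.M.M.M' or 'any')
    and return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts a dotted netmask after the slash; strict=False
    # normalises a host address such as 192.168.10.5/255.255.255.0.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} for every permit-ip entry."""
    acls = defaultdict(list)
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = _parse_endpoint(m.group(2).split())
        dst, _ = _parse_endpoint(rest)
        acls[m.group(1)].append((src, dst))
    return dict(acls)


def find_overlaps(acls, crypto_acl_names):
    """Eric's first point: networks protected by different tunnels must not
    overlap each other, and a local network must not overlap its own remote.
    Returns a list of (acl_a, net_a, acl_b, net_b)."""
    entries = [(n, s, d) for n in crypto_acl_names for s, d in acls.get(n, [])]
    problems = [(n, s, n, d) for n, s, d in entries if s.overlaps(d)]
    for i, (name_a, _, net_a) in enumerate(entries):
        for name_b, _, net_b in entries[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                problems.append((name_a, net_a, name_b, net_b))
    return problems


def missing_nonat(acls, crypto_acl_names, nonat_name="insideNoNat"):
    """Eric's second point: each interesting-traffic (src, dst) pair needs the
    same pair in the no-NAT ACL. NAT runs before the crypto map is evaluated,
    so a translated source never matches the interesting-traffic ACL."""
    nonat = set(acls.get(nonat_name, []))
    return [(n, s, d) for n in crypto_acl_names
            for s, d in acls.get(n, []) if (s, d) not in nonat]


def host_entries(acls, crypto_acl_names):
    """/32 destinations: Eric's advice is that the ACL should carry protected
    networks, not the tunnel peer address, so these deserve a manual look."""
    return [(n, d) for n in crypto_acl_names
            for _, d in acls.get(n, []) if d.prefixlen == 32]


def check(config_text, crypto_acl_names=("SiteA", "SiteB", "SiteC")):
    """Run all three checks; empty lists mean clean."""
    acls = parse_acls(config_text)
    return {
        "overlaps": find_overlaps(acls, crypto_acl_names),
        "missing_nonat": missing_nonat(acls, crypto_acl_names),
        "host_entries": host_entries(acls, crypto_acl_names),
    }


# Constructed from the lines Eric quoted; the masked public octets are
# replaced with RFC 5737 documentation addresses (an assumption).
TODD_CONFIG = """
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host 198.51.100.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 192.0.2.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host 203.0.113.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 192.0.2.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host 203.0.113.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host 198.51.100.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 192.0.2.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 192.0.2.224 255.255.255.224
"""

# Constructed counter-example: SiteB's network is carved out of SiteA's /24
# and SiteC has no insideNoNat entry, so both of Eric's points fire.
BAD_CONFIG = """
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 192.168.10.128 255.255.255.128
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 192.168.10.128 255.255.255.128
"""

if __name__ == "__main__":
    for label, cfg in (("todd", TODD_CONFIG), ("bad", BAD_CONFIG)):
        for kind, items in check(cfg).items():
            for item in items:
                print(f"{label}: {kind}: {item}")
```

Run as a script it prints the findings for both samples: Todd's config passes the overlap and no-NAT checks and only lists its two host entries, while the constructed BAD_CONFIG reports one overlap and SiteC's missing no-NAT entry. The no-NAT check matters with the pre-8.3 global/nat commands Todd shows because the ASA translates before it evaluates the crypto map: with nat (inside) 1 0.0.0.0 0.0.0.0 and no nat 0 match, site-bound traffic leaves with the outside interface address as its source and never matches the interesting-traffic ACL.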

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 5
***********************************************