Friday, June 19, 2009

firewall-wizards Digest, Vol 38, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco AnyConnect Remote Access to L2L tunnels (Chris Myers)


----------------------------------------------------------------------

Message: 1
Date: Wed, 17 Jun 2009 21:48:28 -0500
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <99EAF26E-20A9-4E0B-8299-A80FC80A4818@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"

You might play around with intra vs. inter interface, because they may
not go to the internet because they are going back out the same
interface they came in. This would create a spoofing incident. It may
not be seen in the logs. Cisco is synonymous with dropping things
silently.


Chris Myers
clmmacunix@charter.net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.


Go Vols!!!!

On Jun 14, 2009, at 9:41 AM, Todd Simons wrote:

> Eric-
>
> This ASA doesn't handle connecting SiteA to SiteB or SiteC, they have
> their own connections in their own ASAs.
>
> This is technically "SiteD", which locally uses 192.168.168.0 for all
> internal hosts and remote access hosts. The local and remote access
> hosts need to access SiteA, SiteB, and SiteC.
>
> At this point I have this working via Hairpinning, my only problem at
> this point is that RemoteAccess VPNs (which are a global vpn setup)
> can't browse the internet or use external hosts that are not part of
> my
> sites.
>
> ~Todd
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
> Eric Gearhart
> Sent: Saturday, June 13, 2009 2:40 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
>
> Todd - in your config this section really piqued my interest:
>
> access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
> access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
> access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
> access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
>
> It looks to me like you have each site defined in the same class C
> subnet, 192.168.168. Is that correct?
>
> AFAIK that won't work... you have to break out different sites into
> their own individual subnets.
>
> Also you only need to define interesting traffic ACLs and nonat ACLs
> for your inside subnets on both sides of the tunnel, not to the peer
> IP... here's an example that I hope illustrates things:
>
> In my example:
> SiteA is 192.168.10.0/24
> SiteB is 192.168.20.0/24
> SiteC is 192.168.30.0/24
>
> ! So you're defining your 'SiteA to SiteB' interesting traffic here... basically you're saying 'from SiteA to SiteB encrypt this traffic':
> access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
>
> ! Here is SiteA to SiteC:
> access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
>
> ! Here the nonat statements are defined... you want to tell the ASA to not nat from SiteA's subnet to SiteB's subnet, not the peer IP address of the L2L tunnel:
> access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
> access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
>
> --
> Eric
> http://nixwizard.net
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

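As an added example (not code from the thread or from Cisco), here is a small Python lint for access-list ... extended permit ip lines in the form used above; it flags a network address written with host bits set (such as 192.168.168.10 with mask 255.255.255.0), interesting-traffic entries whose destination is a single host (the tunnel peer rather than a remote inside subnet), encrypted flows with no matching NAT-exemption entry, and, going beyond the thread, two site ACLs whose flows overlap. The sample configuration is constructed from the thread's lines, with the masked peer addresses replaced by documentation-range placeholders, and the NAT-exemption ACL is assumed to be named insideNoNat as in the thread.

```python
import ipaddress
import re
# Constructed sample built from the ACL lines in the thread; the masked peer
# addresses (A.x.x.66, 63.x.x.208, ...) are replaced with documentation-range placeholders.
SAMPLE_CONFIG = """
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host 198.51.100.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 203.0.113.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host 198.51.100.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 203.0.113.192 255.255.255.192
access-list SiteAtoSiteB extended permit ip 192.168.168.10 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 203.0.113.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host 198.51.100.162
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")

def parse_endpoint(token):
    """'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> (network, warning or None)."""
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1]), None
    addr, mask = token.split()
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    # 192.168.168.10 with mask 255.255.255.0 is almost always a typo for 192.168.168.0.
    warn = None if str(net.network_address) == addr else f"{addr} has host bits set for mask {mask}"
    return net, warn

def lint_acls(config_text, nonat_name="insideNoNat"):
    """Check the interesting-traffic (crypto) ACLs against the NAT-exemption ACL."""
    aces, findings = [], []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src_tok, dst_tok = m.groups()
            (src, ws), (dst, wd) = parse_endpoint(src_tok), parse_endpoint(dst_tok)
            findings += [f"{name}: {w}" for w in (ws, wd) if w]
            aces.append((name, src, dst))
    crypto = [a for a in aces if a[0] != nonat_name]
    nonat = [a for a in aces if a[0] == nonat_name]
    for name, src, dst in crypto:
        # Interesting traffic is inside subnet to inside subnet, never to the tunnel peer.
        if dst.prefixlen == 32:
            findings.append(f"{name}: destination {dst.network_address} is a single host (tunnel peer?)")
        # A flow that is encrypted but not NAT-exempt is translated before the crypto map sees it.
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for _, ns, nd in nonat):
            findings.append(f"{name}: {src} -> {dst} has no {nonat_name} entry")
    # The same flow in two crypto ACLs means only the first crypto map entry ever matches it.
    for i, (n1, s1, d1) in enumerate(crypto):
        for n2, s2, d2 in crypto[i + 1:]:
            if n1 != n2 and s1.overlaps(s2) and d1.overlaps(d2):
                findings.append(f"{n1}/{n2}: overlapping flows {s1} -> {d1} and {s2} -> {d2}")
    return findings
```

Run lint_acls against a pasted running-config excerpt; an empty list means every encrypted flow is NAT-exempt, names a remote subnet rather than the peer, and is claimed by only one crypto ACL.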

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 8
***********************************************
