Help Cisco ASA 5505

pookie -  
Hello everyone,

I'm trying to send all traffic through the VPN tunnel; currently, when I browse the web, I notice that I go out directly and not through the tunnel (checked with "my IP address").

Any ideas?

Thanks
Configuration: ASA 5505 V8.01

5 replies

  1. brupala
     
    Hi,
    are you on the VPN client side?
  2. pookie
     
    Hi,

    This is for an interconnection between two sites, so there is a 5505 on one side and a 55xx (08 or 20) on the other.

    No problem with the tunnel, everything is OK, but it's the Internet traffic that I want to secure, so that it is provided by the central infrastructure and therefore filtered. Hence my wish to send all traffic through the tunnel.
    1. brupala
       
      what is the default route?
  3. pookie
     
    here's my config :)

    hostname xxxxxxxxx
    enable password xxxxxxxx encrypted
    passwd xxxxxxxxxxxxx encrypted
    no names
    name 10.118.164.0 OFFICE_DATA-LAN
    !
    interface Vlan1
    no nameif
    no security-level
    no ip address
    !
    interface Vlan2
    description LAN Data
    nameif inside
    security-level 90
    ip address 10.118.164.1 255.255.255.0
    !
    interface Vlan99
    description Internet
    nameif outside
    security-level 0
    ip address <public-address> 255.255.255.0
    !
    interface Ethernet0/0
    description internet interface
    switchport access vlan 99
    !
    interface Ethernet0/1
    description Data port
    switchport access vlan 2
    !
    interface Ethernet0/2
    description Data port
    switchport access vlan 2
    !
    interface Ethernet0/3
    description Data port
    switchport access vlan 2
    !
    interface Ethernet0/4
    description Data port
    switchport access vlan 2
    !
    interface Ethernet0/5
    description Data port
    switchport access vlan 2
    !
    interface Ethernet0/6
    description Data port
    switchport access vlan 2
    !
    interface Ethernet0/7
    description Data port
    switchport access vlan 2
    !

    boot system disk0:/asa804-k8.bin
    ftp mode passive
    clock timezone CET 1
    object-group network SMALL-OFFICE
    description Small Office for site-to-site VPN
    network-object 10.118.164.0 255.255.255.0
    object-group network EU
    description data and FR LAN for VPN tunnel
    !
    ! networks of my data centre
    object-group network 1
    object-group network 2

    access-list OUTSIDE-IN extended deny ip any any
    access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE object-group EU
    access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE object-group EU
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging console warnings
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo inside
    icmp permit any echo-reply inside
    icmp permit any unreachable inside
    icmp permit any time-exceeded inside
    icmp permit any echo outside
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    icmp permit any time-exceeded outside
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT-ACL
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE-IN in interface outside
    route outside 0.0.0.0 0.0.0.0 <public-access-gateway> 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL

    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TS-IPSEC esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPN-MAP 1 match address CRYPTO-ACL
    crypto map VPN-MAP 1 set pfs group5
    crypto map VPN-MAP 1 set peer <remote-VPN-gateway>
    crypto map VPN-MAP 1 set transform-set TS-IPSEC
    crypto map VPN-MAP 1 set security-association lifetime seconds 28800
    crypto map VPN-MAP 1 set security-association lifetime kilobytes 4608000
    crypto map VPN-MAP 1 set nat-t-disable
    crypto map VPN-MAP 1 set reverse-route
    crypto map VPN-MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5

    ssh timeout 5
    console timeout 0
    dhcprelay server zzzzzzzzz outside
    dhcprelay enable inside
    dhcprelay timeout 60

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password zzzzzzz encrypted privilege 15
    tunnel-group <remote-VPN-gateway> type ipsec-l2l
    tunnel-group <remote-VPN-gateway> ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context

    : end
    1. brupala
       
      route outside 0.0.0.0 0.0.0.0 <public-access-gateway> 1
      that's what's wrong,
      you need to point the default route at your tunnel (towards the remote private network)
  5. pookie
     
    Hi,

    I don't think it's that simple. Here, "route outside 0.0.0.0 0.0.0.0 <public-access-gateway> 1" tells the box which way to go on the outside interface to reach the remote gateway on the Internet; if I remove that information it will no longer be able to contact the other VPN box. It's the default route on the outside side and that seems logical to me, but I'll test tomorrow and let you know if that's it.

    On the other hand, when you tell me: you need to point the default route at your tunnel (towards the remote private network)
    The principle is sound, but since you have just had me cut the tunnel by removing the gateway from the public default route, I don't know which route you want me to add.

    Thanks

    Pook
    1. brupala
       
      yes, you're right,
      2 options:
      an explicit static route to the remote tunnel address via the outside interface, and the default route into the tunnel.
      a default route to the Internet with a certain administrative distance, and a dynamic default route (via RIP for example) that replaces the default route as soon as the tunnel is up and RIP advertises the central site's routes.
      oh, and also,
      I forgot,
      there is also the static route with the tunneled option, which lets the default route go through the tunnel once it is up:
      http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html
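As an added example (not part of the thread and not pookie's actual configuration), here is what the full-tunnel change looks like on a pre-8.3 ASA such as the 8.0(4) box above, reusing the object-group names from the posted config. On an ASA crypto map the crypto ACL, not the routing table, selects what gets encrypted, so the default route towards the ISP stays exactly as pookie says (IKE and ESP to the peer still need it); what changes is that the crypto ACL and the NAT-exemption ACL are widened to "any". The hub side must mirror that ACL and hairpin the branch's Internet traffic back out of its own outside interface; the `tunneled` route that brupala links applies to decrypted traffic arriving from a tunnel, so it belongs on the hub, and only if that traffic should use a different gateway than the regular default route. The names HUB-LANS, HUB-CRYPTO-ACL, HUB-NONAT-ACL and the angle-bracket addresses are placeholders.

```cisco
! ---- Branch ASA 5505 (8.0(4), pre-8.3 NAT syntax) ----
! Added example, not the configuration posted in the thread.
! The default route does NOT change: IKE/ESP to the peer still need it.
route outside 0.0.0.0 0.0.0.0 <isp-gateway> 1
!
! 1. Widen the interesting-traffic ACL: everything from the office LAN
!    now matches the crypto map, whatever the destination.
no access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE object-group EU
access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE any
!
! 2. NAT is applied before the crypto ACL is checked on this release, so the
!    PAT rule "nat (inside) 1 0.0.0.0 0.0.0.0" would rewrite the source to the
!    outside address and the packet would no longer match CRYPTO-ACL.
!    Exempt the same traffic from NAT.
no access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE object-group EU
access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE any
nat (inside) 0 access-list NONAT-ACL
!
! ---- Hub ASA (same release family) ----
! Mirror of the branch crypto ACL: any -> 10.118.164.0/24.
access-list HUB-CRYPTO-ACL extended permit ip any object-group SMALL-OFFICE
! Branch Internet traffic is decrypted on outside and must leave on outside
! again: allow same-interface hairpinning.
same-security-traffic permit intra-interface
! Hub LANs reach the branch without NAT (HUB-LANS is a placeholder object).
access-list HUB-NONAT-ACL extended permit ip object-group HUB-LANS object-group SMALL-OFFICE
nat (inside) 0 access-list HUB-NONAT-ACL
! Branch traffic hairpinned to the Internet is PATed behind the hub's public
! address; the nat statement is on outside because that is where the
! decrypted packets enter the box.
global (outside) 1 interface
nat (outside) 1 10.118.164.0 255.255.255.0
! Optional: give decrypted tunnel traffic its own default gateway ("tunneled"
! keyword, see the Cisco doc linked above). Without it, decrypted traffic just
! follows the ordinary default route. The command reference notes that uRPF
! ("ip verify reverse-path") cannot be enabled on the egress interface of a
! tunneled route.
route outside 0.0.0.0 0.0.0.0 <hub-isp-gateway> tunneled
!
! ---- Verify from the branch ----
! Simulate an inside host browsing the web; the trace should end in a
! VPN encrypt phase rather than a plain PAT to the outside address.
packet-tracer input inside tcp 10.118.164.50 1025 198.51.100.10 80
! The encaps/decaps counters for the wide ACL entry should now increase.
show crypto ipsec sa peer <remote-vpn-gateway>
```

Two consequences worth knowing before deploying this: with the crypto ACL set to "any", the branch has no Internet access at all while the tunnel is down (packets that match the crypto map with no SA are dropped while IKE renegotiates), which is the fail-closed behaviour pookie is after; and the branch's `access-list OUTSIDE-IN deny ip any any` keeps working, because return traffic arriving through the tunnel bypasses the interface ACL under the default `sysopt connection permit-vpn`.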