LAN:LAN VPN between Cisco ASA 5510 and Lancom 1711

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

markusmattes
Posts: 6
Joined: 29 Mar 2007, 11:01

LAN:LAN VPN between Cisco ASA 5510 and Lancom 1711

Post by markusmattes »

Hello,

unfortunately I am stuck once again on a LAN:LAN VPN configuration and don't know how to proceed.

The configuration actually seems to be correct; at least the VPN tunnel is already established correctly, and pinging and tracing stations in the other network works. Only other services, e.g. the Remote Desktop we need, do not work.

This is the complete configuration of the ASA 5510 (it was configured by a company on site):


asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname General
domain-name default.domain.invalid
enable password sAXFjYGveB78YldC encrypted
names
name 87.61.24.81 proxywin01-glob description Proxywin01 global address
name 192.168.2.200 proxywin01 description proxywin01
name 192.168.2.204 proxycom01 description Communicator server (Test)
name 87.61.24.83 proxycom01-glob description External address of communicator server (Test)
name 87.61.24.84 proxyback01-glob description ProxyCo Drift Backup Server 01
name 192.168.2.202 proxyback01 description Proxy DRIFT backupserver
name 192.168.2.203 proxylcsweb01 description Proxy VIRTUEL webserver
name 87.61.24.82 proxylcsweb01-glob description Proxyweb01 global address
dns-guard
!
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 80.166.84.174 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.20.0.1 255.255.0.0
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd sAXFjYGveB78YldC encrypted
banner exec ***************************************
banner exec *                                     *
banner exec *  This Node is Private Property      *
banner exec *                                     *
banner exec *   UNAUTHORISED ACCESS PROHIBITED    *
banner exec *                                     *
banner exec ***************************************
banner exec This system is for the use of authorized users only. Individuals using this
banner exec computer system without authority, or in excess of their authority, are
banner exec subject to having all of their activities on this system monitored and
banner exec recorded by system personnel.
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
 name-server 194.239.134.83
 name-server 193.162.153.164
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
object-group service ProxyCo_TCP_Access_Group tcp
 description TCP Acces group for TCP protocols
 port-object eq ssh
 port-object eq smtp
 port-object eq https
 port-object eq www
 port-object eq pptp
object-group service Proxy_Access_Group tcp-udp
 description Protocols allowed through to Proxy DMZ servers
 port-object eq www
object-group network Proxy_Priviledged_sites
 description Sites with extended acces priviledges
 network-object host 85.235.232.17
object-group service ProxyCo_FTP_access tcp
 description Access to Proxy FTP server
 port-object eq ftp-data
 port-object eq ftp
object-group network Proxy_DMZ_servers
 description All proxyco servers on the DMZ
 network-object host proxywin01-glob
 network-object host proxylcsweb01-glob
 network-object host proxycom01-glob
 network-object host proxyback01-glob
object-group service Proxy_Policy_services tcp-udp
 description Allow domain controler processes through from DMZ
 port-object eq 3268
 port-object eq 389
 port-object eq domain
 port-object eq 88
access-list 101 extended permit ip 192.168.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 extended deny ip any any
access-list 110 remark Don't NAT traffic to Sotea L2L VPN tunnel for OPUS adress range
access-list 110 extended permit ip 192.168.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 110 remark Don't NAT traffic to EickeMeyer L2L VPN tunnel for HM-ADM adress range
access-list 110 extended permit ip 192.168.18.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 remark Don't NAT traffic to Sotea L2L VPN tunnel for HM-ADM adress range
access-list 110 extended permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 110 remark No NAT from VPN Adress Range to Public Opus LAN address range
access-list 110 extended permit ip 192.168.2.0 255.255.255.0 172.16.150.0 255.255.255.0
access-list 110 remark No nat on VPN dial in to DMZ
access-list 110 extended permit ip 172.16.150.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 110 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.200
access-list 110 remark No NAT til DMZ
access-list 110 extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip any 192.168.150.0 255.255.255.128
access-list VPN_Local_LAN_Access remark Permit VPN local LAN access
access-list VPN_Local_LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list outside_cryptomap_1.1 extended permit ip any 172.16.150.0 255.255.255.0
access-list outside_cryptomap_1.21 extended permit ip any 172.16.150.0 255.255.255.0
access-list outside_access_in extended permit icmp object-group Proxy_Priviledged_sites object-group Proxy_DMZ_servers
access-list outside_access_in remark Access to proxyback01server
access-list outside_access_in extended permit tcp any host proxyback01-glob object-group ProxyCo_TCP_Access_Group
access-list outside_access_in remark Access to proxywin01server
access-list outside_access_in extended permit tcp any host proxywin01-glob object-group ProxyCo_TCP_Access_Group
access-list outside_access_in remark Permit selected tcp to Proxylcsweb01
access-list outside_access_in extended permit tcp any host proxylcsweb01-glob object-group ProxyCo_TCP_Access_Group
access-list outside_access_in remark Permit selected tcp to Proxylcsweb01
access-list outside_access_in extended permit tcp any host proxylcsweb01-glob object-group ProxyCo_FTP_access
access-list outside_access_in remark Permit selected tcp to Proxycom01
access-list outside_access_in extended permit tcp any host proxycom01-glob object-group ProxyCo_TCP_Access_Group
access-list outside_access_in remark Permit IP to DMZ servers from selected IP's
access-list outside_access_in extended permit ip object-group Proxy_Priviledged_sites object-group Proxy_DMZ_servers
access-list outside_access_in extended permit ip 192.168.18.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.18.0 255.255.255.0 inactive
access-list outside_30_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.200
access-list outside_70_cryptomap extended permit ip 192.168.18.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list VPN-events level debugging class vpn
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNpool 192.168.150.10-192.168.150.100
ip local pool vpnpool1 172.16.150.10-172.16.150.100 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
monitor-interface management
icmp permit any inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 200 172.20.1.20-172.20.1.200 netmask 255.255.0.0
nat (inside) 0 access-list 110
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) proxyback01-glob proxyback01 netmask 255.255.255.255 dns
static (inside,outside) proxylcsweb01-glob proxylcsweb01 netmask 255.255.255.255 dns
static (inside,outside) proxycom01-glob proxycom01 netmask 255.255.255.255 dns
static (inside,outside) proxywin01-glob proxywin01 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.166.84.173 1
route outside 192.168.0.0 255.255.255.0 80.166.84.173 1
route inside 192.168.0.0 255.255.0.0 192.168.2.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy TunnelGrp2 internal
group-policy TunnelGrp2 attributes
 dns-server value 194.239.134.83 193.162.153.164
 vpn-tunnel-protocol IPSec
group-policy RemoteVPNaccess internal
group-policy RemoteVPNaccess attributes
 address-pools value vpnpool1
username mike password jItVWuAkQC4yJEZw encrypted privilege 15
username admin password fVtXSicG44TqNCZy encrypted privilege 15
username bjarne.engelstock password cXIalG.JKSvVswLw encrypted
username bjarne.engelstock attributes
 vpn-group-policy TunnelGrp2
username birg password m7dWvBQjcdLBkNgU encrypted privilege 7
username birg attributes
 vpn-group-policy TunnelGrp2
username claus password BzmBceOgbcckDG7K encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Firstset esp-3des esp-md5-hmac
crypto ipsec transform-set X_FORM1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 1 match address outside_cryptomap_1.1
crypto dynamic-map dyn1 1 set transform-set Firstset
crypto dynamic-map dyn1 21 match address outside_cryptomap_1.21
crypto dynamic-map dyn1 21 set transform-set X_FORM1
crypto map opusmap 20 match address outside_70_cryptomap
crypto map opusmap 20 set peer 217.91.63.220
crypto map opusmap 20 set transform-set ESP-3DES-SHA ESP-DES-MD5 ESP-3DES-MD5
crypto map opusmap 25 match address 101
crypto map opusmap 25 set peer 195.140.135.66
crypto map opusmap 25 set transform-set X_FORM1
crypto map opusmap 30 match address outside_30_cryptomap
crypto map opusmap 30 set peer 85.235.232.17
crypto map opusmap 30 set transform-set ESP-3DES-SHA
crypto map opusmap 90 ipsec-isakmp dynamic dyn1
crypto map opusmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool1
tunnel-group 195.140.135.66 type ipsec-l2l
tunnel-group 195.140.135.66 ipsec-attributes
 pre-shared-key *
tunnel-group VPNgroup type ipsec-ra
tunnel-group VPNgroup general-attributes
 address-pool vpnpool1
 default-group-policy RemoteVPNaccess
tunnel-group VPNgroup ipsec-attributes
 pre-shared-key *
tunnel-group 85.235.232.17 type ipsec-l2l
tunnel-group 85.235.232.17 ipsec-attributes
 pre-shared-key *
tunnel-group 217.91.63.220 type ipsec-l2l
tunnel-group 217.91.63.220 ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.0.0 255.255.0.0 management
telnet timeout 5
ssh 80.198.186.166 255.255.255.255 outside
ssh 85.235.232.17 255.255.255.255 outside
ssh 80.197.189.181 255.255.255.255 outside
ssh timeout 30
console timeout 60
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
  inspect pptp
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:62b87e64eff1f105f0d4aacb756c6dc8
: end

According to the man on site, all traffic for the 192.168.0.0 network goes through the VPN tunnel, but when I trace the traffic on my side I only see something when he pings a station in our network here. Otherwise I see no traffic at all???

Strangely, I had to set PFS = no PFS for the VPN connection? Unfortunately I don't understand why that is??

I hope this is enough information; if not, let me know what else you need and I will post it.

Thanks in advance
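
The following is an added example, written for this page and not part of markusmattes' post or of any Cisco or LANCOM tooling. It parses the relevant lines of the ASA configuration above (the static crypto map entries, the ACLs they match, the transform-sets and the `nat (inside) 0` exemption ACL) and, for each L2L peer, reports the transform-set proposals, whether `set pfs` is configured on that entry, and every flow in the crypto ACL that the exemption ACL would not cover. With `nat-control` and `nat (inside) 1 192.168.0.0 255.255.0.0` in force, a crypto-ACL flow missing from ACL 110 would be PATed to the outside address and never match the tunnel's proxy identities, which is one of the first things to rule out when a LAN:LAN tunnel is "up" but only some traffic passes. The parser only understands the `ip`-protocol ACL forms used in the post (`any`, `host`, address plus mask); object-group rules are skipped, and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Excerpt of the ASA 5510 running config posted above (copied, not invented):
# static crypto map entries, their ACLs, transform-sets and the nat 0 ACL.
ASA_CONFIG = """\
access-list 101 extended permit ip 192.168.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 extended deny ip any any
access-list 110 extended permit ip 192.168.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 110 extended permit ip 192.168.18.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 extended permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 110 extended permit ip 192.168.2.0 255.255.255.0 172.16.150.0 255.255.255.0
access-list 110 extended permit ip 172.16.150.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 110 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.200
access-list 110 extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.200
access-list outside_70_cryptomap extended permit ip 192.168.18.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 110
crypto ipsec transform-set X_FORM1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map opusmap 20 match address outside_70_cryptomap
crypto map opusmap 20 set peer 217.91.63.220
crypto map opusmap 20 set transform-set ESP-3DES-SHA ESP-DES-MD5 ESP-3DES-MD5
crypto map opusmap 25 match address 101
crypto map opusmap 25 set peer 195.140.135.66
crypto map opusmap 25 set transform-set X_FORM1
crypto map opusmap 30 match address outside_30_cryptomap
crypto map opusmap 30 set peer 85.235.232.17
crypto map opusmap 30 set transform-set ESP-3DES-SHA
crypto map opusmap 90 ipsec-isakmp dynamic dyn1
"""


def _endpoint(t, i):
    """Parse one ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "object-group":        # object groups are not resolved by this check
        return None, i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_config(text):
    acls = defaultdict(list)   # ACL name -> [(action, src_net, dst_net)]
    tsets = {}                 # transform-set name -> ESP keywords
    cmaps = defaultdict(dict)  # (map name, seq) -> {acl, peer, transforms, pfs}
    nat0 = {}                  # interface -> NAT-exemption ACL name
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended" and t[4] == "ip":
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            if src is not None and dst is not None:
                acls[t[1]].append((t[3], src, dst))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            e = cmaps[(t[2], int(t[3]))]
            if t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                e["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                e["transforms"] = t[6:]
            elif t[4:6] == ["set", "pfs"]:
                e["pfs"] = t[6] if len(t) > 6 else "group2"  # ASA default when the group is omitted
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
    return acls, tsets, cmaps, nat0


def _exempt(src, dst, rules):
    return any(a == "permit" and src.subnet_of(s) and dst.subnet_of(d) for a, s, d in rules)


def audit(text, inside="inside"):
    """One finding per static crypto map entry: peer, PFS setting, expanded proposals,
    and every permitted crypto-ACL flow that the nat 0 ACL would not exempt from NAT."""
    acls, tsets, cmaps, nat0 = parse_config(text)
    exempt = acls.get(nat0.get(inside), [])
    findings = []
    for (name, seq), e in sorted(cmaps.items()):
        if "peer" not in e:            # dynamic entries carry no static peer
            continue
        rules = acls.get(e.get("acl"), [])
        findings.append({
            "entry": f"{name} {seq}",
            "peer": e["peer"],
            "acl": e.get("acl"),
            "pfs": e.get("pfs", "none"),
            "proposals": [tuple(tsets.get(n, [n])) for n in e.get("transforms", [])],
            "not_nat_exempt": [f"{s} -> {d}" for a, s, d in rules
                               if a == "permit" and not _exempt(s, d, exempt)],
        })
    return findings


if __name__ == "__main__":
    print(*audit(ASA_CONFIG), sep="\n")
```

Run against the posted config, all three static entries come out with an empty `not_nat_exempt` list, so NAT exemption is not what is stopping the Remote Desktop traffic. The output also shows what to compare with the Lancom side: none of the entries has `set pfs`, and the entry for 195.140.135.66 offers exactly one proposal, esp-3des with esp-md5-hmac. Entry 20 still offers single DES (ESP-DES-MD5), which is not an acceptable cipher and should be dropped from the proposal list; 3DES with MD5 or SHA-1 is legacy as well, and AES with SHA is the minimum to aim for on both ends.
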
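
A second added example, again mine and not from the post: "ping works, RDP does not" over a tunnel that is otherwise up is the classic symptom of full-size TCP segments not fitting into the ESP encapsulation while small ICMP echoes do. The block below does the size arithmetic for the transform-sets in the posted config (esp-3des with esp-md5-hmac or esp-sha-hmac; an AES set is included for comparison) using the standard RFC 4303 tunnel-mode framing sizes, which are assumptions here rather than values measured on this tunnel: 20-byte outer IPv4 header, 8-byte ESP header, 8-byte IV for DES/3DES-CBC and 16 for AES-CBC, padding to the cipher block size, 2-byte trailer, 12-byte ICV for HMAC-96, plus an 8-byte UDP header when NAT-T is active. It returns the largest inner packet that still fits a 1500-byte outer MTU, the TCP MSS that corresponds to it, and the ICMP payload size to use for a don't-fragment probe. Function and constant names are my own.

```python
# ESP tunnel-mode framing per RFC 4303 (assumed standard sizes, not measured on the
# live tunnel): cipher -> (block size, IV length); integrity -> ICV length, all in bytes.
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}
INTEGRITY = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}  # HMAC-MD5-96, HMAC-SHA1-96

OUTER_IPV4 = 20   # encapsulating IPv4 header without options
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
NAT_T_UDP = 8     # UDP/4500 header when NAT traversal is in use
IPV4_TCP = 40     # inner IPv4 + TCP headers without options
IPV4_ICMP = 28    # inner IPv4 + ICMP echo header


def max_inner_packet(outer_mtu, cipher, integrity, nat_t=False):
    """Largest inner IPv4 packet whose ESP encapsulation still fits in outer_mtu."""
    block, iv_len = CIPHERS[cipher]
    fixed = OUTER_IPV4 + ESP_HEADER + iv_len + INTEGRITY[integrity]
    if nat_t:
        fixed += NAT_T_UDP
    room = outer_mtu - fixed      # inner packet + padding + ESP trailer
    room -= room % block          # the encrypted part is a whole number of cipher blocks
    return room - ESP_TRAILER


def transform_set_budget(transform_set, outer_mtu=1500, nat_t=False):
    """Budget for one 'crypto ipsec transform-set' line, e.g. ['esp-3des', 'esp-md5-hmac']:
    inner MTU, the TCP MSS that fits it, and the ICMP payload for a don't-fragment probe."""
    cipher = next(k for k in transform_set if k in CIPHERS)
    integrity = next(k for k in transform_set if k in INTEGRITY)
    inner = max_inner_packet(outer_mtu, cipher, integrity, nat_t)
    return {"inner_mtu": inner,
            "tcp_mss": inner - IPV4_TCP,
            "df_probe_payload": inner - IPV4_ICMP}


if __name__ == "__main__":
    # The 3DES sets come from the posted config; the AES set is there for comparison.
    for ts in (["esp-3des", "esp-md5-hmac"], ["esp-3des", "esp-sha-hmac"], ["esp-aes", "esp-sha-hmac"]):
        for nat_t in (False, True):
            print(ts, "nat-t" if nat_t else "plain", transform_set_budget(ts, nat_t=nat_t))
```

For esp-3des/esp-md5-hmac without NAT-T this gives an inner MTU of 1446 bytes and a TCP MSS of 1406; a default ping (32 bytes of payload on Windows) fits with room to spare, which is why ping proves nothing about full-size RDP segments. The practical check is a DF probe from a station on one side to a station on the other with the payload the block reports, `ping -f -l 1418 <host>` on Windows or `ping -M do -s 1418 <host>` on Linux: if the reply is "Packet needs to be fragmented but DF set", the usable inner MTU is smaller than the arithmetic says (a smaller link MTU or a second encapsulation on the path) and the MSS must be clamped below it. On the ASA the default `sysopt connection tcpmss 1380` already clamps below all of the values above, so the check mainly concerns the Lancom side and whatever sits between the two peers.
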
mviel
Posts: 14
Joined: 07 May 2008, 15:30

Post by mviel »

oh ... I would be interested in the answer too. To be honest, it surprises me a little that the FAQ describes "mainstream" routers like Draytek or Netgear very well but not dialling in to a Cisco ASA or Checkpoint, but the site-to-site explanations can be put to some use as well, and after all they also want to sell the good but expensive VPN Advanced Client.