Firewall Wizards mailing list archives

Re: LinkSys RV042 to ASA 5505 IPsec tunnel


From: "Fetch, Brandon" <bfetch () tpg com>
Date: Mon, 2 Mar 2009 11:13:43 -0500

ASA needs to have the "same-security-traffic permit intra-interface".
Note the distinction between 'intra' and 'inter':
Intra is traffic between two hosts on the same network (if the ASA is
performing a redirect).
Inter is traffic between two interfaces of the same security level.

It's that implicit drop behavior of the ASA/PIX to not allow a packet
that entered an interface to leave on the same.

Since your VPN is terminated on the outside, for you to be able to
"hairpin" the remote site's traffic you have to tell the firewall to
allow that.

Be sure to have your interesting traffic ACL on the firewall to
incorporate the remote network attempting to reach "everything":

ACL S2S-VPN permit ip 0.0.0.0 0.0.0.0 192.168.25.0/24

If you're looking to do a dynamic VPN as well there are config examples
on Cisco's site to do this.

Here's one for v7.x of PIX OS:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

HTH,
Brandon
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
Christopher J. Wargaski
Sent: Wednesday, February 18, 2009 5:32 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] LinkSys RV042 to ASA 5505 IPsec tunnel

Hello--

   I have a Linksys RV042 running the latest firmware and an ASA 5505
running 8.0(4). I have successfully established an IPsec LAN to LAN
tunnel by specifying actual local and remote networks.

   Now, I would like to configure the tunnel so that all traffic from
the LinkSys "inside" network (192.168.25.0/24) is sent across the VPN
no matter what the destination address is. The idea here is to force
the branch office to send all traffic through the main office and
force that traffic out one content filter. (BTW, the ASA "inside"
network is 192.168.17.0/24).

   To achieve this, I configured the Linksys as such:

Local Group:
 Gateway type--IP only
 IP address 75.2.2.2
 Group type--Subnet IP
 IP--192.168.25.0
 Mask--255.255.255.0

Remote Group:
 Gateway type--IP only
 IP address 75.2.2.3
 Group type--Subnet IP
 IP--0.0.0.0
 Mask--0.0.0.0

   Of course, this does not work.

   I enabled crypto debugs (ISAKMP and IPsec) on the ASA and saw
nothing. OK, so if the ASA is not seeing any crypto traffic, is it
seeing ANY traffic on the outside interface? I set up a capture on the
outside interface from any to any. I saw no crypto traffic, only the
ICMP echo requests that I was sending from inside the Linksys.

   Any thoughts on this? If I could configure the Linksys to be a
hardware client, that would be just fine too.

cjw
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

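A worked ASA-side configuration for the hairpin scenario discussed in this thread, added here as an illustration and not taken from either message or from Cisco's documentation. It assumes ASA 8.0 CLI syntax, the addresses quoted above (ASA inside 192.168.17.0/24, Linksys inside 192.168.25.0/24, Linksys peer 75.2.2.2, ASA outside 75.2.2.3), and invented names (S2S-VPN, OUTSIDE_MAP, ESP-AES-SHA, NONAT) plus a placeholder pre-shared key; the lines beginning with `!` are annotations for the reader, not commands. It covers the three things the reply calls out: permitting traffic to leave the interface it arrived on, a crypto ACL that matches "everything" on the ASA side to the remote LAN, and the NAT that hairpinned branch traffic needs on its way back out the outside interface.

```cisco
! 1. Hairpin: let traffic that arrived on "outside" (decrypted from the tunnel)
!    leave via "outside" again. Without this the ASA silently drops it.
same-security-traffic permit intra-interface

! 2. Crypto ACL ("interesting traffic"): from the ASA's side the local
!    network is "any", so that the branch can reach everything through us.
access-list S2S-VPN extended permit ip any 192.168.25.0 255.255.255.0

! 3. Phase 1 / Phase 2 parameters (assumed values; must match the RV042).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address S2S-VPN
crypto map OUTSIDE_MAP 10 set peer 75.2.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 75.2.2.2 type ipsec-l2l
tunnel-group 75.2.2.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET

! 4. NAT. Branch <-> head office traffic must not be translated, while
!    branch -> Internet traffic is PATed to the outside address on its way
!    back out. The trailing "outside" keyword marks NAT for a network that
!    sits behind the outside interface.
access-list NONAT extended permit ip 192.168.17.0 255.255.255.0 192.168.25.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 192.168.17.0 255.255.255.0
nat (outside) 1 192.168.25.0 255.255.255.0 outside

! 5. Verification once the peer brings the tunnel up (198.51.100.10 is a
!    placeholder destination from the documentation range):
!    show crypto isakmp sa
!    show crypto ipsec sa
!    packet-tracer input outside icmp 192.168.25.10 8 0 198.51.100.10
```

The packet-tracer run is the quickest way to see which of the three pieces is missing: a failed hairpin shows up at the flow-lookup or NAT stage, while an unmatched crypto ACL shows up as the packet being routed out in the clear instead of into the VPN.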

