Site-2-Site VPN odd config

rashev_kamen
Level 1

Today I had to troubleshoot a VPN configuration and I've never seen a VPN configured this way. I'll need someone's help.

With this config I see a VPN tunnel established between the outside IP addresses of both firewalls.

But I am not sure whether the interesting traffic is going through the tunnel or, after it is statically NATed, is routed through the default gateway to the internet.

This is the config:

interface Ethernet0
 description Internet Faceing Address
 nameif outside
 security-level 0
 ip address aaa.bbb.173.242 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 description LAN Faceing Address
 nameif inside
 security-level 100
 ip address 172.25.110.42 255.255.254.0 standby 172.25.110.40
 ospf cost 10
!
same-security-traffic permit inter-interface
object-group network ABC
 description Systems With Access to VPN
 network-object host 172.25.100.93
 network-object host 172.25.101.93
access-list outside_access_out remark To ABC
access-list outside_access_out extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.50 log
access-list outside_access_out extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.12 log
access-list outside_access_in extended permit ip host 216.229.154.50 aaa.bbb.173.160 255.255.255.240 log
access-list outside_access_in extended permit ip host 216.229.154.12 aaa.bbb.173.160 255.255.255.240 log
access-list inside_access_out extended permit ip object-group ABC host 216.229.154.12 log
access-list inside_access_out extended permit ip object-group ABC host 216.229.154.50 log
access-list outside_cryptomap_iron extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.50
access-list outside_cryptomap_iron extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.12
static (inside,outside) aaa.bbb.173.166 172.25.100.93 netmask 255.255.255.255
static (inside,outside) aaa.bbb.173.167 172.25.101.93 netmask 255.255.255.255
static (outside,inside) 172.25.100.93 aaa.bbb.173.166 netmask 255.255.255.255
static (outside,inside) 172.25.101.93 aaa.bbb.173.167 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.173.254 1
route inside 172.25.100.0 255.255.254.0 172.25.111.254 1
crypto map IronRules 10 match address outside_cryptomap_iron
crypto map IronRules 10 set peer 216.229.152.17
crypto map IronRules 10 set transform-set Iron
crypto map IronRules 10 set security-association lifetime seconds 28800
crypto map IronRules 10 set security-association lifetime kilobytes 4608000

mvsheik123
Level 7

Guess is NATed, as there is no nat (inside) 0 statement to avoid NATing on the source IPs.

hth

MS
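What the question and the reply leave open is whether the NATed traffic still reaches the tunnel: on the ASA the static translation is applied before the packet is matched against the crypto-map ACL, which is why outside_cryptomap_iron references the global aaa.bbb.173.160/28 range rather than the 172.25.x.x hosts. The Python model below is an added illustration (not from the post or from Cisco) that walks a packet through that order using the posted static and crypto ACL entries; it assumes 203.0.113 as a constructed stand-in for the masked aaa.bbb prefix, and interface ACLs and nat-control are not modelled.

```python
import ipaddress

# Constructed stand-in for the post's masked "aaa.bbb" prefix (RFC 5737 range).
AAA_BBB = "203.0.113"

# static (inside,outside) entries from the post: real inside host -> global address
STATIC_NAT = {
    "172.25.100.93": f"{AAA_BBB}.166",
    "172.25.101.93": f"{AAA_BBB}.167",
}

# access-list outside_cryptomap_iron: (source network, destination host) pairs
CRYPTO_ACL = [
    (ipaddress.ip_network(f"{AAA_BBB}.160/28"), ipaddress.ip_network("216.229.154.50/32")),
    (ipaddress.ip_network(f"{AAA_BBB}.160/28"), ipaddress.ip_network("216.229.154.12/32")),
]
VPN_PEER = "216.229.152.17"          # crypto map IronRules 10 set peer
DEFAULT_GATEWAY = f"{AAA_BBB}.254"   # route outside 0.0.0.0 0.0.0.0 aaa.bbb.173.254


def egress_path(src, dst):
    """Model the outbound order of operations for a packet leaving via 'outside'.

    Static NAT is applied first; the translated source is then matched against
    the crypto-map ACL. Returns (translated_src, 'ipsec' | 'clear', next hop).
    Interface ACLs are not modelled here.
    """
    translated = STATIC_NAT.get(src, src)  # no static entry -> source unchanged
    t_addr, d_addr = ipaddress.ip_address(translated), ipaddress.ip_address(dst)
    for src_net, dst_net in CRYPTO_ACL:
        if t_addr in src_net and d_addr in dst_net:
            return translated, "ipsec", VPN_PEER   # encrypted toward the peer
    return translated, "clear", DEFAULT_GATEWAY    # plain routing to the internet


if __name__ == "__main__":
    # Constructed sample flows: an ABC host to a VPN destination, an ABC host to an
    # arbitrary internet address, and a non-ABC host to a VPN destination.
    for src, dst in [("172.25.100.93", "216.229.154.12"),
                     ("172.25.100.93", "198.51.100.7"),
                     ("172.25.100.50", "216.229.154.12")]:
        print(src, "->", dst, egress_path(src, dst))
```

An ABC host reaching 216.229.154.12 is translated to .166 and encrypted; the same host reaching any other address leaves in the clear, and a host without a static entry never matches the crypto ACL.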