01-24-2009 04:22 AM
Hi there,
Our ASA was configured by a consultant some time ago to enable SSLVPN connectivity to an RSA backend. I am now trying to get a Site-to-Site VPN working but seem to be getting into loads of difficulties. I am getting a load of debugging messages relating to the l2l VPN, which I believe is set up correctly. The following is what I believe is of interest:
"Jan 24 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x"
The user shows the IP address of the remote Cisco router that we are trying to get the VPN set up to.
I must admit that I have not done much with the SSLVPN side of things, so this part of the config is out of my depth, which is why I am posting here.
If anyone can help it would be really appreciated.
Below are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l to use the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list none
svc ask none default svc
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH host *.*.*.*
retry-interval 5
timeout 3
key ****
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
group-policy DfltGrpPolicy attributes
dns-server value !.!.!.!
vpn-idle-timeout none
vpn-tunnel-protocol webvpn
ip-comp enable
ipsec-udp enable
default-domain value mydomain.com
address-pools value vpnpool
webvpn
http-proxy enable
svc keep-installer none
svc keepalive 60
svc rekey method ssl
svc ask none default svc
activex-relay disable
file-entry disable
file-browsing disable
url-entry disable
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpnpool
authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
radius-reject-message
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
01-24-2009 06:58 AM
Hello,
I can help you with this one.
Are you trying to build a static lan to lan tunnel or a dynamic lan to lan tunnel?
If you are trying to build a static lan to lan tunnel, then if you issue the following command given below, you will see the group policy that is being used.
sh run all tunnel-group x.x.x.x
If you want to use a different group-policy for that tunnel group, then you can create a different group-policy and use that for the lan to lan tunnel.
Thanks
Gilbert
01-25-2009 03:37 AM
Hi Gilbert,
Thanks very much for your prompt reply.
Can you please explain how my static lan to lan is picking up the group policy, as I am struggling to see in the code where it is picking up the default one?
I would much appreciate your help on this as I am struggling to see where this is happening, and I have been unable to find many good resources for version 8.
Thanks in advance
Wayne
01-26-2009 05:04 AM
Wayne
Do "sh run all tunnel-group"; you should see the group-policy associated with it.
eg:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
Let me know if this helps.
Cheers,
Gilbert
01-26-2009 01:19 PM
Hi Gilbert,
Thanks again for the prompt post. I will have a go at this on Wednesday. To be honest I didn't realise that tunnel-groups used group policies; I have never had any dealings with Group Policies, as all my experience has been from version 6 and migrated to version 7 on our PIX firewalls (not really done anything with the ASA).
Don't suppose you can provide a link to a resource that explains its usage a little, do you? I have read the Command Reference but it doesn't really say why/context of use. The code on the ASA doesn't actually specify a group policy for the tunnel, which is why I am guessing it's using the default, which is configured to use AAA for authentication, which I don't want to be doing.
Thanks again and if you know of a link to something that would be fantastic.
01-27-2009 05:50 AM
If you are using ASDM, when you configure the site to site tunnel it should be under the advanced section -- tunnel group, where the group policy can be chosen.
With regard to the group-policy, you can look at the link given below. (I am sure you might have already gone through this; if not, it's here.)
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpngrp.html
Group-policies are used for tweaking the tunnel access settings.
For example: vpn-filter -- access for specific IPs/ports, tunneling protocol specification.
Normally, it's left at default even if you configure a new one for a Lan to Lan tunnel.
01-28-2009 03:30 AM
Hi Gilbert,
Thanks once again for your help on this. I now understand what's going on with the groups. I have reconfigured it and seem to be getting a new issue, which I have Googled and cannot seem to work out what's going on. If you could please point me in the right direction I would much appreciate it. Here is the debug I am now receiving:
Jan 28 2009 11:20:09: %ASA-6-113009: AAA retrieved default group policy (sitea_29_1) for user = 1.1.1.1
Jan 28 2009 11:20:09: %ASA-3-713206: Group = 1.1.1.1, IP = 1.1.1.1, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Jan 28 2009 11:20:09: %ASA-7-715065: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0xb0388270)
I am trying to get this working without Split Tunneling, as I want all traffic to traverse the tunnel. To expand my knowledge, I am trying to get this done through the CLI.
I have tried two different access-lists, as I read that to disable split tunnelling you need to use standard access lists, but in the crypto map it won't let me. I also read that in the extended one you set the IP as the source if disabling split tunneling, which is what I have tried. I have also tried using the standard access-list in the group policy, as there is an option there for split tunneling.
The attached configpost.txt is the relevant sections of the config.
Also, the attached shrunalltunnelgroups.txt is the tunnel group settings.
Kindest Regards
Wayne
01-28-2009 05:52 AM
Wayne,
Ok - I read your note and here are some things to clarify with the terminology.
What you are trying to do is Lan to Lan tunnel configuration.
With regard to split-tunneling, it's a term used for Remote Access VPN clients, like IPSec VPN clients or Cisco AnyConnect VPN clients.
Having said that, what is your end goal?
Please clarify.
Send me the output of "sh run all group-policy" as well.
Thanks
Gilbert
Rate this post, if it helped.
01-28-2009 06:09 AM
Hi Gilbert,
Thanks for the reply. I have worked it out and got the tunnel up and running (although it's dropping the odd ping request).
I had to set the protocols to only IPSec in the group-policy I created to get it working.
Now I just need to take a look at what's causing the request time outs :)
Regards
Wayne
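The two things this thread turned on were (1) finding which group-policy an ipsec-l2l tunnel-group actually inherits (Gilbert's "sh run all tunnel-group" tip; a group with no explicit default-group-policy line falls back to DfltGrpPolicy, which is exactly what the 113009 message reports) and (2) the %ASA-3-713206 "Conflicting protocols" rejection, which went away once the policy's vpn-tunnel-protocol allowed IPSec. The script below is an added example, not code from this thread or from Cisco: it parses a constructed "show run all" sample modelled on the fragments posted here (peers 1.1.1.1/2.2.2.2 and the policy name sitea_29_1 are placeholders) and reports every L2L tunnel-group, the policy it resolves to, and whether that policy permits an IPsec tunnel. It also pulls the peer and policy out of a 113009 syslog line so the same check can be driven from logs.

```python
import re

# Constructed sample of "show run all" output, modelled on the fragments in this
# thread. Addresses and policy names are placeholders, not a real configuration.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol webvpn
 address-pools value vpnpool
group-policy sitea_29_1 internal
group-policy sitea_29_1 attributes
 vpn-tunnel-protocol ipsec
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group VPNAUTH
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy sitea_29_1
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
"""

# vpn-tunnel-protocol keywords that permit an IPsec LAN-to-LAN tunnel:
# "ipsec" on the 7.x / 8.0-8.3 CLI used in this thread, "ikev1"/"ikev2" on 8.4+.
L2L_PROTOCOLS = {"ipsec", "ikev1", "ikev2"}


def parse_group_policies(config):
    """Return {policy name: set of vpn-tunnel-protocol keywords}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, set())
        elif current and line.strip().startswith("vpn-tunnel-protocol "):
            policies[current] = set(line.split()[1:])
        elif not line.startswith(" "):
            current = None  # left the attributes block
    return policies


def parse_l2l_tunnel_groups(config):
    """Return {peer: group-policy name} for every tunnel-group of type ipsec-l2l.

    A group with no explicit default-group-policy inherits DfltGrpPolicy, which is
    what the original poster's 113009 message was reporting.
    """
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) type ipsec-l2l", line)
        if m:
            groups[m.group(1)] = "DfltGrpPolicy"
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            current = m.group(1) if m.group(1) in groups else None
            continue
        if current and line.strip().startswith("default-group-policy "):
            groups[current] = line.split()[1]
        elif not line.startswith(" "):
            current = None
    return groups


def audit(config):
    """Pair each L2L tunnel-group with its policy and flag the condition behind
    %ASA-3-713206 'Conflicting protocols specified by tunnel-group and group-policy':
    an ipsec-l2l group whose policy does not permit IPsec."""
    policies = parse_group_policies(config)
    findings = []
    for peer, policy in parse_l2l_tunnel_groups(config).items():
        protocols = policies.get(policy, set())
        findings.append({
            "peer": peer,
            "group_policy": policy,
            "protocols": sorted(protocols),
            "conflict": not (protocols & L2L_PROTOCOLS),
        })
    return findings


SYSLOG_113009 = re.compile(
    r"%ASA-6-113009: AAA retrieved default group policy \(([^)]+)\) for user = (\S+)")


def policy_from_syslog(line):
    """Extract (peer, policy) from a 113009 message; None for any other line."""
    m = SYSLOG_113009.search(line)
    return (m.group(2), m.group(1)) if m else None


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "CONFLICT (713206)" if f["conflict"] else "ok"
        print(f"{f['peer']:>10}  policy={f['group_policy']:<14} "
              f"protocols={f['protocols']}  {status}")
    print(policy_from_syslog(
        "Jan 28 2009 11:20:09: %ASA-6-113009: AAA retrieved default group policy "
        "(sitea_29_1) for user = 1.1.1.1"))
```

Run it against the real output of "sh run all tunnel-group" and "sh run all group-policy" pasted into SAMPLE_CONFIG. Peer 1.1.1.1 in the sample reproduces Wayne's situation (inherits DfltGrpPolicy, which only allows webvpn, so the tunnel is rejected); peer 2.2.2.2 shows the fixed state, a dedicated policy whose vpn-tunnel-protocol is ipsec.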
01-28-2009 06:16 AM
Hmm, seems like my split-tunnelling isn't working.
I have a remote site and I want to force all traffic from the local subnet 172.29.1.0/24 through the VPN out of the main site.
This works fine through the VPN Concentrator but I cannot seem to get this working through the ASA.
Any suggestions? I have noticed a setting in the Policy about split tunnelling, but does this only work with remote access policies and not site-to-site?
Anyhow, going to have a play around until you get a chance to reply.
Thank you for your help so far
Wayne
01-28-2009 06:08 AM
Sorted that error out; now I am getting an error that there is no crypto map entry (guessing this is now an issue trying to disable the split tunnelling). If you can think of anything that can help with the configuration provided then that would be fantastic.
I will continue to debug this in the mean time and post if i spot it.
Wayne
01-28-2009 06:38 AM
Hmm, I am having issues with forcing all the IPsec traffic down the tunnel and onto our internal network.
What I think is happening here is as follows:
1. Traffic is flowing down the tunnel fine (all traffic, that is).
2. As it hits the ASA, the routing table of the ASA tells it to route traffic out to the Internet (which you would expect).
The problem I have, which seems to work ok on the VPN Concentrator, is that I want all traffic, once it comes out of the VPN, to then route through a separate internet link (so it gets our filtering applied) and not to go directly out of the ASA.
Is there a way to resolve this issue?
Regards
Wayne
01-28-2009 07:01 AM
Ooo, there is a tunneled parameter on the end of the route command.
Thanks very much, this is all working now.
Wayne