04-01-2010 02:23 PM
I currently have site-to-site VPN tunnels from two remote sites with 1720s connecting to an ASA5510 at my TOWN_HALL site. (see attached diagram)
This is working fine but I want to add connectivity between the 1720-A LAN (172.20.3.0/24) and the 1720-B LAN (172.22.3.0/24). What's the best way to do this? Can the 1720s be configured with direct L2L VPN tunnels or will that affect the current tunnels to the ASA5510? If so, I'm guessing each 1720 will have to go through the ASA first.
Thanks.
Configs below:
ASA5510
ASA Version 7.2(2)
!
names
name 172.18.3.19 Postal description Mail Server
name 172.18.3.33 helpdesk description Helpdesk Server
dns-guard
!
interface Ethernet0/0
description Comcast Link
nameif ComCast_Out
security-level 0
ip address 29.92.14.73 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.252
!
interface Ethernet0/2
security-level 0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
boot system disk0:/asa722-k8.bin
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inbound extended permit ip any host 29.92.14.74
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit tcp any host 29.92.14.73 eq 3000
access-list inbound extended permit tcp any host 29.92.14.73 eq smtp log
access-list inbound extended permit tcp any host 29.92.14.73 eq www
access-list inbound extended permit tcp any host 29.92.14.73 eq 3389
access-list inbound extended permit tcp any host 29.92.14.73 eq pptp
access-list inbound extended permit tcp any host 116.204.226.42 eq 3000
access-list inbound extended permit tcp any host 116.204.226.42 eq smtp
access-list inbound extended permit tcp any host 116.204.226.42 eq www
access-list inbound extended permit tcp any host 116.204.226.42 eq 3389
access-list inbound extended permit tcp any host 116.204.226.42 eq pptp
access-list inbound remark FTP Server
access-list inbound extended permit tcp any host 29.92.14.73 eq ftp
access-list acl_out extended permit tcp host 29.92.14.73 any eq smtp
access-list acl_out extended permit tcp host 192.168.1.4 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list 121 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list nonat extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.252 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 172.17.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 172.31.3.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list backup_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out remark Barracuda
access-list outside_access_out extended permit tcp host 172.18.3.8 any eq smtp inactive
access-list outside_access_out remark SMTP Block
access-list outside_access_out extended deny tcp any any eq smtp inactive
access-list inside_access_in remark Schools SMTP
access-list inside_access_in extended permit tcp host Postal eq smtp any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.8 any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.30 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list ComCast_Out_20_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list vpn_access standard permit 192.168.10.0 255.255.255.252
access-list vpn_access standard permit 172.17.1.0 255.255.255.0
access-list vpn_access standard permit 172.18.0.0 255.255.0.0
access-list vpn_access standard permit 172.31.3.0 255.255.255.0
access-list vpn_access standard permit 172.30.1.0 255.255.255.0
access-list vpn_access standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging monitor emergencies
logging buffered warnings
logging asdm informational
mtu ComCast_Out 1500
mtu inside 1500
mtu NOT_IN_USE 1500
mtu management 1500
ip local pool vpnpool 192.168.20.2-192.168.20.254
ip local pool VPN-POOL 172.31.255.1-172.31.255.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (ComCast_Out) 1 interface
global (NOT_IN_USE) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.0.0.0 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ComCast_Out) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3389 172.18.3.22 3389 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3389 172.18.3.23 3389 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3101 172.18.3.8 3101 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp helpdesk ftp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp-data helpdesk ftp-data netmask 255.255.255.255
static (inside,ComCast_Out) 29.92.14.74 172.18.3.16 netmask 255.255.255.255
access-group inbound in interface ComCast_Out
access-group outside_access_out out interface ComCast_Out
access-group inside_access_in in interface inside
access-group inbound in interface NOT_IN_USE
access-group backup_access_out out interface NOT_IN_USE
route ComCast_Out 0.0.0.0 0.0.0.0 29.92.14.78 1 track 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
route inside 172.17.1.0 255.255.255.0 192.168.10.1 1
route inside 172.18.0.0 255.255.0.0 192.168.10.1 1
route inside 172.31.3.0 255.255.255.0 192.168.10.1 1
route inside 172.30.1.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnclient internal
group-policy vpnclient attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_access
group-policy remote internal
group-policy remote attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 121
http server enable
http 172.0.0.0 255.0.0.0 inside
http 192.0.0.0 255.0.0.0 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 168.87.71.226 interface ComCast_Out
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec transform-set SHA3DES esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3des
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map vpnremote 20 match address ComCast_Out_20_cryptomap
crypto map vpnremote 20 set peer 202.13.116.209
crypto map vpnremote 20 set transform-set ESP-DES-MD5
crypto map vpnremote 25 match address ComCast_Out_25_cryptomap
crypto map vpnremote 25 set peer 207.147.31.97
crypto map vpnremote 25 set transform-set ESP-DES-MD5
crypto map vpnremote 30 ipsec-isakmp dynamic dynmap
crypto map vpnremote 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnremote interface ComCast_Out
crypto map VN1530600A 663 match address ACL663
crypto map VN1530600A 663 set pfs
crypto map VN1530600A 663 set peer 29.92.14.73
crypto map VN1530600A 663 set transform-set SHA3DES
crypto map VN1530600A 663 set security-association lifetime seconds 1800
crypto isakmp identity address
crypto isakmp enable ComCast_Out
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
!
track 1 rtr 123 reachability
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool vpnpool
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *
tunnel-group 29.92.14.73 type ipsec-l2l
tunnel-group 29.92.14.73 ipsec-attributes
pre-shared-key *
tunnel-group 202.13.116.209 type ipsec-l2l
tunnel-group 202.13.116.209 ipsec-attributes
pre-shared-key *
tunnel-group 207.147.31.97 type ipsec-l2l
tunnel-group 207.147.31.97 ipsec-attributes
pre-shared-key *
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 120
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.10.11-10.10.10.20 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:82155434d3cfa69cd7217f20aaacabb7
: end
1720-A
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-A
!
logging buffered 4096 debugging
!
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.20.3.1 172.20.3.20
!
ip dhcp pool dhcppool
network 172.20.3.0 255.255.255.0
default-router 172.20.3.1
dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key Cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map VPNmap 10 ipsec-isakmp
set peer 29.92.14.73
set transform-set TOWN_HALL
match address TOWN_HALL
!
!
!
!
interface Ethernet0
ip address 207.147.31.97 255.255.255.252
ip access-group PERIMETER in
ip nat outside
half-duplex
crypto map VPNmap
!
interface FastEthernet0
description LAN
ip address 172.20.3.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
no ip address
shutdown
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.147.31.98
no ip http server
ip pim bidir-enable
!
!
ip access-list extended NAT_ADDRESSES
deny ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
permit ip 172.20.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
permit esp host 29.92.14.73 host 207.147.31.97
permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 207.147.31.97 eq telnet
permit tcp any host 192.168.20.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit udp host 173.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 173.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
deny ip any any
ip access-list extended TOWN_HALL
permit ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
!
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input telnet
!
no scheduler allocate
ntp clock-period 17180009
end
Solved! Go to Solution.
04-02-2010 03:28 PM
Double-check that you have the following transforms sets in used by this tunnel:
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
The tunnel seems to be failing on phase 2 negotiations due to a mismatch, but according to the configuration
it seems fine.
Are you sure that those debugs aren't just part of the negotiations and finally the tunnel established?
Check the status of the tunnel again with the commands:
sh cry isa sa
sh cry ips sa
When trying to establish the tunnel again and let's see the results.
Federico.
04-02-2010 03:29 PM
Configuration seems to be correct.
I assume phase 1 is up? QM_IDLE for the remote to remote L2L tunnel?
Can you run debug on both sides and post the output please. Thanks.
04-01-2010 03:01 PM
Hi,
You can do it either way.
1. Both 1720s can communicate to each other via the Site-to-Site tunnel each one has to the ASA (just need to add the interesting traffic correctly and some minor configuration adjustments).
2. Both 1720s can have a direct Site-to-Site tunnel between them (without going through the ASA).
I would recommend option #2, unless you have some specific requirement to control communication between the remote sites on the central site.
Federico.
04-01-2010 03:10 PM
Hi Michael,
You have 2 options:
1) Direct VPN tunnel between the 2 remote sites as you have publicly assigned ip on the outside interface, so you can do direct VPN tunnel.
OR/ alternatively
2) Configure the VPN tunnel between the 2 remote sites to go through your ASA, config as follows:
ASA:
no nat-control
same-security-traffic permit intra-interface
access-list ComCast_Out_20_cryptomap extended permit ip 172.20.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.22.3.0 255.255.255.0 172.20.3.0 255.255.255.0
1720-A:
ip access-list extended TOWN_HALL
permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
ip access-list extended NAT_ADDRESSES
1 deny ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
1720-B:
ip access-list extended TOWN_HALL
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
ip access-list extended NAT_ADDRESSES
1 deny ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
Remember to clear the SA and reestablish the VPN tunnel once the configuration has been done.
Hope that helps.
04-02-2010 08:26 AM
Ok. I'm am going with the direct VPN tunnel between 1720-A and 1720-B but I'm having some problems. When I try to bring up the tunnel by doing an extended ping between the two subnets 172.20.3.0/24 and 172.22.3.0/24 I get the following error:
Apr 2 15:12:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.13.116.209
1720-A changes in blue
crypto isakmp key D1sC0 address 202.13.116.209
crypto map VPNmap 20 ipsec-isakmp
set peer 202.13.116.209
set transform-set TOWN_HALL
match address RTRB
ip access-list extended NAT_ADDRESSES
deny ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
deny ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit ip 172.20.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
permit esp host 29.92.14.73 host 207.147.31.97
permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 207.147.31.97 eq telnet
permit tcp any host 192.168.20.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit udp host 202.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 202.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit udp host 202.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 202.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
deny ip any any
ip access-list extended RTRB
permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
1720-B changes in red
crypto isakmp key D1sC0 address 207.147.31.97
crypto map VPNmap 20 ipsec-isakmp
set peer 207.147.31.97
set transform-set TOWN_HALL
match address RTRA
ip access-list extended NAT_ADDRESSES
deny ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
deny ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
permit esp host 29.92.14.73 host 202.13.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 202.13.116.209 eq telnet
permit tcp any host 192.168.22.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit ip 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
permit udp host 207.147.31.97 host 202.13.116.209 eq isakmp
permit esp host 207.147.31.97 host 202.13.116.209
permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
deny ip any any
ip access-list extended RTRA
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
Any ideas? Thanks
-mike
04-02-2010 08:34 AM
More info from debug crypto ipsec on RTRA
Apr 2 15:33:28: IPSEC(validate_proposal): peer address 202.13.116.209 not found
04-02-2010 03:15 PM
Michael,
The logs indicate that there's a mismatch in Quick Mode (this is phase 2).
So, most likely the transform set is not matching on both sides.
Check the settings of the transform set for both crypto maps.
Federico.
04-02-2010 03:28 PM
Double-check that you have the following transforms sets in used by this tunnel:
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
The tunnel seems to be failing on phase 2 negotiations due to a mismatch, but according to the configuration
it seems fine.
Are you sure that those debugs aren't just part of the negotiations and finally the tunnel established?
Check the status of the tunnel again with the commands:
sh cry isa sa
sh cry ips sa
When trying to establish the tunnel again and let's see the results.
Federico.
04-02-2010 03:29 PM
Configuration seems to be correct.
I assume phase 1 is up? QM_IDLE for the remote to remote L2L tunnel?
Can you run debug on both sides and post the output please. Thanks.
04-06-2010 06:23 AM
You are correct. This config does work. I made a change to the ACL that matches my interesting traffic after my debug but before I posted the config here. Thanks for all your help.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: