ASA5505 vpn tunnel

razorbakill
Level 1

I have 2 asa5505's. I have created a site to site vpn tunnel using two local networks. (ex. 192.168.1.0 & 192.168.2.0).

I then tried to make another set of local ip's (ex. 192.168.3.0 & 192.168.4.0) use the same tunnel group, same external endpoints. One set of ip's is for data and the other for ip phones. Vlan 1 is not being used, vlan 2 is inside interface, vlan 3 is outside interface, and vlan 4 is the 2nd interface named phones. The first data networks are working fine, but the phones ip data is not flowing. I cannot ping the other side. I set vlan 4 to not forward to interface vlan 2 and set the security to 100 on both ends. These are two independent local networks that don't need to talk to each other. Is there a reason anyone can think of why this wouldn't work?



Jennifer Halim
Cisco Employee

Do you mean you created another crypto map sequence for the second sets?

If you do, that is not correct as you are terminating on the same peer. You just have to add to the existing crypto ACL on both sides for the original vpn tunnel.

So if your first tunnel crypto ACL says:

access-list crypto-acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Just add another line that says:

access-list crypto-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

and of course the mirror image crypto ACL on the peer ASA.

You would also need to add NAT exemption on that interface where the phone subnet is.

Thanks for the reply,

Actually I created the first site to site with the vpn wizard and it works fine. I then created the second site to site with the wizard also, and when it came to adding the gateway to gateway a box popped up saying that the tunnel group already existed and do you want to use it. I said yes. I then went on with the wizard and it completed. Below are the commands it added to the firewall:

!ASA
!Single Routed
!29-Apr-10_18.40.33
!Preview CLI Commands 

crypto isakmp enable phones
access-list phones_1_cryptomap line 1 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound line 2 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map phones_map 1 match address phones_1_cryptomap
crypto map phones_map 1 set  pfs group1
crypto map phones_map 1 set  peer  External IP
crypto map phones_map 1 set  transform-set  ESP-3DES-SHA
crypto map phones_map interface  phones

Does this seem correct?

No, that is not correct. If you use the wizard, it will create a brand new tunnel with the same peer end point. You can't configure 2 crypto map names and apply them both on the outside interface.

You would need to edit the existing crypto map, and add crypto ACL for the new subnets.

If you check the output of "show run crypto map", it would already have the existing tunnel configuration, and since the peer address is the same, just add another line to the existing crypto ACL, and remember to configure the mirror image ACL on the peer device.

Very good, I understand now, thanks. One other question about nat.

I currently have 2 nat statements on one of the firewalls for nat as follows:

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

The other firewall has one as follows:

nat (inside) 0 access-list inside_nat0_outbound

Now, would I add a statement to the current access-list inside_nat0_outbound, then write a nat exception as follows:

nat (phones) 0 access-list inside_nat

Or should I write a new access-list such as access-list phones_nat0_outbound extended permit ip (ip info), then apply to a new nat statement such as:

nat (phones) 0 access-list phones_nat0_outbound. I'm a little confused on the number that follows the nat statement,


or each nat statement needs to be in number order such as

nat (inside) 0

nat (inside) 1

nat (phones) 2

I thank you for your help and patience. I'm pretty good with routers and switches, but an admitted novice with firewalls.

Depending on how the phone subnet is connected on the ASA.

If your phone subnet is connected on a separate interface on the ASA (for example: an interface that you have named "phones"), then you would need to create a new access-list and assign it to the "phones" interface.


Example:

access-list phones-nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (phones) 0 access-list phones-nonat

On the other hand, if the phone subnet is connected to the ASA via the inside interface, ie: phone subnet is routed via the inside interface of the ASA, then you only need to add the line to the existing ACL on the inside interface.

Example:

Currently the inside NAT statement says "nat (inside) 0 access-list 101", and all you need to add is another line to ACL 101 as follows:

access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

Here is a sample configuration with 2 internal interfaces (inside and dmz) for site-to-site vpn tunnel for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

From the sample configuration, it is using the same ACL NoNAT for both inside and dmz interfaces. I would recommend that you create a different ACL for the NAT statement for each interface instead of using the same ACL on both interfaces.

Hope that helps.
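The two points made above (the peer's crypto ACL must be the mirror image of the local one, and every crypto ACL subnet pair needs a NAT exemption on the interface that subnet lives on) are easy to get wrong when a second subnet pair is added by hand. This is an added Python checker, not from the thread or from Cisco; it parses constructed pre-8.3 ASA config fragments (assumed `nat (iface) 0 access-list` syntax as in the thread) and reports missing mirror entries and missing exemptions.

```python
import re

# Constructed sample configs (hypothetical, not the poster's). The peer has the
# crypto line for the phone subnets but forgot its NAT exemption, and carries an
# extra 192.168.5.0 entry that the local side never mirrored.
LOCAL_CFG = """
access-list crypto-acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto-acl extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list phones-nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list 101
nat (phones) 0 access-list phones-nonat
crypto map outside_map 1 match address crypto-acl
"""
PEER_CFG = """
access-list crypto-acl extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto-acl line 2 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list crypto-acl extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map outside_map 1 match address crypto-acl
"""

ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)?(?: extended)? permit ip (\S+ \S+) (\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(cfg):
    """Return (acl entries by name, nat0 ACL by interface, ACL names bound to crypto maps)."""
    acls, nat0, crypto = {}, {}, set()
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))   # (src net+mask, dst net+mask)
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
        elif m := MAP_RE.match(line):
            crypto.add(m[1])
    return acls, nat0, crypto

def crypto_pairs(cfg):
    """Every (src, dst) pair that is selected for encryption by some crypto map."""
    acls, _, crypto = parse(cfg)
    return {p for name in crypto for p in acls.get(name, [])}

def mirror_gaps(local_cfg, peer_cfg):
    """Local crypto ACL entries with no mirror-image (dst, src) entry on the peer."""
    peer = crypto_pairs(peer_cfg)
    return sorted(p for p in crypto_pairs(local_cfg) if (p[1], p[0]) not in peer)

def nat0_gaps(cfg):
    """Crypto ACL entries not covered by any 'nat (iface) 0 access-list' exemption."""
    acls, nat0, _ = parse(cfg)
    exempt = {p for name in nat0.values() for p in acls.get(name, [])}
    return sorted(p for p in crypto_pairs(cfg) if p not in exempt)
```

Run `mirror_gaps` in both directions and `nat0_gaps` on each box before bringing a new subnet pair up; an entry reported by either is interesting traffic that will be dropped or NATed instead of encrypted.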

Yes that definitely helps, Thank You.

You know I searched up and down the show commands but could not find one that would show me the local networks that are associated, or go across a specific vpn tunnel, whether it's 1 network or 3 local networks. Do you know any commands that show them?

Are you trying to find out what local subnets have been configured on the ASA?

You can run "show run interface", and the output would show you what subnet/interface have been configured currently on the ASA.

You can also run "show route" to check if any specific local subnet has been routed through one of the interfaces.

No, those I know. Say you have a single site to site ( or gateway to gateway) vpn tunnel through the internet. But you setup multiple local networks on each side to cross the single tunnel as we discussed in this thread. Is there a show command that would say that here is this one vpn tunnel and these are the permitted local (or private) networks that are configured to cross that one vpn tunnel? Maybe even the statistics, such as how much traffic is being sent and received through the vpn tunnel from each local network configured to use the vpn tunnel?

Yes, "show crypto ipsec sa" will show you the statistics for each ACL line that you have configured for your crypto ACL. It will show how many packets have been encrypted and decrypted per ACL subnet pair.

Hi again,

Well, finally went on site, added those two lines of code, 1 to the existing crypto map acl, and created a new nat0 phones acl. I was now able to pass traffic from the inside and phones interface down the one tunnel. The inside interface always worked, being able to rdp to other pc's, cameras running across vpn, etc, tcp sessions. But, the phones network I can ping anything on the other side of vpn tunnel and thought all was good. The only thing is that it seems I can't open anything on the other side through the phones interface, just ping. I can telnet to the level 3 switch on the other side through inside interface but NOT through the phones interface. It seems like I can't do tcp sessions. I was under the impression these vpn tunnels should pass the traffic as trusted traffic as if it was inside and part of the whole network. Any ideas? I can post the configs from both asa5505's if needed.

Thanks again, you've been most helpful.

Please post the config from both ASAs, and also advise the source and destination ip address of the traffic which is not working.

Thanks for the rating.

Thanks Halijenn,

Here are the configs, edited to protect the innocent, lol. Also, I can't get out to the internet on the remote config. I mean I can or I wouldn't have a vpn tunnel. But, you can't browse the internet from a pc from the remote location on either network; only really need it on inside interface. Any ideas on that too? At first I noticed no nat statement on the inside interface (nat 1 0.0.0.0 0.0.0.0) but I added this and still no browse.

The inside interface on both configs is passing traffic fine. (10.1.1.0 to 10.4.1.0)

The phones interface has connectivity, I can ping across the vpn tunnel, but no other communication (tcp). The networks there are 10.1.5.0 to 10.4.5.0.

Thanks

Change the following on the remote side:

global (inside) 1 interface to global (outside) 1 interface. This will PAT the inside hosts to the outside for internet access.

Jeez, I don't know how I missed that. I need some time off,lol. Thanks em6557

Still not sure why I can't communicate on phones vlan1 interface, network 10.4.5.0 to 10.1.5.0, or vice versa through the vpn tunnel, only can ping through the vpn tunnel for those networks.

Inside interface and networks, 10.1.1.0 to 10.4.1.0, work fine.

Is it possibly the limitation of the basic license of the asa5505? Or are the configs correct and it should work???
