l2l VPN ASA 7.2(4) - Client issues

Unanswered Question
Aug 29th, 2010
User Badges:

Help!


As of earlier today, I have a l2l vpn configured between the main office and a small remote office. The tunnel is active, and I can successfully ping devices on either side of the tunnel. I am also able to to do DNS name queries against the name servers in the main office from the remote office. I am not able to browse web servers, nor am I able to access microsoft server resources. I'm sure this is a newbie issue as this is the first time I'm working with these devices.


I'm planning to do some sniffs on either end tomorrow, but I was hoping for some input and/or guidance on what I may have overlooked.


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Sun, 08/29/2010 - 17:29
User Badges:
  • Green, 3000 points or more

Hi,


A normal L2L setup defines IP between both sides (meaning all TCP/UDP traffic is permitted to flow through tunnel).

If you have not created any VPN filters the tunnel should not be denying any traffic between both locations.


Are you sure the resources that you want to access are part of the interesting traffic for the tunnel? i.e can you PING them?


Federico.

dmschuler Sun, 08/29/2010 - 17:42
User Badges:

Yes, I can ping resources on both sides. The filter for the interesting traffic is quite simple - a single vlan on either side. From the remote side I can use nslookup on a windows workstation and get answers from the windows dns server on the other side.


When I try to open a web browser against a server on the main office side from the remote side, I get a response that the server is taking too long.


When I try to access shared files from the remote side against the windows server on the main office, I get an error.


Here are the access list portions of the config from each ASA:



On ASA1:
access-list VPN-TO-ASA2 extended permit ip x.x.120.0 255.255.248.0 x.x.71.0 255.255.255.0
access-list NONAT extended permit ip x.x.120.0 255.255.248.0 x.x.71.0 255.255.255.0


nat (inside) 0 access-list NONAT
      
On ASA2:
access-list VPN-TO-ASA1 extended permit ip x.x.71.0 255.255.255.0 x.x.120.0 255.255.248.0
access-list NONAT extended permit ip x.x.71.0 255.255.255.0 x.x.120.0 255.255.248.0


nat (inside) 0 access-list NONAT

Federico Coto F... Sun, 08/29/2010 - 17:53
User Badges:
  • Green, 3000 points or more

One thing would be to get away from 7.2(4) if you could upgrade to 8.x to discard any OS problems.


Other things to try:

crypto ipsec fragmentation before-encryption

sysopt connection tcpmss 1380


One other thing is that possibly the problem is not the tunnel but the actual response time from the servers.

You can check the response time for a PING packet (should be good since it's a very little packet), but can try sending a big file and check the reponse time as well.


If the problem persists, then as you mentioned, the captures on the inside interfaces should let us know more about what's happening.


Federico.

dmschuler Sun, 08/29/2010 - 18:13
User Badges:

Thank you. I'll add the two commands to see if that helps. ping repsonse times are between 20 - 26ms, which considering the one end is over a cable modem isn't too bad. I don't think I'm timing out.


I'll also look into the code upgrade.


I'll post an update tomorrow once the office is open.


Doug

dmschuler Wed, 09/01/2010 - 17:56
User Badges:

After comparing the configs on both sides, and adding a missing route on either side, I am now able to access resources, but only in one direction.


From the main office, I can do things like remote desktop, display a web page against a printer server, etc.


BUT - from the remote office I cannot do those things. If I try to initiate a session to a remote desktop in the main office, I get an error that the connection can't be established.


Here are the configs from the two ASAs. I've removed the specific IP Addressing information. I think I am very close, but can't make that final connection!


ASA Version 7.2(4)
!
hostname ASA-1
domain-name 1.local
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address a.b.c.100 255.255.248.0
!
interface Vlan2
nameif outside
security-level 0
ip address d.e.f.179 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone 2 EST
dns server-group DefaultDNS
domain-name 1.local


access-list VPN-TO-ASA-2 extended permit ip a.b.c.0 255.255.248.0 x.y.z.0 255.255.255.0
access-list NONAT extended permit ip a.b.c.0 255.255.248.0 x.y.z.0 255.255.255.0


access-list OUTSIDE_IN extended permit ip x.y.z.0 255.255.255.0 a.b.c.0 255.255.248.0 log
access-list OUTSIDE_IN extended permit ip u.v.w.240 255.255.255.252 a.b.c.0 255.255.248.0
access-list OUTSIDE_IN extended permit ip any any


access-list inside_access_in extended permit ip a.b.c.0 255.255.248.0 x.y.z.0 255.255.255.0 log
access-list inside_access_in extended permit ip u.v.w.240 255.255.255.252 a.b.c.0 255.255.248.0 log
access-list inside_access_in extended permit ip any any


pager lines 24
logging enable
logging asdm informational


mtu inside 1500
mtu outside 1500


icmp unreachable rate-limit 1 burst-size 1


asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400


global (outside) 1 interface


nat (inside) 0 access-list NONAT


access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside


route outside 0.0.0.0 0.0.0.0 d.e.f.177 1
route outside x.y.z.0 255.255.255.0 d.e.f.179 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL


http server enable
http a.b.c.0 255.255.248.0 inside


snmp-server location "Main Office"
snmp-server enable traps snmp authentication linkup linkdown coldstart


crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac


crypto map IPSEC 10 match address VPN-TO-ASA-2
crypto map IPSEC 10 set peer u.v.w.242
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


telnet timeout 5


ssh a.b.c.0 255.255.248.0 inside
ssh u.v.w.242 255.255.255.255 outside
ssh timeout 60
ssh version 2


console timeout 30


username admin password


tunnel-group u.v.w.242 type ipsec-l2l
tunnel-group u.v.w.242 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
: end



ASA2


ASA Version 7.2(4)
!
hostname ASA-2
domain-name 1.local
enable password
passwd
names
!
interface Vlan1
description 2 Outside
nameif outside
security-level 0
ip address u.v.w.242 255.255.255.252
!
interface Vlan2
description 2 Inside
nameif inside
security-level 100
ip address x.y.z.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone 2 EST
dns server-group DefaultDNS
domain-name 1.local


object-group network DM_INLINE_NETWORK_1
network-object host d.e.f.179
network-object a.b.c.0 255.255.248.0


access-list VPN-TO-ASA1 extended permit ip x.y.z.0 255.255.255.0 a.b.c.0 255.255.248.0


access-list NONAT extended permit ip x.y.z.0 255.255.255.0 a.b.c.0 255.255.248.0


access-list OUTSIDE_IN extended permit ip a.b.c.0 255.255.248.0 x.y.z.0 255.255.255.0 log
access-list OUTSIDE_IN extended permit ip host d.e.f.179 x.y.z.0 255.255.255.0 log
access-list OUTSIDE_IN extended permit ip any any log


access-list inside_access_in extended permit ip x.y.z.0 255.255.255.0 a.b.c.0 255.255.248.0
access-list inside_access_in extended permit ip host d.e.f.179 x.y.z.0 255.255.255.0 inactive
access-list inside_access_in extended permit ip any any


pager lines 24


logging enable
logging asdm debugging


mtu outside 1500
mtu inside 1500


icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface


nat (inside) 0 access-list NONAT
nat (inside) 1 x.y.z.0 255.255.255.0


access-group OUTSIDE_IN in interface outside
access-group inside_access_in in interface inside


route outside 0.0.0.0 0.0.0.0 u.v.w.241 1
route outside a.b.c.0 255.255.248.0 u.v.w.242 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.y.z.0 255.255.255.0 inside
snmp-server location "Remote Office"
snmp-server enable traps snmp authentication linkup linkdown coldstart


crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer d.e.f.179
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


telnet x.y.z.0 255.255.255.0 inside
telnet timeout 5


ssh 0.0.0.0 0.0.0.0 outside
ssh x.y.z.0 255.255.255.0 inside
ssh timeout 5


console timeout 15


dhcpd dns a.b.c.23 a.b.c.24
dhcpd lease 691200
dhcpd domain 1.local
!
dhcpd address x.y.z.10-x.y.z.100 inside
dhcpd dns a.b.c.23 a.b.c.24 interface inside
dhcpd enable inside
!


username admin password


tunnel-group d.e.f.179 type ipsec-l2l
tunnel-group d.e.f.179 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f17b89c1bc3468b07c1e8fc629b78f34
: end

Actions

This Discussion

Related Content