09-20-2010 07:30 AM
Dear All,
I have multiple sites with dynamic IP addresses.
At HO I have a Cisco router with a dynamic IP address, on which Internet port forwarding is configured, and the VPN terminates on an ASA.
I have 40 branches, all with dynamic IPs. All L2L tunnels are up and running.
My issue is that communication from branch to HO is perfect, but from HO I am not able to access any of the branch resources.
Could somebody help me resolve this issue? Config is attached.
09-20-2010 08:01 AM
Please check the logs on the ASA while running the test for the IP address you're testing with.
Make sure you're logging at least at informational level.
I'm curious, why aren't you using ezvpn in NEM mode instead of l2l?
Marcin
09-21-2010 12:43 AM
Hi Marcin,
Thanks for your support. This was done by some other company and now I am taking care of the network.
I have a doubt about the Cisco ASA (HO): there is no access-list configured on the ASA, but in the branch an ACL is configured.
Please clarify my doubt:
When I am trying to access a branch from HO, how will the ASA forward the traffic to that particular branch? But when I access HO from a branch it will take the VPN ACL and will go out (I am able to access all HO resources from BR).
One more piece of information: I have two Internet routers in HO; 20 branches are connected to one and 20 to the other. In the ASA there is no default gateway configured.
Please suggest me a solution.
09-21-2010 01:38 AM
Let me address those one by one.
1. Regarding crypto ACL - since we don't know which peer is going to tunnel which subnets (proxy IDs), we rely on the client to request the correct proxy IDs. Thus the other side will request something and we will accept it as the proxy IDs for that peer. That's OK with dynamic IP for L2L peers.
2. See answers above, correct proxy IDs are installed on the ASA (or should be).
3. That's indeed interesting.
Can you add "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse" to your configuration?
If there are two possible routers to go out via... are they in HSRP or something? Is the ASA visible via different IP addresses on the outside depending on which dynamic peer connects?
Can you please attach a topology diagram?
Marcin
09-21-2010 03:14 AM
Thanks for your valuable time
As you advised I have added "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse", but the result was the same (can't access branch from HO), and I am not using any HSRP configuration on the Internet routers.
I am not aware of proxy settings (correct proxy IDs are installed on the ASA). Is it required?
As per the diagram, all locations are using ADSL and port forwarding is configured on both Internet routers for the VPN ports. Kindly go through the attached diagram and suggest.
09-21-2010 07:36 AM
The ASA installs proxy IDs based on what the dynamic peer asks for.
Did you try to tear down the tunnel after you added reverse route injection?
Can you please attach "show vpn-session" and "sho route" .
I would also check logs if it's the ASA dropping those packets.
--------
conf t
! keep informational-level messages in the local log buffer
logging buffered informational
logging buffer-size 1000000
--------
initiate the test and check for me:
-------
show logging | include SOURCE_IP
show logging | include DESTINATION_IP
-------
Marcin
09-21-2010 11:59 PM
09-22-2010 12:36 AM
AHA!
I understand the setup a little bit better.
It seems that your routers are doing destination NAT, so all tunnels appear to be coming from the "172.16.40.0/23" subnet.
And indeed your assumption is correct: the problem appears to be related to a lack of correct routes pointing to the outside (at least it seems so for now).
However, reverse route injection should take care of it.
Speaking of which, I noticed your tunnels land on crypto dynamic-map alfa and not the system default.
Please add "crypto dynamic-map alfa 1 set reverse" and restart one of the tunnels (do not reload the spoke, just clear isakmp or ipsec session for it).
We'll see from there.
Marcin
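The fix Marcin describes, shown as an added before/after configuration fragment (not taken from the thread's attached config). The dynamic-map name alfa and the HO subnets are from the thread; outside_map, the transform set and the spoke LAN 10.10.10.0/24 are assumed for illustration.

```cisco
! Added illustration, not the poster's configuration.
! "alfa" is from the thread; "outside_map", "ASA-TSET" and 10.10.10.0/24 are assumed.
!
! --- Before: dynamic map without reverse route injection ---
! Spoke-initiated tunnels come up because the spoke proposes the proxy IDs,
! and the ASA accepts them. But the ASA learns no route back to the spoke
! LAN, and with no default route configured either, an HO-initiated packet
! to 10.10.10.0/24 fails the routing lookup and is dropped before it can
! ever match the crypto map. Hence branch->HO works, HO->branch does not.
crypto ipsec transform-set ASA-TSET esp-aes esp-sha-hmac
crypto dynamic-map alfa 1 set transform-set ASA-TSET
crypto map outside_map 65535 ipsec-isakmp dynamic alfa
crypto map outside_map interface outside
!
! --- After: RRI enabled on the same dynamic map the tunnels land on ---
! For every SA negotiated against "alfa", the ASA installs a static route
! for the remote proxy ID (the spoke LAN) out the outside interface, so
! HO-initiated traffic now reaches the crypto map and is encrypted.
! Note it must be the map the tunnels actually use, not SYSTEM_DEFAULT_CRYPTO_MAP.
crypto dynamic-map alfa 1 set reverse-route
!
! The route is only installed when an SA is (re)negotiated, so bounce one
! tunnel from the hub instead of reloading the spoke:
!   clear crypto ipsec sa peer <SPOKE_PUBLIC_IP>
! Then verify a route for the spoke LAN now exists and the SA is up:
!   show route | include 10.10.10.0
!   show crypto ipsec sa peer <SPOKE_PUBLIC_IP>
```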
09-22-2010 01:12 AM
Hi Marcin,
That worked! I just added "crypto dynamic-map alfa 1 set reverse" and restarted the tunnel.
Thanks a lot for your support and the time you spent on this issue.
09-22-2010 01:17 AM
Glad to be of help ;-)
Until next time.
Marcin
09-22-2010 01:49 AM
one quick question
In HO I have 2 subnets, 192.168.0.x and 192.168.5.x. From 192.168.0.x the branch is accessible, but from 5.x the branch is not accessible.
Any solution for this?
Do I need to configure a VPN ACL or not?
09-22-2010 02:57 AM
Normally you should not ...
Is this happening all across the spokes or only on some?
Can you show me "show crypto ipsec sa | i caps|ident|spi|peer" output.
09-22-2010 04:25 AM