10-29-2013 09:38 AM - edited 03-11-2019 07:57 PM
I have two ASA 5505s with Security Plus licenses.
ASA 8.4(3), ASDM 6.4(7)
I have three VLANs that need to communicate over the VPN.
Site A -> Site B
1. Inside, VLAN 11: 192.168.11.1 to 192.168.10.1. This pings just fine from one end of the tunnel to the other.
2. DMZ, VLAN 12: 10.10.10.1 to 10.10.10.6. This will not ping the other side of the DMZ.
3. Management, VLAN 13: 192.168.0.1 to 192.168.0.2. This will ping the inside VLAN, but will not ping DMZ or Management from one side of the tunnel.
All three VLANs have dynamic NAT to the outside for internet access.
I use a wireless LAN controller at site A and want to control the WAP at site B.
The DMZ at site B has to communicate with a DHCP server at site A. I think I have the ACL correct for this on router A, so after the NAT issue is fixed it should work.
Router A is working correctly; packet tracer shows the packet going through the VPN lookup.
Router B will not translate DMZ or management traffic to the VPN lookup. I DON'T KNOW WHY!!!!
Here is the config for router B:
: Saved
:
ASA Version 8.4(3)
!
hostname lyons5505
names
name 192.168.10.0 Inside
name 192.168.0.0 Management
name 192.168.10.2 CPLserver
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 11-13
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 11
!
interface Ethernet0/3
 switchport access vlan 11
!
interface Ethernet0/4
 switchport access vlan 13
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif default
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan11
 description Inside
 nameif inside
 security-level 90
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 10.10.10.6 255.255.255.0
!
interface Vlan13
 description Management
 nameif Management
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside
 subnet 192.168.11.0 255.255.255.0
object network Management
 subnet 192.168.0.0 255.255.255.0
object network In_to_out_NAT
 subnet 0.0.0.0 0.0.0.0
object network inside_to_out
 host 192.168.11.13
object network local-lan
 subnet 192.168.11.0 255.255.255.0
object network CPL
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.11.0
 subnet 192.168.11.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network management
 subnet 192.168.0.0 255.255.255.0
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network DMZ
 subnet 10.10.10.0 255.255.255.0
object network Atlantis
 host 192.168.10.13
object network Columbus
 host 192.168.11.2
object network CPLDHCP
 host 192.168.10.2
object network in_to_out_NAT
 subnet 0.0.0.0 0.0.0.0
object-group network obj-10.0.1.0
object-group network obj-10.0.2.0
object-group network CPL_VPN
 network-object Inside 255.255.255.0
object-group network DMZ_VPN
 network-object 10.10.10.0 255.255.255.0
object-group network Management_VPN
 network-object Management 255.255.255.0
object-group network INSIDE_VPN
 network-object 192.168.11.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 group-object DMZ_VPN
 group-object INSIDE_VPN
 group-object Management_VPN
object-group network DM_INLINE_NETWORK_2
 group-object CPL_VPN
 group-object DMZ_VPN
 group-object Management_VPN
object-group network DM_INLINE_NETWORK_3
 group-object DMZ_VPN
 group-object INSIDE_VPN
 group-object Management_VPN
object-group network DM_INLINE_NETWORK_4
 group-object DMZ_VPN
 group-object INSIDE_VPN
 group-object Management_VPN
object-group network DM_INLINE_NETWORK_5
 group-object CPL_VPN
 group-object DMZ_VPN
 group-object Management_VPN
object-group network Outside
 description Needed for DMZ outside access - Dont know why
 network-object object in_to_out_NAT
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list global_mpc extended permit ip object-group INSIDE_VPN object-group CPL_VPN inactive
access-list global_mpc_1 extended permit ip object-group INSIDE_VPN object-group CPL_VPN inactive
access-list global_mpc_2 extended permit ip object-group INSIDE_VPN object-group CPL_VPN inactive
access-list outside_mpc extended permit ip any object CPL inactive
access-list dmz_access_in extended permit ip object DMZ object Columbus
access-list dmz_access_in extended deny ip object DMZ object Inside
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging asdm debugging
mtu default 1500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any Management
no asdm history enable
arp timeout 14400
nat (any,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5
!
object network obj-192.168.11.0
 nat (inside,outside) dynamic interface
object network obj-192.168.0.0
 nat (Management,outside) dynamic interface
object network obj-10.10.10.0
 nat (dmz,outside) dynamic interface
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http Management 255.255.255.240 Management
http Management 255.255.255.0 Management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal test
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map lyons.dnsget.org 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.200 255.255.255.255 Management
telnet 192.168.0.201 255.255.255.255 Management
telnet Management 255.255.255.0 Management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd auto_config outside interface Management
!
dhcprelay server CPLserver inside
dhcprelay enable Management
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.9
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server none
 dns-server value 192.168.10.9
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain none
username padmin password 33TXuC/dbIFJdJDc encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
 service-type nas-prompt
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
policy-map outside-policyQOS
 class outside-class
  police input 512000 1500
  police output 512000 1500
  set connection conn-max 200 embryonic-conn-max 200 per-client-max 40 per-client-embryonic-max 40
!
service-policy global_policy global
service-policy outside-policyQOS interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:06061a4998455a9bb099a2704bac6efc
: end
10-29-2013 09:45 AM
Hi,
There are quite a few different things mentioned in your post.
The first thing we should clear up is whether you are actually using overlapping networks on the two sites. The start of the post seems to indicate that both the DMZ and Management networks are the same on both sites?
- Jouni
10-29-2013 09:48 AM
Yes, correct. Both the DMZ and Management networks use the same IP scheme.
10-29-2013 09:53 AM
Hi,
Well, that is one clear problem at least.
You should use different networks/subnets on each side, since these networks don't have L2 connectivity to enable sharing the subnet/address space.
You could naturally avoid changing IP addresses/subnets by NATing the overlapping networks.
- Jouni
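As an added example, not part of the thread and not from either poster, here is what the NAT alternative Jouni mentions looks like in the ASA 8.4 twice-NAT syntax the poster is running, for the overlapping DMZ (10.10.10.0/24 on both sites). It assumes 10.10.20.0/24 and 10.10.30.0/24 are unused at both sites; those mapped ranges, the object names DMZ_B_REAL/DMZ_B_MAPPED/DMZ_A_MAPPED and the host addresses in the packet-tracer call are arbitrary choices for illustration. Site B presents its DMZ to site A as 10.10.20.0/24 and reaches site A's DMZ as 10.10.30.0/24; site A needs the mirror image. Two details from the posted config matter here: in 8.3+ the crypto map ACL is matched against translated addresses, so it must list the mapped networks, and the dmz_access_in ACL on site B ends in an implicit deny, so the mapped remote DMZ needs an explicit permit.

```cisco
! ---- Site B (the posted ASA) ----
! Real DMZ at site B, and the two mapped ranges (assumed free on both sites).
object network DMZ_B_REAL
 subnet 10.10.10.0 255.255.255.0
object network DMZ_B_MAPPED
 subnet 10.10.20.0 255.255.255.0
object network DMZ_A_MAPPED
 subnet 10.10.30.0 255.255.255.0
!
! Twice NAT at line 1 so it is evaluated before the existing identity rule
! (DM_INLINE_NETWORK_4 -> DM_INLINE_NETWORK_5) and before the dynamic PAT
! rules. Source is translated 10.10.10.x -> 10.10.20.x only when the
! destination is site A's mapped DMZ 10.10.30.0/24; the destination side is
! an identity mapping so no other traffic is affected.
nat (dmz,outside) 1 source static DMZ_B_REAL DMZ_B_MAPPED destination static DMZ_A_MAPPED DMZ_A_MAPPED
!
! Crypto ACL: post-NAT addresses on both sides of the tunnel.
access-list outside_cryptomap extended permit ip object DMZ_B_MAPPED object DMZ_A_MAPPED
!
! Interface ACLs match real (untranslated) addresses; without this line the
! implicit deny at the end of dmz_access_in drops the traffic before NAT.
access-list dmz_access_in line 1 extended permit ip object DMZ_B_REAL object DMZ_A_MAPPED
!
! ---- Site A (mirror image, shown as comments; its own ACL names apply) ----
! object network DMZ_A_REAL
!  subnet 10.10.10.0 255.255.255.0
! nat (dmz,outside) 1 source static DMZ_A_REAL DMZ_A_MAPPED destination static DMZ_B_MAPPED DMZ_B_MAPPED
! access-list <site A crypto ACL> extended permit ip object DMZ_A_MAPPED object DMZ_B_MAPPED
!
! ---- Verification on site B ----
! A DMZ host at 10.10.10.50 (assumed) pinging a site A DMZ host at its mapped
! address 10.10.30.50 (assumed) should show the NAT phase rewriting the
! source to 10.10.20.50 and then a VPN lookup phase with action ALLOW.
packet-tracer input dmz icmp 10.10.10.50 8 0 10.10.30.50 detailed
show nat detail
show crypto ipsec sa peer xxx.xxx.xxx.xxx
```

Hosts at site B address site A's DMZ as 10.10.30.x and hosts at site A address site B's DMZ as 10.10.20.x; the real 10.10.10.x addresses never cross the tunnel, which is why the overlap stops mattering. The same pattern applies to the overlapping Management network with a second pair of mapped ranges. Separately from the overlap, two things visible in the posted config are worth fixing while in there: `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` accept ASDM and SSH management from any internet address, and the IKEv1/IKEv2 policies and transform sets still offer DES and MD5, which will be negotiated if the peer proposes them.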
10-29-2013 11:21 AM
Thank you, sir. I changed the DMZ network at site B and changed both routers' configs, and the wireless access point is communicating with the wireless LAN controller. My issue is resolved.