Cisco Support Community
New Member

Two tunnels in one Crypto-Map

I've got an ASA 5505 on my hands, with the enterprise license. In the example below, the VPN "22" tunnel is up & passes traffic just fine. VPN "11" won't come up. I think I'm missing something. Is it related to the two lines at the bottom?

crypto map MyVPN 11 match address toVPN-A

crypto map MyVPN 11 set pfs

crypto map MyVPN 11 set peer VPN-A_Peer

crypto map MyVPN 11 set transform-set ESP-3DES-MD5

-----------------------------------------------

crypto map MyVPN 22 match address toVPN-B

crypto map MyVPN 22 set pfs

crypto map MyVPN 22 set peer VPN-B_Peer

crypto map MyVPN 22 set transform-set ESP-DES-MD5

crypto map MyVPN interface outside

crypto isakmp policy 22

crypto isakmp nat-traversal 22

Thanks,

  Alex

ACCEPTED SOLUTION
VIP Green

Re: Two tunnels in one Crypto-Map

If the tunnel goes down, the route will still be in place. You would need to create a track object that tests reachability over the VPN and associate it with the route that sends traffic over the VPN. Then, if the remote destination is not reachable, the route will be removed and the route with the higher metric will take over.

--

Please remember to rate and select a correct answer
22 REPLIES
Silver

Two tunnels in one Crypto-Map

Please send the complete configuration. We need to know the version that you're using, whether you are using pre-share, whether you have debugs, what the interesting traffic is, and whether you are supposed to use ESP-DES-MD5 or ESP-3DES-MD5.

Value our effort and rate the assistance!
Silver

Two tunnels in one Crypto-Map

Did you configure a tunnel-group? Can you reach the remote peer? So much to ask without the configuration.

Value our effort and rate the assistance!
Silver

Two tunnels in one Crypto-Map

Please use this guide for configuration example:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.pdf

Value our effort and rate the assistance!
New Member

Two tunnels in one Crypto-Map

OK, below is a sanitized config.  Publicly routable IPs have been changed.  In the example the TSI tunnel works fine but the Forestville tunnel won't come up.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.05 14:00:23 =~=~=~=~=~=~=~=~=~=~=~=

DASS-VPN#

DASS-VPN# show runt

: Saved

:

ASA Version 8.2(1)

!

hostname DASS-VPN

domain-name dass

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxx encrypted

names

name 192.168.6.115 Forestville_FTP1

name 192.168.6.116 Forestville_FTP2

name 192.168.4.160 Forestville-FTP

name 15.16.17.18 Forestville_PEER

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.28.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 172.16.189.157 255.255.254.0

!

interface Vlan3

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.1.2 255.255.255.0

!

interface Vlan4

nameif LEO-GEO

security-level 80

ip address 192.168.29.1 255.255.255.0

!

interface Vlan5

nameif EXT-FTP

security-level 70

ip address 192.168.27.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 4

!

interface Ethernet0/5

switchport access vlan 3

speed 100

duplex full

!

interface Ethernet0/6

switchport access vlan 5

!

interface Ethernet0/7

!

banner login ....................

banner login ................

banner login ...............

!

banner motd ...............

banner motd ...............

banner motd ...............

ftp mode passive

dns server-group DefaultDNS

domain-name dass

access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0

access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0

access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0

access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP1

access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP2

access-list toForestville extended permit ip host 182.168.28.74 host Forestville-FTP

access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP1

access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP2

access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data

access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status

access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389

access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433

access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply

access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo

access-list Forestville_vpn_filter extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp

access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 host 192.168.28.72 eq ftp

access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 eq ftp host 192.168.28.72

access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 host 192.168.28.72 eq ftp

access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 eq ftp host 192.168.28.72

access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)

access-list outside_access_in extended permit tcp any host 172.16.189.157 eq https log

access-list DMZ_access_in remark Allows traffic inbound from frame-relay

access-list DMZ_access_in extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp

access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit ip any any

access-list inside_access_in remark Allows traffic into ASA from Inside

access-list inside_access_in extended permit tcp host 192.168.28.74 host Forestville-FTP eq ftp

access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list FTP-test remark For testing FTP packets

access-list FTP-test extended permit tcp host 192.168.28.72 host Forestville-FTP

access-list NEO-GEO-in remark allows traffic out of NEO-GEO net

access-list NEO-GEO-in extended permit udp any host 172.16.244.173 eq domain

access-list NEO-GEO-in extended permit udp any host 172.16.50.17 eq domain

access-list NEO-GEO-in extended permit udp any host 172.16.10.134 eq domain

access-list NEO-GEO-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp

access-list NEO-GEO-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp

access-list NEO-GEO-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp

access-list NEO-GEO-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp

access-list NEO-GEO-in extended deny ip any 192.168.28.0 255.255.255.0

access-list NEO-GEO-in extended permit ip any any

access-list EXT-FTP-in remark allows traffic out of EXT-FTP network

access-list EXT-FTP-in extended permit ip any any

access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0

access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging trap informational

logging history notifications

logging asdm informational

logging facility 16

logging device-id hostname

logging host outside 172.16.195.171

logging host outside 172.16.167.138

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

mtu LEO-GEO 1500

mtu EXT-FTP 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any unreachable outside

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list exclude_from_nat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (LEO-GEO) 0 access-list LUT-no-nat

nat (LEO-GEO) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface https 192.168.28.72 https netmask 255.255.255.255  dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

access-group NEO-GEO-in in interface LEO-GEO

access-group EXT-FTP-in in interface EXT-FTP

route outside 0.0.0.0 0.0.0.0 172.16.188.1 1

route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable 65000

http 192.168.28.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map DassVPN 500 match address toForestville

crypto map DassVPN 500 set pfs

crypto map DassVPN 500 set peer Forestville_PEER

crypto map DassVPN 500 set transform-set ESP-3DES-MD5

crypto map DassVPN 1000 match address toTSI

crypto map DassVPN 1000 set pfs

crypto map DassVPN 1000 set peer 12.13.14.15

crypto map DassVPN 1000 set transform-set ESP-DES-MD5

crypto map DassVPN interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1000

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 1000

telnet timeout 60

ssh 192.168.28.0 255.255.255.0 inside

ssh Comcast-IP 255.255.255.255 outside

ssh 172.16.166.209 255.255.255.255 outside

ssh 172.16.167.110 255.255.255.255 outside

ssh timeout 60

console timeout 60

dhcpd ping_timeout 750

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.28.50 source inside prefer

tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt

webvpn

group-policy ForestvillePolicy internal

group-policy ForestvillePolicy attributes

vpn-filter value Forestville_vpn_filter

vpn-tunnel-protocol IPSec

group-policy TSIPolicy internal

group-policy TSIPolicy attributes

vpn-filter value tsi_policy

vpn-tunnel-protocol IPSec

username admin password .ti4neGRW24q84lH encrypted privilege 15

tunnel-group 12.13.14.15 type ipsec-l2l

tunnel-group 12.13.14.15 general-attributes

default-group-policy TSIPolicy

tunnel-group 12.13.14.15 ipsec-attributes

pre-shared-key ********

tunnel-group Forestville_PEER type ipsec-l2l

tunnel-group Forestville_PEER general-attributes

default-group-policy ForestvillePolicy

tunnel-group Forestville_PEER ipsec-attributes

pre-shared-key ********

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect http

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b8ac13d60ba239ace8a3653930959ed8

: end

DASS-VPN#  

VIP Green

Two tunnels in one Crypto-Map

Could you post the output of show crypto isakmp.

Do you have administrative rights at the remote end of VPN 11? If not, did they give you the phase 1 and phase 2 configurations? If so, could you post the required configurations for the remote end.

--

Please remember to rate and select a correct answer
Silver

Two tunnels in one Crypto-Map

Do you still need assistance?

Please rate the assistance.

Value our effort and rate the assistance!
New Member

Two tunnels in one Crypto-Map

I'll post "show crypto isakmp" on Thurs. I don't have any access to the remote end, unfortunately.

New Member

Two tunnels in one Crypto-Map

Output of show crypto isakmp sa:

DASS-VPN# show crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 12.13.14.15

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

DASS-VPN#

=====output from debug crypto isakmp 200============

The only output I saw on IKE, was keepalives back and forth, involving the TSI VPN remote peer,  12.13.14.15.  I didn't see any entries for the Forestville VPN peer, 15.16.17.18 at all.

=================================

VIP Green

Two tunnels in one Crypto-Map

Could you contact the remote site and ask them to send you the phase1 and phase2 settings (if you don't already have them).

Also if you could post a full sanitized configuration please.

--

Please remember to rate and select a correct answer
New Member

Two tunnels in one Crypto-Map

Here's something meaningful...

The config line:

crypto map DassVPN 500 match address toForestville

refers to an ACL, "toForestville", which allows traffic from the inside network to pass into the IPSEC tunnel. Now the next complication... Apparently static routes 'trump' this ACL, because I have a static route that's directing the traffic over a frame-relay connection that's connected on interface "DMZ" right now, and I know it's working. So... it looks like the static route is grabbing the traffic. So, one thing at a time -- let's see if we can get the tunnel to come up. Shall I just temporarily delete the static route in order for traffic to be 'sucked into' the tunnel by virtue of the "toForestville" ACL?

Too bad I can't refer to the IPSEC tunnel as a sub-interface & include it in different-cost routing statements, like I can on Juniper SRX....

VIP Green

Two tunnels in one Crypto-Map

The static route will most definitely affect the flow of traffic. The crypto ACL defines what traffic to encrypt as it leaves an interface. So if there is a static route pointing in a different direction, that traffic will never enter and leave the interface with the crypto configuration. Your only option in this situation is either to add a more specific route pointing out the crypto interface, or, if there is no more specific route that you can add, to remove that static route.

--

Please remember to rate and select a correct answer
New Member

Two tunnels in one Crypto-Map

How do I enter a route that points down an IPSEC tunnel? Do I use the IP of the remote peer as the 'destination gateway'? Here's the syntax of the routes I use below. This might be OK... I can have one lower-cost route that points down the IPSEC tunnel, and a higher-cost route that points down the frame-relay. When the tunnel goes away, the route will drop, and the higher-cost route wins. ....Right?

route         

VIP Green

Two tunnels in one Crypto-Map

The higher-cost route never wins; it is always the lower-cost route that takes preference.

Your syntax looks good, with DST interface being the interface through which the remote network is reachable. The destination gateway would be the next hop along the path, not the remote end. So if your ISP's IP address is 192.168.1.1 and that is the next hop in the path to the remote network, then that is your destination GW.

route outside 255.255.255.0 192.168.1.1 1

route DMZ 255.255.255.0 192.168.2.1 5

In the above config scenario the configuration with a cost of 1 will always win over the cost of 5.  So traffic will never be sent out the DMZ interface in this scenario.

--

Please remember to rate and select a correct answer
New Member

Re: Two tunnels in one Crypto-Map

Using info from my config I pasted in,  I propose the following statements:

route   DMZ    Forestville-FTP    255.255.255.255   192.168.1.1    5     (route that points down frame-relay)

route outside   Forestville-FTP   255.255.255.255    15.16.17.18  1    (route that points down ipsec tunnel)

I read an article that showed someone routing traffic thru an IPSEC tunnel by using the remote-peer as the destination gateway.  And the remote-peer IP was not part of any layer-3 network that was connected to the firewall.  From a routing-statement standpoint, the next hop gateway was not on a connected-network.

VIP Green

Two tunnels in one Crypto-Map

Using the gateway across the VPN can be done in certain scenarios; mainly you will see this when using MPLS VPNs and in GET VPN setups. However, in this case the VPN is already set up and there is a route to the remote site IP that will be used as the gateway for locally originated traffic. That gateway will never be used for establishing the VPN; if it is, then the tunnel will be built and then dropped, built and then dropped, and continue like that.

--

Please remember to rate and select a correct answer
New Member

Two tunnels in one Crypto-Map

So, if I understand correctly, (and using my config I pasted in)....  the tunnel is terminated on the Outside interface, so I should route the traffic destined for the tunnel, to that interface's gateway.   This will get the traffic to the Outside interface but THEN it will be encrypted and sent thru the tunnel, because of the ACL, "toForestville"  so I should use:

route   DMZ    Forestville-FTP    255.255.255.255   192.168.1.1    5     (route that points down frame-relay)

route   outside   Forestville-FTP   255.255.255.255    172.26.188.1   1    (route that points the traffic to the Outside Interface, where it will be encrypted by virtue of the ACL, "toForestville", and because the tunnel is terminated on 'Outside')

VIP Green

Re: Two tunnels in one Crypto-Map

Just be aware that the route pointing out the DMZ interface will never be used in this case unless the outside route is removed or its metric is increased.  If you are planning on using the DMZ route as a backup, then this would be ok.

please rate any helpful posts

--

Please remember to rate and select a correct answer
New Member

Re: Two tunnels in one Crypto-Map

Now the big question...  if I route traffic into the IPSEC tunnel by sending it to the 172.16.188.1 gateway (on the Outside Interface),  will this static route be deleted from the routing table when the tunnel goes down?

I need the ASA to detect a  failure of the IPSEC tunnel, then use the higher-cost route over the frame-relay.  In other words, I need it to act like a router --- when a path goes away, delete the route for it, until that path returns....

VIP Green

Re: Two tunnels in one Crypto-Map

If the tunnel goes down, the route will still be in place. You would need to create a track object that tests reachability over the VPN and associate it with the route that sends traffic over the VPN. Then, if the remote destination is not reachable, the route will be removed and the route with the higher metric will take over.

--

Please remember to rate and select a correct answer
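Putting the routing advice earlier in the thread and the accepted track-object answer together, here is what the fix looks like against the 8.2 config that was posted. This is an added example, not something from the thread: the sla monitor number 10 and track number 1 are arbitrary, and the addresses are the ones in the posted config (outside 172.16.189.157 with default gateway 172.16.188.1, frame-relay next hop 192.168.1.1 on DMZ, and the name Forestville-FTP = 192.168.4.160). Two checks worth doing first: the existing 'route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1' has to go, because it is the route that keeps the traffic off the outside interface; and the first toForestville entry as posted reads 'host 182.168.28.74' while every other reference to that machine (inside_access_in, DMZ_access_in, the vpn-filter) is 192.168.28.74, so that flow would never be selected for encryption even after the route change.

```cisco
! Added example, not from the original thread. Assumes the posted addressing:
! outside 172.16.189.157/23 with ISP gateway 172.16.188.1, frame-relay next hop
! 192.168.1.1 on DMZ, and name Forestville-FTP = 192.168.4.160. The numbers
! "sla monitor 10" and "track 1" are arbitrary choices.
!
! 0. Drop the existing metric-1 route out DMZ; it is what keeps the traffic
!    away from the outside interface and the crypto map applied there.
no route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1
!
! 1. Let the ASA's own probe ride the tunnel. The probe is sourced from the
!    outside interface address, so the crypto ACL must match that flow as well
!    (and the remote peer must mirror it); otherwise the probe leaves in the clear.
access-list toForestville extended permit icmp host 172.16.189.157 host Forestville-FTP
!
! 2. ICMP echo to the remote host every 10 s, sent from the outside interface.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.4.160 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! 3. Track object that follows the probe's reachability state.
track 1 rtr 10 reachability
!
! 4. Primary path: host route out the crypto-map interface. The next hop is the
!    ISP gateway, not the VPN peer. The route is withdrawn from the routing
!    table while track 1 is down.
route outside Forestville-FTP 255.255.255.255 172.16.188.1 1 track 1
!
! 5. Backup path: same prefix over frame-relay with a worse metric. It is only
!    installed while the tracked route is absent.
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 5
```

Check the result with 'show track 1', 'show sla monitor operational-state 10' and 'show route'; only one of the two Forestville-FTP routes should be in the table at any moment. Note that the probe, not the tunnel state, drives the failover: if the remote side never answers the echo (no mirrored crypto ACL entry, or ICMP filtered), track 1 stays down and everything goes over frame-relay even while the IPsec SA is up. And, as the thread goes on to say, the remote end needs matching tracking, or its return traffic keeps heading for the tunnel.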
New Member

Re: Two tunnels in one Crypto-Map

I've downloaded & read the Cisco article regarding setting up 'dual ISP redundancy', which deals with setting up a track object. I can do that, but that will result in asymmetric routing on the remote end. (My side has moved from IPSEC to frame-relay, and the remote side is routing return traffic toward the tunnel (which is down).)

Or, I guess I could set up a track-object which is something that is only available at the other end of the tunnel, (and set it that way on both sides), so that when the tunnel goes down, the routes on BOTH sides change properly, and then packets travel over frame-relay until the tunnel comes back up.

I bet 'dual-ISP redundancy' isn't written to deal with asymmetry, since that wouldn't be an issue if you had two ISPs attached to the ASA. Sending traffic into two different ISPs is different from sending traffic to a remote site, where the packets have to come back on the same path.

Too bad this doesn't behave like a Juniper SRX firewall running JunOS.   The tunnel is assigned an interface name, and you can use that interface name explicitly when building a routing statement.  When the tunnel goes away, the routes pointing down the tunnel also go away.

VIP Green

Re: Two tunnels in one Crypto-Map

Well, it goes without saying that if you set up tracking at one end then you have to ensure that the remote end also knows what to do when the IPsec tunnel goes down.

You can configure the ASA to ignore the asymmetric routing by using TCP bypass. This allows the ASA to ignore the TCP state. Keep in mind that you still need to allow the traffic in the ACL on the frame-relay interface.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

--

Please remember to rate and select a correct answer
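For the asymmetric case raised above (one leg of the FTP session through the tunnel on outside, the other arriving over frame-relay on DMZ), this is what TCP state bypass looks like in the 8.2 syntax from the linked guide. It is an added example, not from the thread; the ACL and class-map name ftp_asym and the policy-map name tcp_bypass_policy are arbitrary, and the hosts are the ones in the posted config. It adds no interface ACL entries: DMZ_access_in already permits ip any any, and whatever comes in through the tunnel is governed by the Forestville_vpn_filter on ForestvillePolicy.

```cisco
! Added example, not from the original thread. Names ftp_asym and
! tcp_bypass_policy are arbitrary; the hosts come from the posted config
! (Forestville-FTP = 192.168.4.160, local FTP client 192.168.28.74).
!
! Both directions of the FTP control connection, since either leg may be the
! first packet the ASA sees on a given interface.
access-list ftp_asym extended permit tcp host 192.168.28.74 host Forestville-FTP eq ftp
access-list ftp_asym extended permit tcp host Forestville-FTP eq ftp host 192.168.28.74
!
class-map ftp_asym
 description TCP flows whose return leg may arrive on a different interface
 match access-list ftp_asym
!
policy-map tcp_bypass_policy
 class ftp_asym
  set connection advanced-options tcp-state-bypass
!
! Apply on every interface a leg of these flows can enter: inside (the SYN from
! the local host), DMZ (frame-relay) and outside (decrypted tunnel traffic).
! The same policy map may be attached to several interfaces.
service-policy tcp_bypass_policy interface inside
service-policy tcp_bypass_policy interface DMZ
service-policy tcp_bypass_policy interface outside
```

Two caveats a practitioner should weigh before turning this on. Bypassed flows skip the TCP state checks that make the ASA a stateful firewall for that traffic, so keep the ACL as narrow as the two hosts and port above. And application inspection is not applied to bypassed connections, so the FTP data channel that 'inspect ftp' in global_policy would otherwise open on demand has to be permitted explicitly (for passive mode, the server's data port range from 192.168.28.74 to Forestville-FTP) and, if it takes the asymmetric path too, added to the ftp_asym ACL.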
New Member

Re: Two tunnels in one Crypto-Map

It looks like if I'm sticking with a Cisco product for this, I need to use the tracked-object method to turn on/off the static routes into the IPSEC tunnel.   I guess we're done here,  thanks for all the help!    I'll be back when I need more help!
