Cisco Support Community
New Member

Adding vlans to a current site to site vpn

I have a site to site vpn set up from my office to a remote office. I am planning on putting my DR data storage at the remote office. My current private network is a 192.168.99.0/24, and my backup network is secluded via a second nic on all my servers with a 172.16.16.0/24 address. I currently have a /22 public address space with one /24 address space as my natting for inside services that require an outside address. All this is configured on an asa5550. I have at the remote site a single 192.168.3.0/24 address space via a single IP address through an asa5505. I want to extend the 172 backup network to the remote site. As of right now the 172 does not get routed anywhere, so it could be plugged into the asa5550, but I am not sure how to associate that traffic via the current site to site vpn.

21 REPLIES
Super Bronze

Adding vlans to a current site to site vpn

Hi,

If you are planning on extending the actual subnet 172.16.16.0/24 to the remote site then L2L VPN is not really the solution for that. It doesn't enable you to have L2 connectivity between the sites.

Or did I understand your post wrong?

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

That was the original thought, but I could not see how it was possible. What would be the best solution for this DR backup at our remote site? We have done the initial backup locally, now I need to move it to the remote site and then we will do differential backups to the remote site.

New Member

Re: Adding vlans to a current site to site vpn

Ideally I would like to send the 172 traffic directly to the 192.168.3 remote site and keep it off my 192.168.99 production network. But I am not sure how to get it to the asa5550 here and then on the vpn connection to the DR with a 192.168.3 address.

Super Bronze

Re: Adding vlans to a current site to site vpn

Hi,

The ASA would not be able to make that L2 connection. With Cisco routers it would be possible to my understanding.

So your aim at the moment is to just connect the network 172.16.16.0/24 at its local site and configure it on the L2L VPN connection that exists so you can send traffic from the 172.16.16.0/24 network to the remote site?

Well you would naturally have to connect that network to the local ASA (directly or through some other routers depending on your actual setup) and make sure that hosts on that network have a route to the remote network through the local ASA.

When that network is actually connected to the ASA then the needed configurations would be easy if we could see the current configurations.

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

Ok, here locally, on an unused interface on the asa5550, I would connect the 172 network switch, and give that asa interface a 172.16.16.1/24 address. Then I would need to put in a route for the 172 network to go to the 192.168.3 network, which is the remote site, via a site to site vpn connection. Adding the 172 traffic to the current site to site vpn is where I am fuzzy.

New Member

Re: Adding vlans to a current site to site vpn

ciscoasa# sho runn | in 98.174.222.x

crypto map outside_map 2 set peer 98.174.222.x

tunnel-group 98.174.222.x type ipsec-l2l

tunnel-group 98.174.222.x ipsec-attributes

ciscoasa# sho isakmp sa

   Active SA: 3

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 3

1   IKE Peer: 192.40.125.x

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 98.174.222.x

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

3   IKE Peer: 12.160.89.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sho ipsec sa peer 98.174.222.x

peer address: 98.174.222.x

    Crypto map tag: outside_map, seq num: 2, local addr: 64.5.141.x

      access-list outside_2_cryptomap extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.96.0/255.255.252.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      current_peer: 98.174.222.179

      #pkts encaps: 4465068, #pkts encrypt: 4465069, #pkts digest: 4465069

      #pkts decaps: 3477605, #pkts decrypt: 3477605, #pkts verify: 3477605

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 4465068, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 6

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.5.141.x, remote crypto endpt.: 98.174.222.x

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: C904BAEE

      current inbound spi : E67EAEA9

    inbound esp sas:

      spi: 0xE67EAEA9 (3867061929)

         transform: esp-aes-256 esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 8417280, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3909689/24421)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xC904BAEE (3372530414)

         transform: esp-aes-256 esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 8417280, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3912782/24421)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Super Bronze

Adding vlans to a current site to site vpn

Hi,

A couple of things related to the routing/forwarding of traffic that would need to be cleared up are:

  • What is the default gateway of the 172.16.16.0/24 network at the moment or does it have one?
  • Is there any router connected to that network?

The main thing after connecting the network to the ASA5550 is that when the hosts on the 172.16.16.0/24 network try to connect to the network 192.168.3.0/24 then the traffic should be forwarded to the ASA. This should be accomplished with

  • Having the default gateway of the network 172.16.16.0/24 on the ASA
  • Having a route on the hosts for network 192.168.3.0/24 through next hop IP 172.16.16.1
  • Or if there is a router connected to the 172.16.16.0/24 network then you could configure a static route on it for the remote network 192.168.3.0/24

The L2L VPN configuration on the ASA5550 and on the remote end could be easily added if we could see the current configurations and the configuration for the new interface on the ASA5550.

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

It is currently stand alone. I was going to give an open interface on the asa5550 a 172.16.16.1/24 address and connect the backup switch directly to the asa, so the answer to the second question is no, there is currently no router on the 172 network. The configuration for the asa5550 is very large, there is no way I could sanitize it in a timely fashion.

Super Bronze

Adding vlans to a current site to site vpn

Hi,

So if you don't have any router on the 172.16.16.0/24 network then either the hosts on that network will have to have their default gateway pointing to the new ASA interface IP address or you need actual routes on the hosts themselves so traffic towards 192.168.3.0/24 gets forwarded to the ASA.

Since your configuration is large I guess I can give example configurations you might need.

So first look for your L2L VPN configuration connecting to the 192.168.3.0/24 network. Use the following command and find the connection

show run crypto map

You should see a configuration line with "crypto map match address "

After this you need to add the source network to that ACL

access-list permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0

Then you will probably need a NAT0 configuration for the new ASA interface you have created

access-list BACKUP-NAT0 remark NAT0 for backup network L2L VPN

access-list BACKUP-NAT0 permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0

nat () 0 access-list BACKUP-NAT0

This should pretty much be what is needed on an existing L2L VPN connection on the ASA5505 side. Naturally you can configure an interface ACL to restrict traffic as needed.

Remember that the same configurations (as mirror image) are needed at the remote site also.

I am actually not sure what software your ASAs are running. If they are 8.3 or above then the NAT configuration for NAT0 is naturally different.

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

here is the crypto map for this vpn:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer 98.174.222.x

crypto map outside_map 2 set transform-set ESP-AES-256-MD5

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0

crypto map outside_map 2 match address outside_2_cryptomap

Other nat statements

access-list inside_outbound_nat0_acl extended permit ip any 192.168.98.0 255.255.255.0

access-list web_dmz_outbound_nat0_acl extended permit ip any any

access-list inside_nat0_outbound extended permit ip any 192.168.98.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 64.5.128.0 255.255.252.0

access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.12.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.14.0 255.255.255.0

access-list web_dmz_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 host 192.168.98.201

access-list web_dmz_nat0_outbound extended permit ip 64.5.128.0 255.255.252.0 host 192.168.98.201

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

nat (web_dmz) 0 access-list web_dmz_nat0_outbound

Version

asa825-19-k8

Super Bronze

Adding vlans to a current site to site vpn

Hi,

Well you would use the existing ACL in the "crypto map" configurations

access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0

But since the network 172.16.16.0/24 is, according to your information, connected to a new ASA interface completely, the NAT0 configuration I mentioned before needs to be applied to that new interface. It won't use any of the existing NAT0 ACLs you see above as they are meant for other interfaces of the ASA.

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

I am missing something, I am not sending 17202 traffic over.

Here are the crypto maps:

sho access-list outside_2_cryptomap

access-list outside_2_cryptomap; 2 elements; name hash: 0x8d0d4873

access-list outside_2_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_6 192.168.3.0 255.255.255.0 0x3cba3dfd

  access-list outside_2_cryptomap line 1 extended permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=0) 0x91a7783f

  access-list outside_2_cryptomap line 1 extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0 (hitcnt=8) 0x3d7fdedb

ciscoasa#

I have not figured out the part about adding the backup interface.

New Member

Re: Adding vlans to a current site to site vpn

Adding the mapping to the interface: I have plugged the 172 network into the asa5550 here at the main office and mirrored the settings on the remote office asa5505, but still no tunnel that includes the 172.16 network.

Super Bronze

Adding vlans to a current site to site vpn

Hi,

You could use the "packet-tracer" on the ASA5550 to see if the traffic matches the created L2L VPN rule

packet-tracer input tcp 172.16.16.100 12345 192.168.3.100 80

The above IP addresses and ports are just examples. You will have to use the new interface's "nameif" in the command.

Issue the above command twice and post the last output here.

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

ciscoasa# packet-tracer input outside icmp 192.168.3.5 0 0 172.16.16.10 detail$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24382cc8, priority=1, domain=permit, deny=false

        hits=55581142603, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.16.16.0     255.255.255.0   Back_Up

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit icmp any any echo-reply

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x245d14a8, priority=12, domain=permit, deny=false

        hits=444137, user_data=0x1db895c0, cs_id=0x0, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24385260, priority=0, domain=inspect-ip-options, deny=true

        hits=1098568894, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24384ed8, priority=66, domain=inspect-icmp-error, deny=false

        hits=2362501, user_data=0x24384dc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24eee5e8, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=766526147, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1417282933, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: Back_Up

output-status: up

output-line-status: up

Action: allow

New Member

Re: Adding vlans to a current site to site vpn

ciscoasa# packet-tracer input back icmp 172.16.16.10 0 0 192.168.3.5 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2b8fe040, priority=1, domain=permit, deny=false

        hits=19, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2d5af388, priority=0, domain=inspect-ip-options, deny=true

        hits=22, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x25e452a8, priority=66, domain=inspect-icmp-error, deny=false

        hits=10, user_data=0x25d9a348, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x49b72d88, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=668, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x2984eef8, priority=70, domain=encrypt, deny=false

        hits=1, user_data=0x0, cs_id=0x24ec9180, reverse, flags=0x0, protocol=0

        src ip=172.16.16.0, mask=255.255.255.0, port=0

        dst ip=192.168.3.0, mask=255.255.255.0, port=0, dscp=0x0

Result:

input-interface: Back_Up

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Super Bronze

Adding vlans to a current site to site vpn

Hi,

Did you issue this command twice?

packet-tracer input back icmp 172.16.16.10 0 0 192.168.3.5 detailed

If you did and the result is still drop in the VPN Phase then there is some mismatch between the L2L VPN configurations of the 2 sites.

I can't see any NAT Phase, but then again this is a new interface so it actually might not need any NAT configurations as it doesn't even have a Dynamic PAT configuration (that would need to be overridden with the NAT0 for the L2L VPN).

- Jouni
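The "mismatch between the L2L VPN configurations of the 2 sites" Jouni refers to is usually a crypto ACL whose entries are not mirrored on the peer. The following is an added example (not from the thread or from Cisco) that parses ASA 8.2-style "permit ip" crypto ACL lines, including the expanded `show access-list` output posted above, checks whether a flow such as 172.16.16.10 -> 192.168.3.5 is interesting traffic, and lists local entries with no mirror image on the remote side. The remote ACL text and the name `outside_1_cryptomap` are constructed for the example.

```python
import ipaddress

# Local crypto ACL: the expanded "sho access-list outside_2_cryptomap" output
# posted in this thread (object-group line, hit counts and hashes included).
LOCAL_SHOW = """\
access-list outside_2_cryptomap; 2 elements; name hash: 0x8d0d4873
access-list outside_2_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_6 192.168.3.0 255.255.255.0 0x3cba3dfd
  access-list outside_2_cryptomap line 1 extended permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=0) 0x91a7783f
  access-list outside_2_cryptomap line 1 extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0 (hitcnt=8) 0x3d7fdedb
"""

# Constructed remote-side crypto ACL: the 192.168.96.0/22 entry is mirrored,
# the new 172.16.16.0/24 entry was forgotten (the mismatch we want to surface).
REMOTE_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.96.0 255.255.252.0
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host X' or 'A MASK'."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts dotted netmasks, e.g. 192.168.96.0/255.255.252.0
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' entries.

    Works on both running-config lines and 'show access-list' output; the
    'line N' tokens are dropped and trailing (hitcnt=..)/hash tokens are ignored.
    Entries referencing an object-group are skipped because they are not expanded
    here; feed the expanded child lines from 'show access-list' instead.
    """
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 3 and tokens[0] == "access-list" and tokens[2] == "line":
            del tokens[2:4]
        if len(tokens) < 7 or tokens[0] != "access-list" \
                or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        try:
            src, i = _parse_addr(tokens, 5)
            dst, _ = _parse_addr(tokens, i)
        except (ValueError, IndexError):
            continue  # object-group reference or malformed line
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def matches(entries, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip is selected by any (src, dst) entry."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def mirror_gaps(local_entries, remote_entries):
    """Local entries (src -> dst) whose mirror image (dst -> src) is absent on the peer."""
    remote = set(remote_entries)
    return [f"{s} -> {d}" for s, d in local_entries if (d, s) not in remote]


def check_site_pair(local_text, local_acl, remote_text, remote_acl, src_ip, dst_ip):
    local = parse_acl(local_text).get(local_acl, [])
    remote = parse_acl(remote_text).get(remote_acl, [])
    return {"flow_selected": matches(local, src_ip, dst_ip),
            "missing_on_peer": mirror_gaps(local, remote)}


if __name__ == "__main__":
    print(check_site_pair(LOCAL_SHOW, "outside_2_cryptomap",
                          REMOTE_CONFIG, "outside_1_cryptomap",
                          "172.16.16.10", "192.168.3.5"))
```

The flow is selected locally, yet the check reports `172.16.16.0/24 -> 192.168.3.0/24` as missing on the peer, which is exactly the condition that leaves packet-tracer dropping in the encrypt phase until the remote ACL is completed.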

New Member

Re: Adding vlans to a current site to site vpn

Looks like it is working. The last thing to figure out is how to put the static route on the backup server; I tried using route add, but for some reason it keeps failing due to a bad parameter.

ciscoasa# packet-tracer input back icmp 172.16.16.10 0 0 192.168.3.5 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2b8fe040, priority=1, domain=permit, deny=false

        hits=21, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2d5af388, priority=0, domain=inspect-ip-options, deny=true

        hits=25, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x25e452a8, priority=66, domain=inspect-icmp-error, deny=false

        hits=11, user_data=0x25d9a348, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x49b72d88, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=736, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x254593e0, priority=70, domain=encrypt, deny=false

        hits=2, user_data=0xcfb37c, cs_id=0x24ec9180, reverse, flags=0x0, protocol=0

        src ip=172.16.16.0, mask=255.255.255.0, port=0

        dst ip=192.168.3.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1417424233, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: Back_Up

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Super Bronze

Adding vlans to a current site to site vpn

Hi,

Ok, so the L2L VPN should be fine itself now.

What device are the backup network's devices using as their default gateway? If they don't have any at the moment then could their default gateway simply be configured as the ASA interface IP address?

If I understand correctly, the only devices they formed connections with were the devices directly connected to their network and that would not be altered by adding a default gateway for those devices.

- Jouni

New Member

Re: Adding vlans to a current site to site vpn

These devices have dual nics, one for everyday production use and a separate one for the backup network. I want this traffic to traverse the 172 network to .3, not the production network.

Super Bronze

Adding vlans to a current site to site vpn

Ah ok,

I thought there were servers with 2 NICs but some other devices only connected to the backup network that needed to use the L2L VPN.

Well in that case I guess it comes down to configuring the permanent static route pointing the remote network through the backup network interface.

This naturally means that all traffic to the remote network goes through that interface then. Whether this is a problem I am not sure. If there is any need to connect to the central site servers with 2 NICs through their other production network interface then that would cause problems.

- Jouni
