Need help on setting up site-to-site VPN with vlans

spfister336
Level 2

I need some help setting up my first site-to-site VPN on a Cisco ASA 5525x. I've never had any trouble setting up remote access VPNs for users, but on this, I'm really stuck.

The actual tunnel itself is set up, but I'm having trouble passing traffic through it. The Rx bytes go up with pings from the remote end, but the Tx bytes never move (and the pings all fail).

Are there any sample configurations that involve a separate vlan for the remote users?

For example, the remote users are 172.17.0.0/20, and this subnet is set up at the central site as vlan 94.
The ASA5525x is set up with ip address 10.99.16.10, vlan 99, connected by a trunk port to a 6509 central switch.

I've got configurations on both the ASA5525x and the 6509 side, but I'm not sure of what I have so far.... any help would be greatly appreciated!


adamtodd16
Level 3

Don't trunk to the 6509 - set up a single VLAN on an access port for the two to communicate.

On the 6509, set up an ip route to send all traffic to the ASA.

example: ip route 0.0.0.0 0.0.0.0 <IP-ASA>

On the ASA, set up an ip route to send all internal VLAN traffic to the 6509.

route inside <VLAN-X-SUBNET> <VLAN-X-MASK> <ACCESS-VLAN-IP-6509>

route inside 10.10.10.0 255.255.255.0 10.10.20.1

nkarthikeyan
Level 7

Hi,

You need to give us more details so we can investigate this problem better.

1) How have you configured the site-to-site VPN?

2) What is your encryption domain?

3) Do you have any NAT configured for this?

4) How is the internal LAN connected to the FW, and if so, do you have the respective static routes configured in the FW to route it back to the core environment?

Please provide us the VPN part of the configurations and the routing information in your post for both ends.

 

Regards

Karthik

Below are the config excerpts for the ASA and for the 6509. I believe the remote side must have some sort of NAT, but that side is not under control, so I'm not sure how it's set up exactly. They NAT translate the remote side PCs to the 172.17.0.0/20 range.

6509 excerpt

interface Vlan994
 description APN users
 ip address 172.17.0.1 255.255.240.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache

interface GigabitEthernet2/38
 description 99-c55-vpn01
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 no logging event link-status

router eigrp 1
 network 10.0.0.0
 redistribute connected
 redistribute static

ASA config

: Saved
: Written by !_DP$D_1nfr@ at 06:13:51.290 UTC Wed Jun 25 2014
!
ASA Version 9.1(2)
!
hostname 99-c55-vpn01
enable password ***** encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.99.16.251 255.255.248.0 standby 10.99.16.252
!
interface GigabitEthernet0/0.994
 vlan 994
 nameif inside_apn
 security-level 100
 ip address 172.17.0.2 255.255.240.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 208.108.168.8 255.255.248.0 standby 208.108.168.9
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
object network NETWORK_OBJ_10.99.16.0_21
 subnet 10.99.16.0 255.255.248.0
object network NETWORK_OBJ_172.17.0.0
 host 172.17.0.0
object network ATT_APN
 host 166.216.138.28
object network NETWORK_OBJ_172.17.0.0_20
 subnet 172.17.0.0 255.255.240.0
access-list outside_cryptomap extended permit ip any 172.17.0.0 255.255.240.0
access-list att_apn extended permit ip any 172.17.0.0 255.255.240.0
access-list att_apn extended permit ip 172.17.0.0 255.255.240.0 any
access-list inside_cryptomap_1 extended permit ip 172.17.0.0 255.255.240.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu inside_apn 1500
failover
failover lan unit primary
failover lan interface DPS_VPN_Failover GigabitEthernet0/3
failover interface ip DPS_VPN_Failover 192.168.10.1 255.255.255.0 standby 192.168.10.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.99.16.0_21 NETWORK_OBJ_10.99.16.0_21 destination static NETWORK_OBJ_172.17.0.0 NETWORK_OBJ_172.17.0.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.99.16.0_21 NETWORK_OBJ_10.99.16.0_21 destination static NETWORK_OBJ_172.17.0.0_20 NETWORK_OBJ_172.17.0.0_20 no-proxy-arp route-lookup
!
router eigrp 1
 no auto-summary
 network 10.99.16.0 255.255.255.0
 network 172.17.0.0 255.255.240.0
!
route outside 0.0.0.0 0.0.0.0 208.108.168.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Tacacs protocol tacacs+
aaa-server Tacacs (inside) host 10.99.19.59
 key DPSDk3y!!!
user-identity default-domain LOCAL
aaa authentication enable console Tacacs LOCAL
aaa authentication http console Tacacs LOCAL
aaa authentication serial console Tacacs LOCAL
aaa authentication ssh console Tacacs LOCAL
aaa authentication telnet console Tacacs LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.99.16.251 255.255.255.255 inside
http 10.99.16.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 166.216.138.28
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal 3DES-SHA DES 3DES AES AES192 AES256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto map inside_map 1 match address inside_cryptomap_1
crypto map inside_map 1 set peer 166.216.138.28
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 1 set ikev2 ipsec-proposal 3DES-SHA DES 3DES AES AES192 AES256
crypto map inside_map 1 set nat-t-disable
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside_apn
crypto ikev1 enable outside
crypto ikev1 enable inside_apn
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 3
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 4
 authentication pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 6
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.99.16.0 255.255.248.0 inside
telnet timeout 5
ssh 10.99.16.251 255.255.255.255 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.99.19.59 /99-c55-vpn01-confg
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 anyconnect-essentials
group-policy GroupPolicy_166.216.138.28 internal
group-policy GroupPolicy_166.216.138.28 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 166.216.138.28 type ipsec-l2l
tunnel-group 166.216.138.28 general-attributes
 default-group-policy GroupPolicy_166.216.138.28
tunnel-group 166.216.138.28 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:abbb7fddb921d6bc371a63b9df1de51f
: end
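
Added example (not part of any post in this thread, and not Cisco tooling): a small offline check for the encryption-domain and routing questions raised in the replies. It parses a constructed excerpt of the ASA config above and compares, for each remote network in a crypto ACL, the interface the crypto map is bound to with the interface a longest-prefix route lookup would select. A mismatch means traffic toward the remote hosts is routed out another interface and never reaches that crypto map. The function names are hypothetical and only the `permit ip any <net> <mask>` ACL form is handled.

```python
import ipaddress
import re

# Constructed sample: routing- and crypto-relevant lines copied from the ASA config above.
CONFIG = """\
interface GigabitEthernet0/0.994
 nameif inside_apn
 ip address 172.17.0.2 255.255.240.0
interface GigabitEthernet0/2
 nameif outside
 ip address 208.108.168.8 255.255.248.0 standby 208.108.168.9
access-list outside_cryptomap extended permit ip any 172.17.0.0 255.255.240.0
route outside 0.0.0.0 0.0.0.0 208.108.168.1 1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map interface outside
"""

def routing_table(cfg):
    """Return [(network, nameif)] for connected interfaces and static routes."""
    routes, nameif = [], None
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["interface"]:
            nameif = None                      # new interface stanza, no name yet
        elif t[:1] == ["nameif"]:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), nameif))
        elif t[:1] == ["route"]:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[1]))
    return routes

def egress(routes, net):
    """Longest-prefix match: the nameif the ASA would route `net` out of."""
    hits = [(n.prefixlen, ifc) for n, ifc in routes if n.supernet_of(net)]
    return max(hits)[1] if hits else None

def check_crypto_maps(cfg):
    """Per crypto ACL entry ('permit ip any <net> <mask>' form only): bound vs routed nameif."""
    acl_of = dict(re.findall(r"^crypto map (\S+) \d+ match address (\S+)", cfg, re.M))
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M))
    routes, findings = routing_table(cfg), []
    for cmap, acl in acl_of.items():
        pat = rf"^access-list {re.escape(acl)} extended permit ip any (\S+) (\S+)"
        for dst, mask in re.findall(pat, cfg, re.M):
            net = ipaddress.ip_network(f"{dst}/{mask}")
            out = egress(routes, net)
            findings.append((cmap, str(net), bound.get(cmap), out, out == bound.get(cmap)))
    return findings
```

Each tuple from `check_crypto_maps(CONFIG)` is (crypto map, remote network, bound interface, routed interface, match); for the excerpt above the remote /20 resolves to the connected `inside_apn` subinterface rather than `outside`.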

 

shine pothen
Level 3

Please paste us your configuration. We can check and help you out.
