06-24-2014 01:47 PM
I need some help setting up my first site-to-site VPN on a Cisco ASA 5525x. I've never had any trouble setting up remote access VPNs for users, but on this, I'm really stuck.
The actual tunnel itself is set up, but I'm having trouble passing traffic through it. The Rx bytes go up with pings from the remote end, but the Tx bytes never move (and the pings all fail).
Are there any sample configurations that involve a separate vlan for the remote users?
For example, the remote users are 172.17.0.0/20, and this subnet is set up at the central site as vlan 94.
The ASA5525x is set up with ip address 10.99.16.10, vlan 99, connected by a trunk port to a 6509 central switch.
I've got configurations on both the ASA5525x and the 6509 side, but I'm not sure of what I have so far... any help will be greatly appreciated!
06-24-2014 02:45 PM
Don't trunk to the 6509 - set up a single VLAN on an access port for the two to communicate.
On the 6509, set up an IP route to send all traffic to the ASA.
Example: ip route 0.0.0.0 0.0.0.0 <IP-ASA>
On the ASA, set up an IP route to send all internal VLAN traffic to the 6509.
route inside <VLAN-X-SUBNET> <VLAN-X-MASK> <ACCESS-VLAN-IP-6509>
route inside 10.10.10.0 255.255.255.0 10.10.20.1
06-24-2014 07:46 PM
Hi,
You need to give us more details to investigate this problem better.
1) How have you configured the site-to-site VPN?
2) What is your encryption domain?
3) Do you have any NAT configured for this?
4) How is the internal LAN connected to the FW, and do you have the respective static routes configured in the FW to route traffic back to the core environment?
Please provide the VPN part of the configuration and the routing information for both ends in your post.
Regards
Karthik
06-25-2014 06:44 AM
Below are the config excerpts for the ASA and for the 6509. I believe the remote side must have some sort of NAT, but that side is not under my control, so I'm not sure how exactly it's set up. They NAT translate the remote side PCs to the 172.17.0.0/20 range.
6509 excerpt
interface Vlan994
description APN users
ip address 172.17.0.1 255.255.240.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
interface GigabitEthernet2/38
description 99-c55-vpn01
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
no logging event link-status
router eigrp 1
network 10.0.0.0
redistribute connected
redistribute static
ASA config
: Saved
: Written by !_DP$D_1nfr@ at 06:13:51.290 UTC Wed Jun 25 2014
!
ASA Version 9.1(2)
!
hostname 99-c55-vpn01
enable password ***** encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.99.16.251 255.255.248.0 standby 10.99.16.252
!
interface GigabitEthernet0/0.994
vlan 994
nameif inside_apn
security-level 100
ip address 172.17.0.2 255.255.240.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 208.108.168.8 255.255.248.0 standby 208.108.168.9
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.7.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
object network NETWORK_OBJ_10.99.16.0_21
subnet 10.99.16.0 255.255.248.0
object network NETWORK_OBJ_172.17.0.0
host 172.17.0.0
object network ATT_APN
host 166.216.138.28
object network NETWORK_OBJ_172.17.0.0_20
subnet 172.17.0.0 255.255.240.0
access-list outside_cryptomap extended permit ip any 172.17.0.0 255.255.240.0
access-list att_apn extended permit ip any 172.17.0.0 255.255.240.0
access-list att_apn extended permit ip 172.17.0.0 255.255.240.0 any
access-list inside_cryptomap_1 extended permit ip 172.17.0.0 255.255.240.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu inside_apn 1500
failover
failover lan unit primary
failover lan interface DPS_VPN_Failover GigabitEthernet0/3
failover interface ip DPS_VPN_Failover 192.168.10.1 255.255.255.0 standby 192.168.10.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.99.16.0_21 NETWORK_OBJ_10.99.16.0_21 destination static NETWORK_OBJ_172.17.0.0 NETWORK_OBJ_172.17.0.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.99.16.0_21 NETWORK_OBJ_10.99.16.0_21 destination static NETWORK_OBJ_172.17.0.0_20 NETWORK_OBJ_172.17.0.0_20 no-proxy-arp route-lookup
!
router eigrp 1
no auto-summary
network 10.99.16.0 255.255.255.0
network 172.17.0.0 255.255.240.0
!
route outside 0.0.0.0 0.0.0.0 208.108.168.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Tacacs protocol tacacs+
aaa-server Tacacs (inside) host 10.99.19.59
key DPSDk3y!!!
user-identity default-domain LOCAL
aaa authentication enable console Tacacs LOCAL
aaa authentication http console Tacacs LOCAL
aaa authentication serial console Tacacs LOCAL
aaa authentication ssh console Tacacs LOCAL
aaa authentication telnet console Tacacs LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.99.16.251 255.255.255.255 inside
http 10.99.16.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption 3des
protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 166.216.138.28
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal 3DES-SHA DES 3DES AES AES192 AES256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto map inside_map 1 match address inside_cryptomap_1
crypto map inside_map 1 set peer 166.216.138.28
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 1 set ikev2 ipsec-proposal 3DES-SHA DES 3DES AES AES192 AES256
crypto map inside_map 1 set nat-t-disable
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside_apn
crypto ikev1 enable outside
crypto ikev1 enable inside_apn
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto ikev1 policy 6
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.99.16.0 255.255.248.0 inside
telnet timeout 5
ssh 10.99.16.251 255.255.255.255 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.99.19.59 /99-c55-vpn01-confg
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
anyconnect-essentials
group-policy GroupPolicy_166.216.138.28 internal
group-policy GroupPolicy_166.216.138.28 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 166.216.138.28 type ipsec-l2l
tunnel-group 166.216.138.28 general-attributes
default-group-policy GroupPolicy_166.216.138.28
tunnel-group 166.216.138.28 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:abbb7fddb921d6bc371a63b9df1de51f
: end
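An added check, not from the thread and not an ASA feature: it parses the interface, ACL and crypto-map lines posted above and flags any remote encryption-domain prefix that the ASA also holds as a directly connected subnet. The ASA chooses the egress interface by route lookup before it applies the crypto map bound to that interface, so return traffic to such a prefix leaves on the connected interface instead of entering the tunnel; all function names are mine, and the sample only handles "any" and "A MASK" address specs.

```python
import ipaddress
import re
# Constructed sample: the interface, ACL and crypto-map lines from the posted ASA excerpt.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 10.99.16.251 255.255.248.0 standby 10.99.16.252
interface GigabitEthernet0/0.994
 nameif inside_apn
 ip address 172.17.0.2 255.255.240.0
access-list outside_cryptomap extended permit ip any 172.17.0.0 255.255.240.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map interface outside
"""

def _addr(t, i):
    """Parse one ACL address spec ('any' or 'A MASK') at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def connected_subnets(config):
    """Map each nameif to the subnet of its 'ip address' line (its directly connected route)."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and nameif:
            subnets[nameif] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets

def remote_prefixes(config):
    """Map each ACL used by an interface-bound crypto map to its destination (remote) prefixes."""
    bound = {m.group(1) for m in re.finditer(r"crypto map (\S+) interface \S+", config)}
    acls = {m.group(2) for m in re.finditer(r"crypto map (\S+) \d+ match address (\S+)", config)
            if m.group(1) in bound}
    remote = {}
    for t in (line.split() for line in config.splitlines()):
        if len(t) > 6 and t[0] == "access-list" and t[1] in acls and t[2:5] == ["extended", "permit", "ip"]:
            _, i = _addr(t, 5)  # skip the local (source) side of the ACE
            remote.setdefault(t[1], []).append(_addr(t, i)[0])
    return remote

def overlaps(config):
    """(acl, remote prefix, nameif, connected subnet) for each remote prefix that is also connected."""
    return [(acl, str(p), nameif, str(s))
            for acl, prefixes in remote_prefixes(config).items() for p in prefixes
            if p.prefixlen > 0
            for nameif, s in connected_subnets(config).items() if p.overlaps(s)]
```

On the posted excerpt the check reports the remote domain 172.17.0.0/20 as directly connected on inside_apn, which matches the symptom of Rx counting up while Tx stays at zero.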
06-25-2014 01:51 AM
Please paste us your configuration. We can check and help you out.