10-04-2014 07:48 AM - edited 03-11-2019 09:51 PM
I have a rather complex configuration in my office network.
Rather complex, of course, from my perspective...
I have an ASA 5505 facing the internet through 2 CISCO routers under HSRP between them (10 mbps fiber optics link + copper 4 mbps SHDSL link).
On the internal side I have an HP 3800 L3 switch directly connected to the ASA and handling the internal routing between 5 VLANs (clients, servers, voip, mobile, site_2), where "Site_2" is a fiber optics L2 link to a remote premise of my company directly connected to a port of the L3 Switch.
All works fine.
The (so far) unresolved issue comes from the IPsec VPN remote access I am configuring on the ASA, based on the CISCO VPN Client v5.x on the client side and on the Security Plus Bundle license on the ASA side.
I configured the ASA following the instructions in the firewall manuals and now I am able to successfully connect to the site from remote. I am also able to execute the ASDM from my remote client and to access the configuration options on the ASA.
The problem occurs when trying to browse the internal network and trying to access the servers on the inside LAN. No answers at all. No ping, no anything.
I suspect that the problem is on the internal routing handled by the L3 switch side-by-side to the ASA.
In fact, I configured the VPN local pool of IP addresses on a different subnet than the internal LAN (LAN: 192.168.1.0/24, VPN range: 192.168.2.20-192.168.2.44).
The ASA is linked to the L3 switch by a single ethernet cable and the switch port where it is connected is configured to handle only the "Client_VLAN" (i.e. the 192.168.1.x subnet). Therefore I suspect that the switch simply ignores any packet coming from the ASA from the source address of the VPN pool (192.168.2.x).
I configured a VPN Vlan on the switch and the proper routing rules for it, but the switch can handle mixed traffic (i.e. coming from multiple VLANs) on one of its ports only if the traffic is tagged as per 802.1q spec.
To have the ASA forward traffic from both subnets on a single port (the one linked to the L3 Switch) I should configure the interface as a "trunk" and the L3 Port as "tagged" (the "untagged" ones can carry only a single VLAN's traffic).
I made some tests but it, apparently, did not work. I was still unable to access the L3 switch from the ASA as well as -of course- the internal LAN.
Is it possible that 802.1q tagging is not compatible between CISCO and HP ?
Now I am stuck on this issue and -sincerely- without any further idea how to resolve it.
A last chance could be to link the ASA to the L3 switch using 2 ethernet interfaces (one for the 192.168.1.x and the second for the 192.168.2.x) and configure the related ports on the switch as "untagged" (since they handle only 1 VLAN each).
I will try this next week, but any advice on this matter from the community will be greatly appreciated.
Thank you all in advance for your help...
10-04-2014 09:17 AM
Ok, so what VLANS sit on your L3 switch?
i.e.,
vlan 10
ip address 192.168.10.254 255.255.255.0
description MGMT
vlan 20
ip address 192.168.20.254 255.255.255.0
description UserData
vlan 30
ip address 192.168.30.254 255.255.255.0
description Voice
L3 Switch --- L2 Access Port VLAN 10 --- ASA 5505 Eth0/1
ASA Eth0/1
switchport access vlan 10
description Connection to L3 Switch
int vlan 10
ip address 192.168.10.253 255.255.255.0
nameif inside
security-level 100
Now you want your RA-VPN clients to communicate with internal resources. Have you configured your NAT exemption for this? Something like
object network Inside_Network
subnet 192.168.10.0 255.255.255.0
object network UserData
subnet 192.168.20.0 255.255.255.0
object-group network LAN_Segments
network-object object Inside_Network
network-object object UserData
object network VPN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) static LAN_Segments LAN_Segments destination static VPN VPN no-proxy-arp route-lookup
So with that, take a look but keep it simple. Run some connectivity checks, can your VPN client ping any SVI's on the L3 switch etc?
10-06-2014 07:13 AM
Hi David-Swope,
a simple extraction of the L3 Switch configuration follows (hope it's enough to let you understand):
VLAN ID Name                             | Status     Voice Jumbo
------- -------------------------------- + ---------- ----- -----
1       DEFAULT_VLAN                     | Port-based No    No
10      CLIENT_VLAN                      | Port-based No    No
20      CISCO_VPN_VLAN                   | Port-based No    No
31      VOIP_VLAN                        | Port-based No    No
90      SERVER_VLAN                      | Port-based No    No
99      VPN_VLAN                         | Port-based No    No

VLAN                 | IP Config  IP Address      Subnet Mask     Std   Local
-------------------- + ---------- --------------- --------------- ----------
DEFAULT_VLAN         | Manual     192.168.191.1   255.255.255.0   No    No
CLIENT_VLAN          | Manual     192.168.110.240 255.255.255.0   Yes   No
CISCO_VPN_VLAN       | Manual     192.168.120.1   255.255.255.0   Yes   Yes
VOIP_VLAN            | Manual     192.168.2.250   255.255.255.0   Yes   Yes
SERVER_VLAN          | Manual     192.168.190.1   255.255.255.0   Yes   Yes
VPN_VLAN             | Manual     192.168.100.250 255.255.255.0   Yes   Yes
Best Regards,
Cristiano
10-06-2014 10:28 AM
Ok, first things first, why have you created different VLANs on the ASA? These need to match as you will be assigning access vlans to the ASA ports.
Your switch has
1       DEFAULT_VLAN                     | Port-based No    No
10      CLIENT_VLAN                      | Port-based No    No
20      CISCO_VPN_VLAN                   | Port-based No    No
31      VOIP_VLAN                        | Port-based No    No
90      SERVER_VLAN                      | Port-based No    No
99      VPN_VLAN                         | Port-based No    No
Your ASA has
interface Vlan1
nameif inside
security-level 100
ip address 192.168.110.252 255.255.255.0
This should be "interface vlan 10" since the 192.168.110.x is your VLAN 10 on your switch. Then configure the port on the ASA to match, switchport access vlan 10
Try after that
10-11-2014 04:42 AM
I'll do it as soon as I am on site again (next week) and let you know.
I definitely prefer not to make changes to the ASA config from remote, since it's working on a production network...
;)
Kind regards,
Cristiano
10-06-2014 09:58 AM
Hi,
concerning your other 2 questions, my answers follow:
1) Current ASA NAT Exemption rules are (from running config):
object network LOCAL_LAN
subnet 192.168.110.0 255.255.255.0
object network SERVER_LAN
subnet 192.168.190.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.0_26
subnet 192.168.120.0 255.255.255.192
object network VPN_LAN
subnet 192.168.120.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object LOCAL_LAN
network-object object SERVER_LAN
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.120.0_26 NETWORK_OBJ_192.168.120.0_26 no-proxy-arp route-lookup
2) I tried pinging all L3 Switch VLAN IPs after successful connection to the ASA through Cisco VPN Client v5.x.
No answer from any VLAN IPs. Of course, the ASA answers on its assigned IP.
I keep thinking that the problem is with the 802.1q tagging of the packets that are exchanged between the ASA and the HP3800.
I connect to the ASA through the VPN Client. The ASA assigns me an IP in the range 192.168.120.x then it routes my packets towards the L3 Switch by using the one and only interface available, that is connected to the Switch on a port belonging to the VLAN #10 (192.168.110.x).
Of course, the Switch discards the packets because they do not belong to the expected VLAN.
In my opinion, the only way to get those packets routed is to define the port on the L3 Switch as VLAN_10 + VLAN_20 enabled, but this can be done only if I define the port as "tagged".
This means that the ASA should send both packet families (192.168.110.x + 192.168.120.x) through the same interface by tagging each packet with the proper VLAN tag.
As far as I understood, I can have this behavior only by defining the interface on the ASA as a "trunk" interface.
What I don't know (I never did such a configuration so far) is if a "trunk" interface works in the same or similar way as a 'standard' or a 'switchport' interface, thus leaving all the other features configured on the ASA in a correct working state exactly as now.
Kind regards,
Cristiano
10-04-2014 10:29 AM
The 802.1q is an IEEE standard and supported on both Cisco and HP devices, so this should not be the issue.
It is quite possible, as David has mentioned, that the identity NAT / no NAT is configured incorrectly.
Would you be able to post your ASA configuration (sanitised)?
--
Please remember to select a correct answer and rate helpful posts
10-06-2014 07:17 AM
Hi Marius Gunnerud,
the ASA running config follows.
I won't forget to correctly rate your helpful replies...
:)
Best regards,
Cristiano
: Saved
:
ASA Version 9.1(4)
!
terminal width 160
hostname fw01
domain-name domainname.com
enable password xxxxxxxxxxxxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd yyyyyyyyyyyyyyyyyy encrypted
names
name 192.168.110.30 FTPServer_HYDRO
name 192.168.110.6 Server_SCC
name 192.168.110.9 Server_CRM
name 192.168.110.10 Server_SIU
ip local pool VPN_Pool 192.168.120.20-192.168.120.50 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.110.252 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 93.51.248.100 255.255.255.224
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.210.1 255.255.255.0
!
banner exec Welcome to CISCO ASA 5505
banner login Please insert Username/Password
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name domainname.com
same-security-traffic permit intra-interface
object network Server_SCC
host 192.168.110.6
object network Server_SCC-01
host 192.168.110.6
object network Server_SCC-02
host 192.168.110.6
object network Server_SIU
host 192.168.110.10
object network FTPServer_HYDRO
host 192.168.110.30
object network FTPServer_HYDRO-01
host 192.168.110.30
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inbound
host aaa.bbb.ccc.ddd
object network vpn_range
range 192.168.120.20 192.168.120.50
description IP Addresses reserved for VPN Clients
object network LOCAL_LAN
subnet 192.168.110.0 255.255.255.0
object network VPN_LAN
subnet 192.168.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.0_26
subnet 192.168.120.0 255.255.255.192
object network SERVER_LAN
subnet 192.168.190.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http-8080 tcp
description HTTP on Port 8080
port-object eq 8080
object-group service http-8082 tcp
description HTTP on Port 8082
port-object eq 8082
object-group service ftp-2100 tcp
description FTP on Port 2100
port-object eq 2100
object-group service fwdports
service-object tcp destination eq 8080
service-object tcp destination eq 8082
service-object tcp-udp destination eq 2100
service-object tcp destination eq pptp
object-group service DM_INLINE_TCP_0 tcp
group-object ftp-2100
group-object http-8080
port-object eq www
object-group service ftp-pasv tcp
description Passive FTP Range 5000-5999, 50000-59999
port-object range 5000 5999
port-object range 50000 59999
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
group-object ftp-2100
group-object http-8080
port-object eq www
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object range 131 139
object-group service IMAPSSL-Mail tcp
port-object eq 993
object-group service ftp-ssl tcp
description Default port for FTP over SSL
port-object eq 990
object-group service Internet-tcp tcp
description IMAPSSL-Mail
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
port-object eq 8080
port-object eq 2100
port-object eq 8082
port-object range 50500 50599
port-object eq imap4
group-object IMAPSSL-Mail
group-object ftp-ssl
object-group service Zarafa-Mail tcp
port-object eq 237
object-group service WebPlay-SSL tcp
port-object eq 8443
object-group service remote-desktop tcp-udp
port-object eq 3389
object-group service DM_INLINE_TCP_4 tcp
group-object Internet-tcp
group-object Zarafa-Mail
group-object WebPlay-SSL
group-object ftp-pasv
group-object remote-desktop
object-group service ftp-Illumia tcp
port-object eq 990
port-object range 5000 5050
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object LOCAL_LAN
network-object object SERVER_LAN
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object udp
protocol-object tcp
access-list acl_inside_in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list acl_inside_in extended permit icmp 192.168.110.0 255.255.255.0 any4
access-list acl_inside_in extended permit udp 192.168.110.0 255.255.255.0 any4 object-group Internet-udp
access-list acl_inside_in extended permit tcp 192.168.110.0 255.255.255.0 any4 object-group DM_INLINE_TCP_4
access-list acl_outside_in remark Migration, ACE (line 1) expanded: permit tcp any host Inbound object-group DM_INLINE_TCP_0
access-list acl_outside_in extended permit tcp any4 object Server_SCC eq 2100
access-list acl_outside_in remark FTP Passive on Server_SCC
access-list acl_outside_in extended permit tcp any4 object Server_SCC object-group ftp-pasv
access-list acl_outside_in extended permit tcp any4 object Server_SCC eq 8080
access-list acl_outside_in remark Migration: End of expansion
access-list acl_outside_in extended permit tcp any4 object Server_SCC eq www
access-list acl_outside_in remark Migration, ACE (line 2) expanded: permit tcp any host Inbound object-group DM_INLINE_TCP_1
access-list acl_outside_in extended permit tcp any4 object FTPServer_HYDRO eq ftp
access-list acl_outside_in remark Migration: End of expansion
access-list acl_outside_in extended permit tcp any4 object FTPServer_HYDRO eq ftp-data
access-list acl_outside_in remark Migration, ACE (line 3) expanded: permit tcp any host Inbound object-group ftp-pasv
access-list acl_outside_in remark Migration: End of expansion
access-list acl_outside_in remark Migration, ACE (line 4) expanded: permit object-group DM_INLINE_SERVICE_1 any host Inbound
access-list acl_outside_in extended permit tcp any4 object Server_SIU eq pptp
access-list acl_outside_in remark Migration: End of expansion
access-list acl_outside_in extended permit gre xxx.yyy.zzz.kkk 255.255.255.224 object Server_SIU
access-list acl_outside_in extended permit tcp xxx.yyy.zzz.kkk 255.255.255.224 object Server_SIU eq pptp
access-list acl_outside_in extended permit tcp object Inbound object Server_SCC object-group DM_INLINE_TCP_2 inactive
access-list acl_outside_in extended permit tcp xxx.yyy.zzz.kkk 255.255.255.224 object FTPServer_HYDRO object-group DM_INLINE_TCP_3 inactive
access-list acl_outside_in extended permit icmp any4 any4 echo-reply
access-list acl_outside_in extended permit gre any4 192.168.110.0 255.255.255.0
access-list acl_outside_in extended permit tcp any4 192.168.110.0 255.255.255.0 range 50500 50599
access-list ftp_inspect extended permit tcp any any eq ftp
access-list ftp_inspect extended permit tcp any any eq 2100
access-list ftp-nonstandard extended permit tcp any any eq 990
access-list KKKKK_VPN_splitTunnelAcl standard permit 192.168.110.0 255.255.255.0
access-list KKKKK_VPN_splitTunnelAcl standard permit 192.168.190.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 50000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.120.0_26 NETWORK_OBJ_192.168.120.0_26 no-proxy-arp route-lookup
!
object network Server_SCC
nat (inside,outside) static interface service tcp 2100 2100
object network Server_SCC-01
nat (inside,outside) static interface service tcp 8080 8080
object network Server_SCC-02
nat (inside,outside) static interface service tcp www www
object network Server_SIU
nat (inside,outside) static interface service tcp pptp pptp
object network FTPServer_HYDRO
nat (inside,outside) static interface service tcp ftp ftp
object network FTPServer_HYDRO-01
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network obj_any
nat (inside,outside) dynamic interface
access-group acl_inside_in in interface inside
access-group acl_outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 93.51.248.97 1
route inside 0.0.0.0 0.0.0.0 192.168.110.240 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.110.0 255.255.255.0 inside
http 192.168.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
......................................................
......................................................
......................................................
......................................................
......................................................
......................................................
quit
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.110.0 255.255.255.0 inside
ssh 192.168.120.0 255.255.255.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 15
dhcpd auto_config outside
!
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.204.114.232 source outside prefer
group-policy KKKKK_VPN internal
group-policy KKKKK_VPN attributes
dns-server value 8.8.8.8 208.67.222.222
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value KKKKK_VPN_splitTunnelAcl
default-domain value ondaenergia.com
username user1 password hjhgywegfllkkjushgdfj encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
tunnel-group KKKKK_VPN type remote-access
tunnel-group KKKKK_VPN general-attributes
address-pool VPN_Pool
default-group-policy KKKKK_VPN
tunnel-group KKKKK_VPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection-default
match default-inspection-traffic
class-map ftp-nonstandard-class
match access-list ftp-nonstandard
class-map new_inspection
match access-list ftp_inspect
!
!
policy-map type inspect ftp FTP_Inspect_Map
description Custom FTP Inspect Map
parameters
match request-command appe help site
reset log
policy-map global-policy
class inspection-default
inspect dns
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class new_inspection
inspect ftp strict FTP_Inspect_Map
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:hdfkhskjdhfgkjhsgdfkhsgdfjkhg
: end
10-06-2014 12:27 PM
Your configuration looks fine. If you add a static route to the SERVER_LAN are you able to get connectivity then? Are you able to reach the LOCAL_LAN subnet? I am thinking that the tunneled default gateway might not be working as expected.
If you are trying to ping when testing, have you made sure you have turned off the firewall on the servers? (ie. windows firewall, or any other software firewall that may be installed)
What are the default gateways configured on the servers and local LAN PCs? Is it the ASA itself, or are there routers / L3 switches in between? Would you be able to post a diagram of your network?
You could set up a packet capture on the inside interface and or the DMZ interface and then see if you see the VPN traffic leaving and entering the interface. Keep in mind that if you set this up on the outside interface you will not see anything as the traffic will be encrypted.
You can setup the following just change the IP addresses and capture interface as needed:
access-list capin extended permit ip host 192.168.120.20 host 192.168.110.20
access-list capin extended permit ip host 192.168.110.20 host 192.168.120.20
capture CAP interface inside access-list capin
show capture CAP
If you see traffic leaving the interface but you see no return traffic then there is a routing problem from the servers to the ASA, perhaps there is asynchronous routing happening. If you do see the traffic return, then the ASA is not encrypting the traffic for some reason.
--
Please remember to select a correct answer and rate helpful posts
10-06-2014 12:35 PM
I just saw your post on the L3 switch...and noticed this:
CISCO_VPN_VLAN | Manual 192.168.120.1 255.255.255.0 Yes Yes
Do you have an IP on the VPN subnet configured on the switch? if so then this is your problem. The switch thinks it is directly connected to the network so it will not send the packets to the ASA.
Where is inter-VLAN routing happening, or where do you want it to happen? If it is happening on the switch, then all you need is a route to the other networks via the inside VLAN1. If the ASA is expected to do the routing then, as David mentioned, you need to get your ASA VLANs in order.
--
Please remember to select a correct answer and rate helpful posts
10-11-2014 04:37 AM
Interesting comment.
1) I created a dedicated VLAN on the L3 Switch because I expect that the Cisco VPN remote clients will access the internal LAN by using the 192.168.120.x address pool.
Without such a VLAN on the L3 Switch (and the related routes properly set) those packets couldn't be routed on the internal LAN.
Unfortunately, the L3 Switch requires that an IP address is set on it for each VLAN that you create. So I had to create and assign to the CISCO_VPN_VLAN the IP address 192.168.120.1
2) I definitely would like that every inter-VLAN routing is done at Switch level, while the external routing (internet access) is done by the ASA.
Hope the above clarifies my requirements.
Thanks,
Cristiano
10-12-2014 01:56 AM
1) I created a dedicated VLAN on the L3 Switch because I expect that the Cisco VPN remote clients will access the internal LAN by using the 192.168.120.x address pool. Without such a VLAN on the L3 Switch (and the related routes properly set) those packets couldn't be routed on the internal LAN.
This is incorrect. As I mentioned earlier if the L3 switch has an interface for the 192.168.120.x network it thinks it is directly connected to the network and will check its own CAM table to see which interface the IP is located off of. The ASA can use proxy ARP to answer requests for these IPs but this type of setup can result in unstable connections and can be difficult in troubleshooting. I suggest setting the VPN IP pool to a subnet that is not in use on any of your internal networks.
The way to set this up is to have your PCs use the IPs of the L3 switch as their default gateway. Then the switch will have a default route pointing to the ASA. The ASA will have a route for each network connected to the L3 switch which again points to the directly connected IP of the L3 switch (the IP on the ASA which is on the same subnet as an IP on the L3 switch). The ASA will also have a default route pointing to your ISP.
This setup will provide inter-VLAN routing on the L3 switch while external routing is done by the ASA.
So your network should look something like this:
                                  ------ Network 1
          DMZ                    /
           |                    /
ISP ----- ASA ----- L3 switch ------ Network 2
                                \
                                 \
                                  ------ Network 3
2) I definitely would like that every inter-VLAN routing is done at Switch level, while the external routing (internet access) is done by the ASA
My above comment covers this.
--
Please remember to select a correct answer and rate helpful posts
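The failure Marius describes (an SVI on the switch inside the VPN pool subnet makes the switch treat that subnet as directly connected, so replies to VPN clients never go back to the ASA) can be reproduced with a small longest-prefix-match model. This is an added example, not code from the thread and not Cisco or HP software. Addresses are the ones quoted in the thread (ASA inside 192.168.110.252, switch VLAN 10 SVI 192.168.110.240, VPN pool 192.168.120.x, SERVER_VLAN 192.168.190.x); the switch's default route towards the ASA is an assumption, since the thread never shows the switch's route table, and the "tunneled" default route handling is a simplified model of the ASA's behaviour.

```python
"""Added example: model the forward and return path for a VPN client
talking to a server behind the HP L3 switch, with and without a switch SVI
in the VPN pool subnet. Not code from the thread; see the lead-in for the
assumptions."""
import ipaddress
from dataclasses import dataclass, field

ASA_INSIDE = "192.168.110.252"      # ASA "interface Vlan1" address from the posted config
SWITCH_VLAN10 = "192.168.110.240"   # HP 3800 CLIENT_VLAN address from the posted table


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # "connected:<interface>" or a gateway IP
    tunneled: bool = False   # ASA "route ... tunneled": only used for VPN-sourced traffic


@dataclass
class Router:
    name: str
    routes: list = field(default_factory=list)

    def add_connected(self, iface: str, ip_with_prefix: str) -> None:
        net = ipaddress.ip_interface(ip_with_prefix).network
        self.routes.append(Route(net, f"connected:{iface}"))

    def add_static(self, prefix: str, gateway: str, tunneled: bool = False) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), gateway, tunneled))

    def lookup(self, dst: str, from_vpn: bool = False):
        """Longest prefix wins. A tunneled default route is only a candidate
        for traffic that arrived through a VPN tunnel, and then beats the
        ordinary default route (simplified model of ASA behaviour)."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes
                      if addr in r.prefix and (from_vpn or not r.tunneled)]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, r.tunneled))
        return best.next_hop


def build_asa() -> Router:
    asa = Router("ASA")
    asa.add_connected("inside", f"{ASA_INSIDE}/24")
    asa.add_connected("dmz", "192.168.210.1/24")
    asa.add_static("0.0.0.0/0", "93.51.248.97")                # route outside 0.0.0.0 0.0.0.0 93.51.248.97
    asa.add_static("0.0.0.0/0", SWITCH_VLAN10, tunneled=True)  # route inside 0.0.0.0 0.0.0.0 ... tunneled
    return asa


def build_switch(vpn_svi: bool) -> Router:
    sw = Router("HP3800")
    sw.add_connected("VLAN10", f"{SWITCH_VLAN10}/24")   # CLIENT_VLAN
    sw.add_connected("VLAN31", "192.168.2.250/24")      # VOIP_VLAN
    sw.add_connected("VLAN90", "192.168.190.1/24")      # SERVER_VLAN
    if vpn_svi:
        sw.add_connected("VLAN20", "192.168.120.1/24")  # CISCO_VPN_VLAN, the SVI under discussion
    sw.add_static("0.0.0.0/0", ASA_INSIDE)              # assumed: switch default route to the ASA
    return sw


def trace(vpn_svi: bool, client: str = "192.168.120.25", server: str = "192.168.190.5") -> dict:
    """Forward: the decrypted client packet leaves the ASA, then the switch
    routes it to the server VLAN. Reverse: the switch looks up the client
    address for the server's reply. The reply only reaches the ASA if that
    lookup hands the packet to the ASA's inside address."""
    asa, sw = build_asa(), build_switch(vpn_svi)
    forward = [asa.lookup(server, from_vpn=True), sw.lookup(server)]
    reverse = sw.lookup(client)
    return {"forward": forward, "reverse": reverse, "ok": reverse == ASA_INSIDE}


if __name__ == "__main__":
    for svi in (True, False):
        r = trace(svi)
        print(f"VPN SVI on switch: {svi!s:5}  forward={r['forward']}  "
              f"reverse={r['reverse']}  reply reaches ASA: {r['ok']}")
```

With the CISCO_VPN_VLAN SVI present, the forward path works (ASA to 192.168.110.240, switch to VLAN 90) but the reverse lookup for the client resolves to `connected:VLAN20`: the switch ARPs for the client on VLAN 20, where nothing answers, and the reply is dropped. With the SVI removed, the only match is the default route and the reply goes to the ASA, which owns the VPN client address.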
10-14-2014 09:30 AM
Hello,
please find below my comments on your last post.
1) I suggest setting the VPN IP pool to a subnet that is not in use on any of your internal networks
That is exactly what I did. My internal LAN uses the 192.168.110.x, 192.168.131.x and 192.168.190.x subnets.
I added the 192.168.120.x only at ASA level in order to provide a suitable range of addresses to the incoming Cisco VPN remote accesses.
2) This is incorrect. As I mentioned earlier if the L3 switch has an interface for the 192.168.120.x network it thinks it is directly connected to the network and will check its own CAM table to see which interface the IP is located off of.
As far as I know, the L3 Switch can route packets between subnets only if each subnet has been previously associated to a dedicated VLAN. Therefore, I created the VLAN 10 for subnet 192.168.110.x, VLAN 90 for 192.168.190.x and VLAN 31 for 192.168.131.x. With this setting the intra-LAN routing works, so far, flawlessly.
Since the packets coming from the VPN Clients are in the 192.168.120.x subnet, how can they be routed by the L3 Switch if they appear on an interface (coming from the ASA) identified as "VLAN 10" on the L3 Switch ?
In fact, the Switch port to which the Ethernet cable coming from the ASA is connected, has been configured on the routing switch as pertaining to "VLAN 10".
If packets belonging to 192.168.120.x are sent through that interface, the L3 Switch discards them because it does not recognise them in the expected VLAN ID.
As far as I know, the only way to get those packets (the ones coming from VPN Clients) routed by the L3 Switch is to define a further VLAN on it (VLAN 20 in my case) and configure the switch port as "TAGGED", i.e. able to accept packets from both subnets (192.168.110.x + 192.168.120.x) at the same time.
By definition, all "UNTAGGED" ports may accept packets from only one single VLAN (i.e. subnet).
Anyway, I'll perform some testing this week to explore the possible solutions you suggested.
I'll keep you updated about the testing results.
Thank you very much for your support.
10-16-2014 12:15 AM
Since the packets coming from the VPN Clients are in the 192.168.120.x subnet, how can they be routed by the L3 Switch if they appear on an interface (coming from the ASA) identified as "VLAN 10" on the L3 Switch ?
As I mentioned earlier, if the switch has an IP configured on it within the same subnet as the VPN users then it thinks it is directly connected and will not forward the packets to the ASA (by default). So you would either need to configure the ASA with subinterfaces that connect to the L3 switch and place each subinterface in their respective VLANs. Then the ASA will be doing the routing for the VPN traffic. Or, you would need to configure a L3 link between the ASA and the L3 switch and add routes to each subnet on the ASA pointing to the L3 IP which is configured for this link. That way VPN traffic enters the ASA, the ASA routes it to the L3 switch and the L3 switch routes it again to its appropriate destination...
Does it maintain this address when it accesses the internal LAN or does the ASA NAT it by using its own address in the main VLAN (e.g. 192.168.110.252) ???
This is the IP that will be the source address when accessing the LAN. Of course this is assuming you have configured NAT exemption. If you do not have NAT exemption configured (or identity NAT as it is called now) VPN traffic will be NATed to the first matched NAT rule...this will normally be the dynamic NAT. When this happens VPN traffic will fail.
In the former case I need to define a specific VLAN in the L3 Switch otherwise no packets will be forwarded to the LAN.
You do not have to define a VPN VLAN on the L3 switch to route VPN traffic, and in my opinion you should not set up your network like this.
In the latter case, the specific VLAN is not needed at all and the routing is made by using the rules set for the main VLAN (VLAN 10).
Not exactly sure what you are trying to get at here.
--
Please remember to select a correct answer and rate helpful posts
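Marius's point that VPN traffic without a matching identity NAT falls through to the dynamic NAT rule is worth checking mechanically, because the exemption in the posted config is keyed to NETWORK_OBJ_192.168.120.0_26 (a /26, i.e. 192.168.120.0-63) while VPN_Pool is 192.168.120.20-50: the current pool fits, but widening the pool past .63 would silently break the exemption. This is an added example, not code from the thread and not Cisco software; objects and addresses come from the posted running config, and the rule-ordering model (section 1 manual NAT before section 2 object NAT, first match wins) is a simplification of the ASA 8.3+ NAT table.

```python
"""Added example: verify that every VPN pool address is covered by the
identity NAT ("NAT exemption") destination object, and show which NAT rule
a LAN host's reply to a VPN client would hit. Not code from the thread; see
the lead-in for the assumptions."""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "93.51.248.100"   # ASA outside address, what "dynamic interface" PATs to


@dataclass
class NatRule:
    name: str
    sources: list                        # original-source networks this rule matches
    destination: ipaddress.IPv4Network   # original-destination match (0.0.0.0/0 = any)
    kind: str                            # "identity" (no translation) or "dynamic-pat"
    section: int                         # 1 = manual NAT, 2 = object (auto) NAT


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


# Rules transcribed from the posted config, in ASA evaluation order.
RULES = [
    NatRule("DM_INLINE_NETWORK_1 -> NETWORK_OBJ_192.168.120.0_26 (identity)",
            [net("192.168.110.0/24"), net("192.168.190.0/24")],   # LOCAL_LAN, SERVER_LAN
            net("192.168.120.0/26"), "identity", section=1),
    NatRule("obj_any dynamic interface",
            [net("0.0.0.0/0")], net("0.0.0.0/0"), "dynamic-pat", section=2),
]


def reply_translation(rules, src: str, dst: str):
    """Which rule handles a LAN host's reply (inside -> outside) to a VPN
    client, and what the source address becomes. First match in section
    order wins; an identity rule leaves the source untouched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        if any(s in n for n in rule.sources) and d in rule.destination:
            return rule.name, (src if rule.kind == "identity" else OUTSIDE_IP)
    return None, src


def uncovered_pool_addresses(pool_first: str, pool_last: str,
                             exempt: ipaddress.IPv4Network) -> list:
    """Every pool address must fall inside the identity NAT destination
    object; any address outside it is handled by a later rule and the VPN
    flow breaks for that client."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    return [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)
            if ipaddress.ip_address(i) not in exempt]


if __name__ == "__main__":
    exempt = net("192.168.120.0/26")
    # The pool actually configured on the ASA: 192.168.120.20-192.168.120.50
    print("pool .20-.50 not covered:",
          uncovered_pool_addresses("192.168.120.20", "192.168.120.50", exempt))
    # Constructed what-if: the pool is widened past .63 but the /26 object is left alone
    print("pool .20-.100 not covered:",
          uncovered_pool_addresses("192.168.120.20", "192.168.120.100", exempt)[:3], "...")
    for client in ("192.168.120.25", "192.168.120.70"):
        print(f"reply from Server_SCC to {client}:",
              reply_translation(RULES, "192.168.110.6", client))
```

For a client at 192.168.120.25 the reply from 192.168.110.6 matches the identity rule and keeps its source address; for a (constructed) client at 192.168.120.70 nothing in section 1 matches, the obj_any rule PATs the reply to 93.51.248.100, and the tunnel never sees it. The practical check is to keep the exemption object at least as wide as the pool, or to reference the pool object itself instead of an auto-generated /26.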
10-14-2014 09:42 AM
Just one more question that could be useful to clarify my understanding of the matter:
A VPN Client connects (using IPsec) from remote to the ASA and is assigned an IP address in the 192.168.120.20 ... 50 range.
Does it maintain this address when it accesses the internal LAN or does the ASA NAT it by using its own address in the main VLAN (e.g. 192.168.110.252) ???
In the former case I need to define a specific VLAN in the L3 Switch otherwise no packets will be forwarded to the LAN.
In the latter case, the specific VLAN is not needed at all and the routing is made by using the rules set for the main VLAN (VLAN 10).
Please advise...