cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2328
Views
5
Helpful
7
Replies

DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

ariyanozz
Level 1
Level 1

Hi Guys,

I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.

The Design :

Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )

||

ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)

||

Switch

||

LAN

Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.

I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.

I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.

Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....

Thanks,

Aj.

7 Replies 7

sabrodiesel2000
Level 1
Level 1

AJ, i didnt check your txts here

1) what RProtocol r u using?
2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF

3) are your tunnels config correctly? try show crypto ipsec sa

4) on your hub'spoke do a debug ip icmp

I see the questions from Abdus are more than real in this kind of scenarios, I was able to open the txt files and they seem to be fine.... The show IP route and the crypto SA will tell you what the problem is. If the tunnel interface is up, is not a problem with the ASA as everything will be shown encrypted and the Firewall will let that traffic pass.

Mike

Mike

ariyanozz
Level 1
Level 1

Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.

All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.

1) what RProtocol r u using?

a) It's OSPF
2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF

a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined

    (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)

    (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")

3) are your tunnels config correctly? try show crypto ipsec sa

a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data

4) on your hub'spoke do a debug ip icmp

a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.

I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.

Additional to the info above, Please also note :

I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.

So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.

From HUB router I'm able to ping clients behind Spokes.

Does that give any Ideas ?

Thanks in Advance.

Aj.

Another thing to add is, I'm able to ping Spoke's Tunnel IPs from my Local LAN behind the ASA.

Aj.

ariyanozz
Level 1
Level 1

Well I got this working.

This is for someone else who is trying to do what I was.

I'm able to ping accross all spokes and vise versa.

The IPSEC L2L vpn that I already had configured on the ASA was troubling. I removed them and everything was ok.

But there is a new problem now, If I try to access any remote client,

say on, (\\192.168.14.101) I get an error :

"The Network Path Was Not Found" I'm unable to access any recources.

If I use "\\192.168.14.101\c$" then i get the credential box, and no matter what I enter, I can't get it.

Any Ideas ?

Aj.

ariyanozz
Level 1
Level 1

Hey,

Well I never got a positive reply from the initial post here.

This is supposed to be Cisco site, and all the helpding hands should've been here. Well I did get help somewhere else and got my setup working.

But I do have an issue that I can use help on.

I've got my DSL sites running on Cisco 877-K9 routers on Static IPs up and running.

And I have about 50+ sites on 3G connections, I've been trying to configure a spoke on a Cisco 1711 router.

I'm attaching here the configuration of the router I've been playing around with.

The strange thing is, If I restart the router or the 3G modem, the connection comes up fine, but the VPN tunnel does not.

After a while I get this error:

%CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.1 has no SA and is not an initialization offer

But If I go into the tunnel0 interface, shut it down manually & then no shut it, everything starts working just fine.

Strange ? any ideas ? BTW I'm using a Cisco 1711 router with (c1700-k9o3sy7-mz.123-7.XR6.bin)

Thanks in Advance.

Aj.

ariyanozz
Level 1
Level 1

A lot of seniors on around forums here and elsewhere think that as so  called noobs need spoon feeding, but if they just point in the right  direction it makes a lot of difference. And not everyone is a noob if  asking a question.

Anyway, coming back to the point.

My 3G connection is on Dynamic IP. And Static LAN, I'm unable to get Static on my 3G.

I had couple of Cisco 877-K9 Security routers lying around, which has a DSL built-in modem with 4 FE ports.

I just had a wild idea and,

1. Shut down the ATM & Dialer interfaces

2. Created VLAN1 on F0 (This becomes my WAN port)

3. Created VLAN2 on F1-F3 (This becomes my LAN port)

Configured everything and boom everything works as I wanted it to.

Tests Done :

Test 1:

Rebooted the 3G modem and from the initial reboot, tunnel up, routes publish & start of ping, total time (2-5 minutes)

Test 2:

Rebooted the Router and from initial reboot,tunnel up, routes publish  & start of ping, total time (the time it takes the router to be  active)

So all together, I'm all done with total configuration, I'm happy with  the Cisco 877-K9 cause If I get a DSL line, I can shift from 3G to DSL  in a snap.

Attached is the configuration of Cisco 877-K9 latest working config.

Thanks to the helping hands of Scowles at:

http://www.petri.co.il/forums/showthread.php?p=249667

Aj.

Review Cisco Networking for a $25 gift card