01-11-2018 11:04 AM - edited 03-05-2019 09:44 AM
I'm trying to set up an IPSec tunnel between an ASA5512 and an ISR4331 to tunnel all traffic for my organization for one branch to their data center. I have the tunnel configured and up. I can reach all inside networks, but cannot access the internet. I'm also not able to tell if the internet traffic is actually going through the tunnel, as my traces are timing out at the edge router of the branch (ISR4331). I've gone over my config, but I can't quite tell what isn't working.
Posting config below: I don't have any other routing setup other than the tunnel and default route
ats-afo-r-int-TEMP#sh run
Building configuration...
Current configuration : 8942 bytes
!
! No configuration change since last restart
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ats-afo-r-int-TEMP
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip domain list aec.local
ip domain lookup source-interface Loopback0
ip domain name aec.local
ip name-server 10.10.30.10
ip name-server 10.20.30.10
ip name-server 10.10.30.11
ip name-server 10.20.30.11
ip dhcp excluded-address 10.30.69.1 10.30.69.10
!
ip dhcp pool VOICE
network 10.30.69.0 255.255.255.0
default-router 10.30.69.1
option 4 ip 10.10.30.10
option 156 ascii "ftpservers=10.10.60.101, country=1, language=1, layer2tagging=1,vlanid=600"
dns-server 10.10.30.10 10.10.30.11
lease infinite
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
parameter-map type inspect global
log dropped-packets
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FDO20180ABE
license boot level securityk9
!
username local.admin privilege 15 password 7 114D4A06020002181D0A2F29793D74
!
redundancy
mode none
!
!
!
!
!
!
!
class-map type inspect match-any INSIDE_TO_OUTSIDE_CMAP
match access-group name INSIDE_TO_OUTSIDE_ACL
match protocol http
match protocol https
match protocol ftp
match protocol icmp
match protocol citrix
class-map type inspect match-any OUTSIDE_TO_SELF_CMAP
match access-group name OUTSIDE_TO_SELF_ACL
class-map type inspect match-any SELF_TO_OUTSIDE_CMAP
match access-group name SELF_TO_OUTSIDE_ACL
class-map type inspect match-any OUTSIDE_TO_INSIDE_CMAP
match access-group name OUTSIDE_TO_INSIDE_ACL
class-map type inspect match-any sunrpc-l4-cmap
match protocol sunrpc
!
policy-map type inspect OUTSIDE_TO_INSIDE_PMAP
class type inspect sunrpc-l4-cmap
pass
class type inspect OUTSIDE_TO_INSIDE_CMAP
inspect
class class-default
drop log
policy-map type inspect OUTSIDE_TO_SELF_PMAP
class type inspect OUTSIDE_TO_SELF_CMAP
pass
class class-default
drop log
policy-map type inspect INSIDE_TO_OUTSIDE_PMAP
class type inspect sunrpc-l4-cmap
pass
class type inspect INSIDE_TO_OUTSIDE_CMAP
inspect
class class-default
drop log
policy-map type inspect SELF_TO_OUTSIDE_PMAP
class type inspect SELF_TO_OUTSIDE_CMAP
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE_TO_OUTSIDE_PAIR source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE_PMAP
zone-pair security OUTSIDE_TO_INSIDE_PAIR source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE_PMAP
zone-pair security OUTSIDE_TO_SELF_PAIR source OUTSIDE destination self
service-policy type inspect OUTSIDE_TO_SELF_PMAP
zone-pair security SELF_TO_OUTSIDE_PAIR source self destination OUTSIDE
service-policy type inspect SELF_TO_OUTSIDE_PMAP
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key @gave123! address 66.51.13.71
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map outside_66.51.13.71 1 ipsec-isakmp
set peer 66.51.13.71
set transform-set ESP-AES-256-SHA
match address 100
!
!
!
!
!
!
!
interface Loopback0
description MGMT
ip address 10.0.0.9 255.255.255.255
!
interface GigabitEthernet0/0/0
description ISP: Cogent Circuit ID: 59-KXGS-128900
ip address 38.122.0.162 255.255.255.248
ip helper-address 10.10.30.10
ip nat outside
zone-member security OUTSIDE
negotiation auto
no cdp enable
crypto map outside_66.51.13.71
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
description INSIDE
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2.400
description DATA
encapsulation dot1Q 400
ip address 10.30.68.1 255.255.255.0
ip nat inside
zone-member security INSIDE
no cdp enable
ip virtual-reassembly
!
interface GigabitEthernet0/0/2.600
description VOICE
encapsulation dot1Q 600
ip address 10.30.69.1 255.255.255.0
ip nat inside
zone-member security INSIDE
no cdp enable
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 110 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
no ip http secure-server
ip tftp source-interface Loopback0
ip tftp blocksize 1200
ip route 0.0.0.0 0.0.0.0 38.122.0.161
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh version 2
!
!
ip access-list extended INSIDE_TO_OUTSIDE_ACL
permit ip any any
ip access-list extended OUTSIDE_TO_INSIDE_ACL
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 172.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.21.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.28.207.96 0.0.0.31 10.0.0.0 0.255.255.255
permit ip 66.28.3.0 0.0.0.255 host 38.122.0.162
permit ip 66.250.250.0 0.0.1.255 host 38.122.0.162
permit ip 130.117.228.0 0.0.0.255 host 38.122.0.162
permit ip 130.117.254.0 0.0.0.255 host 38.122.0.162
permit ip any any
ip access-list extended OUTSIDE_TO_SELF_ACL
remark TO ALLOW SSH FROM HOUSTON & ARTESIA
permit tcp 38.122.0.160 0.0.0.7 any eq 22
remark ALLOW CRYPTO
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit gre any any
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
remark TO ALLOW SSH FROM HOUSTON & ARTESIA
permit tcp 4.15.230.192 0.0.0.31 any eq 22
permit ip 172.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.21.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.28.207.96 0.0.0.31 10.0.0.0 0.255.255.255
permit tcp 66.51.13.64 0.0.0.15 any eq 22
ip access-list extended SELF_TO_OUTSIDE_ACL
remark TO ALLOW SSH FROM HOUSTON & ARTESIA
permit tcp any eq 22 38.122.0.160 0.0.0.7
remark ALLOW CRYPTO
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
remark ALLOW AGAVE SUBNETS
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
remark TO ALLOW SSH FROM HOUSTON & ARTESIA
permit tcp any eq 22 4.15.230.192 0.0.0.31
permit ip 10.0.0.0 0.255.255.255 172.20.0.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 172.21.0.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 172.28.207.96 0.0.0.31
permit tcp any eq 22 66.51.13.64 0.0.0.15
!
access-list 100 remark Begin: IPSEC Tunnel to Plano
access-list 100 permit ip 10.30.68.0 0.0.0.255 any
access-list 100 permit ip 10.30.69.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.9 any
access-list 100 remark End: IPSEC Tunnel to Plano
access-list 110 remark Begin: NAT Statement
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 remark End: NAT Statement
!
!
!
control-plane
!
banner exec ^CCCC
**************************************************
Location: AGAVE ENERGY COMPANY
Location: 288 W Kincaid Ranch Rd
Location: Artesia, NM 88210
Type: Router
Manufacturer: Cisco
Model: ISR4331/K9
Serial No: FLM2022W1ES
**************************************************
^C
banner login ^CC
!!!!!!! W A R N I N G !!!!!!!
This is a private computer system to be accessed and used for
company business purposes. All access to it must be specifically
authorized. Unauthorized access or use of this system is prohibited
and may expose you to liability under criminal and/or civil law.
Unless provided for by a separate written agreement signed by the
company, all information placed on this computer system is the
property of the company. The company reserves the right to monitor,
access, intercept, record, read, copy, capture and disclose all
information received, sent through or stored in this computer
system, without notice, for any purpose and at anytime.
By accessing, using and continuing to use this system, you agree to
these terms of use, as the company may modify from time to time; you
agree to waive any right or expectation of privacy regarding this
system or your use of it; and you further warrant that you have
proper authorization to use this system.
IF YOU DO NOT AGREE, LOG OFF NOW.
^C
!
line con 0
exec-timeout 0 0
logging synchronous
login local
stopbits 1
line aux 0
exec-timeout 5 0
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 15 0
logging synchronous
login local
transport input ssh
!
ntp source Loopback0
ntp server 10.10.30.10
ntp server 10.10.30.11
!
end
01-11-2018 03:12 PM
Hi
You don't know if the Internet traffic is going through the tunnel but is it expected or do you have local internet access?
Have you allowed internet access into a NAT for the Branch's subnets?
01-11-2018 04:11 PM
Hi,
There is internet service, but it is only being used to carry the tunnel. Internet traffic is configured/expected to traverse the tunnel into our datacenter, but I cannot tell if it is doing so.
01-11-2018 04:21 PM - edited 01-11-2018 04:35 PM
Ok, thank you for the clarification. The traffic knows how to go back to the branch; have you added the Branch's prefixes into the NAT to get Internet access through the HQ?
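To answer the "I can't tell whether internet traffic is entering the tunnel" question from the config itself rather than from timed-out traces, here is an added example (not code from the thread or from Cisco) that models the ISR's inside-to-outside order of operations: NAT inside-to-outside runs before the crypto map is evaluated, so the crypto ACL sees the translated source. It works on a constructed excerpt of the posted "sh run" (the crypto map, NAT statement, default route and the two numbered ACLs); the outside address 38.122.0.162 is taken from the posted config, and the flow addresses used in the demo (10.30.68.50, 10.30.70.5, 8.8.8.8) are assumed test values.

```python
"""Classify a branch flow under the posted ISR4331 config: NAT'd locally,
sent to the IPsec peer, or neither."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt of the posted config: only the lines that decide a packet's path.
CONFIG = """\
crypto map outside_66.51.13.71 1 ipsec-isakmp
 set peer 66.51.13.71
 set transform-set ESP-AES-256-SHA
 match address 100
interface GigabitEthernet0/0/0
 ip nat outside
 crypto map outside_66.51.13.71
ip nat inside source list 110 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 38.122.0.161
access-list 100 permit ip 10.30.68.0 0.0.0.255 any
access-list 100 permit ip 10.30.69.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.9 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
"""

OUTSIDE_ADDR = "38.122.0.162"  # GigabitEthernet0/0/0 address from the posted config


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    if (wildcard + 1) & wildcard:  # non-contiguous wildcard masks are out of scope here
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network(f"{first}/{32 - wildcard.bit_length()}", strict=False)


def parse_numbered_acls(config):
    """Return {acl_number: [Ace, ...]} for 'access-list N permit|deny ip SRC DST' lines."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\d+) (permit|deny) ip (.*)", line)
        if m:
            rest = m.group(3).split()
            acls[m.group(1)].append(Ace(m.group(2), _network(rest), _network(rest)))
    return acls


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def parse_crypto_maps(config):
    """Return [{'peer': ..., 'acl': ...}] for each global 'crypto map' entry."""
    entries, current = [], None
    for line in config.splitlines():
        if line.startswith("crypto map "):
            current = {"peer": None, "acl": None}
            entries.append(current)
        elif current is not None and line.startswith(" set peer "):
            current["peer"] = line.split()[-1]
        elif current is not None and line.startswith(" match address "):
            current["acl"] = line.split()[-1]
        elif not line.startswith(" "):  # any other top-level line ends the entry
            current = None
    return entries


def default_next_hop(config):
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return m.group(1) if m else None


def classify_flow(config, src_ip, dst_ip):
    """NAT inside->outside first, then the crypto map with the (possibly translated) source."""
    acls = parse_numbered_acls(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    result = {"translated_src": str(src), "natted": False, "peer": None,
              "next_hop": default_next_hop(config)}
    nat = re.search(r"^ip nat inside source list (\S+) interface \S+ overload", config, re.M)
    if nat and acl_permits(acls.get(nat.group(1), []), src, dst):
        result["natted"] = True
        src = ipaddress.ip_address(OUTSIDE_ADDR)
        result["translated_src"] = OUTSIDE_ADDR
    for entry in parse_crypto_maps(config):
        if entry["acl"] and acl_permits(acls.get(entry["acl"], []), src, dst):
            result["peer"] = entry["peer"]
            break
    return result


if __name__ == "__main__":
    for flow in (("10.30.68.50", "8.8.8.8"), ("10.30.70.5", "8.8.8.8")):
        print(flow, classify_flow(CONFIG, *flow))
```

Running it shows that a DATA-VLAN host going to 8.8.8.8 is not translated (ACL 110 has only a deny, so no local NAT ever happens), keeps its 10.30.68.x source, matches ACL 100 and is handed to the peer 66.51.13.71; that is exactly why the HQ side needs a mirrored crypto ACL (any to the branch /24s) plus a NAT rule for those prefixes, as the reply above asks. A host on a subnet that is not in ACL 100 (the second flow) is neither translated nor encrypted and would leave toward 38.122.0.161 with a private source address.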