12-27-2012 11:23 AM - edited 03-07-2019 10:47 AM
Hi all,
This problem has been breaking my brains for some time now. I'm having a strange problem where I'm not able to get through a Cisco 2960-S L2 switch when connected through VPN, while LAN-WAN traffic is working fine.
The situation on site is the following:
When inside the network I'm able to get to the internet without a problem. The problem is within a VPN session. When this session is successfully started I can ping and manage the Cisco 2960-S switch, but I can't ping or manage the Dell switch from my laptop. I can however ping the Dell from the Cisco switch.
Any help how to get the vpn-traffic up and running would be greatly appreciated.
Please see my configs for the Cisco's and the rebranded Cisco/Dell PowerConnect:
Asa 5512-X:
ASA Version 8.6(1)2
!
hostname 5512-X
domain-name exam.ple
names
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group WWW
ip address pppoe setroute
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.16.0.228 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
regex blockex1 "/test/"
regex blockex2 "amazon\.com"
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name exam.ple
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Internal
subnet 172.16.0.0 255.255.255.0
object network 1
host 172.16.0.240
object service 1718T
service tcp source eq 1718
object service 1718U
service udp source eq 1718
object service 1719T
service tcp source eq 1719
object service 1719U
service udp source eq 1719
object service 1720T
service tcp source eq h323
object service 1720U
service udp source eq 1720
object service 5060T
service tcp source eq sip
object service 5060U
service udp source eq sip
object service 5061T
service tcp source eq 5061
object service 5061U
service udp source eq 5061
object service 60000T
service tcp destination range 60000 60020
object service 60000U
service udp destination range 60000 60020
object service VideorangeT
service tcp destination range 60000 60020
object service VideorangeU
service udp destination range 60000 60020
object network remotevpn
subnet 192.168.199.0 255.255.255.0
object-group service Videorange udp
port-object eq 1718
port-object eq 1719
port-object eq 1720
port-object eq sip
port-object eq 5061
port-object range 60000 60020
object-group service Videor tcp
port-object eq 1718
port-object eq 1719
port-object eq h323
port-object eq sip
port-object eq 5061
port-object range 60000 60020
access-list PermitOutsideIn extended permit icmp any any echo
access-list PermitOutsideIn extended permit icmp any any echo-reply
access-list PermitOutsideIn extended permit icmp any any source-quench
access-list PermitOutsideIn extended permit icmp any any time-exceeded
access-list PermitOutsideIn extended permit udp any object Video object-group Videorange
access-list PermitOutsideIn extended permit tcp any object Video object-group Videor
access-list nonat remark ACL for Nat bypass via VPN Client
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 object remotevpn
access-list splitvpn remark ACL for VPN split tunnel
access-list splitvpn standard permit 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool remotevpn 192.168.199.10-192.168.199.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Video interface service VideorangeU VideorangeU
nat (inside,outside) source static Video interface service VideorangeT VideorangeT
nat (inside,outside) source static Video interface service VideorangeU VideorangeU
nat (inside,outside) source static Video interface service VideorangeT VideorangeT
nat (inside,outside) source static Video interface service 1718U 1718U
nat (inside,outside) source static Video interface service 1718T 1718T
nat (inside,outside) source static Video interface service 1719U 1719U
nat (inside,outside) source static Video interface service 1719T 1719T
nat (inside,outside) source static Video interface service 1720U 1720U
nat (inside,outside) source static Video interface service 1720T 1720T
nat (inside,outside) source static Video interface service 5060U 5060U
nat (inside,outside) source static Video interface service 5060T 5060T
nat (inside,outside) source static Video interface service 5061U 5061U
nat (inside,outside) source static Video interface service 5061T 5061T
nat (inside,outside) source static Internal Internal destination static remotevpn remotevpn no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group PermitOutsideIn in interface outside
route outside 0.0.0.0 0.0.0.0 37.0.81.170 1
route inside 172.16.1.0 255.255.255.0 172.16.0.99 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4433
http 172.16.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set remotevpn esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set remotevpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp nat-traversal 60
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group WWW request dialout pppoe
vpdn group WWW localname name
vpdn group WWW ppp authentication pap
vpdn username name password ***** store-local
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 172.16.0.249 8.8.8.8
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
default-domain value exam.ple
username vpn password xxx encrypted
username adm password xxx encrypted privilege 15
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool remotevpn
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 40 retry 5
!
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-any block-url-class
match request uri regex blockex1
match request header host regex blockex2
class-map bypass_traffic
match access-list PermitOutsideIn
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http block-url-policy
policy-map tcp_bypass_policy
class bypass_traffic
set connection conn-max 256 random-sequence-number disable
policy-map custom-shaper-10000kbps
class class-default
!
service-policy global_policy global
service-policy custom-shaper-10000kbps interface outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 5
subscribe-to-alert-group configuration periodic monthly 5
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end
Cisco 2960S:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2960S
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
enable password xxx
!
!
!
macro global description cisco-global | cisco-global
no aaa new-model
clock timezone UTC 1
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
udld aggressive
!
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/1
(...)
!
interface GigabitEthernet0/22
switchport trunk native vlan 2
switchport mode trunk
mls qos trust cos
macro description cisco-router
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
switchport trunk native vlan 2
switchport mode trunk
mls qos trust cos
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/26
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 172.16.0.253 255.255.255.0
!
interface Vlan3
ip address 172.16.1.253 255.255.255.0
!
interface Vlan8
ip address 192.168.199.254 255.255.255.0
!
ip default-gateway 172.16.0.228
ip http server
ip http secure-server
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
Rebranded Cisco/Dell PowerConnect:
!Current Configuration:
!System Description "PowerConnect 6224, 3.3.4.1, VxWorks 6.5"
!System Software Version 3.3.4.1
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 2-8,99,130
vlan routing 2 1
vlan routing 3 2
vlan routing 4 3
vlan routing 8 4
vlan association subnet 172.16.0.0 255.255.255.0 2
vlan association subnet 172.16.1.0 255.255.255.0 3
vlan association subnet 172.16.4.0 255.255.255.0 4
vlan association subnet 172.16.5.0 255.255.255.0 5
vlan association subnet 172.16.130.0 255.255.255.0 130
vlan association subnet 172.16.130.0 255.255.255.0 1
vlan association subnet 169.254.0.0 255.255.255.0 99
vlan association subnet 192.168.50.0 255.255.255.0 6
vlan association subnet 192.168.51.0 255.255.255.0 7
vlan association subnet 192.168.199.0 255.255.255.0 8
exit
snmp-server location "Server rack"
hostname "Core switches"
sntp unicast client enable
sntp server 172.16.0.249
clock timezone 1 minutes 0
stack
member 1 1
member 2 1
member 3 1
member 4 1
member 5 1
exit
ip address 172.16.151.99 255.255.255.0
lacp system-priority 120
ip routing
interface vlan 2
routing
ip address 172.16.0.99 255.255.255.0
exit
interface vlan 3
routing
ip address 172.16.1.99 255.255.255.0
exit
interface vlan 4
routing
ip address 172.16.4.99 255.255.255.0
exit
interface vlan 8
name "vpn"
routing
ip address 192.168.199.99 255.255.255.0
exit
username "adm" password xxx level 15 encrypted
line ssh
login authentication defaultList
exit
snmp-server enable traps captive-portal
snmp-server enable traps captive-portal client-connect
snmp-server enable traps captive-portal client-disconnect
!
interface ethernet 1/g1
switchport access vlan 2
exit
!
(...)
interface ethernet 1/g24
description 'Cisco2960'
switchport mode general
switchport general allowed vlan add 2,8
exit
!
enable password xxx
exit
12-27-2012 12:15 PM
Hi,
You need to remove the ip default-gateway from the 2960 and use the ip route command, and I don't see any default routes configured on your Dell switch.
Thanks
12-27-2012 12:26 PM
Hi Mahmoodmkl,
Thanks for your answer. I got rid of the gateway on the 2960S and added this route on the Dell: ip route 192.168.199.0 255.255.255.0 10.0.0.228 20, but I still can't ping the Dell switch when connected through VPN. The 2960S is a LAN Lite switch; the ip route command unfortunately isn't working on this one.
Any help is greatly appreciated.
12-27-2012 12:38 PM
Hi,
I think you need to have a route on your ASA as well for the subnet 172.16.0.0 255.255.255.0.
Thanks
12-27-2012 01:24 PM
Thanks again for your answer mahmoodmkl. The route to the 172.16.0.0/24 network is already on the ASA. It is added automatically in the config since GE0/1 is in this network.
After removing the gateway on the 2960S switch I couldn't ping this one anymore from the VPN client, so I added this one again on the 2960S.
I believe the problem is somewhere between the 2960S and the Dell switches, but I can't really find out what it is.
12-27-2012 01:47 PM
Hi
The route is there for 172.16.1.0, not for 172.16.0.0.
Sent from Cisco Technical Support iPhone App
12-27-2012 01:47 PM
Got it working!
The problem was in VLAN 8 that was added to the Dell switch. After removing this VLAN I was able to ping the entire network.
Thanks for your help and time mahmoodmkl.
12-27-2012 01:54 PM
Hi
If the issue is resolved, then mark this thread as resolved, which will benefit others.
Sent from Cisco Technical Support iPhone App
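As an added illustration of why removing VLAN 8 from the Dell fixed the return path (this is example code written for this thread, not configuration or code from the original poster, Cisco or Dell): the Dell had "interface vlan 8" with 192.168.199.99/24, the same /24 as the ASA's remotevpn pool. A directly connected subnet wins over any static or default route for that prefix (administrative distance 0), so the Dell treated every VPN client address as a local host on VLAN 8, ARPed for it there, and never sent the reply toward the ASA. The model below is constructed: the routing tables are reduced to the prefixes visible in the posted configs, the static route to the pool is assumed to point at the ASA's inside address 172.16.0.228, the per-segment host lists are made up for the simulation, and the ASA's tunnel is modelled as a connected route that holds the VPN client.

```python
import ipaddress

# Addresses taken from the posted configs.
ASA_INSIDE = "172.16.0.228"   # ASA GigabitEthernet0/1
DELL_VLAN2 = "172.16.0.99"    # Dell "interface vlan 2"
VPN_CLIENT = "192.168.199.10" # first address of the ASA "remotevpn" pool (constructed client)

# Constructed topology data: which router owns a next-hop address, and which
# hosts really sit on each connected segment (used to decide whether ARP would succeed).
OWNERS = {ASA_INSIDE: "asa", DELL_VLAN2: "dell"}
SEGMENT_HOSTS = {
    "asa:inside": {ASA_INSIDE, DELL_VLAN2, "172.16.0.253"},
    "asa:vpn-tunnel": {VPN_CLIENT},   # clients are reachable only through the ASA's tunnel
    "dell:vlan 2": {ASA_INSIDE, DELL_VLAN2},
    "dell:vlan 8": set(),             # nothing is physically attached to VLAN 8
}

def asa_routes():
    """ASA table: connected inside, static to 172.16.1.0/24 via the Dell, the VPN pool, default."""
    return [
        {"prefix": "172.16.0.0/24", "connected": "inside", "ad": 0},
        {"prefix": "172.16.1.0/24", "via": DELL_VLAN2, "ad": 1},
        {"prefix": "192.168.199.0/24", "connected": "vpn-tunnel", "ad": 0},  # pool (reverse-route)
        {"prefix": "0.0.0.0/0", "via": "37.0.81.170", "ad": 1},
    ]

def dell_routes(vlan8_present, static_to_asa):
    """Dell table. vlan8_present reproduces the broken state; static_to_asa is the assumed fix route."""
    routes = [
        {"prefix": "172.16.0.0/24", "connected": "vlan 2", "ad": 0},
        {"prefix": "172.16.1.0/24", "connected": "vlan 3", "ad": 0},
        {"prefix": "172.16.4.0/24", "connected": "vlan 4", "ad": 0},
    ]
    if vlan8_present:
        routes.append({"prefix": "192.168.199.0/24", "connected": "vlan 8", "ad": 0})
    if static_to_asa:
        routes.append({"prefix": "192.168.199.0/24", "via": ASA_INSIDE, "ad": 1})
    return routes

def longest_match(routes, dst):
    """Longest-prefix match; ties broken by lowest administrative distance (connected beats static)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, -r["ad"]))

def trace_reply(dell, dst=VPN_CLIENT, max_hops=4):
    """Follow the Dell's reply to a VPN client hop by hop. Returns (path, verdict)."""
    tables = {"asa": asa_routes(), "dell": dell}
    device, path = "dell", []
    for _ in range(max_hops):
        route = longest_match(tables[device], dst)
        if route is None:
            path.append(f"{device}: no route to {dst}")
            return path, "dropped"
        if "connected" in route:
            segment = f"{device}:{route['connected']}"
            if dst in SEGMENT_HOSTS.get(segment, set()):
                path.append(f"{device}: delivered on {route['connected']}")
                return path, "delivered"
            path.append(f"{device}: {route['prefix']} is connected on {route['connected']}, "
                        f"but {dst} is not there, so ARP fails and the reply is dropped")
            return path, "dropped"
        path.append(f"{device}: {route['prefix']} via {route['via']}")
        device = OWNERS[route["via"]]
    return path, "loop"

if __name__ == "__main__":
    for label, table in [("VLAN 8 present", dell_routes(True, True)),
                         ("VLAN 8 removed", dell_routes(False, True)),
                         ("no route at all", dell_routes(False, False))]:
        path, verdict = trace_reply(table)
        print(f"{label}: {verdict}")
        for step in path:
            print("  " + step)
```

The first case shows the symptom from the thread: the reply never leaves the Dell, even though a route toward the ASA exists, because the connected VLAN 8 prefix is preferred. The third case is the state Mahmood pointed at earlier (no route back to the pool at all), which drops the reply for a different reason, so both the missing route and the overlapping VLAN had to be addressed.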