cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

238
Views
0
Helpful
9
Replies
Highlighted
Beginner

Accessing second VLAN over VPN

Hi,

 

I'm having trouble accessing a newley created VAN on one of our remote office routers. We connect via VPN from a ASA5500 firewall at our head office to a Cisco 800 series router at the remote office. I can ping VLAN 1 (10.10.20.1) but cannot ping the new VLAN 10 (10.10.30.1).

Any ideas?

Thanks in advance

Here is part of the config at the remote office:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MyPassword address x.x.x.x
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set strong
 match address VPN-ACL
!
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 ip address x.x.x.x 255.255.255.224
 ip virtual-reassembly in
 duplex auto
 speed 10
 crypto map vpn
!
interface Vlan1
 description Wired_LAN
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map nonat
!
interface Vlan10
 description Wireless_LAN
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map nonat
!
ip nat inside source list 106 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended VPN-ACL
 permit ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.255.255
 permit ip 10.10.30.0 0.0.0.255 10.1.1.0 0.0.255.255
!
access-list 106 deny   ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 deny   ip 10.10.30.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 permit ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 permit ip 10.10.30.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 permit ip 10.10.20.0 0.0.0.255 any
access-list 106 permit ip 10.10.30.0 0.0.0.255 any
mac-address-table aging-time 15

 

Everyone's tags (3)
9 REPLIES 9
Participant

Hi,Do you see the VPN tunnel

Hi,

Do you see the VPN tunnel ipsec SA up for both subnets? If yes, do you see encrypt / decrypts on both sides?

Show cry ips sa peer <peer ip>

HTH

Abaji.

 

Beginner

Thanks Abaji for your reply,

Thanks Abaji for your reply,

 

Can you help a little more "Do you see the VPN tunnel ipsec SA up for both subnets", how can I confirm this?

I have ran Show cry ips sa peer <peer ip>, but I'm not sure what I'm looking for,

 

thanks

 

Participant

Could you paste the outputs

Could you paste the outputs here?

HTH

Abaji

Beginner

Output from remote office:

Output from remote office:

 

interface: GigabitEthernet1
    Crypto map tag: vpn, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3495589, #pkts encrypt: 3495589, #pkts digest: 3495589
    #pkts decaps: 3498594, #pkts decrypt: 3498594, #pkts verify: 3498594
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x3545C58B(893765003)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x771DC5E8(1998439912)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2081, flow_id: Onboard VPN:81, sibling_flags 80000040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4308998/490)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3545C58B(893765003)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2082, flow_id: Onboard VPN:82, sibling_flags 80000040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4309122/490)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13164934, #pkts encrypt: 13164934, #pkts digest: 13164934
    #pkts decaps: 11987692, #pkts decrypt: 11987692, #pkts verify: 11987692
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x6FD3B17A(1876144506)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x368ED242(915329602)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2079, flow_id: Onboard VPN:79, sibling_flags 80004040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (3787228/484)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6FD3B17A(1876144506)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2080, flow_id: Onboard VPN:80, sibling_flags 80004040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4080462/484)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

Head office ASA firewall:

peer address: x.x.x.x
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: BT_PublicIP_82

      local ident (addr/mask/prot/port): (net_inside_all/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 8829466, #pkts encrypt: 8829466, #pkts digest: 8829466
      #pkts decaps: 9625467, #pkts decrypt: 9625467, #pkts verify: 9625467
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8829466, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: BT_PublicIP_82, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2FC222B0

    inbound esp sas:
      spi: 0x40C9A5EF (1086957039)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4365350/2705)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2FC222B0 (801252016)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4326709/2703)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: BT_PublicIP_82

      local ident (addr/mask/prot/port): (Avaya_Voice_System/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 2207913, #pkts encrypt: 2207913, #pkts digest: 2207913
      #pkts decaps: 2204171, #pkts decrypt: 2204171, #pkts verify: 2204171
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2207913, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: BT_PublicIP_82, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E9CEED06

    inbound esp sas:
      spi: 0x5CF79A15 (1559730709)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4372392/2684)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE9CEED06 (3922652422)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4372340/2684)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

Thx!

Participant

Is this router connecting to

Is this router connecting to ASA as dynamic peer?

 

If this is static peer make sure the correct tunnel-group and crypto map peer is defined on the ASA as I see the connection is using default dynamic MAP of ASA.

 

Looks like SA for this subnet is not up. Please check the crypto map ACL matches on both sides.

Can you provide latest configurations of both sides?

HTH

Abaji.

 

 

Beginner

Hi, thanks for your helpI

Hi, thanks for your help

Both sides use a static peer

"Looks like SA for this subnet is not up" how did you wok that out

I cannot post my entire ASA firewall config for security reasons, sry

On the other site (HQ) is a ASA firewall. I have the ACL:

name 10.10.0.0 Remote_office
access-list inside_outbound_nat0_acl extended permit ip net_inside_all 255.255.0.0 Remote_office 255.255.0.0 
access-list outside_2_cryptomap extended permit ip net_inside_all 255.255.0.0 Remote_office 255.255.0.0

 

Thanks loads

Participant

On router outputs you can see

On router outputs you can see no spi values under esp sa for non working subnet (means no SA formed)

 

On ASA you can see "Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP" which means static crypto map is not used.

Make sure crypt map ACLs are exact match (mirror) & peer IPs are configured correctly.

 

10.10.X.X is not eq to 10.10.20.X and 10.10.30.X

HTH

Abaji.

 

Beginner

Hi Abaji, I have looked over

Hi Abaji,

 

I have looked over this for many days and I really don't know what your asking me to change. Am sorry for my ignorance of VPN but I'm stuck on this one

 

Thanks again :)

Participant

Hi Mike, Try going through

Hi Mike,

 

Try going through this doc to understand how the l2l VPN works and configured on ASA and Router :http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/112153-ccp-vpn-asa-router-config-00.html#CLI

If that does not help, you might want to open a TAC case.

HTH

Abaji.

 

 

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here