Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
693
Views
0
Helpful
9
Replies

Accessing second VLAN over VPN

Mike Hulme
Level 1
Level 1

‎05-31-2015 09:26 AM

Hi,

 

I'm having trouble accessing a newley created VAN on one of our remote office routers. We connect via VPN from a ASA5500 firewall at our head office to a Cisco 800 series router at the remote office. I can ping VLAN 1 (10.10.20.1) but cannot ping the new VLAN 10 (10.10.30.1).

Any ideas?

Thanks in advance

Here is part of the config at the remote office:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MyPassword address x.x.x.x
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set strong
 match address VPN-ACL
!
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 ip address x.x.x.x 255.255.255.224
 ip virtual-reassembly in
 duplex auto
 speed 10
 crypto map vpn
!
interface Vlan1
 description Wired_LAN
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map nonat
!
interface Vlan10
 description Wireless_LAN
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map nonat
!
ip nat inside source list 106 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended VPN-ACL
 permit ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.255.255
 permit ip 10.10.30.0 0.0.0.255 10.1.1.0 0.0.255.255
!
access-list 106 deny   ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 deny   ip 10.10.30.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 permit ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 permit ip 10.10.30.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 106 permit ip 10.10.20.0 0.0.0.255 any
access-list 106 permit ip 10.10.30.0 0.0.0.255 any
mac-address-table aging-time 15

 

Labels:
0 Helpful
9 Replies 9

Abaji Rawool
Level 3
Level 3

‎06-01-2015 04:24 AM

Hi,

Do you see the VPN tunnel ipsec SA up for both subnets? If yes, do you see encrypt / decrypts on both sides?

Show cry ips sa peer <peer ip>

HTH

Abaji.

 

0 Helpful

Mike Hulme
Level 1
Level 1
In response to Abaji Rawool

‎06-01-2015 04:43 AM

Thanks Abaji for your reply,

 

Can you help a little more "Do you see the VPN tunnel ipsec SA up for both subnets", how can I confirm this?

I have ran Show cry ips sa peer <peer ip>, but I'm not sure what I'm looking for,

 

thanks

 

0 Helpful

Abaji Rawool
Level 3
Level 3
In response to Mike Hulme

‎06-01-2015 04:47 AM

Could you paste the outputs here?

HTH

Abaji

0 Helpful

Mike Hulme
Level 1
Level 1
In response to Abaji Rawool

‎06-01-2015 05:48 AM

Output from remote office:

 

interface: GigabitEthernet1
    Crypto map tag: vpn, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3495589, #pkts encrypt: 3495589, #pkts digest: 3495589
    #pkts decaps: 3498594, #pkts decrypt: 3498594, #pkts verify: 3498594
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x3545C58B(893765003)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x771DC5E8(1998439912)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2081, flow_id: Onboard VPN:81, sibling_flags 80000040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4308998/490)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3545C58B(893765003)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2082, flow_id: Onboard VPN:82, sibling_flags 80000040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4309122/490)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13164934, #pkts encrypt: 13164934, #pkts digest: 13164934
    #pkts decaps: 11987692, #pkts decrypt: 11987692, #pkts verify: 11987692
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x6FD3B17A(1876144506)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x368ED242(915329602)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2079, flow_id: Onboard VPN:79, sibling_flags 80004040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (3787228/484)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6FD3B17A(1876144506)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2080, flow_id: Onboard VPN:80, sibling_flags 80004040, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4080462/484)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

Head office ASA firewall:

peer address: x.x.x.x
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: BT_PublicIP_82

      local ident (addr/mask/prot/port): (net_inside_all/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 8829466, #pkts encrypt: 8829466, #pkts digest: 8829466
      #pkts decaps: 9625467, #pkts decrypt: 9625467, #pkts verify: 9625467
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8829466, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: BT_PublicIP_82, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2FC222B0

    inbound esp sas:
      spi: 0x40C9A5EF (1086957039)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4365350/2705)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2FC222B0 (801252016)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4326709/2703)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: BT_PublicIP_82

      local ident (addr/mask/prot/port): (Avaya_Voice_System/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 2207913, #pkts encrypt: 2207913, #pkts digest: 2207913
      #pkts decaps: 2204171, #pkts decrypt: 2204171, #pkts verify: 2204171
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2207913, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: BT_PublicIP_82, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E9CEED06

    inbound esp sas:
      spi: 0x5CF79A15 (1559730709)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4372392/2684)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE9CEED06 (3922652422)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 229376, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4372340/2684)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

Thx!

0 Helpful

Abaji Rawool
Level 3
Level 3
In response to Mike Hulme

‎06-03-2015 12:27 AM

Is this router connecting to ASA as dynamic peer?

 

If this is static peer make sure the correct tunnel-group and crypto map peer is defined on the ASA as I see the connection is using default dynamic MAP of ASA.

 

Looks like SA for this subnet is not up. Please check the crypto map ACL matches on both sides.

Can you provide latest configurations of both sides?

HTH

Abaji.

 

 

0 Helpful

Mike Hulme
Level 1
Level 1
In response to Abaji Rawool

‎06-09-2015 10:29 AM

Hi, thanks for your help

Both sides use a static peer

"Looks like SA for this subnet is not up" how did you wok that out

I cannot post my entire ASA firewall config for security reasons, sry

On the other site (HQ) is a ASA firewall. I have the ACL:

name 10.10.0.0 Remote_office
access-list inside_outbound_nat0_acl extended permit ip net_inside_all 255.255.0.0 Remote_office 255.255.0.0 
access-list outside_2_cryptomap extended permit ip net_inside_all 255.255.0.0 Remote_office 255.255.0.0

 

Thanks loads

0 Helpful

Abaji Rawool
Level 3
Level 3
In response to Mike Hulme

‎06-10-2015 06:07 AM

On router outputs you can see no spi values under esp sa for non working subnet (means no SA formed)

 

On ASA you can see "Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP" which means static crypto map is not used.

Make sure crypt map ACLs are exact match (mirror) & peer IPs are configured correctly.

 

10.10.X.X is not eq to 10.10.20.X and 10.10.30.X

HTH

Abaji.

 

0 Helpful

Mike Hulme
Level 1
Level 1
In response to Abaji Rawool

‎06-22-2015 07:25 AM

Hi Abaji,

 

I have looked over this for many days and I really don't know what your asking me to change. Am sorry for my ignorance of VPN but I'm stuck on this one

 

Thanks again :)

0 Helpful

Abaji Rawool
Level 3
Level 3
In response to Mike Hulme

‎06-29-2015 12:43 AM

Hi Mike,

 

Try going through this doc to understand how the l2l VPN works and configured on ASA and Router :http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/112153-ccp-vpn-asa-router-config-00.html#CLI

If that does not help, you might want to open a TAC case.

HTH

Abaji.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents