Site to Site VPN with layer 3 switch behind router

Jpadams23
Level 1

Here is my network configuration.

ASA5520 -------- Internet (S2S VPN) -------- Cisco 1821 -------- Cisco 3560 (Layer 3)
10.100.10.x/24                               10.131.4.1/29      10.131.4.2/29
                                                                192.168.1.x/24
                                                                192.168.2.x/24

The tunnel establishes between the ASA and the Cisco 1821. I am able to ping the ASA network from the 1821. I am also able to ping the ASA network from the 3560 switch on the 10.131.4.x VLAN. However, I am unable to ping the ASA network from any of the other VLANs on the 3560. I have tried adding the subnets to the interesting traffic in the tunnel and that did not work. I have also tried adding a static route on the ASA pointing to 10.131.4.2 for those networks and I was still unable to ping those networks.

I'm guessing this is a simple fix, but I am unable to see it for some reason.

Thanks in advance for your help!

6 Replies

jj27
Spotlight

If you are doing NAT on the router and/or ASA, make sure that all of your interesting traffic is NAT exempt.

Sent from Cisco Technical Support Android App

Jpadams23
Level 1

The router and ASA both do NAT to protect the networks behind them. I have placed the networks on the 3560 in the ACL on the router and on the ASA, along with putting the static route in.

Any thoughts? I can attach configs if that would help.

Sent from Cisco Technical Support iPhone App

jj27
Spotlight

Yes please post configs.

Please remove any public IP or passwords.

Sent from Cisco Technical Support Android App

Below are the parts of the config that pertain to this particular site. We have over 30 VPN tunnels on the ASA, and with all the network objects it is rather long.

ASA

route Lan 192.168.4.0 255.255.255.0 10.131.4.2
!
object network OF_LIGO_192
 subnet 192.168.2.0 255.255.255.0
object network OF_LIGO_191
 subnet 192.168.1.0 255.255.255.0
object network OF_LIGO_131
 subnet 10.131.4.0 255.255.255.248
object-group network DM_INLINE_NETWORK_7
 network-object object OF_LIGO_131
 network-object object OF_LIGO_192
 network-object object OF_LIGO_191
access-list Internet_cryptomap line 1 extended permit ip object DC_LAN object-group DM_INLINE_NETWORK_7
group-policy GroupPolicy_**** internal
group-policy GroupPolicy_**** attributes
 vpn-tunnel-protocol ikev1
exit
tunnel-group ***** type ipsec-l2l
tunnel-group ***** general-attributes
 default-group-policy GroupPolicy_******
tunnel-group ****** ipsec-attributes
 ikev1 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
crypto map Internet_map 33 match address Internet_cryptomap
crypto map Internet_map 33 set peer *******
crypto map Internet_map 33 set ikev1 transform-set ESP-AES-256-SHA
nat (Lan,Internet) 34 source static DC_LAN DC_LAN destination static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 no-proxy-arp route-lookup

Router

interface fa 0/0
 ip address 10.131.4.1 255.255.255.248
!
crypto map VPN 1 ipsec-isakmp
 description Tunnel to****************
 set peer x.x.x.x
 set transform-set VPN
 match address 100
!
ip nat inside source route-map NAT interface FastEthernet0/0 overload
!
route-map NAT permit 1
 match ip address 101
!
access-list 100 permit 10.131.4.0 0.0.0.7 10.100.10.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255 10.100.10.0 0.0.0.255
!
access-list 101 deny 10.131.4.0 0.0.0.7 10.100.10.0 0.0.0.255
access-list 101 deny 192.168.1.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny 192.168.2.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 permit 10.131.4.0 0.0.0.7 any

3560

vlan 1
 192.168.1.1 255.255.255.0
!
vlan 2
 192.168.2.1 255.255.255.0
!
vlan 131
 10.131.4.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.131.4.1

jj27
Spotlight

Assumptions made are that DC_LAN is 10.100.10.0/24 and the router has a route for both 192.168.1.0/24 and 192.168.2.0/24 pointing to 10.131.4.2.

Also, I see access-list 100 has a duplicate 192.168.1.0/24 entry instead of one for that and one for 192.168.2.0/24.

Please show me the output from the following command on the ASA: packet-tracer input Lan TCP 10.100.10.1 80 192.168.1.1 80

Sent from Cisco Technical Support Android App
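The two points raised above (NAT exemption for all interesting traffic, and the duplicate line in access-list 100) are both mirror-image checks: every (local, remote) pair in the ASA crypto ACL should appear reversed as a permit in the router's crypto ACL and as a deny in the ACL its NAT route-map matches. The following script is an added example, not code from this thread or from Cisco, that parses the ASA object definitions and both router ACLs and reports any pair that is missing or duplicated. The configs are transcribed from the posts above as constructed sample input; DC_LAN is assumed to be 10.100.10.0/24, as in the assumption stated above, and the ACL parser accepts the optional "ip" protocol keyword that real IOS extended ACLs carry.

```python
"""Mirror-image check of IPsec interesting traffic: ASA crypto ACL versus an
IOS router's crypto ACL and NAT-exempt ACL.  Added example, not the thread's code."""
import ipaddress
import re

# Constructed sample input, transcribed from the configs posted in the thread.
# The DC_LAN object is assumed to be 10.100.10.0/24 (not shown in the post).
ASA_CONFIG = """
object network DC_LAN
 subnet 10.100.10.0 255.255.255.0
object network OF_LIGO_192
 subnet 192.168.2.0 255.255.255.0
object network OF_LIGO_191
 subnet 192.168.1.0 255.255.255.0
object network OF_LIGO_131
 subnet 10.131.4.0 255.255.255.248
object-group network DM_INLINE_NETWORK_7
 network-object object OF_LIGO_131
 network-object object OF_LIGO_192
 network-object object OF_LIGO_191
access-list Internet_cryptomap line 1 extended permit ip object DC_LAN object-group DM_INLINE_NETWORK_7
"""

ROUTER_CONFIG = """
access-list 100 permit 10.131.4.0 0.0.0.7 10.100.10.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny 10.131.4.0 0.0.0.7 10.100.10.0 0.0.0.255
access-list 101 deny 192.168.1.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny 192.168.2.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 permit 10.131.4.0 0.0.0.7 any
"""


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks; turn 'addr wildcard' into a network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_asa_objects(config):
    """Return ({object name: network}, {group name: [member object names]})."""
    objects, groups, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group network (\S+)", line):
            current = ("group", m.group(1))
            groups[m.group(1)] = []
        elif m := re.match(r"object network (\S+)", line):
            current = ("object", m.group(1))
        elif (m := re.match(r"subnet (\S+) (\S+)", line)) and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"network-object object (\S+)", line)) and current and current[0] == "group":
            groups[current[1]].append(m.group(1))
    return objects, groups


def asa_crypto_pairs(config):
    """Expand the ASA crypto-map ACL into concrete (local, remote) network pairs."""
    objects, groups = parse_asa_objects(config)

    def expand(kind, name):
        return [objects[name]] if kind == "object" else [objects[n] for n in groups[name]]

    acl = re.compile(r"access-list \S+ (?:line \d+ )?extended permit ip "
                     r"(object|object-group) (\S+) (object|object-group) (\S+)")
    pairs = set()
    for raw in config.splitlines():
        if m := acl.match(raw.strip()):
            for src in expand(m.group(1), m.group(2)):
                for dst in expand(m.group(3), m.group(4)):
                    pairs.add((src, dst))
    return pairs


def _take_network(tokens):
    """Consume one IOS ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def ios_acl_entries(config, number):
    """Return [(action, src, dst)] for a numbered IOS access list."""
    entries = []
    pat = re.compile(rf"access-list {number} (permit|deny) (?:ip )?(.+)")
    for raw in config.splitlines():
        if m := pat.match(raw.strip()):
            action, rest = m.groups()
            src, remaining = _take_network(rest.split())
            dst, _ = _take_network(remaining)
            entries.append((action, src, dst))
    return entries


def check_mirror(asa_config, router_config, crypto_acl, nat_acl):
    """Report ASA pairs with no reversed permit in the router crypto ACL, no reversed
    deny in the NAT route-map ACL, and duplicate lines in the crypto ACL."""
    crypto_permits = [(s, d) for a, s, d in ios_acl_entries(router_config, crypto_acl) if a == "permit"]
    nat_denies = {(s, d) for a, s, d in ios_acl_entries(router_config, nat_acl) if a == "deny"}
    report = {"missing_crypto": [], "missing_nat_exempt": [], "duplicate_crypto": []}
    for local, remote in sorted(asa_crypto_pairs(asa_config), key=str):
        mirror = (remote, local)  # the router sees the same pair from the far side
        if mirror not in crypto_permits:
            report["missing_crypto"].append(mirror)
        if mirror not in nat_denies:
            report["missing_nat_exempt"].append(mirror)
    seen = set()
    for pair in crypto_permits:
        if pair in seen:
            report["duplicate_crypto"].append(pair)
        seen.add(pair)
    return report


if __name__ == "__main__":
    for key, pairs in check_mirror(ASA_CONFIG, ROUTER_CONFIG, 100, 101).items():
        print(key, [f"{s} -> {d}" for s, d in pairs] or "ok")
```

Run against the configs as posted, the report lists 192.168.2.0/24 -> 10.100.10.0/24 as missing from access-list 100 and the 192.168.1.0/24 line as duplicated, while access-list 101 exempts all three pairs from NAT.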

The reason for the double entry is that I typed the access list out instead of copying it. My apologies.

Here are the packet-tracer results and the routes on the ASA and the router.

DATAC-FW01# packet-tracer input Lan tcp 10.100.10.1 80 192.168.1.4 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   Lan

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9992541, packet dispatched to next module

Result:
input-interface: Lan
input-status: up
input-line-status: up
output-interface: Lan
output-status: up
output-line-status: up
Action: allow

DATAC-FW01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 64.132.195.33 to network 0.0.0.0

C    64.132.195.32 255.255.255.248 is directly connected, Internet
S    192.168.1.0 255.255.255.0 [1/0] via 10.131.4.2, Lan

Also the router has the routes to the networks.

LIGO-MDF-RTR01#sh run | i ip route
ip route 0.0.0.0 0.0.0.0 ********
ip route 192.168.1.0 255.255.255.0 10.131.4.2
ip route 192.168.2.0 255.255.255.0 10.131.4.2

Switch pings

LIGO-MDF-SW01#ping 10.100.10.10 source vlan 131

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.10.10, timeout is 2 seconds:
Packet sent with a source address of 10.131.4.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/30/34 ms
LIGO-MDF-SW01#ping 10.100.10.10 source vlan 192

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
.....
Success rate is 0 percent (0/5)
LIGO-MDF-SW01#

Traceroute from the switch using 192.168.1.254 as the source

Tracing the route to (10.100.10.10)

  1 10.131.4.1 0 msec 0 msec 0 msec
  2  *  *  *

The traffic is being dumped to the router but for some reason it is not forwarding it.

Thoughts?
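In the packet-tracer output above, the route lookup hits the 192.168.1.0/24 static route on Lan and the run ends with output-interface: Lan, the same interface the packet entered. A flow that the crypto map encrypts instead shows a VPN phase and egresses the interface the crypto map is bound to. The script below is an added example, not code from this thread or from Cisco, that parses a packet-tracer transcript and summarises the route hit, the egress interface, and whether a VPN phase appeared. The transcript is the one posted above, abridged to the lines the check reads (constructed sample input), and the crypto-map interface name Internet is assumed from the crypto map Internet_map and nat (Lan,Internet) lines.

```python
"""Summarise an ASA packet-tracer transcript: did the flow reach the crypto map?
Added example, not code from the thread or from Cisco."""
import re

# Constructed sample: the transcript posted in the thread, abridged to the
# lines this check reads.
PACKET_TRACER_OUTPUT = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   192.168.1.0     255.255.255.0   Lan

Phase: 9
Type: FLOW-CREATION
Result: ALLOW

Result:
input-interface: Lan
output-interface: Lan
Action: allow
"""


def analyze_packet_tracer(text, crypto_map_interface):
    """Return the phases seen, the route that was hit, the egress interface, and
    two flags: whether a 'Type: VPN' phase appeared and whether the flow leaves on
    the interface the crypto map is applied to (assumed name passed in)."""
    phases = re.findall(r"^Type:\s*(\S+)", text, re.M)
    out = re.search(r"^output-interface:\s*(\S+)", text, re.M)
    route = re.search(r"^in\s+(\S+)\s+(\S+)\s+(\S+)\s*$", text, re.M)
    output_interface = out.group(1) if out else None
    return {
        "phases": phases,
        "route_hit": f"{route.group(1)} {route.group(2)} via {route.group(3)}" if route else None,
        "output_interface": output_interface,
        "vpn_phase_seen": "VPN" in phases,
        "egress_on_crypto_map_interface": output_interface == crypto_map_interface,
    }


if __name__ == "__main__":
    # "Internet" is assumed to be the interface carrying crypto map Internet_map.
    for key, value in analyze_packet_tracer(PACKET_TRACER_OUTPUT, "Internet").items():
        print(f"{key}: {value}")
```

For the posted transcript both flags come back False: no VPN phase is present and the flow leaves on Lan rather than Internet, which matches the traceroute result of replies stopping one hop past the switch.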
