Adding vlans to a current site to site vpn

benningtonr
Level 1

I have a site to site VPN set up from my office to a remote office. I am planning on putting my DR data storage at the remote office. My current private network is 192.168.99.0/24, and my backup network is secluded via a second NIC on all my servers with a 172.16.16.0/24 address. I currently have a /22 public address space with one /24 address space as my NATting for inside services that require an outside address. All this is configured on an ASA 5550. I have at the remote site a single 192.168.3.0/24 address space via a single IP address through an ASA 5505. I want to extend the 172 backup network to the remote site. As of right now the 172 does not get routed anywhere, so it could be plugged into the ASA 5550, but I am not sure how to associate that traffic with the current site to site VPN.

21 Replies

ciscoasa# packet-tracer input outside icmp 192.168.3.5 0 0 172.16.16.10 detail$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24382cc8, priority=1, domain=permit, deny=false

        hits=55581142603, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.16.16.0     255.255.255.0   Back_Up

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit icmp any any echo-reply

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x245d14a8, priority=12, domain=permit, deny=false

        hits=444137, user_data=0x1db895c0, cs_id=0x0, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24385260, priority=0, domain=inspect-ip-options, deny=true

        hits=1098568894, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24384ed8, priority=66, domain=inspect-icmp-error, deny=false

        hits=2362501, user_data=0x24384dc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x24eee5e8, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=766526147, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1417282933, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: Back_Up

output-status: up

output-line-status: up

Action: allow

ciscoasa# packet-tracer input back icmp 172.16.16.10 0 0 192.168.3.5 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2b8fe040, priority=1, domain=permit, deny=false

        hits=19, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2d5af388, priority=0, domain=inspect-ip-options, deny=true

        hits=22, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x25e452a8, priority=66, domain=inspect-icmp-error, deny=false

        hits=10, user_data=0x25d9a348, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x49b72d88, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=668, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x2984eef8, priority=70, domain=encrypt, deny=false

        hits=1, user_data=0x0, cs_id=0x24ec9180, reverse, flags=0x0, protocol=0

        src ip=172.16.16.0, mask=255.255.255.0, port=0

        dst ip=192.168.3.0, mask=255.255.255.0, port=0, dscp=0x0

Result:

input-interface: Back_Up

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Did you issue this command twice?

packet-tracer input back icmp 172.16.16.10 0 0 192.168.3.5 detailed

If you did and the result is still drop in the VPN Phase then there is some mismatch between the L2L VPN configurations of the 2 sites.

I can't see any NAT Phase, but then again this is a new interface so it actually might not need any NAT configuration, as it doesn't even have a Dynamic PAT configuration (that would need to be overridden with the NAT0 for the L2L VPN).

- Jouni

Looks like it is working; the last thing to figure out is how to put the static route on the backup server. Tried using route add, but for some reason it keeps failing due to a bad parameter.

ciscoasa# packet-tracer input back icmp 172.16.16.10 0 0 192.168.3.5 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2b8fe040, priority=1, domain=permit, deny=false

        hits=21, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2d5af388, priority=0, domain=inspect-ip-options, deny=true

        hits=25, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x25e452a8, priority=66, domain=inspect-icmp-error, deny=false

        hits=11, user_data=0x25d9a348, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x49b72d88, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=736, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x254593e0, priority=70, domain=encrypt, deny=false

        hits=2, user_data=0xcfb37c, cs_id=0x24ec9180, reverse, flags=0x0, protocol=0

        src ip=172.16.16.0, mask=255.255.255.0, port=0

        dst ip=192.168.3.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1417424233, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: Back_Up

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow
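As an added example (not code from this thread or from Cisco), here is a small Python 3.8+ parser for packet-tracer output like the two runs above: it splits a trace into its phases and reports the first phase that returned DROP together with the Drop-reason, so the VPN encrypt drop of the first run and the clean re-run can be told apart programmatically. The embedded traces are constructed and abbreviated, keeping only the fields the parser uses.

```python
import re

# Constructed, abbreviated traces shaped like the two runs in this thread: "Phase: N"
# headers with Type/Subtype/Result lines, then a final bare "Result:" summary block.
TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 2
Type: VPN
Subtype: encrypt
Result: DROP
Result:
input-interface: Back_Up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_ALLOW = TRACE_DROP.split("Result: DROP")[0] + """\
Result: ALLOW
Result:
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")

def parse_trace(text):
    """Return (list of per-phase dicts, summary dict) for one packet-tracer run."""
    phases, summary, current = [], {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):  # skip blanks
        if m := PHASE_RE.match(line):
            phases.append(current := {"phase": int(m.group(1))})
        elif line == "Result:":            # bare "Result:" opens the final summary
            current = None
        elif current is not None:
            if m := FIELD_RE.match(line):  # Config:, hits=..., rule ids are ignored
                current[m.group(1).lower()] = m.group(2)
        elif ":" in line:                  # e.g. "Action: drop", "Drop-reason: ..."
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
    return phases, summary

def failing_phase(text):
    """(Type, Subtype, Drop-reason) of the first DROP phase, or None if all ALLOW."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p.get("result") == "DROP":
            return p.get("type", ""), p.get("subtype", ""), summary.get("Drop-reason", "")
    return None
```

Feeding it the full double-spaced forum copy works as well, since blank lines and the indented rule details are skipped.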

Hi,

Ok, so the L2L VPN should be fine itself now.

What device are the backup network's devices using as their default gateway? If they don't have any at the moment, then could their default gateway simply be configured as the ASA interface IP address?

If I understand correctly, the only devices they formed connections with were the devices directly connected to their network, and that would not be altered by adding a default gateway for those devices.

- Jouni

These devices have dual NICs, one for everyday production use and a separate one for the backup network. I want this traffic to traverse the 172 network to .3, not the production network.

Ah ok,

I thought there were servers with 2 NICs but some other devices only connected to the backup network that needed to use the L2L VPN.

Well in that case I guess it comes down to configuring the permanent static route pointing the remote network through the backup network interface.

This naturally means that all traffic to the remote network goes through that interface then. Whether this is a problem I am not sure. If there is any need to connect to the central site servers with 2 NICs through their other production network interface then that would cause problems.

- Jouni