ASA 5520 8.4.1 VPN/routing questions/troubleshooting

warriorforGod
Level 1

I have an ASA that sits at a remote site. Its gi0/0 interface connects to the outside world. Its gi0/1 interface connects to a c2800, which in turn connects to our main office via a point-to-point link with another c2800 on the other side. I am trying to get the IPsec VPN to work on the ASA. I want to be able to connect to the internal network, and also the internet. I think my issue is with either the routing or NAT. I have specified a VPN IP pool of 10.253.46.232 - 10.253.46.239. The remote site is the only place where the 10.253.46.0 subnet will be used. My questions are as follows.

1. Do I set up a static route on the c2800 that is directly connected to the ASA and distribute the route through OSPF?

2. Do I create a new VLAN on our core 6506 that is at the main office with the 10.253.46.0 subnet? (Would this affect traffic, as it would have to go between the sites for all traffic?)

3. Is there anything glaringly wrong with my config?

Thanks in advance for the help.  Here is my ASA config.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.249.126 255.255.255.128
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address x.x.55.126 255.255.255.0
 ospf authentication null
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.255.8.3
 name-server 10.255.8.4
 domain-name mycompany.com
same-security-traffic permit intra-interface
access-list outside extended permit object-group DM_INLINE_PROTOCOL_1 object vpn any log debugging
access-list outside extended permit object-group TCPUDP object vpn any log debugging
access-list inside extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list inside extended permit object-group TCPUDP any any log debugging
pager lines 24
logging enable
logging timestamp
logging standby
logging console errors
logging monitor critical
logging buffered errors
logging trap errors
logging history errors
logging asdm warnings
logging facility 23
logging queue 1024
logging host inside 10.255.54.1
no logging message 305010
no logging message 305009
no logging message 710005
no logging message 710006
no logging message 400010
no logging message 400011
no logging message 400014
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302016
mtu outside 1500
mtu inside 1500
ip local pool ipsec-client-pool 10.253.46.232-10.253.46.239 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
access-group outside in interface outside
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa-server Radius (inside) host rsaauthmgr
 ! key <removed>
 radius-common-pw us2!Remind
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 10
ssh version 2
console timeout 0
vpn-addr-assign local reuse-delay 5
threat-detection basic-threat
threat-detection scanning-threat shun except object-group business
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy systems internal
group-policy systems attributes
 dns-server value 10.255.8.3 10.255.8.4
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value corp.business.com
tunnel-group systems type remote-access
tunnel-group systems general-attributes
 address-pool ipsec-client-pool
 default-group-policy systems
tunnel-group systems ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ip-options
!
service-policy global_policy global
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command startup-config
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Shaik Zubair
Level 1

As far as routing is concerned, it would be a great idea to create a static route on the c2800 and redistribute static using OSPF. In that way all your return traffic for your VPN pool will eventually be redirected to the ASA interface gig0/1.

There is no need as such to create a separate VLAN on the core switch for routing traffic to the VPN client pool.

Here are some changes you can possibly use in your configuration.

crypto isakmp enable outside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2

Apart from the above, everything looks pretty much good.
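The routing change recommended in the reply, written out as c2800 and ASA configuration; this is an added example, not configuration posted by either participant. x.x.55.126 is the masked ASA inside address from the posted config, &lt;PID&gt;, &lt;OUTSIDE-GW&gt;, &lt;C2800-INSIDE&gt; and &lt;INTERNAL-SUMMARY&gt; &lt;MASK&gt; are placeholders, the ASA routes are assumed (none appear in the posted config), and the NAT lines go beyond the reply to cover the internet half of the question: with tunnelall, client internet traffic comes back out the outside interface, which the existing same-security-traffic permit intra-interface allows but for which the posted config has no NAT rule.

```cisco
! --- c2800 directly connected to the ASA inside interface (gi0/1) ---
! Static route for the VPN pool subnet (the post says 10.253.46.0 is used
! only at this site); next hop is the ASA inside address.
ip route 10.253.46.0 255.255.255.0 x.x.55.126
!
! Redistribute it into OSPF so the main-office c2800 and the core 6506
! learn the return path. <PID> is a placeholder for the OSPF process id.
router ospf <PID>
 redistribute static subnets
!
! --- ASA 5520, 8.4 ---
! Routes (assumed; the posted config shows none). <OUTSIDE-GW> is the
! ISP next hop, <C2800-INSIDE> the c2800 address on the inside segment,
! <INTERNAL-SUMMARY> <MASK> the main-office address space.
route outside 0.0.0.0 0.0.0.0 <OUTSIDE-GW>
route inside <INTERNAL-SUMMARY> <MASK> <C2800-INSIDE>
!
! Internet for tunnelall clients: traffic enters and leaves on "outside".
! "same-security-traffic permit intra-interface" is already configured;
! the pool also needs a dynamic PAT to the outside address (8.3+ syntax).
object network VPN-POOL
 range 10.253.46.232 10.253.46.239
nat (outside,outside) source dynamic VPN-POOL interface
```

The (outside,outside) rule matches only hairpinned internet traffic; VPN-client-to-inside traffic is (outside,inside) and stays untranslated, which is what the static route on the c2800 relies on.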