Create static site 2 site AND dynamic remote dial in VPNs - Help

seanwaite
Level 1

I have a 5505 site to site VPN with a 5510 whose connection works just fine. I have tried to add a remote dial in VPN via L2TP, and just fail every bloody time. The SSL VPN works fine FYI, but I also need actual network to network access.

[ACLs]

access-list 101 extended permit ip interface inside any 
access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list REMOTE_ACCESS extended permit ip 192.168.100.0 255.255.255.0 10.10.15.0 255.255.255.0 
access-list ACL_IN extended permit tcp any host 65.248.218.xxx eq www
access-list ACL_IN extended permit tcp any host 65.248.218.xxx eq https
access-list ACL_IN extended permit icmp any host 65.248.218.xxx
access-list ACL_IN extended permit icmp any host 65.248.218.xxx echo-reply

[NAT/Net]

ip local pool L2TP L2TP-10.10.15.254 mask 255.255.255.0
global (outside) 1 65.248.218.xxx netmask 255.255.255.248
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) 65.248.218.xxx 192.168.100.2 netmask 255.255.255.255
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 65.248.218.xxx 1

[Crypto - Dynamic]
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_DES_MD5 TRANS_ESP_DES_SHA TRANS_ESP_AES192_SHA TRANS_ESP_AES128_SHA

[Crypto - Site to site]

crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 2xx.xx.xxx.xxx
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside

I am convinced that my problem lies with creating a NO NAT rule for BOTH the site to site and remote dial in. If I create the access-list for both remote networks under the same name, as I understand it, then the dial in access will attempt to use the static VPN crypto map. Above I have two separate ACLs for the site to site and remote access:

access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0 
access-list REMOTE_ACCESS extended permit ip 192.168.100.0 255.255.255.0 10.10.15.0 255.255.255.0 

However, if I did the following:
access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0 
access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 10.10.15.0 255.255.255.0 

Then I am under the idea that there is no separation of which crypto map to use... correct? If I do separate ACL names for each VPN, then how do I prevent NAT?

At one point I backed up the config, and deleted all the VPN and went through the ASDM wizard hoping that would solve my problem....it did not. If I set this up for just the remote dial in access, then I have no problem. What I just can not seem to figure out is how I can have site to site static AND dynamic remote access.

4 Replies

Marcin Latosiewicz
Cisco Employee

Sean,

Did you get an answer on this so far?

I could look into this one, but I'd need some more info. (I'm sorry if any of this was answered)

- ASA versions

- topology diagram

- Information regarding RA client (is it L2TP over IPsec or plain IPsec?)

- What is the problem really, is it connecting to VPN or pushing traffic through?

- Logs on informational level if problem is with passing traffic

- Logs on debug level if problem is with establishing connection to headend.

Typically you have one ACL to identify traffic which is supposed to go via tunnel.

- REMOTE_SITE in your case.

You should also have a separate ACL specifying which traffic should not be natted.

Using same ACL for both is OK if you have one tunnel.

However, if more than one tunnel is established, you usually need a separate ACL for NAT exemption and for identifying what traffic is interesting for encryption.

In your case I'd do:

access-list MY_NAT0 extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0

access-list MY_NAT0 extended permit ip 192.168.100.0 255.255.255.0 MY_VPN_POOL MY_VPN_SUBNET

nat (inside) 0 access-list MY_NAT0

You just need to swap MY_VPN_POOL and MY_VPN_SUBNET

And stick to REMOTE_SITE being the ACL for encryption.

If I'm saying something obvious let me know, I'm still a bit puzzled by description ;-)

Marcin

Thanks for replying Marcin.


I have two ASAs: 5505 and 5510. The 5505 is at a branch office, the 5510 is at a data center. The 5510 currently has one static site 2 site VPN with the 5505 that is IPsec. The 5510 also has dial in remote access via L2TP that works. It is the 5505 that I am having problems with.


I attached the running configs for the ASA5505 (running-config-5505-NotWorking.txt), ASA5510 (unning-config-5510-Working.txt) as well as a document I just made up that is kind of color differentiated comparing the two configs.


The one problem I see is when I load up the ASAs with the ASDM. If I look at the "Configuration > Site-to-Site VPN > Advanced > Crypto Maps" for the ASA5510 it ONLY has the address of local network to remote network for the IPSEC connection. However the ASA5505 lists BOTH the IPSEC networks as well as the remote access L2TP pool. Actually the best way to explain this is in the attached screen shot. The bottom is for the ASA5505 that has included the L2TP pool along with the static IPSEC.


As for the problem specifically with the 5505: I can connect via Windows XP L2TP just fine, but cannot access the network. I should also add that I have no issues with the static IPsec connection between the two ASAs. Unfortunately for me I have no option at the moment of setting up a syslog server for the 5505.

The problem is resolved.

On the 5505 I had this line:

crypto map OUTSIDE_MAP 1 match address REMOTE_SITE

When I should have done this:

crypto map OUTSIDE_MAP 1 match address Outside_cryptomap

The ACLs for REMOTE_SITE included both the L2TP and IPSec. So when I connected via L2TP, it was trying to use the site to site crypto policy that for starters was not transport. Essentially I had L2TP and IPSEC trying and colliding on the same tunnel. Once I altered the crypto map for the site to site both dial in L2TP and the IPSEC work.
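
The two conditions this thread turns on (Marcin's point that NAT exemption and crypto-match need separate ACLs once there is more than one tunnel, and Sean's finding that the static crypto map's match-address ACL must not cover the L2TP pool) can be checked mechanically against a running-config dump. The following lint is an added example written for this page, not code from the thread or from Cisco: it parses the ASA 8.2-style lines used above (access-list, ip local pool, nat 0, crypto map match address), flags a static crypto map whose ACL overlaps a remote-access pool, and flags any site-to-site destination or pool that the nat 0 ACL does not exempt. The 192.168.100.0/24, 10.10.6.0/24 and 10.10.15.0/24 networks come from the thread; the pool range and the 203.0.113.10 peer address are constructed because the original pool line is garbled and the peer is masked.

```python
"""Lint an ASA 8.2-style config excerpt for two VPN misconfigurations
discussed in the thread: a static crypto map ACL that swallows the
remote-access pool, and a nat 0 ACL that does not exempt every tunnel."""
import ipaddress
import re

# Constructed sample modelled on the 5505 config as originally posted.
# The pool range and peer are assumptions; the RFC1918 subnets are the thread's.
SAMPLE_CONFIG = """
access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 10.10.15.0 255.255.255.0
ip local pool L2TP 10.10.15.1-10.10.15.254 mask 255.255.255.0
nat (inside) 0 access-list REMOTE_SITE
crypto map OUTSIDE_MAP 1 match address REMOTE_SITE
crypto map OUTSIDE_MAP 1 set peer 203.0.113.10
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""

# Constructed sample of the layout the thread converges on: a crypto ACL that
# names only the site-to-site subnet, and a separate nat 0 ACL covering both.
FIXED_CONFIG = """
access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list MY_NAT0 extended permit ip 192.168.100.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list MY_NAT0 extended permit ip 192.168.100.0 255.255.255.0 10.10.15.0 255.255.255.0
ip local pool L2TP 10.10.15.1-10.10.15.254 mask 255.255.255.0
nat (inside) 0 access-list MY_NAT0
crypto map OUTSIDE_MAP 1 match address Outside_cryptomap
crypto map OUTSIDE_MAP 1 set peer 203.0.113.10
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def _net(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Map ACL name -> list of (src_network, dst_network) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = _net(m.group(2).split())
            dst, _ = _net(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_pools(config):
    """Map pool name -> (first_address, last_address) for ip local pool lines."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in (POOL_RE.match(l.strip()) for l in config.splitlines()) if m}


def parse_nat0_acls(config):
    """Names of ACLs referenced by 'nat (ifc) 0 access-list' (NAT exemption)."""
    return [m.group(1) for m in (NAT0_RE.match(l.strip()) for l in config.splitlines()) if m]


def parse_static_crypto_entries(config):
    """Map (crypto map name, seq) -> ACL name for static 'match address' entries."""
    return {(m.group(1), int(m.group(2))): m.group(3)
            for m in (CRYPTO_MATCH_RE.match(l.strip()) for l in config.splitlines()) if m}


def _overlaps(net, first, last):
    """True if the address range [first, last] shares any address with net."""
    return first <= net.broadcast_address and last >= net.network_address


def lint(config):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings, acls, pools = [], parse_acls(config), parse_pools(config)
    crypto, nat0_acls = parse_static_crypto_entries(config), parse_nat0_acls(config)
    # Check 1: a static (peer-specific) crypto map must not match the dial-in pool,
    # otherwise L2TP clients are steered into the site-to-site policy (Sean's bug).
    seen = set()
    for (cmap, seq), acl in crypto.items():
        for _, dst in acls.get(acl, []):
            for pname, (first, last) in pools.items():
                if _overlaps(dst, first, last) and (cmap, seq, pname) not in seen:
                    seen.add((cmap, seq, pname))
                    findings.append(f"crypto map {cmap} {seq} match address {acl} covers "
                                    f"remote-access pool {pname} ({first}-{last}); dial-in "
                                    f"clients will be matched by the site-to-site policy")
    # Check 2: the nat 0 ACL must exempt every tunnel destination and every pool
    # (Marcin's point: one exemption ACL, separate from the crypto ACLs).
    nat0_dsts = [dst for acl in nat0_acls for _, dst in acls.get(acl, [])]
    vpn_dsts = []
    for acl in crypto.values():
        for _, dst in acls.get(acl, []):
            if dst not in vpn_dsts:
                vpn_dsts.append(dst)
    for dst in vpn_dsts:
        if not any(dst.subnet_of(n) for n in nat0_dsts):
            findings.append(f"nat 0 exemption does not cover site-to-site destination {dst}")
    for pname, (first, last) in pools.items():
        if not any(first in n and last in n for n in nat0_dsts):
            findings.append(f"nat 0 exemption does not cover remote-access pool {pname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, "->", lint(cfg) or "no findings")
```

Run against the "as posted" sample it reports exactly the collision Sean describes (OUTSIDE_MAP 1 matching an ACL that includes the L2TP pool) while the NAT exemption check passes, and against the corrected layout it reports nothing. The check deliberately treats any overlap, including a destination of `any`, as a hit, since a crypto ACL that broad would steer every dial-in client into the static peer's policy just the same.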

Sean,

Glad to hear it :-)

Sorry not to be of much help, time difference it seems

I'll rate your last post high, looks like it might help people.

Marcin
