02-13-2013 01:51 AM
Hi All,
I have a general question,
I have an ASA 5505 with two internet lines available. I basically want to have regular internet traffic going through the primary line and then have the VPN tunnel going out to a remote site on the second internet line.
I've had a try already and it seems to work with both lines plugged in but while the tunnel phase report ok we cannot ping anything in the remote sites LAN range.
Any ideas? Thanks
02-13-2013 02:50 AM
Would be great if you provided some config of devices on CO and RO.
02-13-2013 03:41 AM
Hi, config from my side is as follows, I've replaced all the IPs with false ones
xxxx# more system:running-config
Cryptochecksum: xxxxxx
: Saved
: Written by xxxxxx
!
ASA Version 8.2(1)
!
hostname xxxx
domain-name xxxxx
enable password xxxxx encrypted
passwd 2.xxxxx encrypted
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 76.152.1.52 255.255.255.248
!
interface Vlan3
no forward interface Vlan2
nameif outside2
ip address 80.152.1.52 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list oustide2_access_in extended permit icmp any any
access-list VPNUsersSplitTunnel standard permit 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list secondvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any host x.x.x.x log
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu failover 1500
ip local pool VPNUsersPool x.x.x.x-x.x.x.x mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
asdm location x.x.x.x 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 76.152.1.53 1 track 1
route failover 0.0.0.0 0.0.0.0 80.152.1.53 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IASRadius protocol radius
aaa-server IASRadius (inside) host 192.168.0.2
timeout 5
key RADIUSKEY
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set vpnset1 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set vpnset2 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap 1 match address outside_1_cryptomap_1
crypto map vpnmap 1 set peer x.x.x.x
crypto map vpnmap 1 set transform-set vpnset1
crypto map vpnmap 1 set security-association lifetime seconds 28800
crypto map vpnmap 1 set security-association lifetime kilobytes 4608000
crypto map vpnmap 15 match address VPN2
crypto map vpnmap 15 set peer z.z.z.z
crypto map vpnmap 15 set transform-set vpnset2
crypto map vpnmap 15 set security-association lifetime seconds 28800
crypto map vpnmap 15 set security-association lifetime kilobytes 4608000
crypto map vpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap interface outside2
crypto isakmp identity address
crypto isakmp enable outside2
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 4
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto isakmp policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 failover
ssh timeout 60
console timeout 0
management-access inside
dhcpd wins 192.168.0.2
!
dhcpd address 192.168.0.100-192.168.0.254 inside
dhcpd dns x.x.x.x 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server value 192.168.0.2
dns-server value 192.168.0.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNUsersSplitTunnel
default-domain value companyname.local
username xxx password xxx encrypted privilege 15
username xxx password xxx encrypted privilege 15
tunnel-group VPNUsersTunnelGroup type remote-access
tunnel-group VPNUsersTunnelGroup general-attributes
address-pool VPNUsersPool
authentication-server-group IASRadius
default-group-policy VPNUsers
tunnel-group VPNUsersTunnelGroup ipsec-attributes
pre-shared-key xxxx
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key xxxx
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
pre-shared-key zzzzzzz
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxx
: end
Thanks!
02-27-2013 09:58 AM
anyone?
02-27-2013 03:38 PM
Create Two Crypto Map with Different Name and enable one on First Itnerface and second on Second Interface.
03-04-2013 02:51 AM
Thanks for the reply, just for my own edification what will this do?
03-04-2013 03:15 AM
If I understand you correctly, you're trying to make:
traffic from 192.168.0.0/24 to 192.168.1.0 /24 go through the ipsec-tunnel, using interface outside2.
You've got all the crypto-maps and nat exemtion rules configured correctly, but as to routing i only see this in the config:
route outside 0.0.0.0 0.0.0.0 76.152.1.53 1 track 1
route failover 0.0.0.0 0.0.0.0 80.152.1.53 254 don't know what's failover interface
So there's no route towards 192.168.1.0/24 through outside2 interface and at the same time the crypto map is appliet to this interface.
Probably, to solve your problem, you should add to your config
route outside2 192.168.1.0 255.255.255.0 ip_of_provider_on_outside2 link.
And check that everything correct with routing on the other side of the vpn-tunnel.
03-04-2013 11:23 AM
Hi You have to use Default Route for Internt and use static Routes for S2S VPN .
Like
For Internet
ip route 0.0.0.0 0.0.0.0 1.1.1.1
For VPN
You have to Go destination Address 192.168.2.1
ip route 192.168.2.0 255.255.255.0 2.2.2.2
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide