612 Views, 0 Helpful, 7 Replies

Dual WAN with VPN

montecristo2012
Level 1

Hi All,

I have a general question,

I have an ASA 5505 with two internet lines available. I basically want to have regular internet traffic going through the primary line and then have the VPN tunnel going out to a remote site on the second internet line.

I've had a try already and it seems to work with both lines plugged in, but while the tunnel phases report OK, we cannot ping anything in the remote site's LAN range.

Any ideas? Thanks

7 Replies

Andrew Phirsov
Level 7

Would be great if you provided some config of devices on CO and RO.

Hi, the config from my side is as follows; I've replaced all the IPs with false ones.

xxxx# more system:running-config
Cryptochecksum: xxxxxx
: Saved
: Written by xxxxxx
!
ASA Version 8.2(1)
!
hostname xxxx
domain-name xxxxx
enable password xxxxx encrypted
passwd 2.xxxxx encrypted
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.152.1.52 255.255.255.248
!
interface Vlan3
 no forward interface Vlan2
 nameif outside2
 ip address 80.152.1.52 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name xxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside2_access_in extended permit icmp any any
access-list VPNUsersSplitTunnel standard permit 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list secondvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any host x.x.x.x log
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu failover 1500
ip local pool VPNUsersPool x.x.x.x-x.x.x.x mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
asdm location x.x.x.x 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 76.152.1.53 1 track 1
route failover 0.0.0.0 0.0.0.0 80.152.1.53 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IASRadius protocol radius
aaa-server IASRadius (inside) host 192.168.0.2
 timeout 5
 key RADIUSKEY
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set vpnset1 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set vpnset2 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap 1 match address outside_1_cryptomap_1
crypto map vpnmap 1 set peer x.x.x.x
crypto map vpnmap 1 set transform-set vpnset1
crypto map vpnmap 1 set security-association lifetime seconds 28800
crypto map vpnmap 1 set security-association lifetime kilobytes 4608000
crypto map vpnmap 15 match address VPN2
crypto map vpnmap 15 set peer z.z.z.z
crypto map vpnmap 15 set transform-set vpnset2
crypto map vpnmap 15 set security-association lifetime seconds 28800
crypto map vpnmap 15 set security-association lifetime kilobytes 4608000
crypto map vpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap interface outside2
crypto isakmp identity address
crypto isakmp enable outside2
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 4
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 35
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 failover
ssh timeout 60
console timeout 0
management-access inside
dhcpd wins 192.168.0.2
!
dhcpd address 192.168.0.100-192.168.0.254 inside
dhcpd dns x.x.x.x 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
 wins-server value 192.168.0.2
 dns-server value 192.168.0.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNUsersSplitTunnel
 default-domain value companyname.local
username xxx password xxx encrypted privilege 15
username xxx password xxx encrypted privilege 15
tunnel-group VPNUsersTunnelGroup type remote-access
tunnel-group VPNUsersTunnelGroup general-attributes
 address-pool VPNUsersPool
 authentication-server-group IASRadius
 default-group-policy VPNUsers
tunnel-group VPNUsersTunnelGroup ipsec-attributes
 pre-shared-key xxxx
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key xxxx
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
 pre-shared-key zzzzzzz
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxx
: end

Thanks!

montecristo2012
Level 1

anyone?

Create two crypto maps with different names and enable one on the first interface and the second on the second interface.

Jawad

Thanks for the reply, just for my own edification what will this do?

If I understand you correctly, you're trying to make:

traffic from 192.168.0.0/24 to 192.168.1.0/24 go through the IPsec tunnel, using interface outside2.

You've got all the crypto maps and NAT exemption rules configured correctly, but as to routing I only see this in the config:

route outside 0.0.0.0 0.0.0.0 76.152.1.53 1 track 1

route failover 0.0.0.0 0.0.0.0 80.152.1.53 254 (don't know what the failover interface is)

So there's no route towards 192.168.1.0/24 through the outside2 interface, and at the same time the crypto map is applied to this interface.

Probably, to solve your problem, you should add to your config

route outside2 192.168.1.0 255.255.255.0 ip_of_provider_on_outside2_link

And check that everything is correct with routing on the other side of the VPN tunnel.
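The reasoning in the reply above (a crypto map only sees packets that the routing table already sends out of the interface it is bound to, so a default route pointing at "outside" keeps tunnel traffic away from "outside2") can be checked with a small model of the ASA's forwarding decision. The following Python is an added example written for this thread, not code from the original post or from Cisco; it models longest-prefix match with administrative distance as a tie-breaker and then asks whether the crypto map on the chosen egress interface has a static entry covering the flow. The routes and crypto map entries are transcribed from the posted config; the two static routes in FIXED_ROUTES are the assumed fix, with 80.152.1.53 assumed to be the provider's next hop on the outside2 link (it is the gateway in the posted "route failover" line). The dynamic crypto map entry (seq 65535) is left out because it only serves remote-access peers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str
    distance: int = 1


@dataclass
class CryptoEntry:
    """One static 'crypto map <name> <seq> match address <acl>' line, reduced to its ACL tuple."""
    seq: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest administrative distance wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def tunnel_selection(routes, crypto_maps, src, dst):
    """Return (egress_interface, crypto_map_seq). seq is None when no tunnel entry matches,
    i.e. the packet would leave the box in the clear on that interface."""
    route = lookup(routes, dst)
    if route is None:
        return None, None
    # A crypto map is bound to one interface; packets routed elsewhere never reach it.
    entries = crypto_maps.get(route.interface, [])
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(entries, key=lambda e: e.seq):
        if s in entry.src and d in entry.dst:
            return route.interface, entry.seq
    return route.interface, None


# Routing table as posted (the 'failover' route is kept as the config shows it).
BASE_ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "outside", "76.152.1.53", 1),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "failover", "80.152.1.53", 254),
]

# 'crypto map vpnmap interface outside2' with its two static entries from the posted config.
CRYPTO_MAPS = {
    "outside2": [
        CryptoEntry(1, ipaddress.IPv4Network("192.168.0.0/24"), ipaddress.IPv4Network("192.168.1.0/24")),
        CryptoEntry(15, ipaddress.IPv4Network("192.168.0.0/24"), ipaddress.IPv4Network("192.168.2.0/24")),
    ],
}

# Assumed fix: one static route per remote LAN via outside2. On the ASA this would be
#   route outside2 192.168.1.0 255.255.255.0 80.152.1.53 1
#   route outside2 192.168.2.0 255.255.255.0 80.152.1.53 1
# where 80.152.1.53 is assumed to be the provider's next hop on that link.
FIXED_ROUTES = BASE_ROUTES + [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "outside2", "80.152.1.53", 1),
    Route(ipaddress.IPv4Network("192.168.2.0/24"), "outside2", "80.152.1.53", 1),
]


def before_fix() -> tuple:
    # Ping from the LAN to the remote LAN with only the posted routes.
    return tunnel_selection(BASE_ROUTES, CRYPTO_MAPS, "192.168.0.10", "192.168.1.10")


def after_fix() -> tuple:
    # Same flow once the static routes via outside2 exist.
    return tunnel_selection(FIXED_ROUTES, CRYPTO_MAPS, "192.168.0.10", "192.168.1.10")


def internet_after_fix() -> tuple:
    # Ordinary internet traffic still follows the default route on the primary line.
    return tunnel_selection(FIXED_ROUTES, CRYPTO_MAPS, "192.168.0.10", "8.8.8.8")


if __name__ == "__main__":
    print("before fix:", before_fix())        # ('outside', None): leaves untunnelled on outside
    print("after fix:", after_fix())          # ('outside2', 1): matched by vpnmap seq 1
    print("internet:", internet_after_fix())  # ('outside', None): default route, no tunnel
```

The "before" result is the symptom in the original question: phase 1 and 2 negotiate fine because the peer address itself is reached via the crypto map's own interface, but the interesting traffic is routed to "outside", where no crypto map exists, so it is NATed out to the internet instead of being encrypted. On the real ASA, `show route` and `show crypto ipsec sa` (checking that the encaps counters increase during a ping) are the corresponding checks.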

Hi, you have to use the default route for Internet and static routes for the S2S VPN.

Like

For Internet

ip route 0.0.0.0 0.0.0.0 1.1.1.1

For VPN

You have to go to destination address 192.168.2.1

ip route 192.168.2.0 255.255.255.0 2.2.2.2

Jawad