11-23-2013 04:03 PM - edited 02-21-2020 07:20 PM
Hello,
I have configured an IPsec VPN on two ISPs with IP SLA configured; there is redundancy on the VPN such that if the primary address fails, it gets connected to the backup through the VPN.
THE ISSUES
--Primary address gets connected and I can access resources
--Backup address gets connected but cannot access resources, e.g. servers
I want a way to get connected to the backup and access resources on my servers. Please help look into the config below.
Configuration below:
interface GigabitEthernet0/0
description LAN
nameif inside
security-level 100
ip address 192.168.202.100 255.255.255.0
!
interface GigabitEthernet0/1
description CONNECTION_TO_DOPC
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
!
interface GigabitEthernet0/2
description CONNECTION_TO_COBRANET
nameif backup
security-level 0
ip address 3.3.3.3 255.255.255.240
!
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa831-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone WAT 1
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-200
subnet 192.168.200.0 255.255.255.0
description LAN_200
object network obj-202
subnet 192.168.202.0 255.255.255.0
description LAN_202
object network NETWORK_OBJ_192.168.30.0_25
subnet 192.168.30.0 255.255.255.128
object network RDP_12
host 192.168.202.12
description WebServer
object service RDP
service tcp source eq 3389 destination eq 3389
object network obj012
host 192.168.202.12
object network Backup-PAT
subnet 192.168.202.0 255.255.255.0
description UBA LAN NETWORK
object-group network DM_INLINE_NETWORK_1
network-object 192.168.200.0 255.255.255.0
network-object 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object object obj-200
network-object object obj-202
access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit icmp any any inactive
access-list OUTSIDE_IN extended permit tcp any object obj012 eq 3389 inactive
access-list gbnltunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnltunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
access-list BACKUP_IN extended permit icmp any any inactive
access-list encrypt_acl extended permit ip 196.216.144.0 255.255.255.192 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu backup2 1500
ip local pool GBNLVPNPOOL 192.168.30.0-192.168.30.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any backup
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 no-proxy-arp route-lookup
!
object network obj-200
nat (inside,outside) dynamic interface
object network obj-202
nat (any,outside) dynamic interface
object network obj012
nat (inside,outside) static interface service tcp 3389 3389
object network Backup-PAT
nat (inside,backup) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
access-group BACKUP_IN in interface backup
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 100
route backup 0.0.0.0 0.0.0.0 3.3.3.3 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value GBNL-SERVERS
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable 441
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 backup
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 10
type echo protocol ipIcmpEcho 31.13.72.1 interface outside
num-packets 5
timeout 3000
frequency 5
sla monitor schedule 10 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 196.216.144.1
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map ipsec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ipsec_map interface outside
crypto map gbnltunnel 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map gbnltunnel interface backup
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=GBNLVPN.greatbrandsng.com,O=GBNL,C=ng
crl configure
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
!
track 10 rtr 100 reachability
!
track 100 rtr 10 reachability
telnet 192.168.200.0 255.255.255.0 inside
telnet 192.168.202.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
enable backup
enable backup2
group-policy gbnltunnel internal
group-policy gbnltunnel attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
default-domain value greatbrandsng.com
group-policy "Group 2" internal
service-type remote-access
tunnel-group gbnltunnel type remote-access
tunnel-group gbnltunnel general-attributes
address-pool GBNLVPNPOOL
default-group-policy gbnltunnel
tunnel-group gbnltunnel ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group GBNLSSL type remote-access
tunnel-group GBNL_WEBVPN type remote-access
tunnel-group GBNL_WEBVPN general-attributes
default-group-policy gbnltunnel
tunnel-group 196.216.144.1 type ipsec-l2l
tunnel-group 196.216.144.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5
: end
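A reviewer's pass over the configuration as posted, added here as an example and not part of the original thread. The script below runs a handful of regex checks over an excerpt of the lines above (copied into SAMPLE_CONFIG as a constructed sample) and reports the settings a security engineer would raise alongside the VPN question: management access (ssh/http) permitted from any source on the outside and backup interfaces, telnet enabled, IPsec transform sets and IKEv1 policies that still offer DES, 3DES or MD5, SSH key exchange pinned to DH group 1, and a console that never times out. The check ids and descriptions are my own naming; the findings describe exposure and weak algorithm choices visible in the config, not any particular exploit.

```python
"""Minimal ASA running-config audit (added example; check names are made up here)."""
import re
from typing import Dict, List, NamedTuple

class Finding(NamedTuple):
    line: int
    check: str
    text: str

# (check id, pattern applied to each stripped config line, description)
CHECKS = [
    ("mgmt-any-external",
     re.compile(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (?!inside$)\S+$"),
     "management access allowed from any source on a non-inside interface"),
    ("telnet-enabled",
     re.compile(r"^telnet \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$"),
     "cleartext telnet management enabled"),
    ("weak-transform-set",
     re.compile(r"^crypto ipsec ikev1 transform-set \S+ .*\b(esp-des|esp-3des|esp-md5-hmac)\b"),
     "IPsec transform set offers DES/3DES or MD5"),
    ("weak-ike-encryption",
     re.compile(r"^encryption (des|3des)$"),
     "IKE policy negotiates DES/3DES"),
    ("weak-ssh-kex",
     re.compile(r"^ssh key-exchange group dh-group1-sha1$"),
     "SSH key exchange limited to 1024-bit DH group 1"),
    ("console-no-timeout",
     re.compile(r"^console timeout 0$"),
     "console session never times out"),
]

# Constructed sample: an excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
http server enable 441
http 192.168.202.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 backup
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
ssh key-exchange group dh-group1-sha1
console timeout 0
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

def audit(config_text: str) -> List[Finding]:
    """Return one Finding per (line, check) hit; lines are stripped of indentation first."""
    findings: List[Finding] = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for check_id, pattern, _description in CHECKS:
            if pattern.search(line):
                findings.append(Finding(number, check_id, line))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check id."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts

if __name__ == "__main__":
    descriptions = {check_id: desc for check_id, _p, desc in CHECKS}
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line:>3}  {f.check:<22} {descriptions[f.check]}: {f.text}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Feed it the full running-config (e.g. the output of `show running-config` saved to a file) and extend CHECKS as needed; the inside-only `ssh 0.0.0.0 0.0.0.0 inside` line is deliberately not flagged by the first check so the report stays focused on the externally reachable services.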
11-25-2013 01:51 AM
When you say that "outside interface is down using failover techniques", do you mean that failover occurred because the ASA is no longer able to reach 31.13.72.1, not that the actual interface is down?
If this is the case then the NATing is your problem. Since you are using the same VPN pool for both VPN connections, the ASA cannot distinguish between the two traffic flows if the outside interface is still up. The SLA tracking only removes a route from the routing table but does not affect what happens in the NAT process.
Try changing the NAT statement to the following and test (remember to remove the other NAT exempt statements for this traffic when testing):
nat (inside,any) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25
If this does not work, I would suggest either shutting down the outside interface when a failover happens, or creating a second connection profile that contains a separate IP pool for the VPN connection and instructing users to connect using this profile when a failover has occurred. Remember to create NAT exempt statements for this traffic also.
--
Please rate all helpful posts
11-24-2013 09:52 AM
At first glance it looks like your NAT exempt statements are incorrect. From what I gather you want to send the failover traffic through the backup interface? In this case you would need to change one of the NAT exempt statements:
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 no-proxy-arp route-lookup
change to:
nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 no-proxy-arp route-lookup
--
Please rate all helpful posts
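Both this reply and the accepted answer turn on the same point: the interface pair in a manual NAT (NAT exempt) rule decides which interface the ASA sends the matching packet out of, and IP SLA tracking only edits the routing table. The Python below is an added example, not from the thread, that models that behaviour for the server-to-VPN-client return traffic and compares the three rules discussed: the posted `(inside,outside)` rule, the `(inside,backup)` rule suggested above, and the `(inside,any)` rule from the accepted answer. Assumptions, stated in the comments: a matched manual NAT rule with a named mapped interface forces egress to that interface, `any` defers to a route lookup, the `no-proxy-arp route-lookup` options are not modelled, the ASA holds a /32 for each connected remote-access client on the interface that terminated its tunnel, and the server and client addresses are constructed from the pool and LAN objects in the config.

```python
"""Why the NAT-exempt rule's interface pair decides where VPN return traffic leaves
the ASA. Simplified model written for this thread; see the lead-in for assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"
Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:
    """nat (real_ifc,mapped_ifc) source static X X destination static Y Y"""
    real_ifc: str
    mapped_ifc: str
    src: Net
    dst: Net


@dataclass(frozen=True)
class Route:
    ifc: str
    prefix: Net
    distance: int
    tracked: bool = False  # withdrawn when the IP SLA track object is down


def lookup_route(routes: List[Route], dst: Addr, primary_up: bool) -> Optional[str]:
    """Longest prefix first, then lowest administrative distance; tracked routes
    disappear when the SLA probe fails."""
    usable = [r for r in routes if dst in r.prefix and (primary_up or not r.tracked)]
    if not usable:
        return None
    return max(usable, key=lambda r: (r.prefix.prefixlen, -r.distance)).ifc


def egress_interface(rules: List[NatRule], routes: List[Route], ingress: str,
                     src: Addr, dst: Addr, primary_up: bool) -> Optional[str]:
    """Modelled ASA behaviour (assumption): the first matching manual NAT rule fixes
    the egress interface; only a mapped side of 'any' defers to the routing table."""
    for r in rules:
        if r.real_ifc not in (ANY, ingress) or src not in r.src or dst not in r.dst:
            continue
        return r.mapped_ifc if r.mapped_ifc != ANY else lookup_route(routes, dst, primary_up)
    return lookup_route(routes, dst, primary_up)


def build_routes(client: Addr, vpn_ifc: str) -> List[Route]:
    """Routing table from the thread: tracked default via outside, floating default via
    backup, plus the /32 the ASA installs for a connected remote-access client on the
    interface that terminated the tunnel (assumed here)."""
    return [
        Route("outside", Net("0.0.0.0/0"), 1, tracked=True),
        Route("backup", Net("0.0.0.0/0"), 254),
        Route(vpn_ifc, Net(f"{client}/32"), 1),
    ]


LAN = Net("192.168.202.0/24")   # obj-202 / member of DM_INLINE_NETWORK_1
POOL = Net("192.168.30.0/25")   # NETWORK_OBJ_192.168.30.0_25
ORIGINAL = NatRule("inside", "outside", LAN, POOL)  # rule in the posted config
SUGGESTED = NatRule("inside", "backup", LAN, POOL)  # this reply (route-lookup not modelled)
ACCEPTED = NatRule("inside", ANY, LAN, POOL)        # accepted answer


def return_traffic_ok(rules: List[NatRule], vpn_ifc: str, primary_up: bool,
                      server: Addr = Addr("192.168.202.12"),   # constructed: RDP_12 host
                      client: Addr = Addr("192.168.30.5")) -> bool:  # constructed pool address
    """True when server->client traffic leaves on the interface holding the client's
    tunnel; on any other interface there is no matching SA and the packet is dropped."""
    routes = build_routes(client, vpn_ifc)
    return egress_interface(rules, routes, "inside", server, client, primary_up) == vpn_ifc


if __name__ == "__main__":
    cases = [("client on outside, primary up", "outside", True),
             ("client on backup, SLA failed", "backup", False),
             ("client on backup, outside still up", "backup", True)]
    variants = [("original", [ORIGINAL]), ("suggested", [SUGGESTED]),
                ("accepted", [ACCEPTED]), ("accepted but original left above it", [ORIGINAL, ACCEPTED])]
    for name, rules in variants:
        print(f"{name}: " + ", ".join(f"{c}={return_traffic_ok(rules, ifc, up)}" for c, ifc, up in cases))
```

The last variant is the reason the accepted answer says to remove the other NAT exempt statements while testing: manual NAT rules are evaluated in order, so an `(inside,outside)` rule left above the `(inside,any)` rule still wins and still pins the return traffic to outside.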
11-24-2013 09:40 PM
Hello,
Thanks for the reply, but it's still not working.
ISSUE
VPN users connect to the outside interface successfully and can access inside hosts, but when the outside interface is down using the failover technique, users get connected through the backup interface but cannot access inside resources.
That is the problem.
Please, what could be the problem?
11-25-2013 12:36 AM
Do the users connect using a DNS name (ex. mycompany.com) or do they use the interface IP?
If they use a DNS name then when the failover occurs you need to make sure that the DNS entry points to the correct IP.
--
Please rate all helpful posts
11-25-2013 12:57 AM
Hello
Users use interface IP to connect.
11-26-2013 03:41 PM
Thanks Marius, NAT has been the issue.
It's solved now.