IPSec VPN Tunnel

nushrat88
Level 1

Hi,

I need help with the following problem.

I have created a site-to-site IPsec VPN tunnel. I have used 192.168.183.0/24 as the internal network at the remote site.

The remote site ASA is configured to allow all traffic from this range, i.e.

access-list xxx extended permit ip 192.168.183.0 255.255.255.0 any

Now I have used a 3560 and a 2060 switch at the remote site with the ASA. I have subnetted 192.168.183.0 into 4 different VLANs inside the network.

192.168.183.0/25 = vlan 500

192.168.183.128/26 = vlan 600

192.168.183.192/27 = vlan 700

192.168.183.224/27 = vlan 800

Inter-VLAN routing is working fine, but only one VLAN is going over the tunnel, so all the PCs/printers located in VLAN 500 are working fine.

All the other PCs/printers located in the other VLANs are not able to pass traffic via the tunnel or reach the server. As mentioned previously, the /24 is permitted in the access-list.

Any help/advice will be much appreciated.

Regards

Shafi

5 Replies

Jennifer Halim
Cisco Employee

How do you route the rest of the VLANs? Is the default route for those VLANs towards the ASA?

Can you please share the ASA config?

Hi Jennifer - Thank you for coming back to me so quickly. Please find the config below for both the ASA and the 3560 switch. I have just figured out that there was a config issue with NAT. I have resolved it now. Any suggestions will be much appreciated.

=====================================================
ASA Version 8.2(5)
!
hostname Rossington-HolmesCarr-ASA
domain-name dash.nhs.uk
enable password

names
!
interface Ethernet0/0
description Outside-N3
nameif outside
security-level 0
ip address 10.217.235.66 255.255.255.192
!
interface Ethernet0/1
description Inside-LAN
nameif inside
security-level 100
ip address 192.168.95.245 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name dash.nhs.uk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl-in extended permit esp any host 10.21x.235.66
access-list acl-in extended permit udp any host 10.21x.235.66 eq 4500
access-list acl-in extended permit udp any host 10.21x.235.66 eq isakmp
access-list N3-VPN-RossingtonHolmesCarr extended deny ip 192.168.183.0 255.255.255.0 155.231.80.0 255.255.255.0
access-list N3-VPN-RossingtonHolmesCarr extended deny ip 192.168.183.0 255.255.255.0 155.231.48.0 255.255.255.0
access-list N3-VPN-RossingtonHolmesCarr extended deny ip 192.168.183.0 255.255.255.0 62.6.139.0 255.255.255.0
access-list N3-VPN-RossingtonHolmesCarr extended deny ip 192.168.183.0 255.255.255.0 20.146.120.0 255.255.255.0
access-list N3-VPN-RossingtonHolmesCarr extended deny ip 192.168.183.0 255.255.255.0 20.146.248.0 255.255.255.0
access-list N3-VPN-RossingtonHolmesCarr extended permit ip 192.168.183.0 255.255.255.0 any
access-list N3-NONAT extended deny ip 192.168.183.0 255.255.255.0 155.231.80.0 255.255.255.0
access-list N3-NONAT extended deny ip 192.168.183.0 255.255.255.0 155.231.48.0 255.255.255.0
access-list N3-NONAT extended deny ip 192.168.183.0 255.255.255.0 62.6.139.0 255.255.255.0
access-list N3-NONAT extended deny ip 192.168.183.0 255.255.255.0 20.146.120.0 255.255.255.0
access-list N3-NONAT extended deny ip 192.168.183.0 255.255.255.0 20.146.248.0 255.255.255.0
access-list N3-NONAT extended permit ip 192.168.183.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list N3-NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.217.235.65 1
route inside 192.168.183.0 255.255.255.128 192.168.95.246 1
route inside 192.168.183.128 255.255.255.192 192.168.95.246 1
route inside 192.168.183.192 255.255.255.224 192.168.95.246 1
route inside 192.168.183.224 255.255.255.224 192.168.95.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS-Auth protocol tacacs+
aaa-server ACS-Auth (outside) host 10.144.208.31
key
aaa authentication http console ACS-Auth LOCAL
aaa authentication ssh console ACS-Auth LOCAL
aaa authentication telnet console ACS-Auth LOCAL
aaa authentication enable console ACS-Auth LOCAL
aaa authentication serial console ACS-Auth LOCAL
aaa accounting enable console ACS-Auth
aaa accounting serial console ACS-Auth
aaa accounting ssh console ACS-Auth
aaa accounting telnet console ACS-Auth
aaa accounting command privilege 15 ACS-Auth
http server enable
http 192.168.2.16 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.2.16 255.255.255.255 outside
http 10.144.208.13 255.255.255.255 outside
snmp-server host inside 192.168.2.16 community
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map N3-VPN 132 match address N3-VPN-RossingtonHolmesCarr
crypto map N3-VPN 132 set pfs
crypto map N3-VPN 132 set peer 10.213.0.9
crypto map N3-VPN 132 set transform-set ESP-AES-256-SHA
crypto map N3-VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.144.20x.1x 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd dns 192.168.44.81 192.168.44.82
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain xdsh.nhs.uk
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.2.232
webvpn
username localadmin pass
tunnel-group 10.21x.0.9 type ipsec-l2l
tunnel-group 10.21x.0.9 ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!

=======================================================

Switch Config 3560

=======================================================

ip dhcp pool Ross-Domain
network 192.168.183.0 255.255.255.128
dns-server 192.168.44.81 192.168.44.82
default-router 192.168.183.2
lease 0 8
!
ip dhcp pool Ross-WiFi-Corp
network 192.168.183.128 255.255.255.192
dns-server 192.168.44.81 192.168.44.82
default-router 192.168.183.129
lease 0 8
!
ip dhcp pool Ross-WiFi-Mobile
network 192.168.183.192 255.255.255.224
dns-server 192.168.44.81 192.168.44.82
default-router 192.168.183.193
lease 0 8
!
ip dhcp pool Ross-WiFi-Guest
network 192.168.183.224 255.255.255.224
dns-server 192.168.44.81 192.168.44.82
default-router 192.168.183.225
lease 0 8
!
interface FastEthernet0/23
description Link-2-ASA     
no switchport
ip address 192.168.95.246 255.255.255.252
!
interface GigabitEthernet0/1
description Link-2-SW2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan500
ip address 192.168.183.2 255.255.255.128
!
interface Vlan600
ip address 192.168.183.129 255.255.255.192
no ip redirects
!
interface Vlan700
ip address 192.168.183.193 255.255.255.224
no ip redirects
!
interface Vlan800
ip address 192.168.183.225 255.255.255.224
no ip redirects
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.95.245
ip tacacs source-interface Vlan500
!
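As an added example (not code from this thread or from Cisco), a small checker that parses the access-list and route lines of the ASA config above and, for each of the four VLAN subnets, reports whether traffic to a head-end server is selected by the crypto map ACL, exempted from NAT by the nat 0 ACL, and has a return route on the inside; it also runs a hypothetical NAT-exempt ACL that covers only the /25, which reproduces the symptom in the question (VLAN 500 works, the others do not). The server address 192.168.44.81 (the DNS server in the config) as the destination, and the single deny entry in the excerpt, are assumptions for the demonstration.

```python
import ipaddress
import re
# Constructed excerpt of the ASA 8.2(5) config posted above (crypto ACL, NAT-exempt ACL, inside routes).
ASA_CONFIG = """\
access-list N3-VPN-RossingtonHolmesCarr extended deny ip 192.168.183.0 255.255.255.0 155.231.80.0 255.255.255.0
access-list N3-VPN-RossingtonHolmesCarr extended permit ip 192.168.183.0 255.255.255.0 any
access-list N3-NONAT extended deny ip 192.168.183.0 255.255.255.0 155.231.80.0 255.255.255.0
access-list N3-NONAT extended permit ip 192.168.183.0 255.255.255.0 any
route inside 192.168.183.0 255.255.255.128 192.168.95.246 1
route inside 192.168.183.128 255.255.255.192 192.168.95.246 1
route inside 192.168.183.192 255.255.255.224 192.168.95.246 1
route inside 192.168.183.224 255.255.255.224 192.168.95.246 1
"""
# Hypothetical misconfiguration reproducing the symptom: NAT exemption covers only VLAN 500's /25.
BROKEN_NONAT = ASA_CONFIG.replace("N3-NONAT extended permit ip 192.168.183.0 255.255.255.0",
                                  "N3-NONAT extended permit ip 192.168.183.0 255.255.255.128")
VLANS = {500: "192.168.183.0/25", 600: "192.168.183.128/26",
         700: "192.168.183.192/27", 800: "192.168.183.224/27"}
ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (\S+ \S+) (any|\S+ \S+)$")
ROUTE_RE = re.compile(r"^route inside (\S+ \S+) \S+")
def net(spec):
    """'any' or 'addr mask' -> ip_network (ASA ACLs and routes use dotted masks)."""
    return ANY if spec == "any" else ipaddress.ip_network(spec.replace(" ", "/"))

def parse(config):
    acls, routes = {}, []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, action, src, dst = m.groups()
            acls.setdefault(name, []).append((action, net(src), net(dst)))
        elif m := ROUTE_RE.match(line):
            routes.append(net(m.group(1)))
    return acls, routes

def first_match(entries, src, dst):
    """ASA ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "permit"
    return False

def check_vlans(config, crypto_acl, nonat_acl, server):
    """Per VLAN: selected for the tunnel? exempt from NAT? routed back inside?"""
    acls, routes = parse(config)
    dst = ipaddress.ip_network(server)
    return {v: {"crypto": first_match(acls.get(crypto_acl, []), ipaddress.ip_network(c), dst),
                "nonat": first_match(acls.get(nonat_acl, []), ipaddress.ip_network(c), dst),
                "route": any(ipaddress.ip_network(c).subnet_of(r) for r in routes)}
            for v, c in VLANS.items()}
```

A VLAN whose "nonat" result is False gets PAT'd to the outside interface address before crypto selection, so it never matches the 192.168.183.0/24 source in the crypto ACL even though that ACL permits the whole /24.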

Which remote subnet are you trying to access it from? There are a lot of deny statements in your crypto ACL and NONAT ACL. Please kindly advise which subnet you are trying to reach the 192.168.183.x subnet from.

Hi Jennifer,

You have not read the message I sent before the ASA config. Apparently I've resolved the issue. I found there was some error in the NAT config. I have corrected it and it's all working fine.

Regards

Shafi

Excellent...

Sorry, I also saw your message that says: Any suggestion will be much appreciated.

So I thought you had initially, but then still needed help.

But great to know all has been resolved. Thanks for the update.