- Cisco Community
- Technology and Support
- Security
- VPN
- Re: VLANs not reaching remote hosts on site to site vpn
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
VLANs not reaching remote hosts on site to site vpn
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 10:25 AM
he have a A 5516X that we recently configure multiple VLANs on. Main network (IF 0/1 10.100.21.0/24). no VLANs on this network. IF 0/2 10.100.1.0/24 had the VLANs created on it. The VLANs were created as follows (IF 2.31 - 10.100.31.0/24, IF 2.41 - 10.100.41.0/24, IF 2.51 - 10.100.51.0/24 IF 2.61 - 10.100.61.0/24). all VLANS can access all local hosts/devices on the 10.100.21.0/24 network and all have Internet access. We have a remote (Colo) site with an internal ip of 10.100.20.0/24. the site-to-site vpn is working well from the 10.100.21.0 network and all other remote sites to the colo site. The only thing not working is the VLANs to the colo site.
I can do a packet trace using the packet tracer on the 10.100.21.1 ASA where the VLANs were created. I'm doing a ICMP from the VLAN 41 interface with host ip on one vlan 10.100.41.50 to destination host/server 10.100.20.5 type: echo, IP Version: IPv4 code: 1. no dropped packet...all checks out. But if you go to a host, on any of the VLANs and try to ping the remote server 10.100.20.5, it times out.
I've attached a image of the high level network diagram and a image of the packet tracer test.
- Labels:
-
VPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 11:28 AM
From the packet tracer it does not look like the traffic is going over the VPN tunnel. Did you make sure the encryption domains, identity NAT and all the relative VPN configuration between site 01 and 05 are in place?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 12:02 PM
yes, they should be. The VPNs between all locations have been up and running for years. Other than adding ACL Manager changes/permits for the new VLans, no other changes were made that should effect the VPNs. VPN connections are all working as before with no interruptions in network traffic. The VLANs connect to all other local resources and they connect to the internet with no issues. it just doesn't make sense that i can ping from a host on the sub interface - VLans, through interface (0/2) then through interface 0/1 to local hosts or through interface 0/1 to interface 0/0 to the internet with no issue, but not to one of the VPN networks/hosts. The ACL rules were already in place, we just expanded them to allow the additional interface and sub interface VLans/networks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 12:53 PM
Here is a portion of the site 01 config.
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.100.21.1 255.255.255.0
!
interface GigabitEthernet0/2
description UBNT Uplink for VLans
nameif UBNT_SwitchPort_Trunk
security-level 100
ip address 10.100.1.1 255.255.255.0
!
interface GigabitEthernet0/2.31
description Admin Office VLan
vlan 31
nameif AdminOffice
security-level 100
ip address 10.100.31.1 255.255.255.0
!
interface GigabitEthernet0/2.41
description Truck Sales VLan
vlan 41
nameif TruckSales
security-level 100
ip address 10.100.41.1 255.255.255.0
!
interface GigabitEthernet0/2.51
description Parts & Warehouse VLan
vlan 51
nameif PartsWarehouse
security-level 100
ip address 10.100.51.1 255.255.255.0
!
interface GigabitEthernet0/2.61
description Service VLan
vlan 61
nameif Service
security-level 100
ip address 10.100.61.1 255.255.255.0
!
object network VPN_Site_Remote_Apk_Colo
subnet 10.100.20.0 255.255.255.0
object network VPN_Site_Remote_Sat_Blvd
subnet 10.100.22.0 255.255.255.0
object network VPN_Site_Remote_Ocala
subnet 10.100.23.0 255.255.255.0
object network VPN_Site_Remote_Polk
subnet 10.100.24.0 255.255.255.0
object network VPN_Site_Remote_Training_Location
subnet 10.100.25.0 255.255.255.0
object network VPN_Site_Local_Apk
subnet 10.100.21.0 255.255.255.0
object network VPN_Site_Local_Apk_31
subnet 10.100.31.0 255.255.255.0
object network VPN_Site_Local_Apk_41
subnet 10.100.41.0 255.255.255.0
object network VPN_Site_Local_Apk_51
subnet 10.100.51.0 255.255.255.0
object network VPN_Site_Local_Apk_61
subnet 10.100.61.0 255.255.255.0
object network VPN_Site_Local_Apk_01
subnet 10.100.1.0 255.255.255.0
network-object object VPN_Site_Local_Apk
network-object object VPN_Site_Local_Apk_31
network-object object VPN_Site_Local_Apk_41
network-object object VPN_Site_Local_Apk_51
network-object object VPN_Site_Local_Apk_61
network-object object VPN_Site_Local_Apk_01
access-list outside_cryptomap_7 extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Sat_Blvd
access-list outside_cryptomap_1 extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Ocala
access-list inside_inbound extended permit ip any any
access-list inside_inbound extended permit icmp any any
access-list outside_cryptomap extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Polk
access-list outside_cryptomap_3 extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Training_Location
access-list AdminOffice_access_in extended permit ip any any
access-list AdminOffice_access_in extended permit icmp any any
access-list PartsWarehouse_access_in extended permit ip any any
access-list PartsWarehouse_access_in extended permit icmp any any
access-list TruckSales_access_in extended permit ip any any
access-list TruckSales_access_in extended permit icmp any any
access-list Service_access_in extended permit ip any any
access-list Service_access_in extended permit icmp any any
access-list Service_access_in_1 extended permit ip any any
access-list Service_access_in_1 extended permit icmp any any
access-list AdminOffice_access_in_1 extended permit ip any any
access-list AdminOffice_access_in_1 extended permit icmp any any
access-list UBNT_SwitchPort_Trunk_access_in extended permit ip any any
access-list UBNT_SwitchPort_Trunk_access_in extended permit icmp any any
access-list TruckSales_access_in_1 extended permit ip any any
access-list TruckSales_access_in_1 extended permit icmp any any
access-list PartsWarehouse_access_in_1 extended permit ip any any
access-list PartsWarehouse_access_in_1 extended permit icmp any any
pager lines 24
logging enable
logging list VPN_INFO level errors class vpdn
logging list VPN_INFO level errors class vpn
logging list VPN_INFO level errors class vpnc
logging list VPN_INFO level errors class vpnfo
logging list VPN_INFO level errors class vpnlb
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu UBNT_SwitchPort_Trunk 1500
mtu PartsWarehouse 1500
mtu TruckSales 1500
mtu Service 1500
mtu AdminOffice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Ocala VPN_Site_Remote_Ocala no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Sat_Blvd VPN_Site_Remote_Sat_Blvd no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Polk VPN_Site_Remote_Polk no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Training_Location VPN_Site_Remote_Training_Location no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Apk_Colo VPN_Site_Remote_Apk_Colo no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_inbound in interface outside
access-group inside_inbound in interface inside
access-group UBNT_SwitchPort_Trunk_access_in in interface UBNT_SwitchPort_Trunk
access-group PartsWarehouse_access_in_1 in interface PartsWarehouse
access-group TruckSales_access_in_1 in interface TruckSales
access-group Service_access_in_1 in interface Service
access-group AdminOffice_access_in_1 in interface AdminOffice
route outside 0.0.0.0 0.0.0.0 75.112.187.113 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.100.21.0 255.255.255.0 inside
http 75.112.187.112 255.255.255.240 outside
http 192.168.10.0 255.255.255.0 management
http 10.100.24.0 255.255.255.0 outside
http 10.100.22.0 255.255.255.0 inside
http 10.100.23.0 255.255.255.0 inside
http 10.100.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd dns 65.32.1.65 65.32.1.70
dhcpd auto_config outside
!
dhcpd address 10.100.21.236-10.100.21.254 inside
dhcpd dns 65.32.1.65 65.32.1.70 interface inside
dhcpd lease 600 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.50-192.168.10.254 management
dhcpd dns 65.32.1.65 65.32.1.70 interface management
dhcpd enable management
!
dhcpd address 10.100.1.50-10.100.1.254 UBNT_SwitchPort_Trunk
dhcpd dns 65.32.1.65 65.32.1.70 interface UBNT_SwitchPort_Trunk
!
dhcpd address 10.100.51.50-10.100.51.254 PartsWarehouse
dhcpd dns 65.32.1.65 65.32.1.70 interface PartsWarehouse
dhcpd enable PartsWarehouse
!
dhcpd address 10.100.41.50-10.100.41.254 TruckSales
dhcpd dns 65.32.1.65 65.32.1.70 interface TruckSales
dhcpd enable TruckSales
!
dhcpd address 10.100.61.50-10.100.61.254 Service
dhcpd dns 65.32.1.65 65.32.1.70 interface Service
dhcpd enable Service
!
dhcpd address 10.100.31.50-10.100.31.254 AdminOffice
dhcpd dns 65.32.1.65 65.32.1.70 interface AdminOffice
dhcpd enable AdminOffice
!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 02:49 PM
Maybe I'm missing something here, but I don't see the crypto ACL for the traffic sourced from your VLANs destined to Colo?!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2020 06:58 AM
I didn't copy the entire running config, that that was left out. it is below.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_7
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 97.68.139.194
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 63.144.199.226
crypto map outside_map 2 set ikev1 phase1-mode aggressive
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 75.112.187.123
crypto map outside_map 3 set ikev1 phase1-mode aggressive
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 set ikev2 pre-shared-key *****
crypto map outside_map 3 set security-association lifetime kilobytes unlimited
crypto map outside_map 4 match address outside_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 107.144.131.218
crypto map outside_map 4 set ikev1 phase1-mode aggressive
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 set ikev2 pre-shared-key *****
crypto map outside_map 7 match address outside_cryptomap_3
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 97.71.244.242
crypto map outside_map 7 set ikev1 phase1-mode aggressive
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 7 set ikev2 pre-shared-key *****
crypto map outside_map 7 set security-association lifetime kilobytes unlimited
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=75.112.187.114,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 73f3f35b
308201cf 30820138 a0030201 02020473 f3f35b30 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 03550403
130e3735 2e313132 2e313837 2e313134 301e170d 31383132 30333134 34383431
5a170d32 38313133 30313434 3834315a 302c3111 300f0603 55040313 08636973
636f6173 61311730 15060355 0403130e 37352e31 31322e31 38372e31 31343081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100a2 07dfabfd
4f9f9e48 08cb16dd f95aead1 95b1469e 4a566a4e 75589ede 865c8a21 7730d281
905efc49 3ad0fa2c e8f7426f 7ea53434 9400edca beb51f82 6314199c b4a95ee8
308de998 558cec75 c3dd69fa 904c6aa8 fc8a6cda 3c9f052d 90522871 15d92ce4
a91db5f6 388771e5 28d3e88f 0b92b723 e7c4eef0 2404a5e5 80d95b02 03010001
300d0609 2a864886 f70d0101 05050003 81810067 599f47d7 268d4737 89f5d072
0866217d e4b1eb21 1718522e 32fae169 72e8be1b 94aeab02 c67b32b5 67c07c99
04fd0e05 8771f7d7 13a8b361 5a0cd30f 7d05fe5f d1b675cc 04a6f313 8f2d14e1
e28c15e8 ecc13b87 b5ac3223 7f666afc 2a13488f d4756df2 2356d0fc 7df836a0
28333c99 a1d36f84 5983018e a8576968 471d99
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 50
encryption des
integrity md5
group 1
prf md5
lifetime seconds 28800
crypto ikev2 policy 60
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 70
encryption 3des
integrity md5
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 160
authentication pre-share
encryption des
hash md5
group 1
lifetime 28800
crypto ikev1 policy 180
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2020 06:59 AM
75.112.187.123 is the colo external ip
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-15-2020 02:27 PM
see under line B command check it,
Here is a portion of the site 01 config.
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.100.21.1 255.255.255.0
!
interface GigabitEthernet0/2
description UBNT Uplink for VLans
nameif UBNT_SwitchPort_Trunk
security-level 100
ip address 10.100.1.1 255.255.255.0
!
interface GigabitEthernet0/2.31
description Admin Office VLan
vlan 31
nameif AdminOffice
security-level 100
ip address 10.100.31.1 255.255.255.0
!
interface GigabitEthernet0/2.41
description Truck Sales VLan
vlan 41
nameif TruckSales
security-level 100
ip address 10.100.41.1 255.255.255.0
!
interface GigabitEthernet0/2.51
description Parts & Warehouse VLan
vlan 51
nameif PartsWarehouse
security-level 100
ip address 10.100.51.1 255.255.255.0
!
interface GigabitEthernet0/2.61
description Service VLan
vlan 61
nameif Service
security-level 100
ip address 10.100.61.1 255.255.255.0
!
object network VPN_Site_Remote_Apk_Colo
subnet 10.100.20.0 255.255.255.0
object network VPN_Site_Remote_Sat_Blvd
subnet 10.100.22.0 255.255.255.0
object network VPN_Site_Remote_Ocala
subnet 10.100.23.0 255.255.255.0
object network VPN_Site_Remote_Polk
subnet 10.100.24.0 255.255.255.0
object network VPN_Site_Remote_Training_Location
subnet 10.100.25.0 255.255.255.0
object network VPN_Site_Local_Apk <--THIS ONE
subnet 10.100.21.0 255.255.255.0
object network VPN_Site_Local_Apk_31
subnet 10.100.31.0 255.255.255.0
object network VPN_Site_Local_Apk_41
subnet 10.100.41.0 255.255.255.0
object network VPN_Site_Local_Apk_51
subnet 10.100.51.0 255.255.255.0
object network VPN_Site_Local_Apk_61
subnet 10.100.61.0 255.255.255.0
object network VPN_Site_Local_Apk_01
subnet 10.100.1.0 255.255.255.0
network-object object VPN_Site_Local_Apk<--THIS ONE
network-object object VPN_Site_Local_Apk_31
network-object object VPN_Site_Local_Apk_41
network-object object VPN_Site_Local_Apk_51
network-object object VPN_Site_Local_Apk_61
network-object object VPN_Site_Local_Apk_01
access-list outside_cryptomap_7 extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Sat_Blvd
access-list outside_cryptomap_1 extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Ocala
access-list inside_inbound extended permit ip any any
access-list inside_inbound extended permit icmp any any
access-list outside_cryptomap extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Polk
access-list outside_cryptomap_3 extended permit ip object VPN_Site_Local_Apk object VPN_Site_Remote_Training_Location
access-list AdminOffice_access_in extended permit ip any any
access-list AdminOffice_access_in extended permit icmp any any
access-list PartsWarehouse_access_in extended permit ip any any
access-list PartsWarehouse_access_in extended permit icmp any any
access-list TruckSales_access_in extended permit ip any any
access-list TruckSales_access_in extended permit icmp any any
access-list Service_access_in extended permit ip any any
access-list Service_access_in extended permit icmp any any
access-list Service_access_in_1 extended permit ip any any
access-list Service_access_in_1 extended permit icmp any any
access-list AdminOffice_access_in_1 extended permit ip any any
access-list AdminOffice_access_in_1 extended permit icmp any any
access-list UBNT_SwitchPort_Trunk_access_in extended permit ip any any
access-list UBNT_SwitchPort_Trunk_access_in extended permit icmp any any
access-list TruckSales_access_in_1 extended permit ip any any
access-list TruckSales_access_in_1 extended permit icmp any any
access-list PartsWarehouse_access_in_1 extended permit ip any any
access-list PartsWarehouse_access_in_1 extended permit icmp any any
pager lines 24
logging enable
logging list VPN_INFO level errors class vpdn
logging list VPN_INFO level errors class vpn
logging list VPN_INFO level errors class vpnc
logging list VPN_INFO level errors class vpnfo
logging list VPN_INFO level errors class vpnlb
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu UBNT_SwitchPort_Trunk 1500
mtu PartsWarehouse 1500
mtu TruckSales 1500
mtu Service 1500
mtu AdminOffice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Ocala VPN_Site_Remote_Ocala no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Sat_Blvd VPN_Site_Remote_Sat_Blvd no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Polk VPN_Site_Remote_Polk no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Training_Location VPN_Site_Remote_Training_Location no-proxy-arp route-lookup
nat (inside,outside) source static VPN_Site_Local_Apk VPN_Site_Local_Apk destination static VPN_Site_Remote_Apk_Colo VPN_Site_Remote_Apk_Colo no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_inbound in interface outside
access-group inside_inbound in interface inside
access-group UBNT_SwitchPort_Trunk_access_in in interface UBNT_SwitchPort_Trunk
access-group PartsWarehouse_access_in_1 in interface PartsWarehouse
access-group TruckSales_access_in_1 in interface TruckSales
access-group Service_access_in_1 in interface Service
access-group AdminOffice_access_in_1 in interface AdminOffice
route outside 0.0.0.0 0.0.0.0 75.112.187.113 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.100.21.0 255.255.255.0 inside
http 75.112.187.112 255.255.255.240 outside
http 192.168.10.0 255.255.255.0 management
http 10.100.24.0 255.255.255.0 outside
http 10.100.22.0 255.255.255.0 inside
http 10.100.23.0 255.255.255.0 inside
http 10.100.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd dns 65.32.1.65 65.32.1.70
dhcpd auto_config outside
!
dhcpd address 10.100.21.236-10.100.21.254 inside
dhcpd dns 65.32.1.65 65.32.1.70 interface inside
dhcpd lease 600 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.50-192.168.10.254 management
dhcpd dns 65.32.1.65 65.32.1.70 interface management
dhcpd enable management
!
dhcpd address 10.100.1.50-10.100.1.254 UBNT_SwitchPort_Trunk
dhcpd dns 65.32.1.65 65.32.1.70 interface UBNT_SwitchPort_Trunk
!
dhcpd address 10.100.51.50-10.100.51.254 PartsWarehouse
dhcpd dns 65.32.1.65 65.32.1.70 interface PartsWarehouse
dhcpd enable PartsWarehouse
!
dhcpd address 10.100.41.50-10.100.41.254 TruckSales
dhcpd dns 65.32.1.65 65.32.1.70 interface TruckSales
dhcpd enable TruckSales
!
dhcpd address 10.100.61.50-10.100.61.254 Service
dhcpd dns 65.32.1.65 65.32.1.70 interface Service
dhcpd enable Service
!
dhcpd address 10.100.31.50-10.100.31.254 AdminOffice
dhcpd dns 65.32.1.65 65.32.1.70 interface AdminOffice
dhcpd enable AdminOffice
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-20-2020 12:10 PM
they are two different things. one it an object "network" and the other is a network "object". I did check to make sure there were no duplications of any kind.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 12:53 PM
friend the ACL + Peer is proxy of IPSec VPN
so you must be sure that the ACL is identical and flap in each side
permit ip X.X.X.X Y.Y.Y.Y in one side
permit ip Y.Y.Y.Y X.X.X.X in other side
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2020 07:09 AM
you are correct sir. And, yes it is configured that way. thanks, Charles
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2020 12:06 PM
Hi,
From fig,
APK there is SW with
4 VLAN "31,41,51,61"
and this SW connect to ASA with 10.100.21.0/24?
Now for all other Site there is ACL used for crypto contain
10.100.21.0/24, it simply mention if you want to go to 10.100.21.0 please use VPN IPSec tunnel.
if other then use internet send without encrypt it.
Now in APK site,
you config VPN_Site with 10.100.21.0/24 then same name use with additional object,
finally you point under IPSec to VPN_Site 10.100.21.0/24 not that new with additional object.
this must be rearrange and make new name and apply it and see the different.
try and let me know the result.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2020 07:31 AM
Can you please share the content of the ACL "outside_cryptomap_2"?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-15-2020 12:28 PM
OK here it is. Crypto map outside_map 2 is NOT to the colo. It's to another location
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 63.144.199.226
crypto map outside_map 2 set ikev1 phase1-mode aggressive
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
Here is Apk outside Crypto for Colo vpn -
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 75.112.187.123
crypto map outside_map 3 set ikev1 phase1-mode aggressive
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 set ikev2 pre-shared-key *****
crypto map outside_map 3 set security-association lifetime kilobytes unlimited
Please remember all VPNs are working and all VLANs work between interface 0/2 10.100.1.0/24 (including all 0/2 sub interfaces) and all interface 0/1 10.100.21.0/24 connected hosts/devices and works to the internet.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-15-2020 12:55 PM
Do you check
VPN_Site_Local_Apk
there are two object
one with 10.100.21.0/24
other contain all
both have same name
I think this is errr here
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: