Beginner

Re: VPN Access HELP

I get this error: Crypto map associated with multiple interfaces. Cannot enable rri

Cisco Employee

Re: VPN Access HELP

Remove this line:

crypto map inside_map interface inside

no crypto map inside_map interface inside
Cisco Employee

Re: VPN Access HELP

Hi Jonathan,

I would suggest a small test to troubleshoot this issue and see if routing is an issue here:


On one of the PCs in the internal network belonging to the subnet 192.168.1.0, open a command prompt and do a tracert to 192.168.3.10 (a random IP in the VPN pool), and see where it dies. It ideally should end up at the ASA. If not, then we need to check the routing, and I see that you are using RIP, so make sure the routes are advertised properly among the internal routers.

Let me know if this helps,

Cheers,

Rudresh V

Beginner

Re: VPN Access HELP

Ok, the tracert ends on my router 192.168.1.1

Cisco Employee

Re: VPN Access HELP

Is that after reverse-route?

In any case, you see that it ends on the 1.1, which I believe is the 3800 router. Can you please share the routes on that?

Beginner

Re: VPN Access HELP

Yes, that is after the reverse route. Would you like the config for the 3660 router? If so, it is listed below:


Building configuration...

Current configuration : 6265 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.7Q9$mJ4Y0sVUoAw8QZ/33g1JD/
enable password henry999
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.7
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.11 192.168.1.19
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.1.2/24
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip admission name NAC eapoudp inactivity-time 60 list NAC1
ip ips sdf location flash://SDF autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woodjl privilege 15 secret 5 $1$w.xT$cFJweRcOx29N9hKafqu4h1
username wooldjl privilege 15 secret 5 $1$4o6/$IO13XCGj9XXjIAGTsN3Yj0
!
!
!
class-map match-any SDM-Transactional-1
match  dscp af21
match  dscp af22
match  dscp af23
class-map match-any SDM-Signaling-1
match  dscp cs3
match  dscp af31
class-map match-any SDM-Routing-1
match  dscp cs6
class-map match-any SDM-Voice-1
match  dscp ef
class-map match-any SDM-Management-1
match  dscp cs2
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
  priority percent 33
   police cir 33000000
     conform-action transmit
     exceed-action drop
class SDM-Signaling-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Routing-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Management-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class SDM-Transactional-1
  bandwidth percent 5
   police cir 5000000
     conform-action transmit
     exceed-action drop
class class-default
  fair-queue
  random-detect
   police cir 22000000
     conform-action transmit
     exceed-action drop
!
!
!
crypto isakmp client configuration group HomeUsers
key henrydixie7153
dns 192.168.1.14 8.8.8.8
domain wood.homeserv.com
pool SDM_POOL_1
include-local-lan
max-users 5
netmask 255.255.255.0
!
crypto isakmp client configuration group VPNHome
key henry999
dns 192.168.1.14 8.8.4.4
domain wood.homeserv.com
pool SDM_POOL_2
include-local-lan
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto ipsec profile VPNHome
set transform-set SDM_TRANSFORMSET_2
!
!
crypto map VPNHome 1 ipsec-isakmp
set peer 192.168.3.0
set security-association idle-time 7200
set transform-set SDM_TRANSFORMSET_1
set pfs group1
match address VPN1
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 192.168.2.2 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip admission NAC
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip verify unicast reverse-path
ip nat inside
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
service-policy output SDM-QoS-Policy-1
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 192.168.1.0
no auto-summary
!
ip local pool SDM_POOL_1 192.168.3.1 192.168.3.10
ip local pool SDM_POOL_2 192.168.4.0 192.168.4.10
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
!
ip nat pool Home 192.168.1.1 192.168.1.24 netmask 255.255.255.0
!
!
ip access-list extended NAC1
remark NAC
remark SDM_ACL Category=64
remark NAC Rule
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended VPN
remark VPN Access
remark SDM_ACL Category=4
remark VPN
permit ip any any
ip access-list extended VPN1
remark VPN Access
remark SDM_ACL Category=4
permit ip host 192.168.3.1 any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip host 255.255.255.0 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.2.2 echo-reply
access-list 101 permit icmp any host 192.168.2.2 time-exceeded
access-list 101 permit icmp any host 192.168.2.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community 192.168.1.1 RO
snmp-server enable traps tty
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
transport output all
line aux 0
transport output all
line vty 0 4
password henry
transport input telnet
transport output all
!
!
end

Cisco Employee

Re: VPN Access HELP

I don't quite understand why you have VPN config in this router.

If it is not required, please remove it.

Also, see if you require this to be like this; remove it if not already in use:

ip route 0.0.0.0 0.0.0.0 192.168.3.1

Add this route:

ip route 192.168.3.0 0.0.0.255 192.168.2.1

Also, I see you have an ACL applied on int fa0/0, which is connected to the ASA.

Please permit VPN traffic in that ACL:

ip access-list extended 101

1 permit ip 192.168.3.0 0.0.0.255 any

Beginner

Re: VPN Access HELP

Since I am getting an error with this line, ip route 192.168.3.0 0.0.0.255 192.168.2.1, could I use the subnet 255.255.255.0 instead of 0.0.0.255?

Cisco Employee

Re: VPN Access HELP

Hi Jonathan,

If the trace route ends at the router, it means the router is not handing over the packet to the ASA for the destination subnet of 192.168.3.0.

Now I see that you are advertising the 192.168.3.0 subnet at the ASA via RIP. I think this is not propagating to the router for some reason. So please check the routes on the router and make sure there is a route for 192.168.3.0 pointing to the ASA via RIP. If not, then the routing protocol RIP is our root cause of the issue.

You can add a static route at the router for this, and it should work. But since you are using RIP, a dynamic routing protocol, you would need to check the routing config and correct this for correct route advertisements, either at the router or the ASA.

Now, since you are already advertising 192.168.3.0 in RIP (as per your configuration), I don't think reverse route is needed for the VPN pool.

Let me know if it works,

Cheers,

Rudresh V

Beginner

Re: VPN Access HELP

Ok, I restored the factory default on the router to clear all unneeded items. I am back up and running like I was before. I entered the line:

ip route 192.168.3.0 0.0.0.255 192.168.2.1

and this is what came up:

Router(config)#ip route 192.168.3.0 0.0.0.255 192.168.2.1
%Inconsistent address and mask

I am not understanding the 192.168.3.0 0.0.0.255 command; what is the 0.0.0.255 subnet for?

Current Show Run:

Router#show run
Building configuration...

Current configuration : 1096 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4 192.168.1.14 192.168.1.13
!
!
username woodjl privilege 15 secret 5 $1$FJyW$Ozgsn9oO0acvYSSeohvzX/
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!

!
control-plane
!
!

!
line con 0
line aux 0
line vty 0 4
!
!
end

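The "%Inconsistent address and mask" message above is IOS rejecting a static route whose network address has bits set outside the mask: "ip route" takes a subnet mask (255.255.255.0), while extended access-list entries take a wildcard mask (0.0.0.255), so the same 0.0.0.255 that is right in an ACL fails in a route. The Python below, an added example and not code from the thread or from Cisco, reproduces that check and the wildcard-to-mask conversion; the function names are my own.

```python
# Added example (not from the thread): emulate the address/mask validation IOS
# applies to "ip route <network> <mask> <next-hop>". Function names are my own.

def ip_to_int(dotted: str) -> int:
    """Parse a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 value: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def is_contiguous_netmask(mask: str) -> bool:
    """A subnet mask must be a run of 1 bits followed by 0 bits (e.g. 255.255.255.0)."""
    inv = ip_to_int(mask) ^ 0xFFFFFFFF      # inverted, it must be of the form 2^k - 1
    return (inv & (inv + 1)) == 0

def wildcard_to_netmask(wildcard: str) -> str:
    """ACL wildcard bits are the bitwise inverse of subnet-mask bits: 0.0.0.255 -> 255.255.255.0."""
    return int_to_ip(ip_to_int(wildcard) ^ 0xFFFFFFFF)

def check_static_route(network: str, mask: str) -> str:
    """Return "ok" if IOS would accept the route, else the error text the router prints.
    IOS requires that no host bits be set, i.e. (network AND mask) == network."""
    net, m = ip_to_int(network), ip_to_int(mask)
    if (net & m) != net:
        return "%Inconsistent address and mask"
    return "ok"

def suggest_route_mask(network: str, mask: str) -> str:
    """If `mask` was really an ACL wildcard whose inverse is a valid subnet mask
    for `network`, return that subnet mask; otherwise return `mask` unchanged."""
    if check_static_route(network, mask) == "ok":
        return mask
    candidate = wildcard_to_netmask(mask)
    if is_contiguous_netmask(candidate) and check_static_route(network, candidate) == "ok":
        return candidate
    return mask

def acl_matches(acl_address: str, wildcard: str, packet_ip: str) -> bool:
    """Extended-ACL semantics: wildcard 1 bits are "don't care", 0 bits must match."""
    care = ip_to_int(wildcard) ^ 0xFFFFFFFF
    return ((ip_to_int(acl_address) ^ ip_to_int(packet_ip)) & care) == 0
```

Running check_static_route("192.168.3.0", "0.0.0.255") returns the same error text the router printed, and suggest_route_mask gives the 255.255.255.0 form for that route.
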
Cisco Employee

Re: VPN Access HELP

Since you already have a default route to the ASA, you don't need the more specific one.

But, looking at the most recent ASA config you posted, I think there was some confusion about the split tunnel config.

You have

access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0 

But only one of these is actually used in the group-policy.

group-policy WoodVPN attributes
  split-tunnel-network-list value WoodVPN_splitTunnelAcl

So my suggestion is to add:

access-list WoodVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
(and remove the other 2 access-lists unless they're used for something else)

hth
Herbert

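The check Herbert did by eye above, namely which split-tunnel ACL the group-policy actually references and whether it contains the internal LAN, can be scripted against a pasted ASA running-config. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the lines quoted above, and the function and variable names are my own.

```python
import re

# Constructed sample: the split-tunnel lines quoted in the reply above, as they
# would appear in "show running-config" on the ASA (not the full device config).
ASA_SNIPPET = """\
access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
group-policy WoodVPN attributes
 split-tunnel-network-list value WoodVPN_splitTunnelAcl
"""

ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")
STL_RE = re.compile(r"^\s+split-tunnel-network-list value (\S+)$")

def parse_asa(config: str):
    """Return ({acl_name: [(network, mask), ...]}, {group_policy: split_tunnel_acl})."""
    acls, refs, current_gp = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()                     # pasted configs often carry trailing spaces
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GP_RE.match(line):
            current_gp = m.group(1)
        elif (m := STL_RE.match(line)) and current_gp:
            refs[current_gp] = m.group(1)
    return acls, refs

def audit_split_tunnel(config: str, internal_lan: tuple):
    """For each group-policy: which ACL is really in effect, its networks, and whether the
    internal LAN (network, mask) is in it. Also list standard ACLs no policy references."""
    acls, refs = parse_asa(config)
    report = {}
    for gp, acl in refs.items():
        nets = acls.get(acl, [])
        report[gp] = {"acl": acl, "networks": nets, "covers_lan": internal_lan in nets}
    unreferenced = sorted(name for name in acls if name not in refs.values())
    return report, unreferenced
```

With the sample above, audit_split_tunnel(ASA_SNIPPET, ("192.168.1.0", "255.255.255.0")) reports that WoodVPN_splitTunnelAcl is in effect and does not cover 192.168.1.0/24, and lists the two other ACLs as unreferenced; appending the suggested permit line flips covers_lan to True.
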