VPN connectivity problem? Help

robbo79871
Level 1

Hi

I have recently finished creating a site-to-site VPN network, but it doesn't seem to be working correctly. Everything I've done seems to be in order, but obviously something must be wrong, and I'm not sure what.

Basically I have 2 site networks, 1 with 3 machines on a 10.30.0.0/24 network connected to a switch that connects to an ASA, which then connects to an edge device, which is a router. The exact same topology is present on the other side, but it uses the 10.20.0.0/24 network, etc.

I will post the ASA and edge router configs below also. I appreciate any help anyone can give me on this.

ASA Version 8.4(2)
!
hostname ASA1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Ethernet0/2
 switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.20.2 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
webvpn
 enable
!
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
!
access-list VPN extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list test extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
class-map inspect
 match default-inspection-traffic
!
policy-map global
 class inspect
  inspect icmp
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN
crypto map VPN_MAP 1 set peer 172.16.30.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto map VPN_MAP interface outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 8600
!
tunnel-group 172.16.30.2 type ipsec-l2l
tunnel-group 172.16.30.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!

Router on the edge:

interface FastEthernet0/0
 ip address 172.16.20.1 255.255.255.0  <<<<<<<<<<<< connects to the ASA
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial2/0
 no ip address
 encapsulation frame-relay
 frame-relay interface-dlci 102
!
interface Serial2/0.201 point-to-point
 ip address 192.168.0.2 255.255.255.0
 frame-relay interface-dlci 201
!
interface Serial2/0.203 point-to-point
 ip address 192.168.3.2 255.255.255.0
 frame-relay interface-dlci 203
!
interface Serial3/0
 no ip address
 clock rate 2000000
 shutdown
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 no ip address
 shutdown
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
 network 172.16.20.0 0.0.0.255 area 0
!
ip classless
ip route 10.20.0.0 255.255.255.0 172.16.20.2
ip route 10.30.0.0 255.255.255.0 192.168.3.1
!
ip flow-export version 9
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


ASA Version 8.4(2)
!
hostname ASA2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 30
!
interface Ethernet0/2
 switchport access vlan 30
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 security-level 100
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
 nameif inside
 security-level 100
 ip address 10.30.0.1 255.255.255.0
!
webvpn
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
!
access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
group-policy vpn internal
group-policy VPN_S2S internal
group-policy internal internal
!
class-map inspect
 match default-inspection-traffic
class-map test
!
policy-map global
 class inspect
  inspect icmp
 class test
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable
!
dhcpd address 10.30.0.10-10.30.0.15 inside
dhcpd enable inside
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN_1
crypto map VPN_MAP 1 set peer 172.16.20.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto map VPN_MAP interface outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 8600
!
tunnel-group webvpn type remote-access
tunnel-group 172.16.20.2 type ipsec-l2l
tunnel-group 172.16.20.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!

!

!

Router on the edge:

interface FastEthernet0/0
 ip address 172.16.30.1 255.255.255.0 <<<<<<<<<<<< connects to the ASA
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial2/0
 no ip address
 encapsulation frame-relay
 frame-relay interface-dlci 103
!
interface Serial2/0.301 point-to-point
 ip address 192.168.1.3 255.255.255.0
 frame-relay interface-dlci 301
!
interface Serial2/0.302 point-to-point
 ip address 192.168.3.1 255.255.255.0
 frame-relay interface-dlci 302
!
interface Serial3/0
 no ip address
 clock rate 2000000
 shutdown
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 no ip address
 shutdown
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
 network 172.16.30.0 0.0.0.255 area 0
!
ip classless
ip route 10.20.0.0 255.255.255.0 192.168.3.2
ip route 10.30.0.0 255.255.255.0 172.16.30.2
!
ip flow-export version 9
!
line con 0
 login
!
line aux 0
!
line vty 0 4
 password cisco
 login
 transport input ssh
line vty 5
 no login
 transport input ssh
line vty 6 15
 login
 transport input ssh
!
end

I would just like to point out that both interior networks can ping over the frame relay and past the edge router to the "outside" interface of the destination ASAs.

Thank you for the help! It is greatly appreciated!

6 Replies

Philip D'Ath
VIP Alumni

The two VPN encryption lists on both ASAs are using the protocol ICMP instead of IP. Change:

access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0

to:

access-list VPN_1 extended permit ip 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
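As an added example (not code from this thread or from Cisco), a small Python checker that reads the VPN-relevant lines of the two posted ASA configs and reports what Philip describes: a crypto ACL that matches only icmp instead of ip. It also checks that the proxy IDs mirror between the peers and that the crypto-map interface has `crypto ikev1 enable`, a line neither posted config shows. The config line formats it parses are assumed from the configs above; the excerpts are constructed from them.

```python
import re

# Constructed excerpts of the VPN-relevant lines from the two ASA configs posted above.
ASA1 = """
access-list VPN extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
crypto map VPN_MAP 1 match address VPN
crypto map VPN_MAP interface outside
"""
ASA2 = """
access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
crypto map VPN_MAP 1 match address VPN_1
crypto map VPN_MAP interface outside
"""

def parse_vpn(cfg):
    """Collect the facts a crypto-map sanity check needs (line formats assumed from the posted configs)."""
    f = {"acls": {}, "acl": None, "iface": None, "ikev1_on": set()}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$", line):
            f["acls"].setdefault(m[1], []).append(m.groups()[1:])  # (proto, src, smask, dst, dmask)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            f["acl"] = m[1]
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            f["iface"] = m[1]
        elif m := re.match(r"crypto ikev1 enable (\S+)", line):
            f["ikev1_on"].add(m[1])
    return f

def audit(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings for a pair of site-to-site peers."""
    fa, fb = parse_vpn(cfg_a), parse_vpn(cfg_b)
    issues = []
    for name, f in ((name_a, fa), (name_b, fb)):
        for proto, src, _, dst, _ in f["acls"].get(f["acl"], []):
            if proto != "ip":  # the mistake in the thread: only ICMP counts as interesting traffic
                issues.append(f"{name}: crypto ACL {f['acl']} permits only {proto} {src}->{dst}; use ip")
        if f["iface"] not in f["ikev1_on"]:  # IKEv1 must be enabled on the crypto-map interface
            issues.append(f"{name}: missing 'crypto ikev1 enable {f['iface']}'")
    # Proxy IDs must mirror: every src/dst pair on A must appear as dst/src on B (checked A -> B only).
    pa = {(s, sm, d, dm) for _, s, sm, d, dm in fa["acls"].get(fa["acl"], [])}
    pb = {(d, dm, s, sm) for _, s, sm, d, dm in fb["acls"].get(fb["acl"], [])}
    for s, sm, d, dm in pa - pb:
        issues.append(f"{name_a}: {s}/{sm} -> {d}/{dm} has no mirrored entry on {name_b}")
    return issues

if __name__ == "__main__":
    for finding in audit("ASA1", ASA1, "ASA2", ASA2):
        print(finding)
```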

Hi

Thanks for the response. I have been going over and over what the problem could be with this, and this might be the answer. The problem is that in Packet Tracer it doesn't allow you to include "IP" in an extended access list. Is there any other way I could do this? Maybe using an object group?

Thanks again for the help

Well if you made it TCP then it would do all TCP protocols.

Hi

I have tried to do 2 more access lists but I'm getting these errors for these access lists:

access-list VPN permit object-group VPN object 20_network object 30_network

Error:invalid object-group type

I have no idea what that means. The object groups I have are:

object network 20_network
 subnet 10.20.0.0 255.255.255.0
object network 30_network
 subnet 10.30.0.0 255.255.255.0
object-group service VPN tcp-up


access-list VPN extended permit tcp 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255

Error ip address, mask <10.20.0.0, 0.0.0.255> doesn't pair

I even did this:

access-list VPN extended permit tcp any any

But still nothing! It's puzzling me so much as to what the problem is and what these errors are, too.

So this is some kind of simulation rather than real kit? Perhaps consider using Cisco VIRL:

http://virl.cisco.com/

I will look into that, but in the meantime I've spent almost a week on this particular lab and have configured everything across it, but this ONE particular problem I cannot seem to fix, and it's bugging me that I don't know what the issue is.

I have configured new access lists:

object network 20_network
 subnet 10.20.0.0 255.255.255.0
object network 30_network
 subnet 10.30.0.0 255.255.255.0
!
access-list VPN_1 extended permit tcp object 30_network object 20_network
access-list VPN_1 extended permit icmp object 30_network object 20_network
!

But STILL nothing works! Funnily enough, I configured this one along with the appropriate access group and I was able to ping across site to site as normal traffic, so I know connectivity works; it's just the VPN that isn't working:

access-list test extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0

Any help anyone can give me would be greatly appreciated!