VPN not working after adding subinterface - ASA 5510

c.schulte
Level 1

Hello,

Currently I want to add a second LAN (VLAN) to a customer's network. The new network will be for a wireless infrastructure.

There is also VPN configured on the ASA: one with L2TP for Windows clients and an IPsec one for Cisco clients.

Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.

Now I want to use Eth0/2 with subinterfaces, so that we will be flexible in future when deploying more VLANs.

But now, when I set the first subinterface Eth0/2.2 to no shutdown, the VPN connections do not work any more.

Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this because a tracert to an internal address goes out to the internet.)

Below is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2).

TREV is the network of this location.

Company1,2,3 are remote locations.

: Saved
:
ASA Version 8.2(5)
!
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name XXXXXXXX Company1
name 192.168.1.0 Company2
name XXXXXXXXX GCT
name XXXXXXXX BMD
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
!
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address XXXXX 255.255.255.248
!
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
description Trunk Interface
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
description Wireless
vlan 110
nameif wlan
security-level 100
ip address 192.168.110.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.10
domain-name domain.lan
dns server-group COMPANY2
name-server 192.168.1.16
domain-name domain.local
dns server-group COMPANY3
name-server 192.168.200.1
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN_Networks
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object TREV 255.255.255.0
network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object COMPANY2 255.255.255.0
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object Wireless 255.255.255.0
access-list INCOMING remark *** ICMP Erlauben ***
access-list INCOMING extended permit icmp any any echo-reply
access-list INCOMING extended permit icmp any any time-exceeded
access-list INCOMING extended permit icmp any any unreachable
access-list INCOMING extended permit icmp any any parameter-problem
access-list INCOMING extended permit icmp any any source-quench
access-list INCOMING extended permit icmp any any echo
access-list INCOMING remark *** Wartung Company1 ***
........
access-list INCOMING remark *** Wartung BMD ***
.....
access-list INCOMING remark *** Mail ***
access-list ......
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_debug extended permit tcp any host 192.168.100.5
access-list inside_debug extended permit tcp any TREV 255.255.255.0
access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu wlan 1500
ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXXXXXXXXXX
nat (inside) 0 access-list Trev-nat0
nat (inside) 2 192.168.100.25 255.255.255.255
nat (inside) 2 192.168.100.250 255.255.255.255
nat (inside) 1 TREV 255.255.255.0
nat (wlan) 0 access-list Wireless-nat0
static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
.... a lot of statics..............
static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp XXXXXXXXXX  995 192.168.100.25 995 netmask 255.255.255.255
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.10
timeout 5
key *****
radius-common-pw *****
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host 192.168.100.10
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable 4430
http COMPANY2 255.255.255.0 management
http TREV 255.255.255.0 inside
http Company1 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 178.188.202.78
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 5
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh bit-Studio 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh TREV 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 192.168.100.10 inside
dhcprelay enable wlan
dhcprelay setroute wlan
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
intercept-dhcp enable
group-policy IPsecVPN internal
group-policy IPsecVPN attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
username admin password XXXXXXXXXX encrypted privilege 15
username vpntest password XXXXXXXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy IPsecVPN
tunnel-group IPsecVPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
: end

3 Replies

Jouni Forss
VIP Alumni

Hi,

First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or the source network isn't correct.

Let's look at the NAT0 ACL you have line by line.

access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks


  • The above access-list has the correct source network configured
    • Yet it has its destination addresses configured with an "object-group" which contains your LAN network
  • You should probably remove the LAN network from the object-group VPN_Networks

access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0

  • To my understanding the above ACL line doesn't serve any purpose, as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking you to remove from the object-group)

access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1

  • The above ACL overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the Wireless network, which it shouldn't

I would suggest simplifying your NAT0 configuration, for example in the following way (change the names if you want if you're going to try it out):

object-group network TREV-LAN
  description Local networks
  network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
  description Remote networks
  network-object 192.168.200.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
  network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 extended permit ip object-group TREV-LAN object-group VPN-NETWORKS

With the above configurations:

  • You have all NAT0 in a single line of access-list configuration (not counting the remark line, as it doesn't affect anything)
  • If there are changes in the VPN pools, VPN remote networks or LAN networks, you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there are some bigger changes to the network

So as I said, I would start with changing the above NAT configurations and then test the VPN again. If it doesn't work we will have to check some other things out.

- Jouni

Almost forgot,

Your L2L VPN encryption domain access-list is also using that one object-group DM_INLINE_NETWORK_1, so it would be good to clear that up as well, since it contains the Wireless network.

Maybe make a separate new object-group for the L2L VPN destination networks.

For example:

object-group network L2L-VPN-NETWORKS
  description L2L VPN Remote networks
  network-object 192.168.200.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group L2L-VPN-NETWORKS
no access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1

Of course you have to take into consideration that this could affect the L2L VPN for a short while.

- Jouni
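To make the overlap Jouni points out concrete, here is an added example (not from the thread) that models the original Trev-nat0 ACL and the proposed TREV-LAN-NAT0 ACL as object-group lookups and evaluates which inside flows each one exempts from NAT. The group contents are taken from the posted config; the sample flows are constructed.

```python
import ipaddress

# Object-groups from the question and from the suggested fix, as CIDR lists.
GROUPS = {
    "VPN_Networks": ["192.168.200.0/24", "192.168.201.0/24", "192.168.1.0/24",
                     "192.168.11.0/24", "192.168.100.0/24", "192.168.101.0/24"],
    "DM_INLINE_NETWORK_1": ["192.168.1.0/24", "192.168.200.0/24", "192.168.201.0/24",
                            "192.168.11.0/24", "192.168.110.0/24"],
    "VPN-NETWORKS": ["192.168.200.0/24", "192.168.201.0/24", "192.168.1.0/24",
                     "192.168.11.0/24", "192.168.101.0/24"],
}
TREV = "192.168.100.0/24"

# Original Trev-nat0 ACL from the question, as (source, destination) permit lines.
ORIGINAL_NAT0 = [(TREV, "VPN_Networks"), ("VPN_Networks", TREV), (TREV, "DM_INLINE_NETWORK_1")]
# Suggested single-line TREV-LAN-NAT0 ACL.
SIMPLIFIED_NAT0 = [(TREV, "VPN-NETWORKS")]

def expand(ref):
    """Expand an object-group name, or a plain CIDR string, into ip_network objects."""
    return [ipaddress.ip_network(n) for n in GROUPS.get(ref, [ref])]

def is_exempt(acl, src_ip, dst_ip):
    """True if the flow matches any permit line, i.e. the ASA would skip NAT for it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_ref, dst_ref in acl:
        if any(src in n for n in expand(src_ref)) and any(dst in n for n in expand(dst_ref)):
            return True
    return False

def compare(flows):
    """Evaluate each (src, dst) flow against both ACLs -> {flow: (original, simplified)}."""
    return {(s, d): (is_exempt(ORIGINAL_NAT0, s, d), is_exempt(SIMPLIFIED_NAT0, s, d))
            for s, d in flows}

if __name__ == "__main__":
    # Constructed sample flows from a host on the inside (TREV) network.
    sample = [("192.168.100.10", "192.168.101.5"),   # LAN -> remote-access VPN pool
              ("192.168.100.10", "192.168.110.20"),  # LAN -> Wireless (not a VPN network)
              ("192.168.100.10", "192.168.100.20")]  # LAN -> LAN (TREV inside VPN_Networks)
    for (src, dst), (orig, simp) in compare(sample).items():
        print(f"{src} -> {dst}: original exempts={orig}, simplified exempts={simp}")
```

Only the VPN pool flow is exempted by both ACLs; the Wireless and LAN-to-LAN flows are exempted solely because of the extra networks in the two original object-groups.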

c.schulte
Level 1

Hey,

First, thanks for your answers.

I undid the changes, back to the state where the VPN was working. Then I configured the interfaces again.

Now the L2TP VPN is working again, but ONLY for Windows 7 clients. If I connect from Windows XP, the interesting traffic isn't tunneled again. That's quite strange. (The initialisation of the VPN works perfectly.)

I will definitely review my nat0 access lists. But I doubt this will change something. But I will try!

Some other ideas?
