09-13-2013 08:11 AM
Hi all,
I have two Cisco ASAs used to connect two offices.
In the main office I have an HTTP server and an SMTP server.
In the remote office I have two VLANs (VLAN 1 and VLAN 90).
Both remote VLANs can ping the HTTP and SMTP servers; only VLAN 1 can access the HTTP and SMTP services, but VLAN 90 can access these services.
I think it is some configuration in the ASA; please give me some advice.
Best regards,
David
09-13-2013 11:09 AM
Hi,
I would really need to see some configurations to see what the problem could be.
Since there is some kind of connectivity between the servers and the two LAN networks, it sounds like a problem with a VPN filter or an interface ACL, or perhaps something on the actual servers blocking the connections.
- Jouni
09-13-2013 11:24 AM
Hi Jouni, thanks for your reply. This is the config of the remote site:
The network 10.2.9.0 can reach all services of the main office.
The networks 10.2.90.x/91.x/92.x/93.x can ping all the servers of the main office, but cannot access the HTTP and SMTP services.
name 10.2.0.10 smtp.pro-mujer.org
!
interface Ethernet0/0
description MPLS
switchport access vlan 2
!
interface Ethernet0/1
description LAN
!
interface Ethernet0/2
description INTERNET
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.2.9.1 255.255.255.0
!
interface Vlan2
nameif mpls
security-level 0
ip address 10.2.254.29 255.255.255.252
!
interface Vlan3
no forward interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside extended permit icmp any any
access-list nonat extended permit ip 10.2.9.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.90.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.91.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.92.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.93.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.94.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list Riverbed_TCP_Option_76 extended permit tcp any any log
access-list Riverbed_TCP_Option_78 extended permit tcp any any log
access-list lpz extended permit ip 10.2.9.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.91.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.92.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.93.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.94.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.90.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list mpls extended permit icmp any any
!
tcp-map Riverbed_TCP_Option_76_Tmap
tcp-options range 76 76 allow
!
tcp-map Riverbed_TCP_Option_78_Tmap
tcp-options range 78 78 allow
!
pager lines 24
logging console debugging
mtu inside 1500
mtu mpls 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.2.9.0 255.255.255.0
nat (inside) 1 10.2.90.0 255.255.255.0
nat (inside) 1 10.2.91.0 255.255.255.0
nat (inside) 1 10.2.92.0 255.255.255.0
nat (inside) 1 10.2.93.0 255.255.255.0
nat (inside) 1 10.2.94.0 255.255.255.0
access-group mpls in interface mpls
access-group outside in interface outside
route mpls 10.2.0.0 255.255.0.0 10.2.254.30 1
route outside 0.0.0.0 0.0.0.0 190.102.X.X
route inside 10.2.90.0 255.255.255.0 10.2.9.9 1
route inside 10.2.91.0 255.255.255.0 10.2.9.9 1
route inside 10.2.92.0 255.255.255.0 10.2.9.9 1
route inside 10.2.93.0 255.255.255.0 10.2.9.9 1
route inside 10.2.94.0 255.255.255.0 10.2.9.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.2.0.0 255.255.255.0 inside
snmp-server host inside 10.2.0.83 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map promujer 10 match address lpz
crypto map promujer 10 set peer 10.2.254.1
crypto map promujer 10 set transform-set ESP-3DES-SHA
crypto map promujer interface mpls
crypto map promujer interface outside
crypto isakmp identity address
crypto isakmp enable mpls
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
no crypto isakmp nat-traversal
!
track 10 rtr 1 reachability
telnet timeout 5
ssh 10.2.0.0 255.255.0.0 inside
ssh 10.2.0.0 255.255.0.0 mpls
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.0.9 source inside prefer
ntp server 10.2.0.51 source inside
webvpn
tunnel-group 10.2.254.1 type ipsec-l2l
tunnel-group 10.2.254.1 ipsec-attributes
pre-shared-key *****
class-map Riverbed_TCP_Option_76_Cmap
match access-list Riverbed_TCP_Option_76
class-map inspection_default
match default-inspection-traffic
class-map Riverbed_TCP_Option_78_Cmap
match access-list Riverbed_TCP_Option_78
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect waas
inspect http
class Riverbed_TCP_Option_76_Cmap
set connection advanced-options Riverbed_TCP_Option_76_Tmap
class Riverbed_TCP_Option_78_Cmap
set connection advanced-options Riverbed_TCP_Option_78_Tmap
service-policy global_policy global
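As an added example (not part of this thread and not a diagnosis of the config above), here is a small script that does the first check Jouni's reply implies: for every inside network (the inside interface subnet plus each "route inside" network) and every destination reached via the tunnel interface, it verifies that the pair is exempted from NAT by the "nat (inside) 0" ACL and that it is selected by the crypto map's match ACL. The sample config embedded in it is a constructed excerpt of the posted config with the "lpz" entry for 10.2.90.0 deliberately left out so that the report has something to flag; the interface names "inside" and "mpls" are taken from the post. The same check has to be run against the main-office ASA as well, since a subnet missing from the hub's crypto ACL, NAT exemption or VPN filter produces the same symptom, and interface ACLs are not examined here.

```python
import ipaddress
import re

# Constructed sample: the interface, NAT-exemption, crypto and route lines from
# the remote ASA, minus the "lpz" entry for 10.2.90.0 (removed on purpose).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.9.1 255.255.255.0
interface Vlan2
 nameif mpls
 security-level 0
 ip address 10.2.254.29 255.255.255.252
access-list nonat extended permit ip 10.2.9.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.90.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.2.91.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.9.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list lpz extended permit ip 10.2.91.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map promujer 10 match address lpz
route mpls 10.2.0.0 255.255.0.0 10.2.254.30 1
route inside 10.2.90.0 255.255.255.0 10.2.9.9 1
route inside 10.2.91.0 255.255.255.0 10.2.9.9 1
"""

# Only the "permit ip <src> <mask> <dst> <mask>" form used in the post is parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")
NONAT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def net(addr, mask):
    """Build a network from an ASA-style address plus dotted mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (acls, routes, iface_nets, nonat_acl_name, crypto_acl_names)."""
    acls, routes, iface_nets, nonat, crypto = {}, [], {}, None, []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            iface_nets[nameif] = net(addr, mask)
        elif m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((net(sa, sm), net(da, dm)))
        elif m := ROUTE_RE.match(line):
            iface, addr, mask = m.groups()
            routes.append((iface, net(addr, mask)))
        elif m := NONAT_RE.match(line):
            nonat = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto.append(m.group(1))
    return acls, routes, iface_nets, nonat, crypto


def covered(entries, src, dst):
    """True if some ACL entry's source and destination contain src and dst."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in entries)


def check(config, inside="inside", tunnel_iface="mpls"):
    """List every inside->remote pair missing from NAT exemption or crypto ACL."""
    acls, routes, iface_nets, nonat, crypto = parse(config)
    local = [iface_nets[inside]] + [n for i, n in routes if i == inside]
    remote = [n for i, n in routes if i == tunnel_iface]
    findings = []
    for src in local:
        for dst in remote:
            if nonat and not covered(acls.get(nonat, []), src, dst):
                findings.append(f"{src} -> {dst}: not exempted from NAT by {nonat}")
            for acl in crypto:
                if not covered(acls.get(acl, []), src, dst):
                    findings.append(f"{src} -> {dst}: not in crypto ACL {acl}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no gaps found"]:
        print(finding)
```

Run it against a full "show running-config" from each ASA (the regexes ignore lines they do not understand); an empty report only means the crypto and NAT-exemption ACLs agree with the routing table, not that a VPN filter or interface ACL is not dropping the TCP traffic.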