02-05-2014 11:16 AM
I have an ASA 5505 at v8.2. We have been using a tunnel to a PIX in a remote office successfully for years. Originally, the main office was 192.168.0.0/24 and the remote office was 192.168.1.0/24. Recently we needed to expand the subnet at the main office to accommodate more devices, so now the main office is 192.168.0.0/22, which of course contains the remote office's subnet. The tunnel is established and I am receiving packets from the remote office, but packets are not being sent there (RX count is high, TX count is 0). I assume that this is a traffic selection problem, but adding a 'route outside 192.168.1.0 255.255.255.0 {outside gateway ip} 1' does not help. Any suggestions? Here is my config:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
name 192.168.1.0 Home
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.242.246.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service rww tcp
 description Remote Web Workplace
 port-object eq 4125
object-group service rdp tcp
 description 3396
 port-object range 3394 3399
 port-object range 3385 3390
 port-object range 3392 3394
object-group service Server tcp
 description 987
 group-object rww
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq pptp
 group-object rdp
 port-object eq 444
 port-object eq 446
 port-object range 902 903
 port-object eq 987
 port-object eq imap4
 port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service smtp-26 tcp
 port-object eq 26
object-group service DM_INLINE_UDP_1 udp
 port-object eq snmp
 port-object eq snmptrap
object-group network DM_INLINE_NETWORK_1
 network-object host xx.xx.xx.xx
 network-object host xx.xx.xx.xx
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any any
access-list outside_access_in_1 extended permit tcp any any object-group Server
access-list outside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group smtp-26
access-list outside_access_in_1 extended permit gre any any
access-list outside_access_in_1 extended permit icmp any any
access-list 100 extended permit ip 192.168.0.0 255.255.252.0 Home 255.255.255.0
access-list outside_cryptomap_20.1_1 extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.252.0 Home 255.255.255.0
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 192.168.0.0 255.255.252.0 Home 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap informational
logging history informational
logging asdm informational
logging host inside Server
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 50.242.246.206 1
route inside 10.1.10.0 255.255.255.0 192.168.0.112 1
route outside Home 255.255.255.0 50.242.246.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 match address outside_cryptomap_20.1_1
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 1 match address outside_cryptomap
crypto map dyn-map 1 set peer {remote office gateway IP}
crypto map dyn-map 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28
tftp-server inside Terminal /asa120214-2.cfg
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group {remote office external IP} type ipsec-l2l
tunnel-group {remote office external IP} ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:90aa72e00e4dca9f3ba3f449fb851179
: end
asdm image disk0:/asdm-621.bin
no asdm history enable
02-05-2014 11:46 PM
Hi,
It's a problem that you have configured overlapping networks in the first place.
The problem probably has to do with the fact that your internal Main Office network thinks the hosts on the range 192.168.1.0/24 are included in its local network and therefore tries to ARP for the destination addresses' MAC addresses and fails, since the hosts aren't located on its local network.
For the traffic to even get forwarded to the ASA the ASA would have to use Proxy ARP to reply to those ARP requests.
But to me it seems a better idea to NAT the Remote Office network to some other /24 network before the L2L VPN connection and change the L2L VPN configurations to reflect that change.
You would want to have ONLY this ACL rule in the "crypto map" line using the ACL (you could replace the old ACL with this one):
access-list L2LVPN permit ip 192.168.0.0 255.255.252.0 192.168.100.0 255.255.255.0
Where the network 192.168.100.0/24 would be the new NAT network for Remote Site.
Your NAT0 ACL on Main Site should only contain the following line:
access-list 100 permit ip 192.168.0.0 255.255.252.0 192.168.100.0 255.255.255.0
On the Remote Site PIX you would need to remove the NAT0 configuration and instead configure Static Policy NAT:
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.252.0
static (inside,outside) 192.168.100.0 access-list L2LVPN-POLICYNAT
And the L2L VPN "crypto map" ACL would be:
access-list L2LVPN permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.252.0
Naturally, though, if you also need access to the 192.168.1.0/24 range on the Main Office from the Remote Office, you would need to perform NAT on the Main Office as well (as the Remote Office would in that case be connecting to the same network that it has).
As you can see, it can get a bit complex.
Other than this, you might have an easier time changing some local network, perhaps at the Remote Office, for example.
- Jouni
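The two points in the answer above (why a host on a 192.168.0.0/22 LAN never hands 192.168.1.x traffic to the ASA, and what the policy-NAT recipe looks like once the remote LAN is translated to a fresh /24) can be checked with a small script. This is an added example, not code from either post or from Cisco; the networks are the ones from the thread, and 192.168.100.0/24 is the translation network the answer proposes. The ACL and `static` lines it renders are copied from the answer's recipe, so if your ASA version or naming differs, adjust them accordingly.

```python
"""Overlap check and policy-NAT plan for a site-to-site VPN with clashing LANs.

Added example (not from the original thread). Inputs are constructed from the
thread: Main Office 192.168.0.0/22, Remote Office 192.168.1.0/24, and the
192.168.100.0/24 translation network suggested in the answer.
"""
import ipaddress

MAIN_LAN = "192.168.0.0/22"      # Main Office after the expansion
REMOTE_LAN = "192.168.1.0/24"    # Remote Office, now inside MAIN_LAN
NAT_LAN = "192.168.100.0/24"     # translation network proposed in the answer


def cisco(net):
    """Render a network the way ASA 8.2 ACLs expect: 'address mask'."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.netmask}"


def on_link_from(host, lan):
    """True when a host in `lan` treats `host` as directly attached.

    Such a host ARPs for the destination instead of forwarding to its default
    gateway, so the packet never reaches the ASA and the tunnel TX stays at 0.
    """
    return ipaddress.ip_address(host) in ipaddress.ip_network(lan)


def check_overlap(local, remote):
    """True when the two LANs share any address space."""
    return ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote))


def translate(remote_host, remote, nat):
    """Static net-to-net translation: keep the host offset, swap the prefix."""
    addr = ipaddress.ip_address(remote_host)
    src, dst = ipaddress.ip_network(remote), ipaddress.ip_network(nat)
    if addr not in src:
        raise ValueError(f"{addr} is not in {src}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static net translation needs equal-size networks")
    offset = int(addr) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + offset)


def nat_plan(local, remote, nat):
    """Return the config lines from the answer, or None when no NAT is needed.

    The translation network must be free on both sides, otherwise the same
    ARP problem reappears with the translated addresses.
    """
    if not check_overlap(local, remote):
        return None
    n = ipaddress.ip_network(nat)
    if n.overlaps(ipaddress.ip_network(local)) or n.overlaps(ipaddress.ip_network(remote)):
        raise ValueError("translation network must not overlap either LAN")
    return {
        # Main Office ASA: crypto-map ACL and NAT0 ACL both reference NAT_LAN
        "main_site": [
            f"access-list L2LVPN permit ip {cisco(local)} {cisco(nat)}",
            f"access-list 100 permit ip {cisco(local)} {cisco(nat)}",
        ],
        # Remote Office PIX: policy NAT before the tunnel, then the crypto-map ACL
        "remote_site": [
            f"access-list L2LVPN-POLICYNAT permit ip {cisco(remote)} {cisco(local)}",
            f"static (inside,outside) {n.network_address} access-list L2LVPN-POLICYNAT",
            f"access-list L2LVPN permit ip {cisco(nat)} {cisco(local)}",
        ],
    }


if __name__ == "__main__":
    print("overlap:", check_overlap(MAIN_LAN, REMOTE_LAN))
    print("192.168.1.37 looks on-link from Main Office:", on_link_from("192.168.1.37", MAIN_LAN))
    print("192.168.1.37 appears to Main Office as:", translate("192.168.1.37", REMOTE_LAN, NAT_LAN))
    for site, lines in nat_plan(MAIN_LAN, REMOTE_LAN, NAT_LAN).items():
        print(f"--- {site}")
        print("\n".join(lines))
```

Run it as-is to see the rendered lines; swap in your own prefixes to confirm a candidate translation network is clear of both LANs before touching the crypto map.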