VPN connectivity help?
Hi
I have recently finished creating a VPN site-to-site network, but it doesn't seem to be working correctly. Everything that I've done seems to be in order, but obviously something must be wrong, and I'm not sure what.
Basically I have 2 site networks, 1 with 3 machines on a 10.30.0.0/24 network connected to a switch that connects to an ASA, which then connects to an edge device which is a router. The exact same topology is present on the other side but it uses the 10.20.0.0/24 network etc...
I will post the ASA and edge router configs below also. I appreciate any help anyone can give me on this.
ASA Version 8.4(2)
!
hostname ASA1
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.20.2 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
webvpn
enable
!
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
!
access-list VPN extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list test extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
!
!
!
!
!
class-map inspect
match default-inspection-traffic
!
policy-map global
class inspect
inspect icmp
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable
!
!
!
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN
crypto map VPN_MAP 1 set peer 172.16.30.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto map VPN_MAP interface outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 5
lifetime 8600
!
tunnel-group 172.16.30.2 type ipsec-l2l
tunnel-group 172.16.30.2 ipsec-attributes
ikev1 pre-shared-key cisco
!
Router on the edge:
interface FastEthernet0/0
ip address 172.16.20.1 255.255.255.0 <<<<<<<<<<<<connects to the ASA
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
no ip address
encapsulation frame-relay
frame-relay interface-dlci 102
!
interface Serial2/0.201 point-to-point
ip address 192.168.0.2 255.255.255.0
frame-relay interface-dlci 201
!
interface Serial2/0.203 point-to-point
ip address 192.168.3.2 255.255.255.0
frame-relay interface-dlci 203
!
interface Serial3/0
no ip address
clock rate 2000000
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 192.168.0.0 0.0.255.255 area 0
network 172.16.20.0 0.0.0.255 area 0
!
ip classless
ip route 10.20.0.0 255.255.255.0 172.16.20.2
ip route 10.30.0.0 255.255.255.0 192.168.3.1
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
!
!
!
!
!
!
!
!
ASA Version 8.4(2)
!
hostname ASA2
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
webvpn
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
!
access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
!
!
!
!
group-policy vpn internal
group-policy VPN_S2S internal
group-policy internal internal
!
class-map inspect
match default-inspection-traffic
class-map test
!
policy-map global
class inspect
inspect icmp
class test
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
!
dhcpd enable
!
dhcpd address 10.30.0.10-10.30.0.15 inside
dhcpd enable inside
!
!
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN_1
crypto map VPN_MAP 1 set peer 172.16.20.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto map VPN_MAP interface outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 5
lifetime 8600
!
tunnel-group webvpn type remote-access
tunnel-group 172.16.20.2 type ipsec-l2l
tunnel-group 172.16.20.2 ipsec-attributes
ikev1 pre-shared-key cisco
!
!
!
Router on the edge:
interface FastEthernet0/0
ip address 172.16.30.1 255.255.255.0 <<<<<<<<<<<<connects to the ASA
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
no ip address
encapsulation frame-relay
frame-relay interface-dlci 103
!
interface Serial2/0.301 point-to-point
ip address 192.168.1.3 255.255.255.0
frame-relay interface-dlci 301
!
interface Serial2/0.302 point-to-point
ip address 192.168.3.1 255.255.255.0
frame-relay interface-dlci 302
!
interface Serial3/0
no ip address
clock rate 2000000
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 192.168.0.0 0.0.255.255 area 0
network 172.16.30.0 0.0.0.255 area 0
!
ip classless
ip route 10.20.0.0 255.255.255.0 192.168.3.2
ip route 10.30.0.0 255.255.255.0 172.16.30.2
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
login
!
line aux 0
!
line vty 0 4
password cisco
login
transport input ssh
line vty 5
no login
transport input ssh
line vty 6 15
login
transport input ssh
!
!
!
end
I would just like to point out that both interior networks can ping over the frame relay and past the edge router to the "outside" interface of the destined ASAs.
Thank you for the help! It is greatly appreciated!
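As an added check, not part of the original post: a small Python script that reads the VPN-relevant lines of the two ASA configs above (trimmed excerpts, generated from one template with the values swapped) and tests what has to agree between IKEv1 site-to-site peers: the crypto map peer must be the other side's outside address, a tunnel-group with a pre-shared key must exist for that peer, the two crypto ACLs must be mirror images (protocol included, so changing only one side from icmp to ip would be flagged), and the crypto map's interface must also appear in a `crypto ikev1 enable <interface>` line, which an 8.4 ASA needs before it will negotiate IKEv1 on that interface and which neither pasted config contains. The parser and check names are my own.

```python
# The two ASA configs from the post, trimmed to the VPN-relevant lines (one template, values swapped).
TEMPLATE = """
interface Vlan2
 nameif outside
 ip address {me} 255.255.255.0
access-list {acl} extended permit icmp {a} 255.255.255.0 {b} 255.255.255.0
crypto map VPN_MAP 1 match address {acl}
crypto map VPN_MAP 1 set peer {peer}
crypto map VPN_MAP interface outside
tunnel-group {peer} type ipsec-l2l
 ikev1 pre-shared-key cisco
"""
ASA1 = TEMPLATE.format(me="172.16.20.2", peer="172.16.30.2", a="10.20.0.0", b="10.30.0.0", acl="VPN")
ASA2 = TEMPLATE.format(me="172.16.30.2", peer="172.16.20.2", a="10.30.0.0", b="10.20.0.0", acl="VPN_1")

def parse_asa(cfg):
    """Collect the IKEv1 site-to-site pieces that must agree with the peer."""
    d = {"ifip": {}, "acl": {}, "ikev1_if": set(), "psk": set(), "map": {}}
    nameif = tg = None
    for t in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"]:            # address of the interface last named
            d["ifip"][nameif] = t[2]
        elif t[0] == "access-list":                  # (proto, src, dst) per permit entry
            d["acl"].setdefault(t[1], set()).add((t[4], t[5], t[7]))
        elif t[:3] == ["crypto", "ikev1", "enable"]:
            d["ikev1_if"].add(t[3])
        elif t[:2] == ["crypto", "map"]:             # keys: interface, address (ACL), peer
            d["map"][t[3] if t[3] == "interface" else t[-2]] = t[-1]
        elif t[0] == "tunnel-group":
            tg = t[1]
        elif t[:2] == ["ikev1", "pre-shared-key"]:   # key is set under the current tunnel-group
            d["psk"].add(tg)
    return d

def check_side(local, remote):
    """Findings for one ASA given the peer's parsed config; an empty list means consistent."""
    m, issues = local["map"], []
    if m.get("interface") not in local["ikev1_if"]:
        issues.append(f"missing 'crypto ikev1 enable {m.get('interface')}'")
    if m.get("peer") != remote["ifip"].get(remote["map"].get("interface")):
        issues.append("crypto map peer is not the remote outside address")
    if m.get("peer") not in local["psk"]:
        issues.append("no tunnel-group with a pre-shared key for the peer")
    mirror = {(p, dst, src) for p, src, dst in remote["acl"].get(remote["map"].get("address"), ())}
    if local["acl"].get(m.get("address"), set()) != mirror:
        issues.append("crypto ACL is not the mirror image of the peer's crypto ACL")
    return issues
```

Run `check_side(parse_asa(ASA1), parse_asa(ASA2))` and the reverse pair; on the excerpts above each side reports only the missing `crypto ikev1 enable outside` line.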
Comments
Robbo777: The actual VPN connection, I have been told it may be something to do with the access list being ICMP and not IP, but with it being Packet Tracer I can't use IP in an extended access list on the ASA. I'm just thinking how I could get around this? Would object groups work?