Solved

Cisco ASA 5510 + 5 * Cisco 877 VPN routing issue

Posted on 2007-11-28
Last Modified: 2008-12-31
Hi

I have 1 * Cisco ASA 5510 with VPNs to 5 * Cisco 877 routers in a hub and spoke arrangement.
IP subnets are as follows

ASA5510 = 10.10.100.0/24 (hub)
877 #1 = 10.10.101.0/24
877 #2 = 10.10.102.0/24
877 #3 = 10.10.103.0/24
877 #4 = 10.10.104.0/24
877 #5 = 10.10.105.0/24

The ASA5510 (hub) is able to ping every site, but each of the spoke sites can only communicate with the hub site.
How can I enable full VPN routing so that each spoke site is able to communicate with the other spoke sites (i.e. have 10.10.101.1 ping 10.10.102.1, routing via the hub)?

I have tried playing with the local/remote subnet definitions of the VPN tunnels
(i.e. setting the remote LAN subnet on each spoke router = 10.10.0.0/16 and matching it on the ASA),
but this seems to have no effect.

I suspect the issue is with either the NAT rules or the Access rules, but I am not sure.

I have attached the config from the ASA5510 and one of the 877 spoke routers.
Any help would be greatly appreciated.

regards
Mike

Cisco 877 Spoke Config
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name *****
!
!
crypto pki trustpoint TP-self-signed-2465651109
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2465651109
 revocation-check none
 rsakeypair TP-self-signed-2465651109
!
!
crypto pki certificate chain TP-self-signed-2465651109
 certificate self-signed 01
  *****
  quit
!
!
username ***** privilege 15 view root secret *****
!
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to hub
 set peer *****
 set security-association lifetime kilobytes 10240000
 set security-association lifetime seconds 86400
 set transform-set ESP_AES128_SHA
 set pfs group2
 match address 100
 reverse-route
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.105.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ***** password *****
 crypto map SDM_CMAP_1
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 60000
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.105.10 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.105.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.105.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.105.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.10.105.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 10.10.105.0 0.0.0.255 any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.105.0 0.0.0.255 any
access-list 102 deny   ip any any
dialer-list 1 protocol ip permit
snmp-server community ***** RO
snmp-server location *****
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^C*****************************************************************
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
*****************************************************************^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.10.100.10 prefer
end
Cisco ASA5510 Hub Config
ASA Version 8.0(2)
!
hostname *****
domain-name *****
enable password km/8fxAASy.D7Aeu encrypted
names
name ***** CRM-Public description CRM Server 10.10.100.13
name ***** DC-Public description Domain Controller 10.10.100.10
name ***** EXCHANGE-Public description Exchange Server 10.10.100.11
name ***** SQL-Public description SQL Server 10.10.100.12
name 10.10.100.13 CRM-Private description CRM Server Internal Address
name 10.10.100.10 DC-Private description Domain Controller Internal Address
name 10.10.100.11 EXCHANGE-Private description Exchange Server Internal Address
name 10.10.100.12 SQL-Private description SQL Server Internal Address
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ***** *****
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ***** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
dns server-group DefaultDNS
 domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network *****
 description 10.10.104.0/24
 network-object 10.10.104.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_20_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.105.0 255.255.255.0
access-list outside_access_in extended permit tcp any host DC-Public eq 3389
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq www
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq https
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq smtp
access-list RemoteAccess_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list outside_40_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.10.105.0 255.255.255.0
pager lines 24
logging enable
logging list vpn_debug level informational class vpn
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteAccess 10.10.100.200-10.10.100.250 mask 255.255.255.0
ip local pool RA_Test 172.30.30.100-172.30.30.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 11 DC-Public netmask 255.255.255.0
global (outside) 12 EXCHANGE-Public netmask 255.255.255.0
global (outside) 13 SQL-Public netmask 255.255.255.0
global (outside) 14 CRM-Public netmask 255.255.255.0
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) DC-Public DC-Private netmask 255.255.255.255
static (inside,outside) EXCHANGE-Public EXCHANGE-Private netmask 255.255.255.255
static (inside,outside) SQL-Public SQL-Private netmask 255.255.255.255
static (inside,outside) CRM-Public CRM-Private netmask 255.255.255.255
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Active_Directory protocol nt
 max-failed-attempts 5
aaa-server Active_Directory host DC-Private
 timeout 5
 nt-auth-domain-controller *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 10.10.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside DC-Private poll community *****
snmp-server location *****
snmp-server contact administrator
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 10240000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer *****
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set security-association lifetime kilobytes 10240000
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer ****
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 3 set security-association lifetime kilobytes 10240000
crypto map outside_map 3 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer *****
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer *****
crypto map outside_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 40 set security-association lifetime kilobytes 10240000
crypto map outside_map 40 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer *****
crypto map outside_map 80 set transform-set ESP-AES-128-SHA
crypto map outside_map 80 set security-association lifetime seconds 86400
crypto map outside_map 80 set security-association lifetime kilobytes 10240000
crypto map outside_map 80 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet DC-Private 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 10.10.100.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 default-domain value *****
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool RA_Test
 authentication-server-group Active_Directory
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
smtp-server 10.10.100.11
prompt hostname context
Cryptochecksum:11027bd3f0849258c381bb8ea6266dcf
: end
asdm image disk0:/asdm-602.bin
asdm history enable

Question by: m_clarkson
3 Comments

Accepted Solution by: from_exp (earned 63 total points)
In order for remote site A to communicate with remote site B via the VPN hub, you should configure router A with remote networks not only of the VPN hub (the 10.10.100.0/24 network in your case) but also with the network of site B.
Then the network of A should be added as a remote network for site B.
Then from the VPN hub box you should configure all remote networks to all remote VPN boxes.
When you have a lot of boxes, this configuration can be very time consuming.
If it is possible, try to negotiate the 10.10.0.0/16 network to pass within the tunnels with all clients.

It will look like:

Site A (local 10.10.105.0/24, remote via tunnel 10.10.0.0/16)
Site B (local 10.10.106.0/24, remote via tunnel 10.10.0.0/16)
VPN hub (local 10.10.100.0/24, remote to tunnel A 10.10.0.0/16, remote to tunnel B 10.10.0.0/16)


Assisted Solution by: charan_jeetsingh (earned 63 total points)
By default, the security appliance does not support IPSec traffic destined for the same interface from which it enters. Names for this type of traffic include U-turn, hub-and-spoke, and hairpinning.

Try using
same-security-traffic permit intra-interface

This feature can redirect incoming VPN traffic back out through the same interface as unencrypted traffic.
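As an added illustration of both answers (this is not code from the thread or from Cisco): a small Python model of how the hub's crypto-map ACLs and the intra-interface setting decide whether a spoke-to-spoke packet can be hairpinned through the ASA. The ACL names and subnets are taken from the ASA config posted above; the `widened` helper and the mirror-match evaluation are assumptions of this model, not a literal reproduction of ASA code.

```python
from ipaddress import ip_address, ip_network

# Constructed from the hub's crypto ACLs in the question: name -> (local net, remote net).
# Only the five spoke tunnels are modelled; the order mirrors crypto-map sequence order.
HUB_CRYPTO_ACLS = {
    "outside_40_cryptomap":  ("10.10.100.0/24", "10.10.101.0/24"),  # 877 #1
    "outside_80_cryptomap":  ("10.10.100.0/24", "10.10.102.0/24"),  # 877 #2
    "outside_2_cryptomap":   ("10.10.100.0/24", "10.10.103.0/24"),  # 877 #3
    "outside_1_cryptomap_1": ("10.10.100.0/24", "10.10.104.0/24"),  # 877 #4
    "outside_3_cryptomap":   ("10.10.0.0/16",   "10.10.105.0/24"),  # 877 #5 (already widened)
}


def matching_entry(acls, src, dst):
    """Return the first crypto ACL whose (local, remote) pair covers src -> dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for name, (local, remote) in acls.items():
        if s in ip_network(local) and d in ip_network(remote):
            return name
    return None


def hairpin_path(acls, src, dst, intra_interface=True):
    """Trace a spoke-to-spoke packet arriving encrypted at the hub's outside interface.

    1. Inbound: the decrypted packet is accepted only if it matches the *mirror*
       (remote -> local) of the crypto ACL of the tunnel it arrived on.
    2. Hairpin: outside -> outside forwarding needs
       'same-security-traffic permit intra-interface'.
    3. Outbound: the packet must match some tunnel's crypto ACL (local -> remote)
       to be re-encrypted toward the destination spoke.
    Returns (ok, reason).
    """
    mirrored = {n: (r, l) for n, (l, r) in acls.items()}
    inbound = matching_entry(mirrored, src, dst)
    if inbound is None:
        return False, "no tunnel's crypto ACL accepts %s -> %s inbound" % (src, dst)
    if not intra_interface:
        return False, "intra-interface traffic denied (U-turn blocked)"
    outbound = matching_entry(acls, src, dst)
    if outbound is None:
        return False, "decrypted via %s but no crypto ACL re-encrypts %s -> %s" % (inbound, src, dst)
    return True, "in via %s, out via %s" % (inbound, outbound)


def widened(acls):
    """The accepted answer's fix (assumed helper): every hub crypto ACL covers 10.10.0.0/16 locally."""
    return {n: ("10.10.0.0/16", r) for n, (l, r) in acls.items()}


if __name__ == "__main__":
    for acls, label in ((HUB_CRYPTO_ACLS, "as posted"), (widened(HUB_CRYPTO_ACLS), "widened")):
        print(label, hairpin_path(acls, "10.10.105.1", "10.10.101.1"))
        print(label, hairpin_path(acls, "10.10.101.1", "10.10.105.1"))
```

With the ACLs as posted, traffic from spoke #5 is accepted inbound (its hub ACL is already /16) but nothing re-encrypts it toward spoke #1, and the reverse direction is rejected at the first step; once every hub ACL is widened to 10.10.0.0/16 both directions trace through.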