Solved

VPN Tunnels using VLSM

Posted on 2008-10-10
9
834 Views
Last Modified: 2012-05-05
At my HQ office I have a Cisco ASA 5510 with several VPN tunnels from remote offices. I have just installed ASA 5505s at 4 new remote offices with one to three users each. With so few users, I decided to use networks with a /28 subnet mask (255.255.255.240), giving each location 14 usable addresses. The first office has network 10.10.0.0, the next is network 10.10.0.16, then 10.10.0.32 and 10.10.0.48. With this setup, I'm having trouble creating the tunnels. I've set many of these up before, but these tunnels won't come up, and I'm not sure how to troubleshoot. I set both ends pointing to the static IP of the peer and use the same authentication key, but they won't come up. Is there something special you have to do when the networks aren't given a full class C subnet, 255.255.255.0? I'm stumped...

thanks
randy
Question by:rhcellxion
9 Comments
 

Author Comment

by:rhcellxion
ID: 22692348
OK, so I got one of the tunnels up, and have tried to ping from both sides, but no luck... Now I'm stumped as to why the tunnel is up but there is no communication between either side.

Author Comment

by:rhcellxion
ID: 22692635
Sorry to keep responding to my own question, but I've discovered that I can in fact ping between the ASAs on both ends, but the workstations still are not talking to one another. Makes me think it is a gateway problem, but they all get to the internet just fine...
LVL 79

Expert Comment

by:lrmoore
ID: 22694026
Post your HQ config and one of the non-working remotes

Author Comment

by:rhcellxion
ID: 22694192
Configs are attached with passwords and IPs changed... This is specifically the tunnel for AllenOK on the 10.10.0.32/28 network, which is where the remote-confg is from... I can ping between the routers, but that is all... no communication between the 10.0.0.0 (HQ) and 10.10.0.32 (remote) networks.

thanks
HQ-confg.txt
remote-confg.txt
LVL 79

Expert Comment

by:lrmoore
ID: 22696147
Remove the crypto map from wrong interfaces on HQ
no crypto isakmp enable inside

Add
crypto isakmp identity address

Author Comment

by:rhcellxion
ID: 22803154
I have these tunnels up and running, and they remain stable all day... However, I have a couple that drop at night, and the only way to get them back up is to restart the ASA on the remote end... Is there maybe a timeout with no traffic after which they will automatically drop, and how might I keep them up consistently?
LVL 79

Expert Comment

by:lrmoore
ID: 22803318
Yes, the tunnels are dynamic and only alive when they need to be with matching traffic.
They should automatically reconnect without having to reboot the far end.
What changes have you made to the posted configs?
It could be the PPPoE dropping. Do end users at remote site have Internet access just not vpn?
You can setup a periodic ping every few minutes to ping a printer or something over the vpn.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22803561
Upon closer examination I see that you may have some overlap here...

>name 10.10.0.0 SoilFarming
>name 10.10.0.32 AllenOK

>access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
>access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240

You would have to change the mask of the first one from SoilFarming 255.255.255.0
to SoilFarming 255.255.255.240
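The overlap lrmoore found is easy to miss by eye once a config has a dozen crypto ACLs, and it is worth seeing why it breaks the AllenOK tunnel rather than just the SoilFarming one: the ASA walks crypto map entries in sequence order, so the entry with the /24 mask (sequence 8) matches any HQ-to-10.10.0.x packet first, including packets meant for 10.10.0.32/28, and sends them down the SoilFarming tunnel. Peer ICMP works because that traffic never consults the crypto ACLs. The following script is an added example, not code from the thread or from Cisco: it parses ASA-style crypto ACL lines, resolves the `name` objects quoted above, reports overlapping remote networks across entries, and shows which entry a given HQ-to-remote flow would hit. The `All_Inside_Subnets` address (10.0.0.0) is assumed from the HQ network mentioned in the thread, the sequence numbers are taken from the `Outside2_N_cryptomap` ACL names, and the "fixed" ACL text is constructed by applying the accepted answer's mask change.

```python
"""Detect overlapping remote networks across Cisco ASA crypto-map ACLs.

Added example for this thread (not from the original post). The two BROKEN
lines are the ones quoted in the accepted answer; FIXED applies its mask
change. The HQ object address is an assumption based on the thread.
"""
import ipaddress
import re

# 'name <ip> <label>' objects from the posted config. All_Inside_Subnets is
# assumed to be 10.0.0.0, since the thread describes HQ as the 10.0.0.0 network.
NAMES = {
    "All_Inside_Subnets": "10.0.0.0",  # assumption, see note above
    "SoilFarming": "10.10.0.0",
    "AllenOK": "10.10.0.32",
}

# ASA extended ACL with dotted-decimal masks (not wildcard masks as on IOS).
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

# Constructed sample input: the ACLs as quoted in the thread ...
BROKEN = """
access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240
"""
# ... and the same lines after narrowing SoilFarming to its real /28.
FIXED = BROKEN.replace("SoilFarming 255.255.255.0", "SoilFarming 255.255.255.240")


def to_network(addr_or_name, mask):
    """Resolve a 'name' object or literal address plus dotted mask to a network."""
    addr = NAMES.get(addr_or_name, addr_or_name)
    # strict=False tolerates host bits set in the address part.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acls(config_text):
    """Return crypto ACL entries ordered by crypto map sequence number."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.search(line.strip())
        if not m:
            continue
        seq_m = re.search(r"_(\d+)_cryptomap$", m["name"])
        seq = int(seq_m.group(1)) if seq_m else 0
        entries.append({
            "name": m["name"],
            "seq": seq,
            "src": to_network(m["src"], m["smask"]),
            "dst": to_network(m["dst"], m["dmask"]),
        })
    # The ASA evaluates crypto map entries in ascending sequence order.
    return sorted(entries, key=lambda e: e["seq"])


def find_overlaps(entries):
    """Return (earlier, later) ACL-name pairs whose remote networks overlap.

    The earlier entry shadows the later one for the overlapping addresses,
    so the later peer's traffic is encrypted to the wrong tunnel.
    """
    overlaps = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a["dst"].overlaps(b["dst"]):
                overlaps.append((a["name"], b["name"]))
    return overlaps


def first_match(entries, src_ip, dst_ip):
    """Name of the crypto ACL that captures a src->dst flow, or None if clear-text."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if src in e["src"] and dst in e["dst"]:
            return e["name"]
    return None


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        entries = parse_crypto_acls(text)
        print(label, "overlaps:", find_overlaps(entries))
        # An HQ host talking to a workstation on the AllenOK /28.
        print(label, "10.0.0.10 -> 10.10.0.40 hits:", first_match(entries, "10.0.0.10", "10.10.0.40"))
```

Run against the quoted config the script flags `Outside2_8_cryptomap` as shadowing `Outside2_9_cryptomap`, and a flow from an HQ host to 10.10.0.40 lands in the SoilFarming entry; after the mask change it lands in the AllenOK entry and no overlaps remain. Running this over the full HQ config before adding each new /28 site is a cheap way to catch the same mistake for the remaining offices.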

Author Comment

by:rhcellxion
ID: 22803784
Yes, the configs have changed since then, the overlap was the problem.  I will try the scheduled pings and see what happens...  Thanks for the help...