[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 851
  • Last Modified:

VPN Tunnels using VLSM

At my HQ office I have a Cisco ASA 5510 with several vpn tunnels from remote offices.  I have just installed ASA 5505s at 4 new remote offices with one to three users each.  With so few users, i decided to use networks with a /28 subnet mask (255.255.255.240), giving each location 14 usable addresses.  the first office has network 10.10.0.0, the next is network 10.10.0.16, then 10.10.0.32 and 10.10.0.48.  With this setup, I'm having trouble creating the tunnels.  I've set many of these up before, but these tunnels won't come up... and I'm not sure how to troubleshoot.  I set both ends pointing to the static ip of the peer, use the same authentication key, but they won't come up....  Is there something special you have to do when the networks aren't given a full class c subnet, 255.255.255.0????  I'm stumped...

thanks
randy
0
rhcellxion
Asked:
rhcellxion
  • 5
  • 4
1 Solution
 
rhcellxionAuthor Commented:
OK, so I got one of the tunnels up, and have tried to ping from both sides, but not luck...  Now I'm stumped as to why the tunnel is up but no communication between either side.
0
 
rhcellxionAuthor Commented:
sorry to keep responding to my own question, but I've discoverd that I can in fact ping between the ASAs on both ends, but the workstations still are not talking to one another.  Makes me think it is a gateway problem, but they all get to the internet just fine.....
0
 
lrmooreCommented:
Post your HQ config and one of the non-working remotes
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
rhcellxionAuthor Commented:
configs are attached with passwords and IPs changed... this is specifically the tunnel for AllenOK on the 10.10.0.32/28 network, which is where the remote-confg is from.....  I can ping from between the routers, but that is all...  no communication betweek the 10.0.0.0 (HQ) and 10.10.0.32 (remote) networks.

thanks
HQ-confg.txt
remote-confg.txt
0
 
lrmooreCommented:
Remove the crypto map from wrong interfaces on HQ
no crypto isakmp enable inside

Add
crypto isakmp identity address
0
 
rhcellxionAuthor Commented:
I have these tunnels up and running, they remain stable all day...  However I have a couple that drop at night, and the only way to get them back up is to restart the ASA on the remote end...  Is there maybe a timeout of no traffic that they will automatically drop, and how might I keep them up consistently??
0
 
lrmooreCommented:
Yes, the tunnels are dynamic and only alive when they need to be with matching traffic.
They should automatically reconnect without having to reboot the far end.
What changes have you made to the posted configs?
It could be the PPPoE dropping. Do end users at remote site have Internet access just not vpn?
You can setup a periodic ping every few minutes to ping a printer or something over the vpn.
0
 
lrmooreCommented:
Upon closer examination I see that you may have some overlap here...

>name 10.10.0.0 SoilFarming
>name 10.10.0.32 AllenOK

>access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
>access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240

You would have to change the mask of the first one from SoilFarming 255.255.255.0
to SoilFarming 255.255.255.240
0
 
rhcellxionAuthor Commented:
Yes, the configs have changed since then, the overlap was the problem.  I will try the scheduled pings and see what happens...  Thanks for the help...
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now