Solved

VPN Tunnels using VLSM

Posted on 2008-10-10
Last Modified: 2012-05-05
At my HQ office I have a Cisco ASA 5510 with several VPN tunnels from remote offices.  I have just installed ASA 5505s at 4 new remote offices with one to three users each.  With so few users, I decided to use networks with a /28 subnet mask (255.255.255.240), giving each location 14 usable addresses.  The first office has network 10.10.0.0, the next is network 10.10.0.16, then 10.10.0.32 and 10.10.0.48.  With this setup, I'm having trouble creating the tunnels.  I've set many of these up before, but these tunnels won't come up... and I'm not sure how to troubleshoot.  I set both ends pointing to the static IP of the peer, use the same authentication key, but they won't come up....  Is there something special you have to do when the networks aren't given a full Class C subnet, 255.255.255.0?  I'm stumped...

thanks
randy
Question by:rhcellxion

Author Comment

by:rhcellxion
ID: 22692348
OK, so I got one of the tunnels up, and have tried to ping from both sides, but no luck...  Now I'm stumped as to why the tunnel is up but no communication between either side.
0
 

Author Comment

by:rhcellxion
ID: 22692635
Sorry to keep responding to my own question, but I've discovered that I can in fact ping between the ASAs on both ends, but the workstations still are not talking to one another.  Makes me think it is a gateway problem, but they all get to the internet just fine.....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22694026
Post your HQ config and one of the non-working remotes
0

Author Comment

by:rhcellxion
ID: 22694192
Configs are attached with passwords and IPs changed... this is specifically the tunnel for AllenOK on the 10.10.0.32/28 network, which is where the remote-confg is from.....  I can ping between the routers, but that is all...  no communication between the 10.0.0.0 (HQ) and 10.10.0.32 (remote) networks.

thanks
HQ-confg.txt
remote-confg.txt
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22696147
Remove the crypto map from wrong interfaces on HQ
no crypto isakmp enable inside

Add
crypto isakmp identity address
0
 

Author Comment

by:rhcellxion
ID: 22803154
I have these tunnels up and running, they remain stable all day...  However I have a couple that drop at night, and the only way to get them back up is to restart the ASA on the remote end...  Is there maybe a timeout of no traffic that they will automatically drop, and how might I keep them up consistently??
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22803318
Yes, the tunnels are dynamic and only alive when they need to be with matching traffic.
They should automatically reconnect without having to reboot the far end.
What changes have you made to the posted configs?
It could be the PPPoE dropping. Do end users at the remote site have Internet access, just not VPN?
You can set up a periodic ping every few minutes to ping a printer or something over the VPN.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22803561
Upon closer examination I see that you may have some overlap here...

>name 10.10.0.0 SoilFarming
>name 10.10.0.32 AllenOK

>access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
>access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240

You would have to change the mask of the first one from SoilFarming 255.255.255.0
to SoilFarming 255.255.255.240
0
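
The overlap identified in the accepted answer can be checked mechanically. The following is an added example, not part of the original thread or the poster's configs: it parses the `name` and crypto `access-list` lines quoted above and reports entries in different crypto ACLs whose source and destination networks both overlap. The address given to All_Inside_Subnets is an assumption (the thread only gives HQ as 10.0.0.0), and only the `addr mask addr mask` ACL form is handled.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample built from the lines quoted in the accepted answer.
# The address for All_Inside_Subnets is an assumption, not from the thread.
SAMPLE_CONFIG = """\
name 10.0.0.0 All_Inside_Subnets
name 10.10.0.0 SoilFarming
name 10.10.0.32 AllenOK
access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_crypto_acls(config):
    """Return [(acl_name, src_net, dst_net)] with `name` aliases resolved."""
    names, entries = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)      # alias -> address
        elif m := ACL_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            # strict=False tolerates host bits set under the mask
            nets = [ipaddress.ip_network(f"{names.get(a, a)}/{k}", strict=False)
                    for a, k in ((src, smask), (dst, dmask))]
            entries.append((acl, nets[0], nets[1]))
    return entries


def find_overlaps(entries):
    """Pairs of entries in different ACLs whose source AND destination overlap."""
    return [(a[0], str(a[2]), b[0], str(b[2]))
            for a, b in combinations(entries, 2)
            if a[0] != b[0] and a[1].overlaps(b[1]) and a[2].overlaps(b[2])]


if __name__ == "__main__":
    for acl_a, dst_a, acl_b, dst_b in find_overlaps(parse_crypto_acls(SAMPLE_CONFIG)):
        print(f"{acl_a} ({dst_a}) overlaps {acl_b} ({dst_b})")
```

With the SoilFarming mask changed to 255.255.255.240 as the answer suggests, the two destinations become 10.10.0.0/28 and 10.10.0.32/28 and the check reports nothing.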
 

Author Comment

by:rhcellxion
ID: 22803784
Yes, the configs have changed since then, the overlap was the problem.  I will try the scheduled pings and see what happens...  Thanks for the help...
0
