Solved

VPN Tunnels using VLSM

Posted on 2008-10-10
Last Modified: 2012-05-05
At my HQ office I have a Cisco ASA 5510 with several VPN tunnels from remote offices. I have just installed ASA 5505s at 4 new remote offices with one to three users each. With so few users, I decided to use networks with a /28 subnet mask (255.255.255.240), giving each location 14 usable addresses. The first office has network 10.10.0.0, the next is network 10.10.0.16, then 10.10.0.32 and 10.10.0.48. With this setup, I'm having trouble creating the tunnels. I've set many of these up before, but these tunnels won't come up... and I'm not sure how to troubleshoot. I set both ends pointing to the static IP of the peer, use the same authentication key, but they won't come up... Is there something special you have to do when the networks aren't given a full class C subnet, 255.255.255.0? I'm stumped...

thanks
randy
0
Question by:rhcellxion
9 Comments
 

Author Comment

by:rhcellxion
ID: 22692348
OK, so I got one of the tunnels up, and have tried to ping from both sides, but no luck... Now I'm stumped as to why the tunnel is up but there is no communication between either side.
0
 

Author Comment

by:rhcellxion
ID: 22692635
Sorry to keep responding to my own question, but I've discovered that I can in fact ping between the ASAs on both ends, but the workstations still are not talking to one another. Makes me think it is a gateway problem, but they all get to the internet just fine...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22694026
Post your HQ config and one of the non-working remotes
0
 

Author Comment

by:rhcellxion
ID: 22694192
Configs are attached with passwords and IPs changed... This is specifically the tunnel for AllenOK on the 10.10.0.32/28 network, which is where the remote-confg is from... I can ping between the routers, but that is all... no communication between the 10.0.0.0 (HQ) and 10.10.0.32 (remote) networks.

thanks
HQ-confg.txt
remote-confg.txt
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22696147
Remove the crypto map from the wrong interfaces on HQ:
no crypto isakmp enable inside

Add:
crypto isakmp identity address
0
 

Author Comment

by:rhcellxion
ID: 22803154
I have these tunnels up and running, and they remain stable all day... However I have a couple that drop at night, and the only way to get them back up is to restart the ASA on the remote end... Is there maybe a timeout of no traffic after which they will automatically drop, and how might I keep them up consistently?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22803318
Yes, the tunnels are dynamic and only alive when they need to be with matching traffic.
They should automatically reconnect without having to reboot the far end.
What changes have you made to the posted configs?
It could be the PPPoE dropping. Do end users at the remote site have Internet access, just not VPN?
You can set up a periodic ping every few minutes to ping a printer or something over the VPN.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22803561
Upon closer examination I see that you may have some overlap here...

>name 10.10.0.0 SoilFarming
>name 10.10.0.32 AllenOK

>access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
>access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240

You would have to change the mask of the first one from SoilFarming 255.255.255.0
to SoilFarming 255.255.255.240
0
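The overlap lrmoore points out is easy to miss by eye once an ASA has a dozen crypto ACLs: the SoilFarming entry covers 10.10.0.0/24, which swallows the AllenOK /28, so interesting traffic for the AllenOK tunnel can be claimed by the wrong crypto map entry. The script below, an added example rather than anything posted in this thread, resolves the `name` statements, parses the `access-list ... permit ip <net> <mask> <net> <mask>` lines bound to crypto maps, and reports destination networks that overlap across different crypto ACLs. The `name 10.0.0.0 All_Inside_Subnets` line is a constructed assumption (the thread says HQ is 10.0.0.0 but never shows that statement); only the network/mask ACL form used in the quoted config is handled.

```python
import ipaddress
import re

# Constructed sample built from the lines quoted in the accepted answer.
# The All_Inside_Subnets name statement is assumed, not taken from the thread.
SAMPLE_CONFIG = """\
name 10.0.0.0 All_Inside_Subnets
name 10.10.0.0 SoilFarming
name 10.10.0.32 AllenOK
access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240
"""

# Same config with the fix from the accepted answer applied (/24 -> /28 on SoilFarming).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "SoilFarming 255.255.255.0", "SoilFarming 255.255.255.240"
)

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
# Only the "permit ip <src> <mask> <dst> <mask>" form is parsed; 'host'/'any'
# forms are not part of the quoted config and are skipped.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_names(config):
    """Map ASA 'name <ip> <label>' statements to label -> ip."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_crypto_acls(config):
    """Return (acl_name, src_network, dst_network) for each crypto-map ACL line."""
    names = parse_names(config)
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or "cryptomap" not in m.group(1):
            continue
        acl, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{names.get(src, src)}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{names.get(dst, dst)}/{dmask}", strict=False)
        entries.append((acl, src_net, dst_net))
    return entries


def find_overlaps(entries):
    """List pairs of different crypto ACLs whose destination networks overlap.

    Any such pair means one tunnel's interesting traffic can match another
    tunnel's crypto map, which is exactly the SoilFarming/AllenOK problem.
    """
    overlaps = []
    for i, (acl_a, _, dst_a) in enumerate(entries):
        for acl_b, _, dst_b in entries[i + 1:]:
            if acl_a != acl_b and dst_a.overlaps(dst_b):
                overlaps.append((acl_a, str(dst_a), acl_b, str(dst_b)))
    return overlaps


def report(config):
    """Convenience wrapper: parse a config and return its overlap list."""
    return find_overlaps(parse_crypto_acls(config))


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        found = report(cfg)
        print(f"{label}: {len(found)} overlapping crypto ACL pair(s)")
        for acl_a, net_a, acl_b, net_b in found:
            print(f"  {acl_a} {net_a}  overlaps  {acl_b} {net_b}")
```

Run it against a `show running-config` dump after every new tunnel is added; with VLSM /28 remotes, a single stale /24 mask in an older entry is enough to break a newer tunnel while the IKE/IPsec phases still report the tunnel as up, which matches the "tunnel is up but nothing passes" symptom earlier in the thread.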
 

Author Comment

by:rhcellxion
ID: 22803784
Yes, the configs have changed since then; the overlap was the problem. I will try the scheduled pings and see what happens... Thanks for the help...
0
