Solved

VPN Tunnels using VLSM

Posted on 2008-10-10
9
832 Views
Last Modified: 2012-05-05
At my HQ office I have a Cisco ASA 5510 with several vpn tunnels from remote offices.  I have just installed ASA 5505s at 4 new remote offices with one to three users each.  With so few users, i decided to use networks with a /28 subnet mask (255.255.255.240), giving each location 14 usable addresses.  the first office has network 10.10.0.0, the next is network 10.10.0.16, then 10.10.0.32 and 10.10.0.48.  With this setup, I'm having trouble creating the tunnels.  I've set many of these up before, but these tunnels won't come up... and I'm not sure how to troubleshoot.  I set both ends pointing to the static ip of the peer, use the same authentication key, but they won't come up....  Is there something special you have to do when the networks aren't given a full class c subnet, 255.255.255.0????  I'm stumped...

thanks
randy
0
Comment
Question by:rhcellxion
  • 5
  • 4
9 Comments
 

Author Comment

by:rhcellxion
Comment Utility
OK, so I got one of the tunnels up, and have tried to ping from both sides, but not luck...  Now I'm stumped as to why the tunnel is up but no communication between either side.
0
 

Author Comment

by:rhcellxion
Comment Utility
sorry to keep responding to my own question, but I've discoverd that I can in fact ping between the ASAs on both ends, but the workstations still are not talking to one another.  Makes me think it is a gateway problem, but they all get to the internet just fine.....
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Post your HQ config and one of the non-working remotes
0
 

Author Comment

by:rhcellxion
Comment Utility
configs are attached with passwords and IPs changed... this is specifically the tunnel for AllenOK on the 10.10.0.32/28 network, which is where the remote-confg is from.....  I can ping from between the routers, but that is all...  no communication betweek the 10.0.0.0 (HQ) and 10.10.0.32 (remote) networks.

thanks
HQ-confg.txt
remote-confg.txt
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Remove the crypto map from wrong interfaces on HQ
no crypto isakmp enable inside

Add
crypto isakmp identity address
0
 

Author Comment

by:rhcellxion
Comment Utility
I have these tunnels up and running, they remain stable all day...  However I have a couple that drop at night, and the only way to get them back up is to restart the ASA on the remote end...  Is there maybe a timeout of no traffic that they will automatically drop, and how might I keep them up consistently??
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Yes, the tunnels are dynamic and only alive when they need to be with matching traffic.
They should automatically reconnect without having to reboot the far end.
What changes have you made to the posted configs?
It could be the PPPoE dropping. Do end users at remote site have Internet access just not vpn?
You can setup a periodic ping every few minutes to ping a printer or something over the vpn.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
Comment Utility
Upon closer examination I see that you may have some overlap here...

>name 10.10.0.0 SoilFarming
>name 10.10.0.32 AllenOK

>access-list Outside2_8_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 SoilFarming 255.255.255.0
>access-list Outside2_9_cryptomap extended permit ip All_Inside_Subnets 255.255.255.0 AllenOK 255.255.255.240

You would have to change the mask of the first one from SoilFarming 255.255.255.0
to SoilFarming 255.255.255.240
0
 

Author Comment

by:rhcellxion
Comment Utility
Yes, the configs have changed since then, the overlap was the problem.  I will try the scheduled pings and see what happens...  Thanks for the help...
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now