Status: Solved

VPN into VLAN'd VM

Having issues using a Cisco IPSEC VPN into a VLAN'd VM. To this point I think it is a VMware issue but am not completely satisfied with that conclusion. Attached is an ESX network config along with a basic diagram of what I am attempting to accomplish.

Basically I have one physical server along with a Cisco PIX on the remote side. This connects through a Cisco IPSEC site-to-site VPN tunnel to an ASA5510 and then a Cisco 3750 which has both VLANs configured on it (VLAN1/VLAN21). Both ESX servers and VC are on VLAN1. The VM is configured on VLAN21 along with another physical server on VLAN21. VLANs are configured on the 3750.

The issue so far is that I cannot connect to the VM through the VPN tunnel. The VPN tunnel is configured correctly and I am able to ping the VM consistently without any drops. I am not able to connect to the VM by any other means (RDP/FTP/VNC/etc). If I apply a static public IP to the VM in the ASA I am able to RDP/FTP/etc to the VM. So in troubleshooting I configured a physical server on the same VLAN. I am able to access this server through the VPN tunnel and as a statically mapped public IP.

So that is my dilemma: what exactly is the hang-up in connecting to the VM through a site-to-site tunnel, when by normal public means, statically mapping an external IP, I am able to access the VM?

If additional configuration/detail is needed I'll be happy to provide it, as this is not in production status yet.

Thanks in advance.

Attachments: Visio.jpg, Config.jpg

Asked by: pjmac28
2 Solutions
 
ricks_v commented:
Double-check that the network connections are bridged properly between the physical machine and the VM.
 
pjmac28 (Author) commented:
Yes, those are bridged properly. I had VMware in and they could not see anything that would be preventing the IP sessions from connecting. The only thing I can see so far is that if I put a VM in VLAN1, where the inside interface of the VPN device terminates, I can create successful IP sessions through the VPN. If I put the VM in another VLAN, that is where the IP sessions are not successful. There are no ACLs on the 3750 that would prevent the IP session from being successful.
 
ricks_v commented:
Double-check your switch settings,

allow the port connected to carry other VLANs.

You will need something like:

interface FastEthernet0/24 (whichever is used for the uplink)
 switchport trunk allowed vlan 1,2,3,1001-1005 (whatever VLANs are required)
 switchport mode trunk

If this still doesn't work, that means the machine connected has not allowed VLAN passthrough for non-native VLANs.
 
pjmac28 (Author) commented:
It seems that the return traffic is not being encrypted back to the originator, from what I have come up with so far. What you stated above is in the configuration. Attached is what is pertinent from the 3750 and ASA. So I took VMware completely out of the picture and placed a physical machine on G1/0/24 in the same VLAN (VLAN 21) but ended up with the same results. I placed the physical machine in the VLAN where the E1 interface of the ASA is and was successfully able to VPN into that device. Somewhere I think the issue is routing on the 3750. The switchport trunk on G1/0/1 was added by Cisco. They have been on this for a few hours now and haven't gotten any farther than I have on why this is acting this way.

Cisco 3750
interface GigabitEthernet1/0/1
 description ASA_5510 (VLAN1)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,20-22
 switchport mode trunk

interface GigabitEthernet1/0/13
 description VPS Trunk Port for ESX01 VM's
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,20-22
 switchport mode trunk
!
interface GigabitEthernet1/0/14
 description VPS Trunk Port for ESX02 VM's
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,20-22
 switchport mode trunk

interface GigabitEthernet1/0/24
 switchport access vlan 21

interface Vlan1
 description VPS_Admin VLAN
 ip address 172.30.1.2 255.255.255.0

interface Vlan20
 description Baseline_Testing VLAN
 ip address 192.168.5.2 255.255.255.0
!
interface Vlan21
 description VPS_VLAN_Test
 ip address 172.30.10.1 255.255.255.0

ip default-gateway 172.30.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.1.1

ASA5510
access-list outside_1_cryptomap remark Outside VPN access to VPS from Baseline-Test.
access-list outside_1_cryptomap extended permit ip host 172.30.10.5 host 192.168.5.10
access-list outside_1_cryptomap extended permit ip host 172.30.10.6 host 192.168.5.10
access-list outside_1_cryptomap extended permit ip host 172.30.1.5 host 192.168.5.10
access-list outside_1_cryptomap extended permit ip host 172.30.1.10 host 192.168.5.10
access-list outside_1_cryptomap extended permit ip host 172.30.1.11 host 192.168.5.10
access-list inside_nat0_outbound extended permit ip host 172.30.10.5 host 192.168.5.10
access-list inside_nat0_outbound extended permit ip host 172.30.10.6 host 192.168.5.10
access-list inside_nat0_outbound extended permit ip host 172.30.1.5 host 192.168.5.10
access-list inside_nat0_outbound extended permit ip host 172.30.1.10 host 192.168.5.10
access-list inside_nat0_outbound extended permit ip host 172.30.1.11 host 192.168.5.10

route inside 172.30.10.0 255.255.255.0 172.30.1.2 1

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444 ipsec-attributes
 pre-shared-key XXXXXXXXX

PIX 506
access-list inside_outbound_nat0_acl permit ip host 192.168.5.10 host 172.30.10.5
access-list inside_outbound_nat0_acl permit ip host 192.168.5.10 host 172.30.1.5
access-list inside_outbound_nat0_acl permit ip host 192.168.5.10 host 172.30.1.10
access-list inside_outbound_nat0_acl permit ip host 192.168.5.10 host 172.30.1.11
access-list inside_outbound_nat0_acl permit ip host 192.168.5.10 host 172.30.10.6
access-list outside_cryptomap_20 permit ip host 192.168.5.10 host 172.30.10.5
access-list outside_cryptomap_20 permit ip host 192.168.5.10 host 172.30.1.5
access-list outside_cryptomap_20 permit ip host 192.168.5.10 host 172.30.1.10
access-list outside_cryptomap_20 permit ip host 192.168.5.10 host 172.30.1.11
access-list outside_cryptomap_20 permit ip host 192.168.5.10 host 172.30.10.6

nat (inside) 0 access-list inside_outbound_nat0_acl

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 207.67.41.130
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key XXXXXXXXX address 111.222.333.444 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
 
pjmac28 (Author) commented:
The underlying issue was that when this was set up, the remote network and the destination network VLANs were configured on the same switch even though physically these were separate networks. Originating traffic would pass through the VPN tunnel but return traffic would route through the switch by intra-VLAN routing. That is why I could get ICMP returns but no IP session traffic would pass. I disabled VLAN 20 and return IP session traffic would traverse back through the VPN to the originator.
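The asymmetric return path described in the final comment, as an added Python model that is not part of the original thread: it runs a longest-prefix-match over the 3750 routes posted above and checks the ASA's outside_1_cryptomap ACL, showing that a reply to 192.168.5.10 is delivered on the local Vlan20 SVI and never reaches the tunnel, while with Vlan20 removed it follows the default to the ASA and matches the crypto ACL. Addresses come from the posted configs; the hop labels and function names are my own.

```python
import ipaddress

# Routes the Cisco 3750 holds per the posted config: one connected route per SVI
# (next hop None, delivered on the VLAN) plus the static default toward the ASA.
ROUTES_WITH_VLAN20 = [
    ("172.30.1.0/24",  None),          # interface Vlan1  (VPS_Admin)
    ("192.168.5.0/24", None),          # interface Vlan20 - same prefix as the remote site
    ("172.30.10.0/24", None),          # interface Vlan21 (VPS_VLAN_Test)
    ("0.0.0.0/0",      "172.30.1.1"),  # ip route 0.0.0.0 0.0.0.0 172.30.1.1 (ASA inside)
]

# access-list outside_1_cryptomap on the ASA: (source, destination) host pairs
# that select traffic for the IPsec tunnel.
ASA_CRYPTO_ACL = [
    ("172.30.10.5", "192.168.5.10"),
    ("172.30.10.6", "192.168.5.10"),
    ("172.30.1.5",  "192.168.5.10"),
    ("172.30.1.10", "192.168.5.10"),
    ("172.30.1.11", "192.168.5.10"),
]


def lookup(routes, dst):
    """Longest-prefix match over `routes`; returns (network, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def return_path(routes, src, dst):
    """Trace a reply from a VLAN21 host toward the remote site.

    Returns (egress, tunnelled). A connected route beats the default, so with
    Vlan20 present the switch delivers locally and the ASA never sees the packet.
    """
    net, next_hop = lookup(routes, dst)
    if next_hop is None:
        return (f"connected {net}", False)
    # Forwarded to the ASA: encrypted only if the crypto ACL selects the flow.
    return (f"next-hop {next_hop}", (src, dst) in ASA_CRYPTO_ACL)


def without_vlan20(routes):
    """Model the fix from the thread: drop the Vlan20 SVI's connected route."""
    return [r for r in routes if r[0] != "192.168.5.0/24"]
```

Hosts not listed in the crypto ACL (for example a third VM on VLAN21) still reach the ASA after the fix but are not tunnelled, which is the next thing to check when a new host cannot be reached across the VPN.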
