Solved

Cisco ASA Site2Site VPN to VPN-DMZ no phase one (route problem)

Posted on 2009-05-07
910 Views
Last Modified: 2012-05-06
Hello all,

We currently have 2 Site-to-Site VPNs working to our INSIDE networks.
That was not set up really smart, and I would like to create a new (VPN-)DMZ for new VPN customers coming soon.

I created a new DMZ-VPN on an empty interface with a low security level (25) and
configured a Site-to-Site VPN to a Cisco PIX from our LAB network.

I have been busy with troubleshooting for 2 days now, and am probably having a problem with a route. I can't see any Phase one activity at all.

Also "sh crypto isakmp sa detail" doesn't show me any info for it. (only the 2 Site-to-Site and Remote Access VPNs currently active)

The VPN I am having trouble with is:
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 88.246.197.109

I tried to find problems, and think it is a route problem. See the attached packet tracer screenshot. The traffic goes to the INSIDE interface, not OUTSIDE.

I have a static route for INSIDE 10.0.0.0 255.0.0.0 for the internal LAN only. Does that conflict with my VPN?

I have been looking on the internet for some hours, but can't find any good info or example of connecting a VPN to a DMZ interface...

Can you have a fresh look at this issue, or do you have a good site with info or an example so I can figure out the problem? I would really appreciate any ideas.

800 points for the resulting answer since I think it's not an easy one.
ASA Version 8.0(2) 
 
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192 
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0 
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0 
 
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin
 
 
access-list dmz_access_in extended permit tcp host 
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
 
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh 
 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248 
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0 
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0
 
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0
 
access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248 
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP 
access-list DMZ-VPN_access_in extended permit object-group DM_INLINE_SERVICE_4 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252 
 
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252
 
access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable  
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable 
 
nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0
 
static (inside,outside) 
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN
 
route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10
 
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs 
crypto map outside_map 15 set peer 148.9.191.154 
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable
 
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs 
crypto map outside_map 30 set peer 196.172.177.210 
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable
 
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs 
crypto map outside_map 40 set peer 88.246.197.109 
crypto map outside_map 40 set transform-set ESP-3DES-SHA
 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
 
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
 
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess
 
tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *
 
tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *
 
tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *
 
tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *
 
tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *
 
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup

Attachment: dmz-vpn.gif
Question by:urfried
10 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24325951
The destination IP address in this sample is on the 10.0.0.0 network defined by the route you specified in your explanation. That is sent to the inside network. The traffic sent inside is being dropped by an access list.


If the peer for the VPN is 88.246.197.109, why are you testing to 10.16.40.x?
 

Author Comment

by:urfried
ID: 24326181
10.16.40.x is the inside LAN of the LAB network on the other side of the VPN.

access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24326580
Ok. If you are trying to hit 10.16.40.x, the ASA is mixed up as to where to send the traffic.

#1 - you have a nonat: access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
#2 - you have a route: route inside 10.0.0.0 255.0.0.0 10.32.32.5 10


If you have a 24-bit subnet mask on the 10.0.0.0 subnets, then why not use it to separate where you want traffic to flow?

Otherwise, you should remove the route and, if needed, replace it with a more specific route if subnets exist beyond the next inside hop.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24332387
You have to add a route:
route outside 10.16.40.0 255.255.255.0 78.128.139.126
 

Author Comment

by:urfried
ID: 24333712
Thanx gents,

I will have a look right away, and let you know.

Mike, the #2 route (route inside 10.0.0.0 255.0.0.0 10.32.32.5 10) is pointing to a router which routes a BIG 10.0.0.0 LAN over the world. 32 countries with even more sites are connected to each other. It is almost impossible to split it up more specifically, since I (we) don't know exactly all the configured routes on the router.

There is one possible solution: just deleting the 10.0.0.0 route on the firewall.
I already configured all clients and servers with an extra route (route add) 10.0.0.0 255.0.0.0 to 10.32.32.5.
But I am still a little scared to delete the rule during production.

Good idea to fix that this coming Sunday and test thoroughly.
Thanx so far.
 

Author Comment

by:urfried
ID: 24333767
Okay....
lrmoore, you were right. A big step in the right direction.
By adding your line, the packet is routed to the right interface and allowed to travel through the VPN.

BUT.....unfortunately I still have no Phase one attempt knocking on the door. (both sites)
 
LVL 79

Expert Comment

by:lrmoore
ID: 24334724
>ASA Version 8.0(2)
Lots of bugs in this version. Suggest 8.0(4).

I don't see anything like this:
access-list DMZ-VPN_access_in permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

no access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
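The two things raised in this thread, lrmoore's missing specific route for 10.16.40.0/24 and then the nat 0 exemption and DMZ-VPN interface ACL for the same pair of networks, can be checked with a small model of what the ASA does with an "interesting" packet. The following Python is an added example, not anything from the thread or a Cisco tool. It assumes a simplified processing order (longest-prefix route lookup, then the nat 0 exemption list, then the crypto ACL) and builds its routes and ACLs from the config posted above; the host addresses 172.16.48.10 and 10.16.40.10 are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str


def net(cidr):
    """Parse '10.16.40.0/24' style text into a network (host bits allowed)."""
    return ipaddress.ip_network(cidr, strict=False)


def mk_acl(*entries):
    """Entries are (src, dst) CIDR pairs, like ASA 'permit ip SRC DST' lines."""
    return [(net(s), net(d)) for s, d in entries]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, not the first one."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def acl_permits(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def trace(routes, src, dst, crypto_iface, nat0_acl, crypto_acl):
    """Simplified model (assumption, not the ASA's real pipeline).

    Returns (egress_interface, verdict). A crypto map only sees traffic that
    leaves through the interface it is bound to, so the route decides first.
    """
    r = lookup(routes, dst)
    if r is None:
        return (None, "drop: no route")
    if r.iface != crypto_iface:
        return (r.iface, f"cleartext: egress {r.iface}, crypto map bound to {crypto_iface}")
    if not acl_permits(nat0_acl, src, dst):
        return (r.iface, "nat: source would be translated, no nat 0 exemption matches")
    if not acl_permits(crypto_acl, src, dst):
        return (r.iface, "cleartext: no crypto ACL match")
    return (r.iface, "encrypt: matches crypto map, tunnel negotiation starts")


# Routes from the original config, then with lrmoore's extra line.
ROUTES_BEFORE = [
    Route("outside", net("0.0.0.0/0"), "78.128.139.126"),
    Route("inside", net("10.0.0.0/8"), "10.32.32.5"),
]
ROUTES_AFTER = ROUTES_BEFORE + [Route("outside", net("10.16.40.0/24"), "78.128.139.126")]

# outside_cryptomap_40 and the DMZ-VPN nat 0 list before and after the change.
CRYPTO_ACL_40 = mk_acl(("172.16.48.0/24", "10.16.40.0/24"))
NAT0_BEFORE = mk_acl(("172.16.48.0/24", "80.246.197.108/30"))
NAT0_AFTER = mk_acl(("172.16.48.0/24", "10.16.40.0/24"))


def demo():
    """Constructed hosts: a DMZ-VPN machine talking to the LAB network."""
    src, dst = "172.16.48.10", "10.16.40.10"
    return {
        "before": trace(ROUTES_BEFORE, src, dst, "outside", NAT0_BEFORE, CRYPTO_ACL_40),
        "route_only": trace(ROUTES_AFTER, src, dst, "outside", NAT0_BEFORE, CRYPTO_ACL_40),
        "after": trace(ROUTES_AFTER, src, dst, "outside", NAT0_AFTER, CRYPTO_ACL_40),
    }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:>10}: {result}")
```

The "before" stage reproduces the packet tracer screenshot: the /8 route beats the default route, so the packet heads for inside and never reaches the crypto map on outside. Adding the /24 fixes the interface but, with the old nat 0 list, the DMZ-VPN source would still be translated by `nat (DMZ-VPN) 2` before the crypto ACL can match it; only with the exemption line for 10.16.40.0/24 does the model reach the encrypt verdict. The interface ACL (`DMZ-VPN_access_in`) is left out of the model because the thread's ACL entries use object groups that are not shown.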
 

Author Comment

by:urfried
ID: 24334819
I updated to a newer version once, asa803-19K.
It screwed up my nights for several days in a row.
The firewall crashed multiple times, due to a memory leak.
Somehow the firewall builds up memory, and cannot free some to re-allocate it.
Since then I am really scared of changing to asa804-k8.bin.

I will have a look at your points...thnx so far
 

Author Comment

by:urfried
ID: 24335117
MMM.....nothing YET.
Can I see if the VPN handshake is sent out from the ASA?
I don't see anything pass in the Monitoring.
 

Accepted Solution

by: urfried (earned 0 total points)
ID: 24335294
New running config:
ASA Version 8.0(2) 
 
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192 
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0 
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0 
 
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin
 
 
access-list dmz_access_in extended permit tcp host 
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
 
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh 
 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248 
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0 
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0
 
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0
 
access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248 
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP 
access-list DMZ-VPN_access_in extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0 
 
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0 
 
access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable  
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable 
 
nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0
 
static (inside,outside) 
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN
 
route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10
route outside 10.16.40.0 255.255.255.0 78.108.136.126 10
 
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs 
crypto map outside_map 15 set peer 148.9.191.154 
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable
 
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs 
crypto map outside_map 30 set peer 196.172.177.210 
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable
 
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs 
crypto map outside_map 40 set peer 88.246.197.109 
crypto map outside_map 40 set transform-set ESP-3DES-SHA
 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
 
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
 
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess
 
tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *
 
tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *
 
tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *
 
tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *
 
tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *
 
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
 