Cisco ASA Site2Site VPN to VPN-DMZ no phase one (route problem)

Posted on 2009-05-07
Last Modified: 2012-05-06
Hello all,

We currently have 2 site-to-site VPNs working to our INSIDE networks.
That was not set up really smart, and I would like to create a new (VPN-)DMZ for new VPN customers coming soon.

I created a new DMZ-VPN on an empty interface with a low security level (25) and
configured a site-to-site VPN to a Cisco PIX from our LAB network.

I have been busy with troubleshooting for 2 days now, and am having a problem with a route probably. I can't see any Phase one activity at all.

Also "sh crypto isakmp sa detail" doesn't show me some info (only 2 site-to-site and remote access VPNs currently active).

The VPN I'm having trouble with is:
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 88.246.197.109

I tried to find problems, and think it is a route problem. See the attached packet tracer screenshot. The traffic goes to the INSIDE interface, not OUTSIDE.

I have a static route for INSIDE 10.0.0.0 255.0.0.0 for the internal LAN only. Does that conflict with my VPN?

I have been looking on the internet for some hours, but can't find any good info or example of connecting a VPN to a DMZ interface...

Can you have a fresh look at this issue, or do you have a good site with info or an example so I can figure out the problem? I would really appreciate any ideas.

800 points for the resulting answer since I think it's not an easy one.

ASA Version 8.0(2)
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin

access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host

access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh

access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0

access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP
access-list DMZ-VPN_access_in extended permit object-group DM_INLINE_SERVICE_4 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252

access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252

access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable

nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0

static (inside,outside)
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN

route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10

crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer 148.9.191.154
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable

crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 196.172.177.210
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable

crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 88.246.197.109
crypto map outside_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess

tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *

tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *

tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *

tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *

tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *

tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
Attachment: dmz-vpn.gif

Question by: urfried

10 Comments
 
Expert Comment

by:MikeKane
ID: 24325951
The destination IP address in this sample is on the 10.0.0.0 network defined by the route you specified in your explanation. That is sent to the inside network. The traffic sent inside is being dropped by an access list.

If the peer for the VPN is 88.246.197.109, why are you testing to 10.16.40.x?
 

Author Comment

by:urfried
ID: 24326181
10.16.40.x is inside-lan of LAB network on the other side of the VPN.

access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
Expert Comment

by:MikeKane
ID: 24326580
OK. If you are trying to hit 10.16.40.x, the ASA is mixed up as to where to send the traffic.

#1 - you have a nonat: access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
#2 - you have a route: route inside 10.0.0.0 255.0.0.0 10.32.32.5 10

If you have a 24-bit subnet mask on the 10.0.0.0 subnets, then why not use it to separate where you want traffic to flow?

Otherwise, you should remove the route and, if needed, replace it with a more specific route if subnets exist beyond the next inside hop.
 
Expert Comment

by:lrmoore
ID: 24332387
You have to add a route
route outside 10.16.40.0 255.255.255.0 78.128.139.126
 

Author Comment

by:urfried
ID: 24333712
Thanks gents,

I will have a look right away, and let you know.

Mike, the #2 - route inside 10.0.0.0 255.0.0.0 10.32.32.5 10 is pointing to a router which routes a BIG 10.0.0.0 LAN over the world. 32 countries with even more sites are connected to each other. It is almost impossible to split it up more specifically, since I (we) don't know exactly all the configured routes on the router.

There is one possible solution by just deleting the 10.0.0.0 route on the firewall.
I configured all clients and servers already with an extra default route (add) 10.0.0.0 255.0.0.0 to 10.32.32.5.
But I am still a little scared to delete the rule during production.

Good idea to fix that coming Sunday and test thoroughly.
Thanks so far.

Author Comment

by:urfried
ID: 24333767
OK....
lrmoore, you were right. A big step in the right direction.
By adding your line, the packet is routed to the right interface and allowed to travel through the VPN.

BUT..... unfortunately I still have no attempt for a Phase one knock on the door (both sites).
 
Expert Comment

by:lrmoore
ID: 24334724
>ASA Version 8.0(2)
Lot of bugs in this version. Suggest 8.0(4)

I don't see anything like this:
access-list DMZ-VPN_access_in  permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

no access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
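The two replies above make one combined point: the crypto map is bound to the outside interface, so a packet that the routing table sends to inside (because 10.0.0.0/8 is the longest match for 10.16.40.0/24) never reaches the crypto map and never triggers IKE, and even once routed correctly it still needs the DMZ-VPN ingress ACL to permit it and a nat 0 exemption so the post-NAT source still matches outside_cryptomap_40. The following Python model is an added example, not code from the thread or from Cisco: it uses the prefixes and peers from the posted config, assumes the ASA's packet-tracer order (route lookup, ingress ACL, NAT, crypto-map match), and assumes that without the exemption the nat (DMZ-VPN) 2 / global (outside) 2 pair PATs the source to 78.128.139.91. The test flow 172.16.48.10 to 10.16.40.5 is constructed.

```python
from ipaddress import ip_address, ip_network

# Values taken from the config posted in the thread; anything the page masks is omitted.
ROUTES_BEFORE = [  # route <iface> <prefix> <next-hop>
    ("outside", "0.0.0.0/0", "78.128.139.126"),
    ("inside", "10.0.0.0/8", "10.32.32.5"),
]
ROUTES_AFTER = ROUTES_BEFORE + [("outside", "10.16.40.0/24", "78.128.139.126")]

CRYPTO_MAP_IFACE = "outside"  # crypto map outside_map interface outside
CRYPTO_ACLS = [  # (seq, src, dst, peer) from outside_cryptomap_N and 'set peer'
    (15, "10.32.32.0/21", "145.7.196.0/24", "148.9.191.154"),
    (30, "10.32.32.0/21", "172.19.250.248/29", "196.172.177.210"),
    (30, "172.16.34.0/24", "172.19.250.248/29", "196.172.177.210"),
    (40, "172.16.48.0/24", "10.16.40.0/24", "88.246.197.109"),
]

# DMZ-VPN interface ACL and nat 0 exemption, before and after the suggested change
ACL_BEFORE = [("172.16.48.0/24", "80.246.197.108/30")]
ACL_AFTER = ACL_BEFORE + [("172.16.48.0/24", "10.16.40.0/24")]
NAT0_BEFORE = [("172.16.48.0/24", "80.246.197.108/30")]
NAT0_AFTER = [("172.16.48.0/24", "10.16.40.0/24")]
PAT_ADDRESS = "78.128.139.91"  # assumed: nat (DMZ-VPN) 2 -> global (outside) 2


def lookup_route(routes, dst):
    """Longest-prefix match, as the ASA routing table does; returns (iface, next hop)."""
    d = ip_address(dst)
    best = None
    for iface, prefix, nexthop in routes:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nexthop)
    return (best[0], best[2]) if best else None


def acl_permits(entries, src, dst):
    """True if any (src-net, dst-net) pair in the list covers the flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in entries)


def crypto_match(src, dst):
    """First crypto-map entry whose match ACL covers the (post-NAT) flow."""
    s, d = ip_address(src), ip_address(dst)
    for seq, a, b, peer in CRYPTO_ACLS:
        if s in ip_network(a) and d in ip_network(b):
            return seq, peer
    return None


def trace(src, dst, routes, iface_acl, nat0):
    """Model of the checks a packet from DMZ-VPN passes before IKE can start.

    Assumed order (packet-tracer style): route lookup, ingress ACL, NAT under
    nat-control, then the crypto-map ACL on the egress interface.
    """
    egress, nexthop = lookup_route(routes, dst)
    if egress != CRYPTO_MAP_IFACE:
        return {"stage": "wrong-egress", "egress": egress, "nexthop": nexthop,
                "detail": "crypto map is bound to outside; IKE never triggered"}
    if not acl_permits(iface_acl, src, dst):
        return {"stage": "acl-drop", "detail": "denied by DMZ-VPN_access_in"}
    # nat 0 exemption keeps the real source; otherwise nat (DMZ-VPN) 2 PATs it
    nat_src = src if acl_permits(nat0, src, dst) else PAT_ADDRESS
    match = crypto_match(nat_src, dst)
    if match is None:
        return {"stage": "no-crypto-match", "egress": egress, "nat_src": nat_src,
                "detail": "post-NAT source matches no crypto ACL; leaves in the clear"}
    seq, peer = match
    return {"stage": "ike", "egress": egress, "nat_src": nat_src, "seq": seq, "peer": peer}


if __name__ == "__main__":
    flow = ("172.16.48.10", "10.16.40.5")  # constructed test flow, DMZ-VPN -> LAB
    for label, args in [
        ("original config", (ROUTES_BEFORE, ACL_BEFORE, NAT0_BEFORE)),
        ("route added only", (ROUTES_AFTER, ACL_BEFORE, NAT0_BEFORE)),
        ("route + ACL", (ROUTES_AFTER, ACL_AFTER, NAT0_BEFORE)),
        ("route + ACL + nat 0", (ROUTES_AFTER, ACL_AFTER, NAT0_AFTER)),
    ]:
        print(f"{label:22} {trace(*flow, *args)}")
```

Running it walks the four states the thread goes through: with the original routes the flow leaves via inside and the crypto map is never consulted; with only the /24 route added the ingress ACL drops it; with the ACL added but the old nat 0 list the source is PATed to 78.128.139.91 and matches no crypto ACL; only with all three changes does seq 40 select peer 88.246.197.109. On the real box the equivalent checks are "show route", "packet-tracer input DMZ-VPN ..." and "show crypto isakmp sa".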
 

Author Comment

by:urfried
ID: 24334819
I updated to a newer version once, asa803-19-k8.
It screwed my nights for several days in a row.
The firewall crashed multiple times, due to a memory leak.
Somehow the firewall builds up memory, and cannot free some to re-allocate it.
Since then I am really scared of changing to asa804-k8.bin.

I will have a look at your points... thanks so far
 

Author Comment

by:urfried
ID: 24335117
Mmm..... nothing yet.
Can I see if the VPN handshake is sent out from the ASA?
I don't see anything pass in the monitoring.
 

Accepted Solution

by: urfried
ID: 24335294
New run conf
ASA Version 8.0(2)
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin

access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host

access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh

access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0

access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP
access-list DMZ-VPN_access_in extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable

nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0

static (inside,outside)
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN

route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10
route outside 10.16.40.0 255.255.255.0 78.108.136.126 10

crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer 148.9.191.154
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable

crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 196.172.177.210
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable

crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 88.246.197.109
crypto map outside_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess

tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *

tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *

tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *

tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *

tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *

tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup