
Cisco ASA Site2Site VPN to VPN-DMZ no phase one (route problem)

Hello all,

We currently have 2 Site to Site VPNs working to our INSIDE networks.
That was not set up really smart, and I would like to create a new (VPN-)DMZ for new VPN customers coming soon.

I created a new DMZ-VPN on an empty interface with a low security level (25) and
configured a Site 2 Site VPN to a Cisco PIX from our LAB network.

I have been busy troubleshooting for 2 days now, and probably have a problem with a route. I can't see any Phase one activity at all.

Also "sh crypto isakmp sa detail" doesn't show me any info. (only 2 Site-2-Site and Remote Access VPN currently active)

The VPN I'm having trouble with is:
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 88.246.197.109

I tried to find the problem, and think it is a route problem. See attached packet tracer screenshot. The traffic goes to the INSIDE interface, not OUTSIDE.

I have a static route for INSIDE 10.0.0.0 255.0.0.0 for the internal LAN only. Does that conflict with my VPN?

I have been looking on the internet for some hours, but can't find any good info or example for connecting a VPN to a DMZ interface...

Can you have a fresh look at this issue, or do you have a good site with info or an example so I can figure out the problem? I would really appreciate any ideas.

800 points for the resulting answer since I think it's not an easy one.

ASA Version 8.0(2) 
 
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192 
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0 
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0 
 
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin
 
 
access-list dmz_access_in extended permit tcp host 
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
 
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh 
 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248 
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0 
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0
 
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0
 
access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248 
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP 
access-list DMZ-VPN_access_in extended permit object-group DM_INLINE_SERVICE_4 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252 
 
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252
 
access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable  
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable 
 
nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0
 
static (inside,outside) 
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN
 
route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10
 
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs 
crypto map outside_map 15 set peer 148.9.191.154 
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable
 
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs 
crypto map outside_map 30 set peer 196.172.177.210 
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable
 
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs 
crypto map outside_map 40 set peer 88.246.197.109 
crypto map outside_map 40 set transform-set ESP-3DES-SHA
 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
 
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
 
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess
 
tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *
 
tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *
 
tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *
 
tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *
 
tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *
 
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup

[attached screenshot: dmz-vpn.gif]

Asked by: urfried
1 Solution
 
MikeKane commented:
The destination IP address in this sample is on the 10.0.0.0 network defined by the route you specified in your explanation. That is sent to the inside network. The traffic sent inside is being dropped by an access list.


If the peer for the vpn is  88.246.197.109, why are you testing to 10.16.40.x?  
 
urfried (Author) commented:
10.16.40.x is the inside LAN of the LAB network on the other side of the VPN.

access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
MikeKane commented:
OK. If you are trying to hit 10.16.40.x, the ASA is mixed up as to where to send the traffic.

#1 - you have a nonat : access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
#2 - you have a route : route inside 10.0.0.0 255.0.0.0 10.32.32.5 10


If you have a 24-bit subnet mask on the 10.0.0.0 subnets, then why not use it to separate where you want traffic to flow?

Otherwise, you should remove the route and, if needed, replace it with a more specific route if subnets exist beyond the next inside hop.

 
lrmoore commented:
You have to add a route
route outside 10.16.40.0 255.255.255.0 78.128.139.126
 
urfried (Author) commented:
Thanx gents,

I will have a look right away, and let you know.

Mike, the #2 route (route inside 10.0.0.0 255.0.0.0 10.32.32.5 10) is pointing to a router which routes a BIG 10.0.0.0 LAN over the world. 32 countries with even more sites are connected to each other. It is almost impossible to split it up more specifically, since I (we) don't know exactly all the configured routes on the router.

There is one possible solution: just deleting the 10.0.0.0 route on the firewall.
I already configured all clients and servers with an extra route (add) 10.0.0.0 255.0.0.0 to 10.32.32.5.
But I am still a little scared to delete the rule during production.

Good idea to fix that coming Sunday and test thoroughly
Thanx so far.
 
urfried (Author) commented:
OK....
lrmoore, you were right. A big step in the right direction.
By adding your line, the packet is routed to the right interface and allowed to travel through the VPN.

BUT..... unfortunately I still have no Phase one attempt knocking on the door. (both sites)
 
lrmoore commented:
>ASA Version 8.0(2)
Lots of bugs in this version. I suggest 8.0(4).

I don't see anything like this:
access-list DMZ-VPN_access_in  permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

no access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
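The two answers from lrmoore above (add a route that sends 10.16.40.0/24 out the outside interface, and replace the nat 0 exemption so it covers 10.16.40.0/24) are the same checks the ASA itself performs before it sends the first ISAKMP packet. The script below is an added example, not code from this thread or from Cisco: it models the pre-8.3 order of operations (route lookup, then NAT, then crypto map match) on the addresses posted in the configs. The host addresses 172.16.48.10 and 10.16.40.5 are constructed test values, the PAT address is global (outside) 2 from the config, and the added route is given the same next hop as the default route.

```python
"""Added example (not from the thread): why a site-to-site flow on an ASA 8.0
never reaches phase 1 until routing, NAT exemption and the crypto ACL agree.

Three things must line up before the ASA sends the first ISAKMP packet:
  1. the route lookup must pick the interface that carries the crypto map
     (longest prefix wins, so 10.0.0.0/8 via inside captures 10.16.40.0/24
     until a more specific route exists);
  2. the flow must be NAT-exempt, because on pre-8.3 code NAT runs before the
     crypto map is consulted and a PAT'd source no longer matches the ACL;
  3. the post-NAT source/destination must match the crypto map ACL.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_route(line):
    """'route IFACE NET MASK NEXTHOP [metric]' -> Route (ASA static route syntax)."""
    _, iface, net, mask, next_hop, *_ = line.split()
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}", strict=False), next_hop)


def _take_net(tokens, i):
    """Consume one ACL address spec ('any', 'host X' or 'NET MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(line):
    """'access-list NAME extended permit ip SRC DST' -> AclEntry (ip entries only)."""
    tokens = line.split()
    i = tokens.index("ip") + 1          # first token after the protocol keyword
    src, i = _take_net(tokens, i)
    dst, _ = _take_net(tokens, i)
    return AclEntry(src, dst)


def lookup_route(routes, dst):
    """Longest-prefix match, the rule the ASA uses to pick the egress interface."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def acl_matches(acl, src, dst):
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in e.src and d in e.dst for e in acl)


def check_flow(src, dst, routes, nat0_acl, crypto_acl, crypto_iface, pat_address):
    """Walk the pre-8.3 order of operations: route lookup, NAT, then crypto map."""
    route = lookup_route(routes, dst)
    egress = route.iface if route else None
    nat_exempt = acl_matches(nat0_acl, src, dst)
    # Without a nat 0 match the DMZ-VPN source is PAT'd to the global address,
    # and it is that translated source the crypto ACL is compared against.
    seen_src = src if nat_exempt else pat_address
    interesting = acl_matches(crypto_acl, seen_src, dst)
    return {
        "egress": egress,
        "next_hop": route.next_hop if route else None,
        "nat_exempt": nat_exempt,
        "source_seen_by_crypto_map": seen_src,
        "matches_crypto_acl": interesting,
        # Phase 1 only starts if interesting traffic leaves the crypto-map interface.
        "will_start_phase1": interesting and egress == crypto_iface,
    }


# --- data taken from the configs in the thread ------------------------------
ROUTES_BEFORE = [parse_route(l) for l in (
    "route outside 0.0.0.0 0.0.0.0 78.128.139.126 10",
    "route inside 10.0.0.0 255.0.0.0 10.32.32.5 10",
)]
# lrmoore's first fix; next hop assumed to be the same gateway as the default route.
ROUTES_AFTER = ROUTES_BEFORE + [parse_route(
    "route outside 10.16.40.0 255.255.255.0 78.128.139.126 10")]
CRYPTO_ACL = [parse_acl("access-list outside_cryptomap_40 extended permit ip "
                        "172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0")]
NAT0_BEFORE = [parse_acl("access-list DMZ-VPN_nat0_outbound extended permit ip "
                         "172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252")]
NAT0_AFTER = [parse_acl("access-list DMZ-VPN_nat0_outbound extended permit ip "
                        "172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0")]
PAT_ADDRESS = "78.128.139.91"      # global (outside) 2, used by nat (DMZ-VPN) 2
CRYPTO_IFACE = "outside"           # crypto map outside_map interface outside


def thread_scenarios(src="172.16.48.10", dst="10.16.40.5"):
    """The three states the thread walks through (hosts are constructed values)."""
    common = (CRYPTO_ACL, CRYPTO_IFACE, PAT_ADDRESS)
    return {
        "original": check_flow(src, dst, ROUTES_BEFORE, NAT0_BEFORE, *common),
        "route_added": check_flow(src, dst, ROUTES_AFTER, NAT0_BEFORE, *common),
        "route_and_nat0": check_flow(src, dst, ROUTES_AFTER, NAT0_AFTER, *common),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:15} {result}")
```

Run as-is it prints the three states in order; only the last one reports will_start_phase1 as True, which is the combination of both of lrmoore's answers. The model leaves out the interface ACL, so the permit for 172.16.48.0/24 to 10.16.40.0/24 on DMZ-VPN_access_in is still required. One thing worth double checking against the updated config posted later in the thread: the route added there points at 78.108.136.126, while the outside interface sits in 78.128.139.64/26 and the default route uses 78.128.139.126; a static route whose next hop is not on the outside subnet will not give the egress this model shows.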
 
urfried (Author) commented:
I updated to a newer version once, asa803-19K.
It screwed up my nights for several days in a row.
The firewall crashed multiple times, due to a memory leak.
Somehow the firewall builds up memory and cannot free some to re-allocate it.
Since then I am really scared of changing to asa804-k8.bin.

I will have a look at your points...thnx so far
 
urfried (Author) commented:
MMM..... nothing YET.
Can I see if the VPN handshake is sent out from the ASA?
I don't see anything pass in the Monitoring.
 
urfried (Author) commented:
New running config:
ASA Version 8.0(2) 
 
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192 
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0 
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0 
 
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin
 
 
access-list dmz_access_in extended permit tcp host 
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
 
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh 
 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248 
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0 
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0
 
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248 
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0
 
access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248 
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP 
access-list DMZ-VPN_access_in extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0 
 
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0 
 
access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable  
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable 
 
nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0
 
static (inside,outside) 
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN
 
route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10
route outside 10.16.40.0 255.255.255.0 78.108.136.126 10
 
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs 
crypto map outside_map 15 set peer 148.9.191.154 
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable
 
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs 
crypto map outside_map 30 set peer 196.172.177.210 
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable
 
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs 
crypto map outside_map 40 set peer 88.246.197.109 
crypto map outside_map 40 set transform-set ESP-3DES-SHA
 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
 
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
 
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess
 
tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *
 
tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *
 
tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *
 
tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *
 
tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *
 
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
 
