Solved

Cisco ASA Site2Site VPN to VPN-DMZ no phase one (route problem)

Posted on 2009-05-07
Last Modified: 2012-05-06
Hello all,

We currently have 2 Site-to-Site VPNs working to our INSIDE networks.
That was not set up really smart, and I would like to create a new (VPN-)DMZ for new VPN customers coming soon.

I created a new DMZ-VPN on an empty interface with a low security level (25) and
configured a Site-to-Site VPN to a Cisco PIX from our LAB network.

I have been busy troubleshooting for 2 days now, and I probably have a routing problem. I can't see any Phase one activity at all.

Also "sh crypto isakmp sa detail" doesn't show me any info on it (only the 2 Site-to-Site and the Remote Access VPN are currently active).

The VPN I am having trouble with is:
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 88.246.197.109

I tried to find the problem, and think it is a route problem. See the attached packet tracer screenshot. The traffic goes to the INSIDE interface, not OUTSIDE.

I have a static route for INSIDE 10.0.0.0 255.0.0.0 for the internal LAN only. Does that conflict with my VPN?

I have been looking on the internet for some hours, but can't find any good info or example of connecting a VPN to a DMZ interface...

Can you have a fresh look at this issue, or point me to a good site with info or an example so I can figure out the problem? I would really appreciate any ideas.

800 points for the resulting answer since I think it's not an easy one.
ASA Version 8.0(2)

dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin

access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host

access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh

access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0

access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP
access-list DMZ-VPN_access_in extended permit object-group DM_INLINE_SERVICE_4 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252

access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252

access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable

nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0

static (inside,outside)
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN

route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10

crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer 148.9.191.154
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable

crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 196.172.177.210
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable

crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 88.246.197.109
crypto map outside_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess

tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *

tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *

tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *

tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *

tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *

tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup

Attachment: dmz-vpn.gif

Question by:urfried

10 Comments

Expert Comment
by:MikeKane
The destination IP address in this sample is on the 10.0.0.0 network defined by the route you specified in your explanation. That is sent to the inside network. The traffic sent inside is being dropped by an access list.


If the peer for the vpn is  88.246.197.109, why are you testing to 10.16.40.x?  
 

Author Comment
by:urfried
10.16.40.x is the inside LAN of the LAB network on the other side of the VPN.

access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
 
Expert Comment
by:MikeKane
OK. If you are trying to hit 10.16.40.x, the ASA is mixed up as to where to send the traffic.

#1 - you have a nonat: access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
#2 - you have a route: route inside 10.0.0.0 255.0.0.0 10.32.32.5 10

If you have a 24-bit subnet mask on the 10.0.0.0 subnets, then why not use it to separate where you want traffic to flow?

Otherwise, you should remove the route and, if needed, replace it with a more specific route if subnets exist beyond the next inside hop.

 
Expert Comment
by:lrmoore
You have to add a route
route outside 10.16.40.0 255.255.255.0 78.128.139.126
 

Author Comment
by:urfried
Thanks gents,

I will have a look right away and let you know.

Mike, the #2 - route inside 10.0.0.0 255.0.0.0 10.32.32.5 10 is pointing to a router which routes a BIG 10.0.0.0 LAN over the world. 32 countries with even more sites are connected to each other. It is almost impossible to split it up more specifically, since I (we) don't know exactly all the configured routes on the router.

There is one possible solution: just deleting the 10.0.0.0 route on the firewall.
I have already configured all clients and servers with an extra default route (add) 10.0.0.0 255.0.0.0 to 10.32.32.5.
But I am still a little scared to delete the route during production.

Good idea to fix that coming Sunday and test thoroughly.
Thanks so far.

Author Comment
by:urfried
OK....
lrmoore, you were right. A big step in the right direction.
By adding your line, the packet is routed to the right interface and allowed to travel through the VPN.

BUT..... unfortunately I still see no attempt at a Phase one knock on the door (on both sites).
 
Expert Comment
by:lrmoore
>ASA Version 8.0(2)
Lots of bugs in this version. Suggest 8.0(4).

I don't see anything like this:
access-list DMZ-VPN_access_in  permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

no access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 80.246.197.108 255.255.255.252
access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0
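
Why one extra route and one extra nat 0 entry change the outcome can be shown with a small model of the pre-8.3 ASA forwarding order. This is an added example written for this thread, not code from the original post or from Cisco. The order it models is: inbound interface ACL, route lookup by longest prefix, NAT (with nat-control on, anything not exempted by nat 0 is PATed to the global pool), and only then the crypto map on the egress interface, whose ACL is compared against the post-NAT source. The two hosts 172.16.48.10 and 10.16.40.10 are constructed; the prefixes, PAT address and ACL entries are the ones posted above, and the corrected route uses lrmoore's next hop 78.128.139.126. Protocol and port fields of the ACLs are ignored and IKE itself is not modelled: the point is that a packet which routes out inside, or which arrives at the crypto map with a PATed source, never matches outside_cryptomap_40, so the ASA never has a reason to start phase 1.

```python
"""Simplified model of the pre-8.3 ASA forwarding decision that decides
whether a DMZ-VPN packet ever reaches crypto map outside_map 40.

Added example for this thread, not code from the original post.
Order modelled: inbound interface ACL -> route lookup (longest prefix)
-> NAT / nat 0 exemption -> crypto ACL match on the egress interface
(pre-8.3 crypto ACLs see post-NAT addresses). Host addresses are
constructed; everything else is taken from the posted config."""
import ipaddress
from typing import List, NamedTuple, Optional

Net = ipaddress.IPv4Network


class Route(NamedTuple):
    iface: str
    prefix: Net
    next_hop: str


class Ace(NamedTuple):
    src: Net
    dst: Net


def route(prefix: str, iface: str, next_hop: str) -> Route:
    return Route(iface, ipaddress.ip_network(prefix), next_hop)


def ace(src: str, dst: str) -> Ace:
    # Protocol and ports are ignored: the thread's fault is prefix-only.
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins, so 10.0.0.0/8 -> inside beats 0/0 -> outside
    for 10.16.40.x until a /24 toward outside is added."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a.src and d in a.dst for a in acl)


def vpn_path(routes, in_acl, nat0_acl, pat_ip, crypto_iface, crypto_acl,
             src, dst) -> dict:
    permitted_in = acl_permits(in_acl, src, dst)
    r = lookup(routes, dst)
    egress = r.iface if r else None
    # nat-control is on: a flow not matched by nat 0 is PATed to the
    # global pool, and the crypto ACL then compares the translated source.
    nat_exempt = acl_permits(nat0_acl, src, dst)
    src_on_wire = src if nat_exempt else pat_ip
    # A crypto map is bound to one interface; a packet routed out any
    # other interface never triggers it, so no SA is needed and no IKE
    # phase 1 is ever sent. That is the "no phase one" symptom.
    encrypt = (permitted_in and egress == crypto_iface
               and acl_permits(crypto_acl, src_on_wire, dst))
    return {"egress": egress, "permitted_in": permitted_in,
            "nat_exempt": nat_exempt, "src_on_wire": src_on_wire,
            "encrypt": encrypt}


# Constructed test hosts inside the subnets named in the thread.
SRC = "172.16.48.10"   # host on DMZ-VPN
DST = "10.16.40.10"    # host on the LAB network behind the PIX

PAT_IP = "78.128.139.91"  # global (outside) 2, used by nat (DMZ-VPN) 2
CRYPTO_40 = [ace("172.16.48.0/24", "10.16.40.0/24")]  # outside_cryptomap_40

ROUTES_BEFORE = [route("0.0.0.0/0", "outside", "78.128.139.126"),
                 route("10.0.0.0/8", "inside", "10.32.32.5")]
# lrmoore's line: route outside 10.16.40.0 255.255.255.0 78.128.139.126
ROUTES_AFTER = ROUTES_BEFORE + [route("10.16.40.0/24", "outside", "78.128.139.126")]

IN_ACL_BEFORE = [ace("172.16.48.0/24", "172.16.34.103/32"),
                 ace("172.16.48.0/24", "80.246.197.108/30")]
IN_ACL_AFTER = IN_ACL_BEFORE + [ace("172.16.48.0/24", "10.16.40.0/24")]

NAT0_BEFORE = [ace("172.16.48.0/24", "80.246.197.108/30")]
NAT0_AFTER = [ace("172.16.48.0/24", "10.16.40.0/24")]


def before() -> dict:
    return vpn_path(ROUTES_BEFORE, IN_ACL_BEFORE, NAT0_BEFORE, PAT_IP,
                    "outside", CRYPTO_40, SRC, DST)


def after() -> dict:
    return vpn_path(ROUTES_AFTER, IN_ACL_AFTER, NAT0_AFTER, PAT_IP,
                    "outside", CRYPTO_40, SRC, DST)


if __name__ == "__main__":
    print("before:", before())
    print("after: ", after())
```

Run as written, the "before" flow reports egress inside, not NAT-exempt (source PATed to 78.128.139.91) and not encrypted; the "after" flow reports egress outside, exempt and encrypted, while any other 10/8 destination still follows the /8 to inside. The model says nothing about the return path, the PIX's mirror-image crypto ACL or the ISAKMP policy match; those still have to agree before the tunnel comes up.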
 

Author Comment
by:urfried
I updated to a newer version once, asa803-19K.
It screwed up my nights for several days in a row.
The firewall crashed multiple times due to a memory leak.
Somehow the firewall builds up memory and cannot free it to re-allocate it.
Since then I am really scared of changing to asa804-k8.bin.

I will have a look at your points...thnx so far
 

Author Comment
by:urfried
MMM..... nothing YET.
Can I see if the VPN handshake is sent away from the ASA?
I don't see anything pass in the Monitoring.
 

Accepted Solution
by:urfried (earned 0 total points)

New running config:
ASA Version 8.0(2)

dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 78.128.139.66 255.255.255.192
!
interface Ethernet0/1
 description LAN Teleplan
 nameif inside
 security-level 100
 ip address 10.32.32.x 255.255.248.0
!
interface Ethernet0/3
 nameif DMZ-VPN
 security-level 25
 ip address VPN-TEST-172.16.48.1 255.255.255.0
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa803-19-k8.bin

access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host
access-list dmz_access_in extended permit tcp host

access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq ssh

access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list NO-NAT extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.34.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.34.53.32 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.101 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S008-172.16.34.66 172.19.250.248 255.255.255.248
access-list DMZ_nat0_outbound extended permit ip host TPNL03S013-172.16.34.103 172.16.48.0 255.255.255.0

access-list outside_cryptomap_15 extended permit ip 10.32.32.0 255.255.248.0 145.7.196.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 10.32.32.0 255.255.248.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_30 extended permit ip 172.16.34.0 255.255.255.0 172.19.250.248 255.255.255.248
access-list outside_cryptomap_40 extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list DMZ-VPN_access_in extended permit tcp 172.16.48.0 255.255.255.0 host TPNL03S013-172.16.34.103 object-group WEBSERVICE_TCP
access-list DMZ-VPN_access_in extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list DMZ-VPN_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 10.16.40.0 255.255.255.0

access-list inside_access_in extended permit tcp host TPNL03M073-10.32.32.73 any eq smtp log disable
access-list inside_access_in extended deny tcp object-group INSIDE-NETWORKS any eq smtp log errors
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group INSIDE-NETWORKS any log disable

nat-control
global (outside) 1 78.128.139.90
global (outside) 2 78.128.139.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.32.32.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ-VPN) 0 access-list DMZ-VPN_nat0_outbound
nat (DMZ-VPN) 2 172.16.48.0 255.255.255.0

static (inside,outside)
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx
static (DMZ,outside) xxx

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ-VPN_access_in in interface DMZ-VPN

route outside 0.0.0.0 0.0.0.0 78.128.139.126 10
route inside 10.0.0.0 255.0.0.0 10.32.32.5 10
route outside 10.16.40.0 255.255.255.0 78.108.136.126 10

crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer 148.9.191.154
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set nat-t-disable

crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 196.172.177.210
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set nat-t-disable

crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 88.246.197.109
crypto map outside_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable DMZ-VPN

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

tunnel-group DefaultRAGroup general-attributes
 default-group-policy Teleplan-RemoteAccess

tunnel-group 88.246.197.109 type ipsec-l2l
tunnel-group 88.246.197.109 ipsec-attributes
 pre-shared-key *

tunnel-group 196.172.177.210 type ipsec-l2l
tunnel-group 196.172.177.210 ipsec-attributes
 pre-shared-key *

tunnel-group 148.9.191.154 type ipsec-l2l
tunnel-group 148.9.191.154 ipsec-attributes
 pre-shared-key *

tunnel-group Teleplan-RemoteAccess type remote-access
tunnel-group Teleplan-RemoteAccess general-attributes
 address-pool VPNClient
 authentication-server-group TGN-Login LOCAL
 default-group-policy Teleplan-RemoteAccess
tunnel-group Teleplan-RemoteAccess ipsec-attributes
 pre-shared-key *

tunnel-group Telerepair-CZ type remote-access
tunnel-group Telerepair-CZ general-attributes
 address-pool Telerepair-cz
 default-group-policy Teleplan-RemoteAccess
tunnel-group Telerepair-CZ ipsec-attributes
 pre-shared-key *

tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
