Solved

Site to Site VPN no longer works after I create VLAN sub interfaces

Posted on 2012-03-31
4
566 Views
Last Modified: 2012-04-05
I managed to get intervlan routing working, but now the site to site no longer is working.  Can someone let me know if I am missing something?  I do see that the VPN tunnel is active and is decrypting and encrypting packets with success.

ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name domain.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.1.1.149 255.255.255.0
!
interface Ethernet0/1.2
 vlan 2
 nameif voice
 security-level 100
 ip address 192.1.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu voice 1500
mtu management 1500
ip local pool mypool 10.10.10.1-10.10.10.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.1.1.0 255.255.255.0
nat (voice) 1 192.1.2.0 255.255.255.0
static (inside,voice) 192.1.1.0 192.1.1.0 netmask 255.255.255.0
static (voice,inside) 192.1.2.0 192.1.2.0 netmask 255.255.255.0
static (inside,outside) xxx.xxx.xxx.xxx 192.1.1.1 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access in interface inside
route outside 192.168.100.0 255.255.255.0 xxx.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxxx internal
group-policy xxxxxx attributes
 wins-server value 192.1.1.1
 dns-server value 192.1.1.1
 webvpn
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  120
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool mypool
 default-group-policy xxxxxxx
tunnel-group xxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:1a19f962fdf1ba02bf255b96b5064f8c
: end

Open in new window

0
Comment
Question by:dstanton007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 37791801
Presumably 192.168.100.0 is on the other side

Why are you using public IPs 192.1.x.x for your inside and management or is that a typo?

Double check the crypto_map on the other side.

Is the VPN failing to establish or does it fail to pass data?
show crypto isakmp sa
Etc.

show crypto ipsec sa
0
 

Accepted Solution

by:
dstanton007 earned 0 total points
ID: 37791911
Not sure what happened, but it's working.
0
 
LVL 78

Expert Comment

by:arnold
ID: 37792011
Does either location have two providers? Wan ip issue? Peer ip mismatch.
0
 

Author Closing Comment

by:dstanton007
ID: 37810118
I don't think there was an issue.  User Error.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA 5506 blocks telnet 11 66
Cisco Wireless Access Controller 3 51
WLC and radius 4 49
CISCO wireless controller & AP 2 63
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question