dstanton007
asked on
Site to Site VPN no longer works after I create VLAN sub interfaces
I managed to get intervlan routing working, but now the site to site no longer is working. Can someone let me know if I am missing something? I do see that the VPN tunnel is active and is decrypting and encrypting packets with success.
ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name domain.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
no nameif
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif inside
security-level 100
ip address 192.1.1.149 255.255.255.0
!
interface Ethernet0/1.2
vlan 2
nameif voice
security-level 100
ip address 192.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu voice 1500
mtu management 1500
ip local pool mypool 10.10.10.1-10.10.10.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.1.1.0 255.255.255.0
nat (voice) 1 192.1.2.0 255.255.255.0
static (inside,voice) 192.1.1.0 192.1.1.0 netmask 255.255.255.0
static (voice,inside) 192.1.2.0 192.1.2.0 netmask 255.255.255.0
static (inside,outside) xxx.xxx.xxx.xxx 192.1.1.1 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access in interface inside
route outside 192.168.100.0 255.255.255.0 xxx.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxxx internal
group-policy xxxxxx attributes
wins-server value 192.1.1.1
dns-server value 192.1.1.1
webvpn
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 120
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
address-pool mypool
default-group-policy xxxxxxx
tunnel-group xxxxxx ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect tftp
!
service-policy global_policy global
Cryptochecksum:1a19f962fdf1ba02bf255b96b5064f8c
: endASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Does either location have two providers? Wan ip issue? Peer ip mismatch.
ASKER
I don't think there was an issue. User Error.
Why are you using public IPs 192.1.x.x for your inside and management or is that a typo?
Double check the crypto_map on the other side.
Is the VPN failing to establish or does it fail to pass data?
show crypto isakmp sa
Etc.
show crypto ipsec sa