Solved

Site to Site VPN no longer works after I create VLAN sub interfaces

Posted on 2012-03-31
4
559 Views
Last Modified: 2012-04-05
I managed to get intervlan routing working, but now the site to site no longer is working.  Can someone let me know if I am missing something?  I do see that the VPN tunnel is active and is decrypting and encrypting packets with success.

ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name domain.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.1.1.149 255.255.255.0
!
interface Ethernet0/1.2
 vlan 2
 nameif voice
 security-level 100
 ip address 192.1.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu voice 1500
mtu management 1500
ip local pool mypool 10.10.10.1-10.10.10.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.1.1.0 255.255.255.0
nat (voice) 1 192.1.2.0 255.255.255.0
static (inside,voice) 192.1.1.0 192.1.1.0 netmask 255.255.255.0
static (voice,inside) 192.1.2.0 192.1.2.0 netmask 255.255.255.0
static (inside,outside) xxx.xxx.xxx.xxx 192.1.1.1 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access in interface inside
route outside 192.168.100.0 255.255.255.0 xxx.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxxx internal
group-policy xxxxxx attributes
 wins-server value 192.1.1.1
 dns-server value 192.1.1.1
 webvpn
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  120
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool mypool
 default-group-policy xxxxxxx
tunnel-group xxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:1a19f962fdf1ba02bf255b96b5064f8c
: end

Open in new window

0
Comment
Question by:dstanton007
  • 2
  • 2
4 Comments
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Presumably 192.168.100.0 is on the other side

Why are you using public IPs 192.1.x.x for your inside and management or is that a typo?

Double check the crypto_map on the other side.

Is the VPN failing to establish or does it fail to pass data?
show crypto isakmp sa
Etc.

show crypto ipsec sa
0
 

Accepted Solution

by:
dstanton007 earned 0 total points
Comment Utility
Not sure what happened, but it's working.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Does either location have two providers? Wan ip issue? Peer ip mismatch.
0
 

Author Closing Comment

by:dstanton007
Comment Utility
I don't think there was an issue.  User Error.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now