Solved

ASA 5505 dual ISP issue with traffic redirection

Posted on 2012-04-12
Last Modified: 2012-06-19
Hi, I have an ASA 5505 connected to 2 different ISPs.

I've got 2 internal networks, 10.1.1.0 and 10.5.5.0, which go out through the default ISP (interface name: Outside). But now I have a second ISP and a videoconference unit that sits inside the 10.1.1.0 network. This unit MUST go out through the secondary ISP (interface name: CTN) and it must go out with its own public IP (*.*.73.112), not the CTN interface IP (*.*.73.2). Calls from the outside will connect to its IP as well and not the interface's.

I've been trying all sorts of things but I cannot get it to go out through the CTN interface.

Right now I removed all the changes I made to the config and it's going out through the default interface (interface name: outside).

What do I need to make this work?


Config:

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names

name *.*.73.112 polyComm_public
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.14.*.*255.255.255.0
!
interface Vlan12
 nameif telemed
 security-level 100
 ip address 10.5.5.1 255.255.255.0
!
interface Vlan22
 nameif CTN
 security-level 0
 ip address *.*.73.2 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
 domain-name communicare
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network UC-Davis
access-list CTN_access_in extended permit udp any host polyComm_public eq snmptrap
access-list CTN_access_in extended permit udp any host polyComm_public eq 2873
access-list CTN_access_in extended permit udp any host polyComm_public eq snmp
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1719
access-list CTN_access_in extended permit udp any host polyComm_public eq 1719
access-list CTN_access_in extended permit udp any range 2326 2373 host polyComm_public range 2326 2373
access-list CTN_access_in extended permit udp any range 970 973 host polyComm_public range 970 973
access-list CTN_access_in extended permit udp any range 3230 3285 host polyComm_public range 3230 3285
access-list CTN_access_in extended permit tcp any range 5555 5587 host polyComm_public range 5555 5587
access-list CTN_access_in extended permit tcp any range 3230 3243 host polyComm_public range 3230 3243
access-list CTN_access_in extended permit tcp any host polyComm_public eq 3603
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1503
access-list CTN_access_in extended permit tcp any host polyComm_public eq ldap
access-list CTN_access_in extended permit tcp any host polyComm_public eq h323
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1027
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1026
access-list CTN_access_in extended permit tcp any host polyComm_public eq 963
access-list CTN_access_in extended permit tcp any host polyComm_public eq 123
access-list CTN_access_in extended permit tcp any host polyComm_public eq telnet
access-list CTN_access_in extended permit udp any host polyComm_public eq 1718
access-list CTN_access_in extended permit tcp any host polyComm_public eq ftp
access-list CTN_access_in extended permit tcp any host polyComm_public eq www
access-list CTN_access_in extended permit tcp any host polyComm_public eq https
access-list CTN_access_in extended permit gre any host polyComm_public
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1731
access-list CTN_access_in extended permit tcp any host polyComm_public eq 2776
access-list inside_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_2_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_access_in_1 extended permit icmp any any
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 9000
logging buffered emergencies
logging trap emergencies
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu telemed 1500
mtu CTN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CTN) 2 polyComm_public netmask 255.255.255.128
global (CTN) 3 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.228 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0
access-group outside_access_in_1 in interface outside
access-group CTN_access_in in interface CTN
route outside 0.0.0.0 0.0.0.0 76.14.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 152.79.*.*
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 152.79.*.* type ipsec-l2l
tunnel-group 152.79.*.* ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:648ee0aa6fed7bbf12f4d442a5e51e1a
: end
LVL 12

Expert Comment

by:ryan80
ID: 37839022
Unfortunately the ASA does not support Policy Based Routing, which would solve your issue. You could get a separate router to solve this issue, or you could try this if it applies.

If the Polycom system will be using specific ports, then you could follow these directions. It also has a very thorough explanation.


http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/

Author Comment

by:Comptx
ID: 37839073
Then what about if I make the CTN the primary outside interface, and the other ISP the secondary? I have been able to send VPN traffic through the secondary interface before just fine.

Author Comment

by:Comptx
ID: 37839084
Then I wouldn't need anything special for the video conference unit since it will go out on the interface I want by default?
LVL 12

Expert Comment

by:ryan80
ID: 37839285
Sounds like that will work. If you have a particular IP address that you are connecting to for the VPN, then it is as easy as setting up a static route for that one destination IP address.

Author Comment

by:Comptx
ID: 37839628
OK, I switched the interfaces and the teleconference unit works like I want it to.

I added the site-to-site VPN again with the updated changes to the interface, but it's not connecting now; I get many of the following error:

3      Apr 12 2012      10:29:05      305006      5.172.215.4      1526                  portmap translation creation failed for tcp src telemed:10.5.5.6/139 dst outside:5.172.215.4/1526

Author Comment

by:Comptx
ID: 37839681
The entire 10.5.5.0 doesn't get internet, so I need to get it to go outside.
LVL 12

Expert Comment

by:ryan80
ID: 37839713
Did you redo the global map?

Author Comment

by:Comptx
ID: 37839751
Not quite sure what you're referring to there?
LVL 12

Expert Comment

by:ryan80
ID: 37839777
global (outside) 1 interface
global (CTN) 2 polyComm_public netmask 255.255.255.128
global (CTN) 3 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.228 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0

Here you have a NAT translation to the interface IP address for the outside interface with the nat (inside) 1 0.0.0.0 0.0.0.0. It is translating the inside traffic to the public IP. Since traffic will now be on the CTN connection for public internet, you should change it to nat (inside) 3 0.0.0.0 0.0.0.0, if I am understanding what you are trying to do.
LVL 12

Expert Comment

by:ryan80
ID: 37839786
If you still have issues, can you post the config again?

Author Comment

by:Comptx
ID: 37839792
This is the latest config:

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.73.2 255.255.255.128
!
interface Vlan12
 nameif telemed
 security-level 100
 ip address 10.5.5.1 255.255.255.0
!
interface Vlan22
 nameif eyeroute
 security-level 0
 ip address *.*.161.116 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
 name-server ccc-westsac-server
 name-server 10.0.0.13
 name-server 76.14.96.13
 domain-name communicare
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network UC-Davis
 network-object host USDAVIS101-84
 network-object host USDAVIS167.-61
 network-object host USDAVIS167-62
 network-object host USDAVIS167-65
 network-object USDAVIS112-0 255.255.255.0
 network-object host USDAVIS200-5
 network-object host USDAVIS207-187
 network-object host USDAVIS207-188
 network-object host USDAVIS207-9
 network-object host USDAVIS208121
 network-object host USDAVIS35-228
 network-object host USDAVIS35-230
 network-object host USDAVIS37-118
 network-object host USDAVIS37-83
 network-object host USDAVIS40-21
 network-object host USDAVIS40-22
 network-object host USDAVIS41-89
 network-object host USDAVIS60-10
 network-object host USDAVIS-New-159
 network-object host USDAVIS-New-175
 network-object host USDAVIS-New-214
 network-object host 152.79.60.228
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list inside_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 peterson-lan 255.255.255.0
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list eyeroute_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1731
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq https
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq www
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 2776
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq ftp
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq telnet
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 123
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 963
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1026
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1027
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq h323
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq ldap
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1503
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 3603
access-list outside_access_in_1 extended permit tcp any range 3230 3243 host polyComm_public range 3230 3243
access-list outside_access_in_1 extended permit tcp any range 5555 5587 host polyComm_public range 5555 5587
access-list outside_access_in_1 extended permit udp any range 3230 3285 host polyComm_public range 3230 3285
access-list outside_access_in_1 extended permit udp any range 970 973 host polyComm_public range 970 973
access-list outside_access_in_1 extended permit udp any range 2326 2373 host polyComm_public range 2326 2373
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1719
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 1719
access-list outside_access_in_1 extended permit udp any host polyComm_public eq snmp
access-list outside_access_in_1 extended permit udp any host polyComm_public eq snmptrap
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 2873
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 1718
access-list outside_access_in_1 extended permit gre any host polyComm_public
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any interface outside object-group DM_INLINE_TCP_1
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 9000
logging buffered emergencies
logging trap emergencies
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu telemed 1500
mtu eyeroute 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 2 0.0.0.0 0.0.0.0
static (inside,outside) polyComm_public 10.1.1.228 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.16.73.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map eyeroute_map 1 match address eyeroute_1_cryptomap
crypto map eyeroute_map 1 set peer *.*.254.10
crypto map eyeroute_map 1 set transform-set ESP-3DES-MD5
crypto map eyeroute_map interface eyeroute
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp enable eyeroute
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group *.*.254.10 type ipsec-l2l
tunnel-group *.*.254.10 ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1cab7cb4fef3530bb27003499f05c8b
: end
LVL 12

Accepted Solution

by:
ryan80 earned 500 total points
ID: 37839836
Right now your route goes out the outside interface. You have the NAT for the telemed VLAN being translated to the eyeroute interface IP. I believe this is your issue.

I think that you will need to change either the NAT or the route. To test this, try changing

nat (telemed) 2 0.0.0.0 0.0.0.0

to

nat (telemed) 1 0.0.0.0 0.0.0.0

This should get that 10.5.5.0 subnet working, but will not do the routing as you intend.

You can change the inside NAT to

nat (inside) 2 0.0.0.0 0.0.0.0

and then delete the current route command and enter

route eyeroute 0.0.0.0 0.0.0.0 <isp route ip address>
route outside <endpoint of VPN> <netmask> 10.16.73.1 1
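Added example, not code from the thread, from ryan80 or from Cisco: a small Python model of the lookup order that the comment above and ID 37839777 rely on. The ASA picks the egress interface from the route table first; the flow then needs a global on that interface whose NAT ID matches the nat (<src-ifc>) <id> line covering the source, otherwise it logs the 305006 "portmap translation creation failed" message seen earlier. The masked public octets are filled in with constructed RFC 5737 documentation addresses, and nat 0 access-list exemption and ACLs are not modelled.

```python
"""Added example (not from the thread or Cisco): model of the ASA 8.2 outbound
xlate lookup that ryan80's answers rely on. The route table picks the egress
interface first; the flow then needs a `global` on THAT interface whose NAT ID
equals the `nat (<src-ifc>) <id>` line covering the source, or the ASA logs
305006 "portmap translation creation failed". `nat 0 access-list` (exemption)
and ACLs are not modelled."""
import ipaddress
import re

# Constructed excerpt of the second config posted in the thread; the masked
# public octets are filled in with RFC 5737 documentation addresses.
CONFIG_BEFORE_FIX = """
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.128
interface Vlan12
 nameif telemed
 ip address 10.5.5.1 255.255.255.0
interface Vlan22
 nameif eyeroute
 ip address 198.51.100.116 255.255.255.0
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 2 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.16.73.1 1
"""

# The change ryan80 suggests first: give telemed the same NAT ID as the
# global on the interface the default route actually uses.
CONFIG_AFTER_FIX = CONFIG_BEFORE_FIX.replace(
    "nat (telemed) 2 0.0.0.0 0.0.0.0", "nat (telemed) 1 0.0.0.0 0.0.0.0")

def parse_asa(text):
    """Return (routes, nats, globals) from the config lines this model reads."""
    routes, nats, globs = [], {}, set()
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            nameif = None
        elif parts[0] == "nameif":
            nameif = parts[1]
        elif line.startswith("ip address") and nameif:
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((nameif, net, 0))          # connected route
        elif parts[0] == "route":
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            metric = int(parts[5]) if len(parts) > 5 else 1
            routes.append((parts[1], net, metric))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", line):
            net = ipaddress.IPv4Network(f"{m[3]}/{m[4]}", strict=False)
            nats.setdefault(m[1], []).append((int(m[2]), net))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globs.add((m[1], int(m[2])))
    return routes, nats, globs

def egress_interface(routes, dst):
    """Longest-prefix match, lowest metric wins a tie; runs BEFORE any NAT."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for ifc, net, metric in routes:
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), ifc)
    return best[1] if best else None

def check_flow(text, src_ifc, src, dst):
    """Return (egress_iface, nat_id, status) for one outbound flow; status is
    'ok', 'no-route', 'no-nat' or '305006' (the syslog seen in the thread)."""
    routes, nats, globs = parse_asa(text)
    out = egress_interface(routes, dst)
    if out is None:
        return (None, None, "no-route")
    src_ip = ipaddress.IPv4Address(src)
    nat_id = next((i for i, net in nats.get(src_ifc, []) if src_ip in net), None)
    if nat_id is None:
        return (out, None, "no-nat")
    return (out, nat_id, "ok" if (out, nat_id) in globs else "305006")

if __name__ == "__main__":
    flow = ("telemed", "10.5.5.6", "5.172.215.4")  # src/dst from the 305006 log
    print(check_flow(CONFIG_BEFORE_FIX, *flow))   # ('outside', 2, '305006')
    print(check_flow(CONFIG_AFTER_FIX, *flow))    # ('outside', 1, 'ok')
```

Running it on the failing flow from the log reproduces the 305006 outcome, and the same flow passes once the telemed NAT ID matches the global on the outside interface.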

Author Comment

by:Comptx
ID: 37839906
Adding nat (telemed) 1 0.0.0.0 0.0.0.0 gave internet access to the 10.5.5.0.

However, for the route part of your message, do I add it like that, even though the VPN does not connect through the 10.16.73.1 gateway?

outside interface gateway = 10.16.73.1 1
eyeroute interface gateway = 76.14.161.1
LVL 12

Expert Comment

by:ryan80
ID: 37839915
Sorry, I thought it was the other way around in terms of where the VPN should be routed. You can just add the route for the VPN endpoint and use the gateway that it should be using.

Author Comment

by:Comptx
ID: 37839954
VPN will still not connect.
Latest config:

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name communicare
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.73.2 255.255.255.128
!
interface Vlan12
 nameif telemed
 security-level 100
 ip address 10.5.5.1 255.255.255.0
!
interface Vlan22
 nameif eyeroute
 security-level 0
 ip address *.*.161.116 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
 object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list inside_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list eyeroute_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
 DM_INLINE_TCP_1
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0
static (inside,outside) polyComm_public 10.1.1.228 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.16.73.1 1
route eyeroute *.*.254.10 255.255.255.255 76.14.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 telemed
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map eyeroute_map 1 match address eyeroute_1_cryptomap
crypto map eyeroute_map 1 set peer *.*.254.10
crypto map eyeroute_map 1 set transform-set ESP-3DES-MD5
crypto map eyeroute_map interface eyeroute
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp enable eyeroute
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group *.*.254.10 type ipsec-l2l
tunnel-group *.*.254.10 ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect ftp
!
LVL 12

Expert Comment

by:ryan80
ID: 37840148
Just to confirm, the endpoints of the VPN didn't change in this configuration, correct?

Author Comment

by:Comptx
ID: 37840237
Correct, only my gateways were switched.
LVL 12

Expert Comment

by:ryan80
ID: 37842389
The first thing that I see is that you have two different tunnels on two different interfaces. In the original config they were both on the same interface.

Are any of the tunnels up? You can use 'show crypto ipsec sa' to see if anything is up.

Author Comment

by:Comptx
ID: 37843232
Result of the command: "show crypto ipsec sa"

There are no ipsec sas

Author Comment

by:Comptx
ID: 37843446
I don't even see the ASA trying to establish a connection :(
LVL 12

Expert Comment

by:ryan80
ID: 37843456
You should up the debug level and see what is going on with it.

debug crypto isakmp <level 1-225> (the higher, the more detailed it will be)
debug crypto ipsec <level>

This will output a lot of information but should give some more insight into whether the connection is being attempted.

Author Comment

by:Comptx
ID: 37843463
None of this makes sense as to why it won't work, so I checked all my settings again and noticed a typo in my public IP address for the VPN interface -_- Gonna try it now.

Author Comment

by:Comptx
ID: 37843489
OK, VPN connected. However, I cannot ping the computer on the other side. Am I missing a command for this?
LVL 12

Expert Comment

by:ryan80
ID: 37843591
Which VLAN are you pinging from? VLAN 1 or 12?

Author Comment

by:Comptx
ID: 37843612
VLAN 12

Author Comment

by:Comptx
ID: 37853378
So, an update... the VPN connects, but I cannot ping the other side's host...
LVL 12

Expert Comment

by:ryan80
ID: 37873244
Sorry that I have not responded; I have been away for a few days. Are you still not able to access the other side of the VPN?

Have you used Packet Tracer from ASDM or from the CLI to make sure that the traffic is flowing through the VPN?

Author Closing Comment

by:Comptx
ID: 38101920
The answer by ryan, plus the typo correction, fixed the issue.