Solved

Cisco ASA 5510

Posted on 2013-01-25
9
371 Views
Last Modified: 2013-10-13
I have a Cisco ASA 5510, that has 4 Interfaces + the Management Interface.

I have for business reasons 5 VLAN's

Originally they were configured like this

Outside Interface - Ethernet 0
LAN - Ethernet 1
LAN 2 - Ethernet 2
Ethernet 3  - A Switch --- WWW50 VLAN & Webserver/DMZ VLAN

The outside Interface has 80 VPN tunnels configured, which are on an old 2MB line along with the Internet connectivity for the site. The VPN's are used only for SQL replication so the 2MB line is sufficient, but the Internet Access at the site is slow.

The WWW50 VLAN is used to connect to 4 sites via a VPN and I would like to use this for Internet Access as well, since this is a 50MB line. The Router on this network is a BT managed Router, so I cannot put any routing on this device or modify it's Config.

I Moved the Webserver to the Management Interface of the ASA and this works fine, I then moved the WWW50 line to Interface 3, so the the ASA connects directly to the router, and Modified the route 0.0.0.0 0.0.0.0 111.111.111.111 (where 111. is the IP addres of the managed router on the 50MB line) This then gave the site a 50MB connection to the Internet.

Here is the new setup


Outside Interface - Ethernet 0
LAN - Ethernet 1
LAN 2 - Ethernet 2
WWW50  - Ethernet 3
Webserver/DMZ - Management

Since doing this all of the VPN tunnels have dropped out completely, the ones that were on the Outside Interface and the ones on the Oldwww50 Interface. In the ASDM I can the Interface that the VPN tunnels are configured on, they all say www50, if I delete the www50 Interface they all revert to the Interface "Outside" but the tunnels still don't work correctly .

Can anyone advise how I can get the VPN tunnels to work correctly ?
Screen-Shot-2013-01-25-at-10.53..png
0
Comment
Question by:ronnie_urbanit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38818206
Could you post a sanitized for us to have a look at?
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38818538
I assume your VPNs were broken because you changed your default route..
0
 
LVL 17

Expert Comment

by:MAG03
ID: 38825013
Has the external IP changed since you moved to the www50 interface? if so, has this been updated on the branch office firewall/routers?
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 
LVL 1

Author Comment

by:ronnie_urbanit
ID: 38826321
Hi MAG03

There are 2 groups of VPN connections, 1 is set to the outside Interface, I would like this set of 80 or so VPN's to stay on the outside Interface

The  second group of VPN's in already on the WWW50 Interface.


Erniebeek  I will cleanse the config (and remove some of the VPN's there is no need for all 80 or so to be in there) and post it here shortly
0
 
LVL 17

Expert Comment

by:MAG03
ID: 38827263
so you have 80 vpns on the "outside" interface and about 4 on the WWW50 interface?  do you have static routes for the 80 VPNs pointing out the outside interface?  I think you might be running into an asynchonous routing issue, since you have set the default route out www50 interface while the remote sites see the VPN peer address on another interface.

try setting static routes for some of the VPNs and see if they come up.
0
 
LVL 1

Author Comment

by:ronnie_urbanit
ID: 38827489
So I will need 80 static routes send the traffic to the Outside Interface, what about the 4 VPN's on the www50 interface that do not come up either.

I have attached the cleansed config
Cleansed-Config.txt
0
 
LVL 17

Expert Comment

by:MAG03
ID: 38827624
You said you set the default route next hop to the router IP address? But the router is connected to interface Ethernet 0/3? Yet your default route points out the outside interface.  This will need to be changed.  this should bring up the VPNs on the www50 interface.

route outside 0.0.0.0 0.0.0.0 15.15.15.15 1
0
 
LVL 1

Accepted Solution

by:
ronnie_urbanit earned 0 total points
ID: 38827667
Sorry, I reverted back to the original config, because the tunnel wasn't working
0
 
LVL 1

Author Closing Comment

by:ronnie_urbanit
ID: 39569009
Original config worked
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
URGENT- Can't login to Bizportal over VPN 2 54
Wireless Authentication 3 51
Cisco AnyConnect VPN 4 37
SSL VPN and open two factor authentication 3 67
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question