Solved

Cisco ASA 5510

Posted on 2013-01-25
9
372 Views
Last Modified: 2013-10-13
I have a Cisco ASA 5510, that has 4 Interfaces + the Management Interface.

I have for business reasons 5 VLAN's

Originally they were configured like this

Outside Interface - Ethernet 0
LAN - Ethernet 1
LAN 2 - Ethernet 2
Ethernet 3  - A Switch --- WWW50 VLAN & Webserver/DMZ VLAN

The outside Interface has 80 VPN tunnels configured, which are on an old 2MB line along with the Internet connectivity for the site. The VPN's are used only for SQL replication so the 2MB line is sufficient, but the Internet Access at the site is slow.

The WWW50 VLAN is used to connect to 4 sites via a VPN and I would like to use this for Internet Access as well, since this is a 50MB line. The Router on this network is a BT managed Router, so I cannot put any routing on this device or modify it's Config.

I Moved the Webserver to the Management Interface of the ASA and this works fine, I then moved the WWW50 line to Interface 3, so the the ASA connects directly to the router, and Modified the route 0.0.0.0 0.0.0.0 111.111.111.111 (where 111. is the IP addres of the managed router on the 50MB line) This then gave the site a 50MB connection to the Internet.

Here is the new setup


Outside Interface - Ethernet 0
LAN - Ethernet 1
LAN 2 - Ethernet 2
WWW50  - Ethernet 3
Webserver/DMZ - Management

Since doing this all of the VPN tunnels have dropped out completely, the ones that were on the Outside Interface and the ones on the Oldwww50 Interface. In the ASDM I can the Interface that the VPN tunnels are configured on, they all say www50, if I delete the www50 Interface they all revert to the Interface "Outside" but the tunnels still don't work correctly .

Can anyone advise how I can get the VPN tunnels to work correctly ?
Screen-Shot-2013-01-25-at-10.53..png
0
Comment
Question by:ronnie_urbanit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38818206
Could you post a sanitized for us to have a look at?
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38818538
I assume your VPNs were broken because you changed your default route..
0
 
LVL 17

Expert Comment

by:MAG03
ID: 38825013
Has the external IP changed since you moved to the www50 interface? if so, has this been updated on the branch office firewall/routers?
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 1

Author Comment

by:ronnie_urbanit
ID: 38826321
Hi MAG03

There are 2 groups of VPN connections, 1 is set to the outside Interface, I would like this set of 80 or so VPN's to stay on the outside Interface

The  second group of VPN's in already on the WWW50 Interface.


Erniebeek  I will cleanse the config (and remove some of the VPN's there is no need for all 80 or so to be in there) and post it here shortly
0
 
LVL 17

Expert Comment

by:MAG03
ID: 38827263
so you have 80 vpns on the "outside" interface and about 4 on the WWW50 interface?  do you have static routes for the 80 VPNs pointing out the outside interface?  I think you might be running into an asynchonous routing issue, since you have set the default route out www50 interface while the remote sites see the VPN peer address on another interface.

try setting static routes for some of the VPNs and see if they come up.
0
 
LVL 1

Author Comment

by:ronnie_urbanit
ID: 38827489
So I will need 80 static routes send the traffic to the Outside Interface, what about the 4 VPN's on the www50 interface that do not come up either.

I have attached the cleansed config
Cleansed-Config.txt
0
 
LVL 17

Expert Comment

by:MAG03
ID: 38827624
You said you set the default route next hop to the router IP address? But the router is connected to interface Ethernet 0/3? Yet your default route points out the outside interface.  This will need to be changed.  this should bring up the VPNs on the www50 interface.

route outside 0.0.0.0 0.0.0.0 15.15.15.15 1
0
 
LVL 1

Accepted Solution

by:
ronnie_urbanit earned 0 total points
ID: 38827667
Sorry, I reverted back to the original config, because the tunnel wasn't working
0
 
LVL 1

Author Closing Comment

by:ronnie_urbanit
ID: 39569009
Original config worked
0

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question