Velocity Reviews - Computer Hardware Reviews

VPN tunnel problems with Cisco ASA 5510... really need help on this one

ttripp@magnoliamanor.com
      09-04-2007
Here's my situation... I have a central office with a SonicWALL
PRO3060 and seven remote offices connected via VPN tunnels over DSL;
each remote office has a SonicWALL TZ170. The network layout looks
like this:

(192.168.1.0/24) --- Cisco 3825 router --- (192.168.254.0/30) --- SonicWALL PRO 3060 --- Internet --- SonicWALL TZ170 --- (192.168.X.0/24).

where 192.168.1.0/24 is my central office's internal network,
192.168.254.0/30 is a subnet with a Cisco 3825 router and the
SonicWALL PRO only, and 192.168.X.0/24 is one of the seven remote
offices.

Currently, the VPN tunnels are terminated between 192.168.1.0/24 and
192.168.X.0/24. This setup has worked for over a year.

Now, I'm trying to replace the PRO3060 with a Cisco ASA 5510. I've
basically configured the Cisco's VPNs exactly the same as the
PRO3060's. The tunnels come up, but they often drop, and sometimes I
can ping through the VPN, but users on the other side cannot access
the central office. I've looked through all sorts of documentation,
and ninety percent of it deals with LAN --- Firewall --- Internet ---
Firewall --- LAN kinds of configurations (with no routers involved),
or sometimes with perimeter routers involved, but nothing like what I
have, with a router inside the firewall on one end and no router on
the other.

Frankly, I'm stumped: if the VPNs are configured the same on both the
ASA and the PRO3060, why can't I just drop the ASA into place and have
everything work?

Anyway, my ASA config looks like this (stripped of a bunch of
unrelated stuff):


!
hostname CiscoASA5510
domain-name domain.local
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.20.204.98 255.255.255.224
ospf cost 10
ospf authentication null
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.254.2 255.255.255.252
ospf cost 10
ospf authentication null
!
interface Ethernet0/2
nameif dmz
security-level 0
ip address 172.16.0.1 255.255.255.252
ospf cost 10
ospf authentication null
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.15 255.255.255.0
ospf cost 10
management-only
!


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_100_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_120_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_180_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) --- Bunch of static NAT mappings
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 66.20.204.97 255
!
router ospf 100
network 172.16.0.0 255.255.255.252 area 172.16.0.0
network 192.168.254.0 255.255.255.252 area 0
log-adj-changes
!
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 65.115.188.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 24.214.202.18
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 216.166.220.226
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set peer 162.39.224.81
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set peer 69.21.93.54
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 120 match address outside_120_cryptomap
crypto map outside_map 120 set peer 67.141.189.17
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 140 match address outside_140_cryptomap
crypto map outside_map 140 set peer 65.13.199.197
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 160 match address outside_160_cryptomap
crypto map outside_map 160 set peer 70.154.10.3
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap
crypto map outside_map 180 set peer 71.28.22.249
crypto map outside_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp disconnect-notify
tunnel-group 65.115.188.10 type ipsec-l2l
tunnel-group 65.115.188.10 ipsec-attributes
pre-shared-key *
tunnel-group 24.214.202.18 type ipsec-l2l
tunnel-group 24.214.202.18 ipsec-attributes
pre-shared-key *
tunnel-group 216.166.220.226 type ipsec-l2l
tunnel-group 216.166.220.226 ipsec-attributes
pre-shared-key *
tunnel-group 162.39.224.81 type ipsec-l2l
tunnel-group 162.39.224.81 ipsec-attributes
pre-shared-key *
tunnel-group 69.21.93.54 type ipsec-l2l
tunnel-group 69.21.93.54 ipsec-attributes
pre-shared-key *
tunnel-group 67.141.189.17 type ipsec-l2l
tunnel-group 67.141.189.17 ipsec-attributes
pre-shared-key *
tunnel-group 65.13.199.197 type ipsec-l2l
tunnel-group 65.13.199.197 ipsec-attributes
pre-shared-key *
tunnel-group 70.154.10.3 type ipsec-l2l
tunnel-group 70.154.10.3 ipsec-attributes
pre-shared-key *
tunnel-group 71.28.22.249 type ipsec-l2l
tunnel-group 71.28.22.249 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
client-update enable
prompt hostname context

I'm really tearing my hair out on this one. Any help at all would be
greatly appreciated. Thanks.

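When a site-to-site configuration is copied from one vendor's box to another, the first thing worth doing is a mechanical consistency pass over the pieces an ASA LAN-to-LAN tunnel depends on: every crypto map entry needs a defined `match address` ACL, a peer and a transform-set; every peer needs an `ipsec-l2l` tunnel-group; every protected pair in a crypto ACL needs a matching `nat 0` exemption; and no protected local network should also be directly connected to an interface other than the one it is supposed to be reached through. The script below is an added example, not code from the original post or from Cisco. It parses only the statement types listed above; `SAMPLE_CONFIG` is a constructed, trimmed copy of the posted configuration (three of the nine peers, pre-shared keys omitted, and the NAT-exemption line for 192.168.6.0/24 deliberately left out so that check fires, whereas the posted config does include it). The check for an undefined crypto ACL and the management-interface overlap both come straight from what is visible in the post.

```python
"""Consistency audit for an ASA site-to-site IPsec configuration (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the posted config, PSKs omitted,
# nat0 line for 192.168.6.0/24 left out on purpose to exercise that check.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.254.2 255.255.255.252
interface Management0/0
 nameif management
 ip address 192.168.1.15 255.255.255.0
 management-only
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 65.115.188.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 24.214.202.18
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set peer 162.39.224.81
crypto map outside_map 80 set transform-set ESP-3DES-SHA
tunnel-group 65.115.188.10 type ipsec-l2l
tunnel-group 24.214.202.18 type ipsec-l2l
tunnel-group 162.39.224.81 type ipsec-l2l
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer|set transform-set) (\S+)$")


def parse_asa(text):
    """Collect interfaces, extended ACLs, nat 0, crypto map entries and tunnel-groups."""
    cfg = {"acls": defaultdict(list), "cmap": defaultdict(dict),
           "tunnel_groups": set(), "nat0_acl": None, "interfaces": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = {"nameif": None, "net": None, "mgmt_only": False}
            cfg["interfaces"].append(iface)
        elif iface is not None and line.startswith("nameif "):
            iface["nameif"] = line.split()[1]
        elif iface is not None and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            iface["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif iface is not None and line == "management-only":
            iface["mgmt_only"] = True
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg["acls"][name].append((ipaddress.ip_network(f"{s}/{sm}"),
                                      ipaddress.ip_network(f"{d}/{dm}")))
        elif m := CMAP_RE.match(line):
            cfg["cmap"][int(m.group(1))][m.group(2)] = m.group(3)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            cfg["tunnel_groups"].add(m.group(1))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m.group(1)
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the pieces line up."""
    findings = []
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    protected_local = set()
    for seq, entry in sorted(cfg["cmap"].items()):
        acl = entry.get("match address")
        if acl is None:
            findings.append(f"crypto map seq {seq}: no 'match address'")
        elif acl not in cfg["acls"]:
            findings.append(f"crypto map seq {seq}: ACL {acl} referenced but never defined")
        for key in ("set peer", "set transform-set"):
            if key not in entry:
                findings.append(f"crypto map seq {seq}: missing '{key}'")
        peer = entry.get("set peer")
        if peer and peer not in cfg["tunnel_groups"]:
            findings.append(f"crypto map seq {seq}: peer {peer} has no ipsec-l2l tunnel-group")
        for src, dst in cfg["acls"].get(acl, []):
            protected_local.add(src)
            if (src, dst) not in nat0:
                findings.append(f"{acl}: {src} -> {dst} has no NAT exemption in {cfg['nat0_acl']}")
    # A protected local network that is also directly connected to a management-only
    # interface deserves a look: the connected route beats any route learned via inside.
    for iface in cfg["interfaces"]:
        for net in protected_local:
            if iface["mgmt_only"] and iface["net"] and iface["net"].overlaps(net):
                findings.append(f"interface {iface['nameif']} ({iface['net']}) is management-only "
                                f"but directly connected to protected network {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_asa(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the constructed sample it reports three findings: crypto map sequence 40 points at an ACL that is never defined, the 192.168.6.0/24 pair lacks a `nat 0` exemption, and the management interface sits on the same 192.168.1.0/24 that the tunnels protect. Feed it a full `show running-config` instead of the sample (after unwrapping any lines a mail client folded) to get the same checks over all nine peers.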