VPN tunnel problems with Cisco ASA 5510... really need help on this one

Discussion in 'Cisco' started by ttripp@magnoliamanor.com, Sep 4, 2007.

  1. Guest

    Here's my situation... I have a central office with a SonicWALL
    PRO3060 and seven remote offices connected via VPN tunnels over DSL;
    each remote office has a SonicWALL TZ170. The network layout looks
    like this:

    (192.168.1.0/24) --- Cisco 3825 router --- (192.168.254.0/30) --- SonicWALL PRO 3060 --- Internet --- SonicWALL TZ170 --- (192.168.X.0/24)

    where 192.168.1.0/24 is my central office's internal network,
    192.168.254.0/30 is a subnet with a Cisco 3825 router and the
    SonicWALL PRO only, and 192.168.X.0/24 is one of the seven remote
    offices.

    Currently, the VPN tunnels are terminated between 192.168.1.0/24 and
    192.168.X.0/24. This setup has worked for over a year.

    Now, I'm trying to replace the PRO3060 with a Cisco ASA 5510. I've
    basically configured the Cisco's VPNs exactly the same as the
    PRO3060's. The tunnels come up, but they often drop, and sometimes I
    can ping through the VPN, but users on the other side cannot access
    the central office. I've looked through all sorts of documentation,
    and ninety percent of it deals with LAN --- Firewall --- Internet ---
    Firewall --- LAN kinds of configurations (with no routers involved),
    or sometimes with perimeter routers involved, but nothing like what I
    have, with a router inside the firewall on one end and no router on
    the other.

    Frankly, I'm stumped as to why, if the VPNs are configured the same on
    both the ASA and the PRO3060, I can't just drop the ASA into place and
    have everything work.

    Anyway, my ASA config looks like this (stripped of a bunch of
    unrelated stuff):
    !
    hostname CiscoASA5510
    domain-name domain.local
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 66.20.204.98 255.255.255.224
    ospf cost 10
    ospf authentication null
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.254.2 255.255.255.252
    ospf cost 10
    ospf authentication null
    !
    interface Ethernet0/2
    nameif dmz
    security-level 0
    ip address 172.16.0.1 255.255.255.252
    ospf cost 10
    ospf authentication null
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.15 255.255.255.0
    ospf cost 10
    management-only
    !
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_60_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list outside_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list outside_100_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list outside_120_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list outside_140_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list outside_180_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    asdm image disk0:/asdm521.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (dmz,outside) --- Bunch of static NAT mappings
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 66.20.204.97 255
    !
    router ospf 100
    network 172.16.0.0 255.255.255.252 area 172.16.0.0
    network 192.168.254.0 255.255.255.252 area 0
    log-adj-changes
    !
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    client-firewall none
    client-access-rule none
    webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer 65.115.188.10
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 40 match address outside_40_cryptomap
    crypto map outside_map 40 set peer 24.214.202.18
    crypto map outside_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 60 match address outside_60_cryptomap
    crypto map outside_map 60 set peer 216.166.220.226
    crypto map outside_map 60 set transform-set ESP-3DES-SHA
    crypto map outside_map 80 match address outside_80_cryptomap
    crypto map outside_map 80 set peer 162.39.224.81
    crypto map outside_map 80 set transform-set ESP-3DES-SHA
    crypto map outside_map 100 match address outside_100_cryptomap
    crypto map outside_map 100 set peer 69.21.93.54
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    crypto map outside_map 120 match address outside_120_cryptomap
    crypto map outside_map 120 set peer 67.141.189.17
    crypto map outside_map 120 set transform-set ESP-3DES-SHA
    crypto map outside_map 140 match address outside_140_cryptomap
    crypto map outside_map 140 set peer 65.13.199.197
    crypto map outside_map 140 set transform-set ESP-3DES-SHA
    crypto map outside_map 160 match address outside_160_cryptomap
    crypto map outside_map 160 set peer 70.154.10.3
    crypto map outside_map 160 set transform-set ESP-3DES-SHA
    crypto map outside_map 180 match address outside_180_cryptomap
    crypto map outside_map 180 set peer 71.28.22.249
    crypto map outside_map 180 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp disconnect-notify
    tunnel-group 65.115.188.10 type ipsec-l2l
    tunnel-group 65.115.188.10 ipsec-attributes
    pre-shared-key *
    tunnel-group 24.214.202.18 type ipsec-l2l
    tunnel-group 24.214.202.18 ipsec-attributes
    pre-shared-key *
    tunnel-group 216.166.220.226 type ipsec-l2l
    tunnel-group 216.166.220.226 ipsec-attributes
    pre-shared-key *
    tunnel-group 162.39.224.81 type ipsec-l2l
    tunnel-group 162.39.224.81 ipsec-attributes
    pre-shared-key *
    tunnel-group 69.21.93.54 type ipsec-l2l
    tunnel-group 69.21.93.54 ipsec-attributes
    pre-shared-key *
    tunnel-group 67.141.189.17 type ipsec-l2l
    tunnel-group 67.141.189.17 ipsec-attributes
    pre-shared-key *
    tunnel-group 65.13.199.197 type ipsec-l2l
    tunnel-group 65.13.199.197 ipsec-attributes
    pre-shared-key *
    tunnel-group 70.154.10.3 type ipsec-l2l
    tunnel-group 70.154.10.3 ipsec-attributes
    pre-shared-key *
    tunnel-group 71.28.22.249 type ipsec-l2l
    tunnel-group 71.28.22.249 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    client-update enable
    prompt hostname context

    I'm really tearing my hair out on this one. Any help at all would be
    greatly appreciated. Thanks.
    ttripp@magnoliamanor.com, Sep 4, 2007
    #1
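The posted configuration has the kind of internal mismatches that are easy to miss by eye when a config is migrated between vendors: crypto map entries 40 and 160 reference outside_40_cryptomap and outside_160_cryptomap, which do not appear among the access-lists in the excerpt, and Management0/0 is a management-only interface that carries an address in 192.168.1.0/24, the very network every crypto ACL protects. The script below is an added example (not code from the post or from Cisco) that reads an ASA config in the pre-8.3 NAT syntax shown above and reports those classes of problems: crypto map entries whose ACL is undefined, peers with no ipsec-l2l tunnel-group, crypto ACL source/destination pairs without a matching NAT-0 exemption, and management-only interfaces whose subnet overlaps a VPN local network. The embedded input is a constructed, trimmed subset of the posted config (wrapped lines rejoined, and the NAT-0 entry for 192.168.6.0 deliberately omitted so that check has something to report); the parsing is a best-effort regex reader, not a full ASA grammar.

```python
"""Consistency checker for an ASA (pre-8.3 NAT syntax) site-to-site IPsec config.

Added example, not code from the post or from Cisco.  It flags crypto map
entries whose ACL is undefined, peers without a tunnel-group, crypto ACL pairs
lacking an identical NAT-0 exemption, and management-only interfaces whose
subnet overlaps a VPN local network (the ASA would route traffic for that
network into the management-only interface rather than toward the LAN).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the posted config with wrapped lines
# rejoined; the NAT-0 entry for 192.168.6.0 is left out to exercise that check.
SAMPLE_CONFIG = """
interface Management0/0
nameif management
ip address 192.168.1.15 255.255.255.0
management-only
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 65.115.188.10
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 24.214.202.18
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set peer 162.39.224.81
tunnel-group 65.115.188.10 type ipsec-l2l
tunnel-group 24.214.202.18 type ipsec-l2l
tunnel-group 162.39.224.81 type ipsec-l2l
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
CMAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")
TG_RE = re.compile(r"tunnel-group (\S+) type ipsec-l2l")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")
IF_SUBCMDS = ("nameif ", "ip address ", "management-only", "security-level ", "ospf ")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull ACLs, crypto map entries, tunnel-groups, the NAT-0 ACL and interfaces."""
    cfg = {"acls": defaultdict(list), "crypto": defaultdict(dict),
           "tunnel_groups": set(), "nat0_acl": None, "interfaces": []}
    cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur_if = {"name": line.split()[1], "nameif": None, "net": None, "management_only": False}
            cfg["interfaces"].append(cur_if)
            continue
        if cur_if is not None and line.startswith(IF_SUBCMDS):
            if line.startswith("nameif "):
                cur_if["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                cur_if["net"] = _net(*line.split()[2:4])
            elif line == "management-only":
                cur_if["management_only"] = True
            continue
        cur_if = None  # any other command ends the interface block
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"][name].append((_net(sa, sm), _net(da, dm)))
        elif m := CMAP_RE.match(line):
            cfg["crypto"][int(m[1])]["acl" if m[2] == "match address" else "peer"] = m[3]
        elif m := TG_RE.match(line):
            cfg["tunnel_groups"].add(m[1])
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m[1]
    return cfg


def check_config(text):
    """Run the checks; return human-readable findings (empty list means clean)."""
    cfg = parse_config(text)
    findings = []
    nat0_pairs = set(cfg["acls"].get(cfg["nat0_acl"], []))
    local_nets = set()
    for seq, entry in sorted(cfg["crypto"].items()):
        acl, peer = entry.get("acl"), entry.get("peer")
        if acl not in cfg["acls"]:
            findings.append(f"crypto map seq {seq}: ACL {acl} is referenced but never defined")
        else:
            for src, dst in cfg["acls"][acl]:
                local_nets.add(src)
                if (src, dst) not in nat0_pairs:
                    findings.append(f"crypto map seq {seq}: {src} -> {dst} has no NAT-0 exemption in {cfg['nat0_acl']}")
        if peer not in cfg["tunnel_groups"]:
            findings.append(f"crypto map seq {seq}: peer {peer} has no ipsec-l2l tunnel-group")
    for iface in cfg["interfaces"]:
        if iface["management_only"] and iface["net"] is not None:
            for net in sorted(local_nets):
                if iface["net"].overlaps(net):
                    findings.append(f"interface {iface['name']} ({iface['nameif']}) is management-only but {iface['net']} overlaps VPN local network {net}")
    return findings
```

Run `check_config()` on the text of a saved `show running-config`; on the sample it returns three findings (the undefined ACL for seq 40, the missing NAT-0 pair for seq 80, and the Management0/0 overlap). The NAT-0 comparison is deliberately strict (identical source and destination networks), because with `nat-control` and `nat (inside) 1 0.0.0.0 0.0.0.0` in place any VPN-bound flow that the exemption ACL does not match exactly gets PAT'd to the outside address before encryption and no longer matches the peer's proxy ID, which shows up as tunnels that negotiate but pass traffic in only one direction.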
