Cisco ASA 5520 - Site-to-Site VPN Problem


mashadif

IS-IT--Management
Jun 15, 2005
Hi

We are experiencing packet loss on our site-to-site VPN with an external company as the peer.

The topology is:
1) We have a hub-and-spoke network.
2) All traffic (including internet) from a spoke must pass through the hub site.
3) A site-to-site VPN is set up between the hub site and the external company.
4) There is no site-to-site VPN between the spoke and the external company.
5) Spoke sites are connected to the hub site via MPLS circuits.

Since our hub and spoke is completely routable and all spokes can be reached from the hub site, what I did was add access-list entries to allow a few IP addresses of the spoke site for the existing site-to-site VPN setup.

Our problem is that the external customer is complaining that connectivity to the spoke site is not stable and there is packet loss; also, the connection to port 2401 on 172.24.1.232 is not working.

Your help would be highly appreciated. Thanks in advance.

Config is given below (shortened):
================================================================
hostname ASAPrimary
names
name 172.1.1.231 PEEM_P6_550 description PEEM Servers
name 10.12.128.0 PEEM_KF_Control_Network description PEEM Servers Control Network inside KEELE network
name 10.110.20.0 Schaffer_Remote_LAN description Schaffer local LAN network
name 172.1.100.107 KFTRENDSVR-SDP
name 172.24.0.0 Burnaby5555 description New Burnaby deport after May 2011
name 10.12.129.0 PEEM_KF_Burnaby_Control_Network description PEEM Servers Control Network inside BURNABY network
name 172.24.1.231 Burnaby5555PEEM1 description Burnaby PEEM Server 1
name 172.24.1.232 Burnaby5555PEEM2 description Burnaby PEEM Server 2
name 172.24.1.230 Burnaby5555PEEM_Virtual description Burnaby PEEM Virtual
name 172.24.1.233 Burnaby5555PEEMAdapter1 description PEEM Burnaby 5555 AFRAME Adapter1
name 172.24.1.234 Burnaby5555PEEMAdapter2 description PEEM Burnaby 5555 AFRAME Adapter2
name 172.24.0.254 BurnabyGateway
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 7.14.6.9 255.255.255.224 standby 7.14.6.19
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.1.2.250 255.255.0.0 standby 172.1.2.253
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.250
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed 100
duplex full
!
!
object-group service Blocked-Ports tcp
port-object range 2001 2120
port-object eq 1863
port-object eq 6801
port-object range 6891 6900
port-object eq 1214
port-object eq 4000
port-object eq 6901
object-group service VPN udp
port-object eq 4500
port-object eq isakmp
object-group network DM_INLINE_NETWORK_1
network-object host PEEM
network-object host PEEM_P6_550
network-object host KEELEPLC
network-object host KeeleLanGateway
network-object PEEM_KF_Control_Network 255.255.255.0
network-object host Burnaby5555PEEM_Virtual
network-object host Burnaby5555PEEM1
network-object host Burnaby5555PEEM2
network-object host Burnaby5555PEEMAdapter1
network-object host Burnaby5555PEEMAdapter2
access-list outside-in extended permit udp any any
access-list NONAT extended permit ip host KeeleLanGateway host 194.110.78.3
access-list NONAT extended permit ip PEEM_KF_Control_Network 255.255.255.0 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip PEEM_KF_Control_Network 255.255.255.0 host 194.110.78.3
access-list NONAT extended permit ip host KeeleLanGateway Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host 172.24.0.254 host 194.110.78.3
access-list NONAT extended permit ip host 172.24.0.254 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host PEEM_P6_550 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host PEEM_P6_550 host 194.110.78.3
access-list NONAT extended permit ip host DEV_SERVER 172.99.202.252 255.255.255.252
access-list NONAT extended permit ip host 172.1.100.140 172.99.99.64 255.255.255.192
access-list NONAT extended permit ip host DEV_SERVER 172.99.99.64 255.255.255.192
access-list NONAT extended permit ip host KFTRENDSVR-SDP 172.99.99.64 255.255.255.192
access-list NONAT extended permit ip Burnaby5555 255.255.0.0 172.99.99.0 255.255.255.240
access-list NONAT extended permit ip host Burnaby5555TeklogixController1 172.99.99.48 255.255.255.240
access-list NONAT extended permit ip host Burnaby5555TeklogixController2 172.99.99.48 255.255.255.240
access-list NONAT extended permit ip host BurnabyMITELPBX_VOICE 172.99.99.252 255.255.255.252
access-list NONAT extended permit ip host BurnabyMITELPBX_LAN 172.99.99.252 255.255.255.252
access-list NONAT extended permit ip host Burnaby5555PEEM1 host 194.110.78.3
access-list NONAT extended permit ip host Burnaby5555PEEM1 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEMAdapter1 host 194.110.78.3
access-list NONAT extended permit ip host Burnaby5555PEEMAdapter2 host 194.110.78.3
access-list NONAT extended permit ip host Burnaby5555PEEMAdapter1 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEMAdapter2 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEM_Virtual Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEM_Virtual host 194.110.78.3
access-list NONAT extended permit ip host Burnaby5555PEEM2 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEM2 host 194.110.78.3
access-list NONAT extended permit ip host 172.24.0.254 host 194.110.78.3
access-list NONAT extended permit ip host 172.24.0.254 Schaffer_Remote_LAN 255.255.255.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip Schaffer_Remote_LAN 255.255.255.0 host Burnaby5555PEEM2
access-list outside_in extended permit ip Schaffer_Remote_LAN 255.255.255.0 host Burnaby5555PEEM1
access-list outside_in extended permit ip Schaffer_Remote_LAN 255.255.255.0 host Burnaby5555PEEM_Virtual
access-list outside_in extended permit ip Schaffer_Remote_LAN 255.255.255.0 host Burnaby5555PEEMAdapter1
access-list outside_in extended permit ip Schaffer_Remote_LAN 255.255.255.0 host Burnaby5555PEEMAdapter2
access-list inside_access_in extended deny tcp any any eq netbios-ssn
access-list inside_access_in extended deny tcp any any eq 445
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 host 194.110.78.3
!
tcp-map tmap
exceed-mss allow
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface ASAFAILOVER GigabitEthernet0/3
failover polltime unit msec 500 holdtime 3
failover key
failover link ASAFAILOVER GigabitEthernet0/3
failover interface ip ASAFAILOVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any router-solicitation outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any information-reply inside
icmp permit any inside
icmp permit any echo-reply dmz
icmp permit any echo dmz
icmp permit any dmz
arp timeout 60
global (outside) 666 interface
global (dmz) 666 interface
nat (inside) 0 access-list NONAT
nat (inside) 666 PEEM_KF_Control_Network 255.255.255.0
nat (inside) 666 Keele_Network 255.255.0.0
nat (inside) 666 Burnaby5555 255.255.0.0
static (inside,dmz) Keele_Network Keele_Network netmask 255.255.0.0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 7.14.60.7 1
route inside PEEM_KF_Control_Network 255.255.255.0 KeeleLanGateway 1
route inside PEEM_KF_Burnaby_Control_Network 255.255.255.0 KeeleLanGateway 1
route inside Burnaby5555 255.255.0.0 KeeleLanGateway 1
route inside 192.168.24.0 255.255.255.0 KeeleLanGateway 1
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute
timeout xlate 0:01:00
http server enable
http Keele_Network 255.255.0.0 inside
http 192.168.200.0 255.255.255.0 management
snmp-server location Concord
snmp-server community KF5520ASA
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 140 match address outside_cryptomap
crypto map outside_map 140 set peer 194.110.78.3
crypto map outside_map 140 set transform-set ESP-3DES-MD5 ESP-DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 15
ssh Keele_Network 255.255.0.0 inside
ssh timeout 50
console timeout 0
management-access inside
dhcpd address 192.168.200.11-192.168.200.20 management
!
threat-detection basic-threat
threat-detection statistics
ntp server 209.167.68.100 source outside
tftp-server inside KFS1-2k3 /
webvpn
character-encoding windows-1252
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
internal-password enable
group-policy ASAPolicy1 internal
group-policy ASAPolicy1 attributes
banner value Welcome!
banner value You have successfully connected to Kohl & Frisch Limited
banner value Click Continue to access the network or Disconnect to logout.
dns-server value 172.1.100.120
vpn-simultaneous-logins 1
vpn-idle-timeout 15
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

class-map MSS
match port tcp range ftp-data telnet
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect ils
inspect ftp
inspect icmp
inspect icmp error
class MSS
set connection advanced-options tmap
!
service-policy global_policy global

Hi

Sorry, I forgot to mention the networks:
============================================================
HUB site: 172.1.0.0 /16 Gateway: 172.1.2.254
Spoke Site: 172.24.0.0 /16 Gateway: 172.24.0.254

External Customer: Peer IP: 194.110.78.3
External Customer LAN: 10.110.20.0 /24
============================================================
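As an added example, not part of the original post or the poster's own configuration, the following Python script cross-checks the two ACLs that decide whether a spoke host such as 172.24.1.232 actually travels through the tunnel: the crypto-map ACL (`outside_cryptomap`, the "interesting traffic") and the NAT-exemption ACL (`NONAT`, referenced by `nat (inside) 0 access-list` in the pre-8.3 syntax the config uses). It resolves the `name` aliases and the `DM_INLINE_NETWORK_1` object-group, expands both ACLs into (source, destination) network pairs and reports pairs that appear in one list but not the other: a pair the crypto ACL would encrypt but NONAT does not exempt still gets rewritten by the `nat (inside) 666` PAT rule, and a pair exempted from NAT that no crypto entry covers leaves the firewall in the clear. The embedded config is a constructed subset of the posted lines, limited to the hosts whose `name` aliases the excerpt defines; the function names are mine, and the script only reports mismatches for the administrator to judge, since it cannot know what the remote peer presents on its side.

```python
"""Cross-check crypto-map ACL vs NAT-exemption ACL in a pre-8.3 ASA config.
Added example (not the poster's code): resolves `name` aliases and network
object-groups, expands both ACLs into (src, dst) network pairs and reports
pairs present in one list but not the other. Function names are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed excerpt of the posted config (hosts whose `name` lines the post defines).
CONFIG = """\
name 172.1.1.231 PEEM_P6_550 description PEEM Servers
name 10.12.128.0 PEEM_KF_Control_Network description PEEM Servers Control Network
name 10.110.20.0 Schaffer_Remote_LAN description Schaffer local LAN network
name 172.24.1.231 Burnaby5555PEEM1 description Burnaby PEEM Server 1
name 172.24.1.232 Burnaby5555PEEM2 description Burnaby PEEM Server 2
name 172.24.0.254 BurnabyGateway
object-group network DM_INLINE_NETWORK_1
 network-object host PEEM_P6_550
 network-object PEEM_KF_Control_Network 255.255.255.0
 network-object host Burnaby5555PEEM1
 network-object host Burnaby5555PEEM2
access-list NONAT extended permit ip PEEM_KF_Control_Network 255.255.255.0 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip PEEM_KF_Control_Network 255.255.255.0 host 194.110.78.3
access-list NONAT extended permit ip host 172.24.0.254 host 194.110.78.3
access-list NONAT extended permit ip host 172.24.0.254 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host PEEM_P6_550 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host PEEM_P6_550 host 194.110.78.3
access-list NONAT extended permit ip host Burnaby5555PEEM1 host 194.110.78.3
access-list NONAT extended permit ip host Burnaby5555PEEM1 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEM2 Schaffer_Remote_LAN 255.255.255.0
access-list NONAT extended permit ip host Burnaby5555PEEM2 host 194.110.78.3
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 host 194.110.78.3
"""

def parse_config(text):
    """Collect name aliases, network object-groups and access-list entries."""
    names, groups, acls, group = {}, defaultdict(list), defaultdict(list), None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "network-object" and group:      # member of the open object-group
            groups[group].append(tok[1:])
            continue
        group = tok[2] if tok[:2] == ["object-group", "network"] else None
        if tok[0] == "name":                            # name <ip> <alias> [description ...]
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list":                   # access-list <acl> <rest...>
            acls[tok[1]].append(tok[2:])
    return names, groups, acls

def resolve(tok, i, names, groups):
    """Expand the operand at tok[i] (any | host X | object-group G | NET MASK) into networks."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1]) + "/32")], i + 2
    if tok[i] == "object-group":
        nets = []
        for entry in groups[tok[i + 1]]:
            nets += resolve(entry, 0, names, groups)[0]
        return nets, i + 2
    net = ipaddress.ip_network(f"{names.get(tok[i], tok[i])}/{tok[i + 1]}", strict=False)
    return [net], i + 2

def acl_pairs(entries, names, groups):
    """Expand 'extended permit ip SRC DST' lines into distinct (src, dst) network pairs."""
    pairs = []
    for entry in entries:
        if entry[:3] != ["extended", "permit", "ip"]:   # only pure-IP permits matter here
            continue
        srcs, i = resolve(entry, 3, names, groups)
        dsts, _ = resolve(entry, i, names, groups)
        for s in srcs:
            for d in dsts:
                if (s, d) not in pairs:
                    pairs.append((s, d))
    return pairs

def covered(pair, pairs):
    """True if some (src, dst) entry in pairs contains both ends of pair."""
    s, d = pair
    return any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in pairs)

def audit(text, crypto_acl="outside_cryptomap", nonat_acl="NONAT"):
    """Pairs the tunnel would encrypt but PAT still rewrites, and pairs exempted
    from NAT that no crypto ACL entry would ever encrypt."""
    names, groups, acls = parse_config(text)
    crypto = acl_pairs(acls[crypto_acl], names, groups)
    nonat = acl_pairs(acls[nonat_acl], names, groups)
    return {"encrypted_but_natted": [p for p in crypto if not covered(p, nonat)],
            "exempt_but_cleartext": [p for p in nonat if not covered(p, crypto)]}

def is_interesting(text, src_ip, dst_ip, crypto_acl="outside_cryptomap"):
    """Would a packet src_ip -> dst_ip match the crypto ACL, i.e. be tunnelled?"""
    names, groups, acls = parse_config(text)
    probe = (ipaddress.ip_network(src_ip + "/32"), ipaddress.ip_network(dst_ip + "/32"))
    return covered(probe, acl_pairs(acls[crypto_acl], names, groups))

if __name__ == "__main__":
    for key, found in audit(CONFIG).items():
        print(f"{key}: {len(found)}")
        for s, d in found:
            print(f"  {s} -> {d}")
    print("172.24.1.232 -> peer tunnelled:", is_interesting(CONFIG, "172.24.1.232", "194.110.78.3"))
```

On the excerpt above every crypto-ACL source has a matching NONAT exemption towards 194.110.78.3, so the first list is empty, while the second list holds the NONAT entries whose destination is Schaffer_Remote_LAN (10.110.20.0/24) plus the BurnabyGateway-to-peer entry, none of which the crypto ACL covers because it only names the peer address as destination. Whether that is intended depends on what the remote side presents (the post does not say), which is exactly the question to put to the peer's administrator; `is_interesting` answers the narrower question of whether a given host, such as 172.24.1.232, is selected for the tunnel at all.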