VPN tunnel problems with Cisco ASA 5510... really need help on this one

Here's my situation... I have a central office with a SonicWALL PRO3060 and seven remote offices connected via VPN tunnels over DSL; each remote office has a SonicWALL TZ170. The network layout looks like this:

(192.168.1.0/24) --- Cisco 3825 router --- (192.168.254.0/30) --- SonicWALL PRO 3060 --- Internet --- SonicWALL TZ170 --- (192.168.X.0/24)

where 192.168.1.0/24 is my central office's internal network, 192.168.254.0/30 is a subnet with a Cisco 3825 router and the SonicWALL PRO only, and 192.168.X.0/24 is one of the seven remote offices.

Currently, the VPN tunnels are terminated between 192.168.1.0/24 and 192.168.X.0/24. This setup has worked for over a year.

Now, I'm trying to replace the PRO3060 with a Cisco ASA 5510. I've basically configured the Cisco's VPNs exactly the same as the PRO3060's. The tunnels come up, but they often drop, and sometimes I can ping through the VPN, but users on the other side cannot access the central office. I've looked through all sorts of documentation, and ninety percent of it deals with LAN --- Firewall --- Internet --- Firewall --- LAN kinds of configurations (with no routers involved), or sometimes with perimeter routers involved, but nothing like what I have, with a router inside the firewall on one end and no router on the other.

Frankly, I'm stumped as to why, if the VPNs are configured the same on both the ASA and the PRO3060, I can't just drop the ASA into place and have everything work.

Anyway, my ASA config looks like this (stripped of a bunch of unrelated stuff):

!
hostname CiscoASA5510
domain-name domain.local
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.20.204.98 255.255.255.224
 ospf cost 10
 ospf authentication null
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.252
 ospf cost 10
 ospf authentication null
!
interface Ethernet0/2
 nameif dmz
 security-level 0
 ip address 172.16.0.1 255.255.255.252
 ospf cost 10
 ospf authentication null
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.15 255.255.255.0
 ospf cost 10
 management-only
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_100_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_120_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_180_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) --- Bunch of static NAT mappings
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 66.20.204.97 255
!
router ospf 100
 network 172.16.0.0 255.255.255.252 area 172.16.0.0
 network 192.168.254.0 255.255.255.252 area 0
 log-adj-changes
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 65.115.188.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 24.214.202.18
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 216.166.220.226
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set peer 162.39.224.81
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set peer 69.21.93.54
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 120 match address outside_120_cryptomap
crypto map outside_map 120 set peer 67.141.189.17
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 140 match address outside_140_cryptomap
crypto map outside_map 140 set peer 65.13.199.197
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 160 match address outside_160_cryptomap
crypto map outside_map 160 set peer 70.154.10.3
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap
crypto map outside_map 180 set peer 71.28.22.249
crypto map outside_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp disconnect-notify
tunnel-group 65.115.188.10 type ipsec-l2l
tunnel-group 65.115.188.10 ipsec-attributes
 pre-shared-key *
tunnel-group 24.214.202.18 type ipsec-l2l
tunnel-group 24.214.202.18 ipsec-attributes
 pre-shared-key *
tunnel-group 216.166.220.226 type ipsec-l2l
tunnel-group 216.166.220.226 ipsec-attributes
 pre-shared-key *
tunnel-group 162.39.224.81 type ipsec-l2l
tunnel-group 162.39.224.81 ipsec-attributes
 pre-shared-key *
tunnel-group 69.21.93.54 type ipsec-l2l
tunnel-group 69.21.93.54 ipsec-attributes
 pre-shared-key *
tunnel-group 67.141.189.17 type ipsec-l2l
tunnel-group 67.141.189.17 ipsec-attributes
 pre-shared-key *
tunnel-group 65.13.199.197 type ipsec-l2l
tunnel-group 65.13.199.197 ipsec-attributes
 pre-shared-key *
tunnel-group 70.154.10.3 type ipsec-l2l
tunnel-group 70.154.10.3 ipsec-attributes
 pre-shared-key *
tunnel-group 71.28.22.249 type ipsec-l2l
tunnel-group 71.28.22.249 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
prompt hostname context

I'm really tearing my hair out on this one. Any help at all would be greatly appreciated. Thanks.

ttripp
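A consistency check of the kind a reviewer would run over a paste like the one above, as an added example (not the poster's tooling, and not a diagnosis of the outage): it parses ASA-style lines into crypto map, ACL and interface tables, then reports a crypto map sequence whose match ACL is absent from the paste, an encryption-domain pair with no matching entry in the `nat (inside) 0` exemption list, and a VPN local subnet that also falls inside a management-only interface's connected subnet (the 192.168.1.15/24 management address beside a 192.168.1.0/24 encryption domain in the posted config is the case this targets; the firewall holds a connected route for that interface subnet, so it is worth confirming which interface the decrypted traffic is routed to). CONFIG is a constructed excerpt, not the full paste.

```python
import re
from ipaddress import ip_network as net

# Constructed excerpt modelled on the config in the post; the author stripped the
# paste, so an ACL reported "not defined" here may simply have been left out of it.
CONFIG = """
interface Management0/0
 ip address 192.168.1.15 255.255.255.0
 management-only
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 40 match address outside_40_cryptomap
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
IP_RE = re.compile(r"^ip address (\S+) (\S+)$")

def parse(config):
    # acls: name -> [(local, remote)]; maps: crypto map seq -> ACL name; ifaces: name -> {net, mgmt}
    acls, maps, ifaces, cur = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"net": None, "mgmt": False})
        elif (m := IP_RE.match(line)) and cur is not None:
            cur["net"] = net(f"{m[1]}/{m[2]}", strict=False)  # connected subnet of the interface
        elif line == "management-only" and cur is not None:
            cur["mgmt"] = True
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(f"{m[2]}/{m[3]}"), net(f"{m[4]}/{m[5]}")))
        elif m := MAP_RE.match(line):
            maps[int(m[1])] = m[2]
    return acls, maps, ifaces

def lint(config):
    # Checks: crypto map ACL undefined; pair with no nat 0 exemption; local subnet on a management-only interface
    acls, maps, ifaces = parse(config)
    nat0, findings, locals_ = set(acls.get("inside_nat0_outbound", [])), [], set()
    for seq, acl in sorted(maps.items()):
        if acl not in acls:
            findings.append(f"seq {seq}: ACL {acl} not defined")
            continue
        for local, remote in acls[acl]:
            locals_.add(local)
            if (local, remote) not in nat0:
                findings.append(f"seq {seq}: {local}->{remote} has no nat 0 entry")
    for name, i in ifaces.items():
        if i["mgmt"] and i["net"]:
            findings += [f"{l} overlaps management-only {name} ({i['net']})" for l in sorted(locals_) if i["net"].overlaps(l)]
    return findings
```

Run against the real paste, the same three checks walk all nine crypto map sequences and the seven `inside_nat0_outbound` entries.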
