DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router
  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

    Hi Guys,

    I'm in a mess. I have a Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :

    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN

    Now my problem is, my DMVPN configuration works just fine; I'm able to ping from my Cisco 877 to any Spoke & vice versa.

    I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site, nor am I able to ping my LAN from any Spoke site.

    I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.

    Any help in this regard is highly appreciated. I really need this to work.

    Thanks,
    Aj.

  • #2
    Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

    Without seeing your actual configurations, it's hard to localize where the problem might be occurring. Most likely it's a routing issue at the HUB and/or the ASA.

    I can think of a couple of things to check:

    1) On the HUB, is there a static route for the inside network behind the ASA that points to the ASA's outside interface? Another option would be to enable a routing protocol like OSPF on the ASA so that it shares the LAN behind the ASA with the HUB. Then the HUB can redistribute this network to the SPOKES.

    2) On the HUB, are you redistributing the static route in the first part of item 1 above so that the spokes learn the route?

    3) On the ASA, have you NAT excluded (no nat) LAN-2-SPOKE traffic?

    • #3
      Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

      Thanks for the reply, buddy. Ya, I know without the configs it's not going to be easy.

      Here I attach the config files for my ASA, HUB & Spoke.

      I really hope I get out of this mess.

      Thanks in advance. And once again, any help is highly appreciated.
      Aj.
      Attached Files
      Last edited by ariyano; 13th November 2011, 23:55.

      • #4
        Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

        Per my previous post, items 1 & 2 are missing from your configuration on the HUB. Plus I have no idea why you are NAT'ing on the HUB router. It looks like the HUB router used to be the firewall and internet EDGE, but now you have inserted the ASA and have not made the necessary configuration changes to the HUB. If I understand your goal... you want packets to travel across the tunnel with the same source and destination. i.e. 192.9.201.0/24 <--> 192.168.202.0/24. Unless I am missing something, I would remove all references to NAT'ing on the HUB router.

        Per Item 1 in my previous post...
        Code:
        ip route 192.9.201.0 255.255.255.0 111.111.222.2
        Per Item 2 in my previous post...
        Code:
        router ospf 1
         log-adjacency-changes
         network 10.10.0.0 0.0.0.255 area 0
         redistribute static subnets
        The above changes will 1) configure the HUB so that network 192.9.201.0/24 can be reached via the outside interface of the ASA, and 2) via OSPF redistribute, announce the static route for network 192.9.201.0/24 to the SPOKE. Remember, this network is NOT attached to the HUB, it's attached to the ASA. So adding it as a network statement in OSPF without the network actually being attached to the HUB (and in an up state) will not work. That's why you would redistribute the static route.

        Also, on the ASA, you have NAT excluded (nonat) 192.9.201.0/24 to 192.168.202.0/24 (item 3). But does access-list 100 permit the necessary LAN-2-SPOKE traffic?

        • #5
          Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

          Thank you for the assistance, Scowles. You've been a great help.

          After doing the changes you mentioned, I got the static routes on my spokes fine.

          But I'm still unable to ping my LAN behind my ASA from any clients behind the Spokes.

          Now on the HUB, OSPF reads:
          Code:
          router ospf 1
           log-adjacency-changes
           redistribute static subnets
           network 10.10.0.0 0.0.0.255 area 0
          And
          Code:
          ip nat inside source list nat-list interface dialer1 overload
          has been removed.

          Nor am I able to ping any Clients behind Spokes from my LAN behind the ASA.

          But I'm able to ping all the Tunnel IPs, in my case HUB-10.10.0.1 and Spokes-10.10.0.2-4.

          I'm real close. Thanks for the help again.

          Aj.
          Last edited by ariyano; 14th November 2011, 10:33.

          • #6
            Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

            At this point, I would suggest trying to localize where the problem is occurring.

            A couple of things I would try:

            1) Enable "debug ip icmp" on the hub and spoke and verify packets are actually making it to each end. Make note of the source and destination. This should tell you if the ASA is permitting LAN->SPOKE traffic and NAT excluding correctly.

            2) Use "show ip route" on the hub and spoke to verify the hub/spoke routes are learned via OSPF and point to the tunnel interface.

            3) The ASA is stateful, meaning it automatically permits reply traffic for inside to outside. So traffic from LAN->SPOKE is permitted, but traffic from SPOKE -> LAN is not unless specifically permitted, i.e. add the necessary "static" commands to permit SPOKE -> LAN traffic. Also verify the ACL attached to the outside interface is permitting SPOKE->LAN traffic.

            4) Use the "show crypto ipsec sa" command to verify the tunnels are configured correctly. In particular, the encrypt/decrypt counters. If one counter is incrementing and the other is NOT, then verify NONAT and/or routing is working correctly across the tunnels.

            • #7
              Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

              Hey, thanks again for the assistance,

              But I'm still stuck. According to your post, please see some details below. Maybe it'll help pinpoint something.

              1) Enable "debug ip icmp" on the hub and spoke and verify packets are actually making it to each end. Make note of the source and destination. This should tell you if the ASA is permitting LAN->SPOKE traffic and NAT excluding correctly.

              a) I enabled "debug ip icmp" on the hub router and packets reach all the routers. Actually I'm able to ping between the HUB and all Spokes. I'm also able to ping any clients behind any configured spokes, but not able to ping any client behind the HUB from any client behind the spoke or from the spoke router itself.

              2) Use "show ip route" on the hub and spoke to verify the hub/spoke routes are learned via OSPF and point to the tunnel interface.

              a) Yes, the routes are proper on HUB & Spoke routers. I got proper routes on spokes after the "redistribute static subnets" command.

              3) The ASA is stateful, meaning it automatically permits reply traffic for inside to outside. So traffic from LAN->SPOKE is permitted, but traffic from SPOKE -> LAN is not unless specifically permitted, i.e. add the necessary "static" commands to permit SPOKE -> LAN traffic. Also verify the ACL attached to the outside interface is permitting SPOKE->LAN traffic.

              a) I've tried everything I could think of, can you give me some examples ?

              4) Use the "show crypto ipsec sa" command to verify the tunnels are configured correctly. In particular, the encrypt/decrypt counters. If one counter is incrementing and the other is NOT, then verify NONAT and/or routing is working correctly across the tunnels.

              a) I did check this, on the HUB & Spokes and they're all ok.

              I did notice something: from my HUB router, which is also my DSL modem, I'm unable to ping any clients behind the ASA.

              So I guess I'm stuck on the point that my Cisco HUB is unable to talk to my LAN. If I can get the HUB to talk to the internal LAN, I would be able to ping clients on the LAN from any Spoke or clients behind Spokes.

              From HUB router I'm able to ping clients behind Spokes.

              Any Ideas ?

              Thanks,
              Aj.

              • #8
                Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

                Another thing to add is, I'm able to ping Spoke's Tunnel IPs from my Local LAN behind the ASA.

                Aj.

                • #9
                  Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

                  Well I got this working.

                  This is for someone else who is trying to do what I was.

                  I'm able to ping across all spokes and vice versa.

                  The IPsec L2L VPN that I already had configured on the ASA was causing trouble. I removed it and everything was ok.

                  But there is a new problem now. If I try to access any remote client,
                  say (\\192.168.14.101), I get an error:

                  "The Network Path Was Not Found". I'm unable to access any resources.

                  If I use "\\192.168.14.101\c$" then I get the credential box, and no matter what I enter, I can't get in.

                  Any Ideas ?
                  Aj.
                  Attached Files

                  • #10
                    Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

                    Glad to hear you are making some headway on this.

                    Don't know why removing the ipsec portion of the config fixed part of the problem. The ipsec tunnels are configured in transport mode, so that should not make a difference. They are used to encrypt data since GRE does not.

                    FWIW: I created a DMVPN lab using GNS3. I had no problems pinging in either direction using hosts behind the hub or spoke, but that is probably due to the ASA being configured to accept ICMP on the outside interface. Plus ICMP is a different protocol. When I tried to connect (using ssh) from a host behind the hub to a host behind the spoke, that worked too, but not from a host behind the spoke to a host behind the hub. I can only assume this is due to the ASA always blocking tcp/udp packets from a lower security-level interface to a higher security-level interface (outside/0->inside/100). By default, the ASA will always permit a higher security-level to a lower security-level and dynamically permit the reply traffic. This is not the case for spoke to hub traffic.

                    If I get some spare time, I will try to configure the ASA to permit spoke->hub traffic. I would think this type of configuration change is different from the usual permits and statics required for a "single" e-mail server behind the ASA. I would think this type of configuration would require permits for all spoke LANs (/24) to the hub LANs (/24) along with NONAT entries from outside->inside. Could require more though.

                    Just my two bits on this... If I was asked to implement this type of configuration, I would purchase another router and place it behind the ASA. Then configure the ASA to only permit and forward the GRE traffic from the spokes to the router behind the ASA. This type of implementation seems more secure as far as how many ports/IPs are open to the outside world on the inside network.

                    For reference, I attached config files from the GNS3 lab. I can only attach 5 files, so spoke2 and spoke3 are missing. Still need to work on the ASA configuration to permit SPOKE->LAN traffic. These configs work as described above. HUB->SPOKE works fine. SPOKE->HUB ping works, but spoke to hub tcp/udp does not.

                    Hope this helps
                    Attached Files
                    Last edited by scowles; 17th November 2011, 13:08.
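                    As an added illustration of the outside->inside permits and NAT exemption scowles describes above (not taken from the thread's attachments), here is one way to let a spoke LAN reach the hub LAN through the ASA. It assumes pre-8.3 ASA syntax, which a 2011-era 5510 would likely run, reuses the 192.9.201.0/24 (hub LAN) and 192.168.202.0/24 (spoke LAN) addresses from post #4, and uses HUB_INSIDE_IP as a placeholder for the hub router's address on the ASA's outside subnet.

```cisco
! Assumed pre-8.3 ASA syntax; interface names inside/outside as in the thread.
! HUB_INSIDE_IP is a placeholder for the hub router's address on the outside subnet.
!
! 1) Route the spoke LAN toward the hub router, which terminates the DMVPN tunnels
!    outside the ASA (only needed if the default route does not already go there).
route outside 192.168.202.0 255.255.255.0 HUB_INSIDE_IP
!
! 2) NAT exemption: keep hub-LAN <-> spoke-LAN traffic untranslated. NAT exemption
!    (nat 0 with an access-list) applies to connections started from either side,
!    so the spoke-initiated flows are covered too; the existing PAT for internet
!    traffic is left as it is.
access-list NONAT extended permit ip 192.9.201.0 255.255.255.0 192.168.202.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3) The outside interface has the lower security level, so flows started from a
!    spoke are dropped unless the outside ACL permits them. Permitting only ICMP
!    reproduces post #9's symptom (ping works, file shares do not), so list the
!    services the spokes actually need rather than 'permit ip', one block per
!    spoke LAN. tcp/445 is the SMB port behind the \\host\share access in post #9.
access-list OUTSIDE_IN extended permit icmp 192.168.202.0 255.255.255.0 192.9.201.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit tcp 192.168.202.0 255.255.255.0 192.9.201.0 255.255.255.0 eq 445
access-group OUTSIDE_IN in interface outside
```

                    Every line added to OUTSIDE_IN is a path from the spoke sites into the hub LAN, which is the exposure scowles' "GRE-only to a router behind the ASA" design avoids; keep the list as short as the applications allow.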

                    • #11
                      Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

                      Hey,

                      I didn't get any notification email about your post.

                      Your lab looks pretty. Thank you for taking time to troubleshoot in detail.

                      First of all thanks a heap for all the help you've provided. I'm almost done with this. Good news is, I've got 6 of my sites online as of now. yeaaaaa.

                      Thank you again for chatting & the help.

                      Now comes the bad part. I've got about 50 sites on 3G connections on dynamic IPs.

                      I'm attaching here the configuration of the router I've been playing around with.
                      The strange thing is, If I restart the router or the 3G modem, the connection comes up fine, but the VPN tunnel does not.

                      After a while I get this error:

                      %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.1 has no SA and is not an initialization offer

                      But If I go into the tunnel0 interface, shut it down manually & then no shut it, everything starts working just fine.

                      Strange? Any ideas? BTW I'm using a Cisco 1711 router with (c1700-k9o3sy7-mz.123-7.XR6.bin)

                      Hope to hear from you,

                      Thanks in advance,
                      Aj.
                      Attached Files

                      • #12
                        Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router

                        Don't know how much I can help on this. Sounds like your configuration is solid, but only after a bounce of the tunnel. You could try to enable isakmp keep-alives or dead peer detection (DPD). Maybe it will help since you are dealing with dynamically assigned IP addresses.

                        FWIW: We use 3G, but we provision each 3G device with a static IP or use Sprint DataLink.

                        Sorry, that's all I got.

                        • #13
                          Re: DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 Router [SOLVED]

                          Thank you for the quick reply, You've been a lot of help, both direct and in-direct.

                          A lot of seniors around forums here and elsewhere think that so-called noobs need spoon feeding, but if they just point in the right direction it makes a lot of difference. And not everyone asking a question is a noob.

                          Anyway, coming back to the point.

                          My 3G connection is on a dynamic IP, and the LAN is static. I'm unable to get a static IP on my 3G.

                          I had a couple of Cisco 877-K9 security routers lying around, which have a built-in DSL modem with 4 FE ports.

                          I just had a wild idea:
                          1. Shut down the ATM & Dialer interfaces
                          2. Created VLAN1 on F0 (This becomes my WAN port)
                          3. Created VLAN2 on F1-F3 (This becomes my LAN port)

                          Configured everything and boom everything works as I wanted it to.

                          Tests Done :

                          Test 1:
                          Rebooted the 3G modem and from the initial reboot, tunnel up, routes publish & start of ping, total time (2-5 minutes)

                          Test 2:
                          Rebooted the router and from initial reboot, tunnel up, routes publish & start of ping, total time (the time it takes the router to be active)

                          So all together, I'm all done with the total configuration. I'm happy with the Cisco 877-K9 because if I get a DSL line, I can shift from 3G to DSL in a snap.

                          Attached is the configuration of Cisco 877-K9 latest working config.

                          Thanks again Scowles for chatting and all the hints.

                          Aj.
                          Attached Files
                          Last edited by ariyano; 27th November 2011, 21:40.
