TOPIC: Help with VPN Dropping traffic

Help with VPN Dropping traffic 5 years 9 months ago #36468

  • JamieP
Hi Guys,

I hope someone can help me here as I'm running out of ideas.

Our setup for site-to-site VPNs is that we have a pair of ASAs at our main site, and then each remote site has an 1801 router.

The remote sites have an ACL to permit traffic to the UK.

Initially the remote routers all had different ACLs, and I wanted to standardize them, so I created the following ACL:

[code:1]ip access-list extended VPN_PERMIT_UK
permit ip any 10.0.0.0 0.255.255.255
end[/code:1]

The theory being that all of our internal networks fall within 10.0.0.0/8. However, some remote sites cannot access certain subnets within that 10.0.0.0/8, so I'm really not sure why that is, but I created more specific rules:

[code:1]ip access-list extended VPN_PERMIT_UK
1 permit ip any 10.20.0.0 0.0.255.255
2 permit ip any 10.21.0.0 0.0.255.255
3 permit ip any 10.22.0.0 0.0.255.255
4 permit ip any 10.25.0.0 0.0.255.255
5 permit ip any 10.60.0.0 0.0.0.255
6 permit ip any 10.61.0.0 0.0.0.255
7 permit ip any 10.99.1.0 0.0.0.255
8 permit ip any 10.250.0.0 0.0.255.255
9 permit ip any 10.32.0.0 0.0.0.255
10 permit ip any 10.0.0.0 0.255.255.255[/code:1]

And still some subnets don't work, so I finally appended the original ACL rules to the end of my new ones to get the following:

[code:1]Extended IP access list VPN_PERMIT_UK
1 permit ip any 10.20.0.0 0.0.255.255
2 permit ip any 10.21.0.0 0.0.255.255 (22 matches)
3 permit ip any 10.22.0.0 0.0.255.255
4 permit ip any 10.25.0.0 0.0.255.255 (19 matches)
5 permit ip any 10.60.0.0 0.0.0.255
6 permit ip any 10.61.0.0 0.0.0.255
7 permit ip any 10.99.1.0 0.0.0.255
8 permit ip any 10.250.0.0 0.0.255.255 (6 matches)
9 permit ip any 10.32.0.0 0.0.0.255
10 permit ip any 10.0.0.0 0.255.255.255
100 permit ip 10.36.0.0 0.0.0.255 10.0.0.0 0.255.255.255
110 permit ip 10.36.0.0 0.0.0.255 10.20.0.0 0.0.255.255
120 permit ip 10.36.0.0 0.0.0.255 10.21.0.0 0.0.255.255
130 permit ip 10.36.0.0 0.0.0.255 10.22.0.0 0.0.255.255 (583 matches)
140 permit ip 10.36.0.0 0.0.0.255 10.25.0.0 0.0.255.255
150 permit ip 10.36.0.0 0.0.0.255 10.60.0.0 0.0.0.255
160 permit ip 10.36.0.0 0.0.0.255 10.61.0.0 0.0.0.255
170 permit ip 10.36.0.0 0.0.0.255 10.99.1.0 0.0.0.255
180 permit ip 10.36.0.0 0.0.0.255 10.250.0.0 0.0.255.255
190 permit ip 10.36.0.0 0.0.0.255 10.250.11.0 0.0.0.255
200 permit ip 10.36.0.0 0.0.0.255 10.32.0.0 0.0.0.255
210 permit icmp 10.36.0.0 0.0.0.255 10.0.0.0 0.255.255.255[/code:1]

I've reset the counters with the above rules, so you can see which ones are getting triggered.
Can anyone explain why rule 130 would get triggered rather than 3? And can anyone explain why 130 would be triggered rather than 100?

Any help would be greatly appreciated.
Jamie Parks
Network Engineer, UK
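
As an added illustration (not part of the original posts), here is a small Python model of top-down, first-match evaluation over the final ACL quoted above. It models plain packet filtering only and makes no attempt to model how match counters behave when the ACL is referenced by a crypto map; the function names are made up for this example.

```python
import ipaddress
# ACL from the post's final "show access-list" output, match counters removed.
ACL = """
1 permit ip any 10.20.0.0 0.0.255.255
2 permit ip any 10.21.0.0 0.0.255.255
3 permit ip any 10.22.0.0 0.0.255.255
4 permit ip any 10.25.0.0 0.0.255.255
5 permit ip any 10.60.0.0 0.0.0.255
6 permit ip any 10.61.0.0 0.0.0.255
7 permit ip any 10.99.1.0 0.0.0.255
8 permit ip any 10.250.0.0 0.0.255.255
9 permit ip any 10.32.0.0 0.0.0.255
10 permit ip any 10.0.0.0 0.255.255.255
100 permit ip 10.36.0.0 0.0.0.255 10.0.0.0 0.255.255.255
110 permit ip 10.36.0.0 0.0.0.255 10.20.0.0 0.0.255.255
120 permit ip 10.36.0.0 0.0.0.255 10.21.0.0 0.0.255.255
130 permit ip 10.36.0.0 0.0.0.255 10.22.0.0 0.0.255.255
140 permit ip 10.36.0.0 0.0.0.255 10.25.0.0 0.0.255.255
150 permit ip 10.36.0.0 0.0.0.255 10.60.0.0 0.0.0.255
160 permit ip 10.36.0.0 0.0.0.255 10.61.0.0 0.0.0.255
170 permit ip 10.36.0.0 0.0.0.255 10.99.1.0 0.0.0.255
180 permit ip 10.36.0.0 0.0.0.255 10.250.0.0 0.0.255.255
190 permit ip 10.36.0.0 0.0.0.255 10.250.11.0 0.0.0.255
200 permit ip 10.36.0.0 0.0.0.255 10.32.0.0 0.0.0.255
210 permit icmp 10.36.0.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(line):
    t = line.replace("any", "0.0.0.0 255.255.255.255").split()
    return int(t[0]), t[2], (ip(t[3]), ip(t[4])), (ip(t[5]), ip(t[6]))
ENTRIES = [parse(l) for l in ACL.strip().splitlines()]

def covers(a, b):
    # spec = (address, wildcard); a wildcard bit of 1 means "don't care"
    return (a[1] & b[1]) == b[1] and ((a[0] ^ b[0]) & ~a[1] & 0xFFFFFFFF) == 0

def first_match(proto, src, dst):
    # A single host is a spec with wildcard 0; None means the implicit deny.
    s, d = (ip(src), 0), (ip(dst), 0)
    return next((n for n, p, es, ed in ENTRIES
                 if p in ("ip", proto) and covers(es, s) and covers(ed, d)), None)

def shadowed():
    # Entries fully covered by an earlier one can never be the first match.
    return [n for i, (n, p, s, d) in enumerate(ENTRIES) if any(
        q in ("ip", p) and covers(s2, s) and covers(d2, d) for _, q, s2, d2 in ENTRIES[:i])]
```

Under this model a packet from 10.36.0.5 to 10.22.1.1 hits sequence 3, and entries 100 to 210 are all covered by entry 10, so the counters shown in the post do not follow from first-match filtering alone.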

Re: Help with VPN Dropping traffic 5 years 9 months ago #36478

  • Chris
JamieP,

It sounds like a subnetting issue; however, it would greatly help if we could have a rough network diagram and the configuration (without the sensitive information) of your HQ ASA/router and one remote site where the problem exists. This will allow everyone to have a much better idea about your setup and the problems you're experiencing.

Thanks,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx