topic Re: isakmp in Network Security

isakmp

suthomas1 — Mon, 11 Mar 2019 18:50:16 GMT

Gurus,

we are testing site-to-site vpn from asa and router. our end can ping the other host from inside the asa, but from our host we are not.

when the ping is started from host behind asa, the state is nothing in crypto isakmp sa.

thanks in advance for suggestions.

Re: isakmp

Rudresh Veerappaji — Tue, 05 Oct 2010 11:09:09 GMT

Hi,

I think you are missing NAT exemption on either ASA or Router or both. you ideally need to exempt the vpn traffic from Natting.

For NAT emsmption on ASA: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#NEX1

For NAT exemption on Router:

example:

ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

wherein 192.168.1.0 is an example network behind ASA and 10.0.0.0 is behind router.

192.168.1.0/24----------ASA=====================router----------------10.0.0.0/24

Let me know if this helps,

Cheers,

Rudresh V

Re: isakmp

suthomas1 — Tue, 05 Oct 2010 11:14:14 GMT

thanks rudresh. that exists on the devices.

Re: isakmp

Rudresh Veerappaji — Tue, 05 Oct 2010 11:43:02 GMT

Hi,

ok, then if we have nat exempt correct, and we can ping remote network from inside interface of ASA (correct me if i understood wrong here), you need to check if the packets from the host is reaching the ASA when you ping (routing issue).

If routing is correct, then check the access-lists on the inside interface of ASA to see if we are blocking vpn traffic.

If access-lists are ok, then i suggest you run a packet tracer on the ASA as mentioned below, and share the output here:

example topology:

10.0.0.0/24-------ASA==========================router------------192.168.0.0/24

packet-tracer input inside icmp 10.0.0.10 8 0 192.168.0.10 detailed ---------------->packet from inside to outside of ASA, make sure yuo do not use inside interface ip address of ASA for packet-tracer, it fails. You can use any random ip address

packet-tracer input outside icmp 192.168.0.10 8 0 10.0.0.10 detailed ------------------>packet from outside to inside.

Cheers,

Rudresh V

Re: isakmp

mirober2 — Tue, 05 Oct 2010 12:18:25 GMT

Hello,

If you're not seeing a phase 1 SA come up, try enabling 'debug crypto isakmp' and starting the ping again. You might also check the syslogs that are generated at the same time. This should give you some indication of why the tunnel is not coming up correctly.

Hope that helps.

-Mike

Re: isakmp

suthomas1 — Tue, 05 Oct 2010 15:54:16 GMT

Thanks Rudresh & Mike,

i will get asa site personnel to try the trace, may take couple of days before they get this. meanwhile, a question, if asa has lan as 192.168.100.1 /27 and router 1841 has lan as 172.16.1.4 /24. and the list on both of the allow as below for vpn,

asa - acl extended permit ip 192.168.100.0 255.255.255.224 to 172.16.1.112 255.255.255.224

1841- acl extended permit ip 172.16.1.112 255.255.255.224 192.168.100.0 255.255.255.224

will these hamper the described ping or vpn problem. or should the interface ip of router be also included.

Thanks in advance!

Re: isakmp

suthomas1 — Wed, 06 Oct 2010 01:39:21 GMT

since the remote device is a router 1841, my thinking says that esp/ah/nat-t, isakmp specific access lists are not required on the router.

please suggest if this is right or pls correct the statement.

Thanks in advance.

Re: isakmp

suthomas1 — Fri, 08 Oct 2010 08:15:40 GMT

Thanks all here.

this topic was fixed. the connection was established, there was some firewall devices at remote end, unknown to those personnel ( strange though ).

It would help me if someone can throw some light on ways to reduce latency or improve performance over vpn. the is used for sort of animation drawing transfers and i am told , those are quite heavy images.

thanks.