topic Re: VPN between ASA and router in Network Security

VPN between ASA and router

georges.merhej — Mon, 11 Mar 2019 13:43:23 GMT

Hello,

I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.

Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.

Any idea?

Many thanks.

Re: VPN between ASA and router

joe19366 — Thu, 11 Sep 2008 18:09:28 GMT

without seeing the other side, i suspect a routing issue there.

does "not under my administration" mean no one there can get on the phone and work the issue with you?

Thanks,

Joe

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 18:21:35 GMT

Hi Joe,

They didn't change anything from there side! It was fully working exactly before I've migrated to the ASA!

Re: VPN between ASA and router

joe19366 — Thu, 11 Sep 2008 18:34:04 GMT

Have you used the packet tracer feature in the ASDM?

I would run a packet from source to destination using your adsm and see if it is fully going out as planned.

I suspect a stale xlate on the firewall, perhaps the other side that didnt change is hearing a different source that it wants?

Another option to consider is since the other side is using IOS (right?) they may be using GRE/IPSEC of some type and need to re-config to work with the ASA.

-Joe

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 18:54:44 GMT

I've attached the old router configuration.

Using the packet tracer:

inside-outside -> everything is fine

outside-inside -> ipsec-spoof detected! it's a normal behavior right?

Re: VPN between ASA and router

joe19366 — Thu, 11 Sep 2008 18:57:11 GMT

on the asa do you have the command...

sysop connection permit-ipsec

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 19:03:44 GMT

yeah: sysopt connection permit-vpn ( there is no permit-ipsec)

Re: VPN between ASA and router

francisco_1 — Thu, 11 Sep 2008 19:12:38 GMT

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists.

can you do some debug on the ASA.

debug crypto ipsec and debug crypto isakmp and send us the output

francisco

Re: VPN between ASA and router

joe19366 — Thu, 11 Sep 2008 19:14:22 GMT

my next educated guess;

turn off nat-t on the ASA the other side may not support it, not have it configured or UDP 4500 may filtered somewhere in the path

no crypto isakmp nat-traversal

now clear ipsec sa on the sa, and continue testing... send interesting traffic to bring the tunnel back up

Re: VPN between ASA and router

francisco_1 — Thu, 11 Sep 2008 19:18:30 GMT

try "no crypto isakmp nat-traversal"

francisco

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 19:21:53 GMT

I've configured no crypto isakmp nat-traversal and still no packets are received on the outside. the debug crypto log is attached!

Re: VPN between ASA and router

francisco_1 — Thu, 11 Sep 2008 19:27:54 GMT

try from global"clear crypto ipsec sa" and "clear xlate". Also get them to do the same on the other side.

do a continous ping to the other side

Re: VPN between ASA and router

joe19366 — Thu, 11 Sep 2008 19:30:17 GMT

going back over the notes your provided;

see the issue now?

DE-DC-INT-FW01# show crypto ipsec sa

Crypto map tag: IPSec-VPN, seq num: 40, local addr: 213.184.187.98

and now...

interface GigabitEthernet0/1

description $ES_WAN$$FW_OUTSIDE$

bandwidth 1000

ip address 213.184.187.98 255.255.255.240

ip access-group 101 in

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1200

crypto map VPN

so, my question,

what is in front of the asa, and does it arp reach the ASA to get to 213.184.187.98?

where does the ASA has this addr config'd?

-Joe

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 19:33:29 GMT

the 213.184.187.98 was the ip address of the outside interface of the router, now the router is removed and the same ip is configured on the outside interface of the ASA.

Re: VPN between ASA and router

francisco_1 — Thu, 11 Sep 2008 19:36:00 GMT

I noticed you dont have crypto isakmp enable [Inside Interface]

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 19:37:22 GMT

the vpn is terminated on the outside interface, so there is no need for isakmp on the inside, right?

Re: VPN between ASA and router

francisco_1 — Thu, 11 Sep 2008 19:47:53 GMT

mmm yeah. i checked on my lab ASA 5520 on a working tunnel and i have it enable on the inside/outside as well.

Re: VPN between ASA and router

georges.merhej — Thu, 11 Sep 2008 19:54:49 GMT

I have tunnels configured and the same interface and working perfectly

Re: VPN between ASA and router

francisco_1 — Thu, 11 Sep 2008 19:57:34 GMT

you mean you have other tunnels active on the ASA?

Re: VPN between ASA and router

joe19366 — Thu, 11 Sep 2008 19:57:47 GMT

right, so the router is gone, but

what device is in front of the ASA?

What interface is the 213. address on? outside?