cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
727
Views
0
Helpful
3
Replies

Allow LAN traffic - site 2 site vpn - Urgent

hyperdrive
Level 1
Level 1

ISSUE:

I have a site 2 site vpn tunnel but LAN traffic is not passing: e.g. ping, rdp.

 

1. on restarting the asa firewall I cannot see the tunnel coming up in ADSM:

   Monitoring --> VPN --> Sessions - before I could see the tunnel up, do I need to send a ping to other    side of VPN Lan to bring it up ?  e.g. Lan --> VPN -->Lan

 

packet-tracer input inside icmp 192.168.33.51 8 8 10.221.31.67
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static nco-vpn-remote nco-vpn-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.221.31.67/0 to 10.221.31.67/0
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.33.0    255.255.255.0   inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any log
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
============
 
access-list cached ACL log flows: total 63, denied 63 (deny-flow-max 4096) alert-interval 300
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip object-group vpn-remote object inside log informational interval 300 (hitcnt=0) 0x715de0ee
access-list outside_access_in line 1 extended permit ip 10.221.31.0 255.255.255.0 192.168.33.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x1785c769
access-list outside_access_in line 2 extended deny ip any any (hitcnt=0) 0x2c1c6a65
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 remark Remote Desktop Services
access-list inside_access_in line 2 extended permit object RDP object inside object-group    vpn-remote (hitcnt=0) 0x90ab3bee
access-list inside_access_in line 2 extended permit tcp 192.168.33.0 255.255.255.0 eq 3389   10.221.31.0 255.255.255.0 eq 3389 (hitcnt=0) 0x2a74e5fb
access-list inside_access_in line 3 extended deny ip any any log informational interval 300 itcnt=8221) 0xbe9efe96
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside object-group vpn-remote (hitcnt=12) 0xaa67a4f9
access-list outside_cryptomap line 1 extended permit ip 192.168.33.0 255.255.255.0 10.221.31.0 255.255.255.0 (hitcnt=12) 0xaa99fc57
 

Many Thanks in adance.

 

 

 

 

3 Replies 3

Ajay Saini
Level 7
Level 7

Yes, you should initiate some real traffic to bring up the vpn tunnel. Once you initiate the traffic, like ping, rdp etc, the tunnel will form.

 

A side note, in packet tracer, you should use icmp code 8 0 for ping request

 

packet-tracer input inside icmp 192.168.33.51 8 0 10.221.31.67
 
If the tunnel does not come up, check for following commands:
 
show crypto ikev1 sa  (assuming its ikev1 based tunnel)
 
show crypto ipsec sa
 
HTH
AJ

DR-WARR-FW01(config)# sh run
: Saved
:
ASA Version 9.0(1)
!
hostname W01
domain-name fw01.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 103
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 dhcp client update dns server none
 ip address *.*.*.* 255.255.255.248
!
interface Vlan103
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
banner motd # ***AUTHORIZED USERS ONLY***#
banner motd # ***AUTHORIZED USERS ONLY***#
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name nco.sunguard.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service RDP
 service tcp source eq 3389 destination eq 3389
 description RDP
object network inside
 subnet 192.168.33.0 255.255.255.0
object-group network vpn-remote
 network-object 10.221.31.0 255.255.255.0
access-list outside_access_in extended permit ip object-group vpn-remote object inside log
access-list outside_access_in extended deny ip any any
access-list inside_access_in remark Remote Desktop Services
access-list inside_access_in extended permit object RDP object inside object-group vpn-remote
access-list inside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip object inside object-group vpn-remote
pager lines 24
logging enable
logging timestamp
logging buffer-size 128000
logging monitor warnings
logging buffered warnings
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside inside destination static vpn-remote nco-vpn-remote
nat (inside,outside) source dynamic inside interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
user-identity ad-agent active-user-database full-download
aaa authentication ssh console LOCAL
http server enable
http 192.168.33.0 255.255.255.0 inside
http *.*.*.* 255.255.255.255 outside
http *.*.*.* 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 109.108.159.148
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set security-association lifetime kilobytes 2147483647
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
telnet *.*.*.* 255.255.255.252 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.33.0 255.255.255.0 inside
telnet 10.221.0.0 255.255.255.0 inside
telnet timeout 30
ssh *.*.*.* 255.255.255.248 outside
ssh *.*.*.* 255.255.255.248 outside
ssh *.*.*.* 255.255.255.255 outside
ssh 192.168.33.0 255.255.255.252 inside
ssh timeout 30
console timeout 0
dhcpd dns 10.221.2.50 10.221.2.51
dhcpd lease 604800
dhcpd domain fw01.local
!
dhcpd address 192.168.33.50-192.168.33.200 inside
dhcpd update dns both interface inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 178.238.135.68
ntp server 81.168.77.149 prefer
group-policy GroupPolicy_*.*.*.* internal
group-policy GroupPolicy_*.*.*.* attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev2
username pnetadmin password OnvkH2z0rDXp5vFF encrypted
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* general-attributes
 default-group-policy GroupPolicy_*.*.*.*
tunnel-group *.*.*.* ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 description VPN-Traffic
 match flow ip destination-address
 match tunnel-group *.*.*.*
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map outside-policy
 description VPN-Policing Policy
 class outside-class
  police output 7000000 1000000
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:89f1e3a1bdb10ffe39f0291d1b26771b
: end
FW01(config)#

gbekmezi-DD
Level 5
Level 5
Will you please share “show run tunnel-group” “show run crypto” and “show run group-policy” ? (or the complete configuration)


Thanks

George
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: