ASA 8.4 IPSec-L2L VPN 1-Way communication

RobertJLake
Level 1

Hello,

I am currently trying to configure a Site-to-Site VPN tunnel and seem to have stumbled into a problem. I appear to be able to communicate in only one direction: my 10.1.1.x clients are able to ping clients on the 192.168.135.x network; however, the 192.168.135.x clients are not able to ping clients on the 10.1.1.x network.

Topology

10.1.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.135.x/24

I'm not sure which outputs will be valuable to you, so let me know if I'm missing anything.

 

ASA1

ciscoasa(config)# sh run nat
nat (inside,outside) source static local-nets local-nets destination static vpn-nets vpn-nets no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface

 

ciscoasa# sh run route
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

 

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set triplesha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto map vpnmap 120 match address outbound
crypto map vpnmap 120 set peer X.X.X.X
crypto map vpnmap 120 set ikev1 transform-set triplesha
crypto map vpnmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

ASA2

PT-Hold-ASA5505# sh run nat
nat (inside,outside) source static local-nets local-nets destination static vpn-nets vpn-nets no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface

PT-Hold-ASA5505# sh run route
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

crypto map vpnmap 120 match address robASA
crypto map vpnmap 120 set peer X.X.X.X
crypto map vpnmap 120 set ikev1 transform-set aes256sha triplesha
crypto map vpnmap 255 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Thank you for any help you have to offer; I'm not very familiar with ASAs.

25 Replies

So I'm in the office today and I went ahead and attempted pinging from behind ASA2 to a device behind ASA1 and vice versa. I have attached them as images below.

Please follow this now:

 

1. clear crypto ikev1 sa <peer_address> on both ASAs.

2. clear crypto ipsec sa peer <peer_address> on both ASAs.

3. Initiate a ping from PC (192.168.135.60) to PC (10.1.1.5). Let it complete for 5 requests.

4. show crypto isakmp sa on ASA2 and ASA1 and paste the output here.

5. show crypto ipsec sa on ASA2 and ASA1 and paste the output here.

It'll be good if you paste the output to a txt file and attach it.

 

Alright I have done this, the pings still come out the same way, here is the output.

Looks good from both ASAs. I hope you didn't ping from ASA1 to ASA2 after clearing the SAs. Do not initiate the ping from the ASA1 side.

 

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

Just to make sure, please repeat steps 1 & 2 above and ping again from PC (192.168.135.60) to PC (10.1.1.5). Let it complete for exactly 10 requests.

Repeat steps 4 and 5 above.

Also please check if PC (10.1.1.5) has a local firewall blocking the ping.

Okay, I did as you said: no pings from ASA1 or anything behind ASA1. After clearing both ASAs of IKEv1 and IPsec SAs, I went on the 10.1.1.5 PC and initiated ping 192.168.135.60 -n 10. Here are the results of the show commands after that.

 

I'm completely at a loss; I hope something makes sense to you! Also, I have disabled all firewalls on the 10.1.1.5 PC.

OK, so from this output, it looks like packets go from ASA2 to ASA1 but the reply is not coming back.

There could be 2 reasons:

1. The PC is not sending the ping reply back.

2. ASA1 is not able to send the ping reply to ASA2.

Follow this:

On ASA1:

capture cap1 interface inside match ip host 10.1.1.5 host 192.168.135.60

Now initiate a ping from PC (192.168.135.60) to PC (10.1.1.5).

On ASA1:

show capture cap1

This way we can find out whether the ping reply is coming back to ASA1 from the PC or not.

Use this instead:

 

On ASA1:

access-list cap-acl permit icmp host 10.1.1.5 host 192.168.135.60
access-list cap-acl permit icmp host 192.168.135.60 host 10.1.1.5

capture cap1 interface inside access-list cap-acl

Now initiate a ping from PC (192.168.135.60) to PC (10.1.1.5).

On ASA1:

show capture cap1

This is better.

Uhh, it just started working. I think maybe turning the firewall off completely on the PC fixed it, but I pinged too soon after? Here is the output from the sh capture:

 

ciscoasa(config)# sh capture cap1

18 packets captured

   1: 06:04:57.685602 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
   2: 06:04:57.686274 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
   3: 06:04:58.683360 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
   4: 06:04:58.683665 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
   5: 06:04:59.681620 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
   6: 06:04:59.682124 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
   7: 06:05:00.681559 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
   8: 06:05:00.682169 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
   9: 06:05:01.679789 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
  10: 06:05:01.680430 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
  11: 06:05:02.677790 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
  12: 06:05:02.678248 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
  13: 06:05:03.677104 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
  14: 06:05:03.677714 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
  15: 06:05:04.674144 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
  16: 06:05:04.674785 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
  17: 06:05:05.672618 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
  18: 06:05:05.673228 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
18 packets shown
ciscoasa(config)#

 

I think you nailed it my friend!
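The inside-interface capture above is what settles which of the two causes applies: requests arriving with no replies point at the host, while no requests at all point at the tunnel, NAT or routing. As an added example that is not part of the thread, the following Python parses lines in that same show capture layout (constructed samples, embedded inline), pairs each echo request with its reply and reports unanswered requests, so the one-way symptom shows up as requests with zero replies.

```python
import re
from collections import Counter

# Constructed samples in the layout of ASA "show capture" output. The first
# mimics the thread's symptom (echo requests reach the inside interface but no
# reply comes back); the second mirrors the healthy capture posted above.
ONE_WAY_SAMPLE = """\
2 packets captured
   1: 06:04:57.685602 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
   2: 06:04:58.683360 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
2 packets shown
"""
TWO_WAY_SAMPLE = """\
   1: 06:04:57.685602 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
   2: 06:04:57.686274 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
"""

IP = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"^\s*\d+:\s.*?(?P<src>{IP}) > (?P<dst>{IP}): icmp: echo (?P<kind>request|reply)"
)

def parse_capture(text):
    """Extract (src, dst, kind) from each ICMP echo line; other lines are skipped."""
    return [(m["src"], m["dst"], m["kind"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def analyze(text):
    """Count requests and matching replies per request direction (src, dst)."""
    requests, replies = Counter(), Counter()
    for src, dst, kind in parse_capture(text):
        if kind == "request":
            requests[(src, dst)] += 1
        else:
            replies[(dst, src)] += 1   # key a reply by the request it answers
    return {flow: {"requests": n, "replies": replies[flow],
                   "unanswered": n - replies[flow]}
            for flow, n in requests.items()}

def verdict(text):
    """Map the counts onto the two causes discussed in the thread."""
    report = analyze(text)
    if not report:
        return "no echo traffic on inside: problem is before the host (tunnel, NAT, routing)"
    if all(v["unanswered"] == 0 for v in report.values()):
        return "two-way"
    bad = [f"{s}->{d} ({v['unanswered']} unanswered)"
           for (s, d), v in report.items() if v["unanswered"]]
    return "one-way: requests reach the host but no reply; check host firewall: " + "; ".join(bad)

if __name__ == "__main__":
    for name, sample in (("one-way", ONE_WAY_SAMPLE), ("two-way", TWO_WAY_SAMPLE)):
        print(name, "->", verdict(sample))
```

Paste the real show capture text into verdict() to get the same classification for a live capture.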

Windows Firewall always does it.

Anyways, glad that it worked now.

:)

 

Rohit,

 

Is there a way to send a private message? I was curious if I could pick your brain about something that isn't directly related to this exact thread topic.

 

Thanks again for helping me fix this!

Sure.
