ASA site-to-site VPN cannot work in more than one zone

Mansur

I have a site-to-site VPN connection up and running between a Cisco ASA 5525X and a Cisco 2911 router.

The ASA has three inside interfaces (inside, inside10, inside14); all three zones have the same security-level, 100.

The tunnel comes up OK.

[topology diagram: topo]


I use 192.168.0.0/16 and 10.0.0.0/8 as the interesting traffic on both sides, but only traffic from the remote router to the ASA inside zone passes. 192.168.0.0/16 cannot communicate with 10.10.10.0/24 and 10.1.4.0/24 (inside10 & inside14).

All three inside zones can communicate with each other, and the servers work fine.

I don't have a ton of experience with ASA firewalls. I suspect that the ASA blocks the packets, but I've searched everywhere and I can't seem to find a solution to this.

Thank you, Karsten Iwen:

I used capture and show crypto ipsec sa on the ASA and the tcpdump command on the servers, and found this:

The traffic from the remote router to the ASA inside zone passes:

[screenshot: to1]

When 192.168.0.0/16 pings 10.10.10.0/24 or 10.1.4.0/24, I can see the "pkts decaps" counter increasing in the ASA IPsec SA, but no packets are received on the server; the capture command gets nothing on the inside10 interface. So I think the traffic from the OFFICE PC to inside10 or inside14 is blocked by the ASA.

The tcpdump command on the server located in the OFFICE shows that traffic from inside10 or inside14 passes the ASA:

[screenshot: to2]

Thanks a lot.

Mansur


9 Replies

  • Double-check the definition of the interesting traffic and also look at the IPsec SAs to see if the SAs are really for 192.168.0.0/16 to 10.0.0.0/8. (show crypto ipsec sa)
  • Check if the traffic for all networks is exempted from NAT
  • When looking at the counters of the IPsec SA on the router, do they increment when pinging to inside10 and inside14?

Yes, I tried it.

I updated some of the above things.

Thank you.

Mansur

Have you configured a VPN-filter on the ASA?

No. The configuration of the ASA is here:

!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 42.XX.XX.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif inside10
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet3
 nameif inside14
 security-level 100
 ip address 10.1.4.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network my-inside-net
 subnet 10.1.1.0 255.255.255.0
object network inside10
 subnet 10.10.10.0 255.255.255.0
object network inside14
 subnet 10.1.4.0 255.255.255.0
object network inside10-net
 subnet 10.10.10.0 255.255.255.0
object-group network vpn
 network-object 192.168.0.0 255.255.0.0
access-list in-nat-out extended permit icmp any any
access-list idc-bjzb extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
nat (inside,outside) source static any any destination static vpn vpn
nat (inside10,outside) source static inside10 inside10 destination static vpn vpn
nat (inside14,outside) source static any any destination static vpn vpn
!
object network my-inside-net
 nat (inside,outside) dynamic interface
object network inside10-net
 nat (inside10,outside) dynamic interface
object network inside14
 nat (inside14,outside) dynamic interface
access-group in-nat-out in interface outside
route outside 0.0.0.0 0.0.0.0 42.XX.XX.1 1
crypto ipsec ikev1 transform-set VPNset esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPNmap 1 match address idc-bjzb
crypto map VPNmap 1 set peer 42.XX.XX.1
crypto map VPNmap 1 set ikev1 transform-set VPNset
crypto map VPNmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 42.XX.XX.1 type ipsec-l2l
tunnel-group 42.XX.XX.1 ipsec-attributes
 ikev1 pre-shared-key VPNKEY

inside14 has a different NAT-config than inside and inside10. Is that done intentionally?

No, there is no inside14 config on that device ...? Is that the actual config?

I accidentally deleted some information when copying, and it is fixed now.

Accepted Solution

Your NAT-config can be problematic ("any any" has side effects ...). Change it the following way:

object network LOCAL-NET
 subnet 10.0.0.0 255.0.0.0
!
nat (any,outside) source static LOCAL-NET LOCAL-NET destination static vpn vpn no-proxy-arp route-lookup
!
no nat (inside,outside) source static any any destination static vpn vpn
no nat (inside10,outside) source static inside10 inside10 destination static vpn vpn
no nat (inside14,outside) source static any any destination static vpn vpn
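Why the three per-interface rules fail while one (any,outside) rule with route-lookup works, as an added illustration that is not part of the thread and not Cisco code. The Python below models the manual (twice) NAT semantics the fix relies on; these are assumptions taken from Cisco's documented behaviour, not something the thread states explicitly: rules are evaluated in order and the first match wins; a rule written for (real,mapped) also matches a packet entering on the mapped interface whose source is in the rule's destination object and whose destination is in the rule's source object; and for identity NAT the egress interface is the rule's real interface unless route-lookup is given, in which case the routing table decides. The interface names, subnets and NAT objects come from the posted configuration; the two host addresses are constructed. Replaying an OFFICE-to-inside10 ping through the posted rules reproduces the symptom above (decaps counted, nothing captured on inside10), and replaying it through the accepted fix does not.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (added example, not Cisco code) of how an ASA chooses
# the egress interface for decrypted VPN traffic matching a manual NAT
# identity rule.  Assumed semantics (from Cisco's documented behaviour):
#   1. manual NAT rules are checked in order; the first match wins;
#   2. a rule (real_ifc,mapped_ifc) reverse-matches a packet arriving on
#      mapped_ifc whose source is in the rule's destination object and whose
#      destination is in the rule's source object;
#   3. for identity NAT the egress interface is the rule's real interface,
#      unless "route-lookup" is set (or the real interface is "any"), in
#      which case the routing table is consulted instead.

ANY = ipaddress.ip_network("0.0.0.0/0")
VPN = ipaddress.ip_network("192.168.0.0/16")      # object-group "vpn"


@dataclass(frozen=True)
class NatRule:
    real_ifc: str                    # "inside", "inside10", "inside14" or "any"
    mapped_ifc: str                  # "outside"
    src: ipaddress.IPv4Network       # identity-translated source object
    dst: ipaddress.IPv4Network       # identity-translated destination object
    route_lookup: bool = False


# Connected routes implied by the posted interface config, plus the default.
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"): "inside",
    ipaddress.ip_network("10.10.10.0/24"): "inside10",
    ipaddress.ip_network("10.1.4.0/24"): "inside14",
    ANY: "outside",
}

# The three rules exactly as posted ...
ORIGINAL_RULES = [
    NatRule("inside",   "outside", ANY,                                   VPN),
    NatRule("inside10", "outside", ipaddress.ip_network("10.10.10.0/24"), VPN),
    NatRule("inside14", "outside", ANY,                                   VPN),
]
# ... and the single rule from the accepted answer.
FIXED_RULES = [
    NatRule("any", "outside", ipaddress.ip_network("10.0.0.0/8"), VPN,
            route_lookup=True),
]


def route_lookup(dst):
    """Longest-prefix match of an address against ROUTES."""
    dst = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def egress_outbound(rules, ingress, src, dst):
    """LAN host -> VPN peer.  Packet enters on the rule's real side.
    Returns (egress_interface, index of the matching rule or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.real_ifc in (ingress, "any") and src in r.src and dst in r.dst:
            return r.mapped_ifc, i
    return route_lookup(dst), None


def egress_inbound(rules, ingress, src, dst):
    """Decrypted VPN packet -> LAN host.  Packet enters on the mapped side
    ("outside"), so the identity rules are reverse-matched."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.mapped_ifc == ingress and src in r.dst and dst in r.src:
            if r.route_lookup or r.real_ifc == "any":
                return route_lookup(dst), i      # routing table decides
            return r.real_ifc, i                 # rule's interface, no route check
    return route_lookup(dst), None


if __name__ == "__main__":
    office_pc, server10 = "192.168.1.10", "10.10.10.5"   # constructed hosts
    print("inside10 -> office           :",
          egress_outbound(ORIGINAL_RULES, "inside10", server10, office_pc))
    print("office -> inside10 (original):",
          egress_inbound(ORIGINAL_RULES, "outside", office_pc, server10))
    print("office -> inside10 (fixed)   :",
          egress_inbound(FIXED_RULES, "outside", office_pc, server10))
```

With the original rules the reply direction from 10.10.10.0/24 still leaves via outside (rule 2), which is why the OFFICE tcpdump sees traffic from inside10; but a decrypted packet for 10.10.10.5 hits rule 1 first, because "any" covers every destination, and is sent out "inside" rather than "inside10". Only the 10.1.1.0/24 servers work, by coincidence. With the single LOCAL-NET rule plus route-lookup the egress comes from the routing table and lands on the right interface. On a real ASA the same question is answered by "packet-tracer input outside icmp 192.168.1.10 8 0 10.10.10.5", whose NAT and output-interface phases show which rule was hit and where the packet would leave.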

Nice!

I've searched everywhere and I couldn't find a solution to this, except from you.

Thank you!!!!
