i have attach my ASA config site to site vpn with note for the remote site that i need to access

amralrazzaz
Level 5

So I have a problem with my config. Can anybody help? My main purpose is to access the application server (SAP systems).

And I can't, so I don't know whether the problem is from the ports or from the setup itself. I need help.

I'll attach everything in different posts because each post allows no more than 3 or 4 attachments.

So I need help to check whether the setup is okay or not, and also whether the NAT is correct or not, because I have 4 VLANs but I have used the main ID network or main subnet. So I need to check why there is no reachability to the other side.

By the way, I have one server I can't reach except via Remote Desktop, and only from the WiFi office VLAN; from the wired VLAN I can't (this server should be the SAP application, but I can't access it via the app GUI, only Remote Desktop, with no login for sure; it just shows me that I can't reach it via Remote Desktop).

Thanks

amr alrazzaz
11 Replies

amralrazzaz
Level 5

Another attachment for the setup.

amr alrazzaz

Remote site attachment.

amr alrazzaz

Any update or any guidance to share with me? :) Need your help all, thanks.

amr alrazzaz

Hi,

Are you using the ASA firmware or FTD firmware?

Could you issue "show crypto ikev2 sa" and "show crypto ipsec sa" to verify that the Phase 1 and Phase 2 SAs have been built successfully?

Are any incoming packets being decrypted and any outgoing packets being encrypted in the output of "show crypto ipsec sa"?

Is your failed connection (the combination of source IP & destination IP) included in the VPN interesting traffic?

Please share more information with us.

Hi again, can you help me to create NAT for different VLANs (I have WiFi office, printer, wired and guest VLANs)? I can access the remote side using only the WiFi office VLAN, so how can I add more NAT for the different VLANs and apply it in the configuration?

Please check the output:

 

> show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:67, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
230738657 192.168.1.73/4500 194.247.XX.XX/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/307 sec
Child sa: local selector 10.245.XXX.0/0 - 10.245.XXX.255/65535
remote selector 10.102.44.37/0 - 10.102.44.37/65535
ESP spi in/out: 0x35a5c411/0x94a164b0

show crypto ikev2 sa

IKEv2 SAs:

Session-id:67, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
230738657 192.168.1.73/4500 194.247.125.126/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/476 sec
Child sa: local selector 10.245.1XXX.0/0 - 10.245.XXX.255/65535
remote selector 10.102.44.37/0 - 10.102.44.37/65535
ESP spi in/out: 0x35a5c411/0x94a164b0
> show crypto ipsec sa
interface: outside
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 192.168.1.73

access-list |s2sAcl|ffdca9e5-034c-11e9-8ca8-f51c2173f055 extended permit ip 10.245.160.0 255.255.224.0 host 10.102.XX.37
local ident (addr/mask/prot/port): (10.245.1XX.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (10.102.XX.37/255.255.255.255/0/0)

(The port should be 3610 to access the application, not only Remote Desktop.)
current_peer: 194.247.125.126


#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.73/4500, remote crypto endpt.: 194.247.125.126/4500
path mtu 1500, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 94A164B0
current inbound spi : 35A5C411

inbound esp sas:
spi: 0x35A5C411 (900056081)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 1319, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4285439/28304)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FD
outbound esp sas:
spi: 0x94A164B0 (2493605040)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 1319, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4055039/28304)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

>

This is the application IP I have reached by Remote Desktop, but using the application itself I can't. I believe that the port is the problem?

amr alrazzaz

Seems like your Phase 1 is still pending (show crypto isakmp sa). Let's make sure the proposals are the same on both sides first. After you have fixed Phase 1, you need to verify Phase 2 (show crypto ipsec sa), then you need to configure NAT exemption. Here is an example:

nat (inside,outside) 1 source static <LOCAL> <LOCAL> destination static <REMOTE> <REMOTE> no-proxy-arp route-lookup

How to add more than one NAT and deploy? As you know, I have 3 VLANs, and when I deploy the VPN it asks me which VLAN you will apply, like the picture. Please check.

I have 3 VLANs, and each VLAN should access 3 networks on the remote side (10.0.0.0, 172.16.0.0, 192.168.0.0) for each VLAN, but when deploying I have to choose only one VLAN, so if I choose WiFi, then I can't with the printer VLAN and wired VLAN.

amr alrazzaz
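As an added example (not from this thread or from Cisco documentation), one way to cover all three VLANs and all three remote networks with a single NAT-exemption rule and a single crypto ACL is to group them in network object-groups; every VLAN subnet and remote mask below is a placeholder, since the thread only gives the local /19 and the remote host. The output quoted above already shows an IKEv2 SA UP-ACTIVE with encaps and decaps counters for the one existing selector pair, so what the other VLANs lack is coverage in the exemption rule and the interesting-traffic ACL.

```cisco
! Added example; addresses are placeholders (the thread gives no VLAN masks).
! Group the local VLAN subnets (wifi-office, printer, wired) in one object.
object-group network LOCAL-VLANS
 network-object 10.245.160.0 255.255.255.0
 network-object 10.245.161.0 255.255.255.0
 network-object 10.245.162.0 255.255.255.0
!
! Remote networks named in the post; masks are assumed, not given there.
object-group network REMOTE-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! One identity (exempt) NAT rule for every VLAN-to-remote pair.
! "any" as the inside interface covers all VLAN interfaces at once,
! instead of one rule per VLAN interface name.
nat (any,outside) source static LOCAL-VLANS LOCAL-VLANS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
!
! The crypto ACL must match the same pairs, or the traffic is exempt from
! NAT but never matches the tunnel. "permit ip" covers all ports,
! including the SAP port 3610 mentioned above.
access-list s2sAcl extended permit ip object-group LOCAL-VLANS object-group REMOTE-NETS
crypto map s2sCryptoMap 1 match address s2sAcl
!
! Check one failed flow end to end (placeholder source host on the wired VLAN):
! the trace should show the NAT exempt rule, the VPN phase and ALLOW.
packet-tracer input inside tcp 10.245.162.10 12345 10.102.44.37 3610
```

The remote peer must carry the mirror image of these selectors and its own exemption, otherwise the child SA only comes up for the subset both sides agree on. If the device is managed by FDM (the auto-generated-looking ACL name in the output suggests it may be), the same grouping is done as network objects in the GUI rather than typed at the CLI.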