09-03-2013 07:59 AM - edited 03-11-2019 07:33 PM
Hello everyone,
Last week I created a new discussion for a NEW site-to-site VPN and worked with Jouni Forss to configure the ASA 5505 running-config for 8.4 for connecting to a remote company using public IP addresses for our site-to-site VPN.
Both ASAs are online and able to ping each other's public IP address, but we are not able to bring the tunnel online.
Thank you
09-03-2013 08:13 AM
Hi,
Can you take "packet-tracer" outputs from both units?
ASA names taken from the configurations
Take both outputs twice and then paste the second output from each command here.
ASAFW-A
packet-tracer input inside tcp 10.10.10.10 12345 70.61.194.182 80
PCS-EW-VPN
packet-tracer input EWVPN tcp 172.16.5.50 12345 209.177.212.104 80
On a quick glance I didn't find a problem.
- Jouni
09-03-2013 08:25 AM
Hello Jouni
Thanks for that – as on first glance you didn't see a problem, it makes me think I'm learning this ASA.
ASAFW-A
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN-SERVER
nat (inside,outside) static 209.177.212.104
Additional Information:
Static translate 10.10.10.10/12345 to 209.177.212.104/12345
Phase: 4
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3947, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
PCS-EW-VPN
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN-SERVER
nat (EWVPN,outside) static 70.61.194.182
Additional Information:
Static translate 172.16.5.50/12345 to 70.61.194.182/12345
Phase: 4
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (EWVPN,outside) after-auto source dynamic any interface
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7742, packet dispatched to next module
Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Thank you
09-03-2013 08:31 AM
Hi,
The outputs would seem to indicate that the L2L VPN is working. If it wasn't, you would see a DROP in the VPN phase.
Next you could try to issue either of those "packet-tracer" commands again and take the following outputs from that same ASA unit.
show vpn-sessiondb l2l
show crypto ipsec sa
Also one important thing to confirm, since you say that this is not working: are you sure that you are using hosts with the IP addresses that have the Static NAT configured?
So on one end you should be using the host with IP address 10.10.10.10 to connect to the IP address 70.61.194.182, and on the other end you have to be testing on the host with IP 172.16.5.50 and connect to IP address 209.177.212.104.
As you can see from the L2L VPN configurations, the only traffic that will bring up the L2L VPN is traffic between these 2 hosts, as no other hosts/networks are defined in the L2L VPN configurations.
How have you tested the connectivity so far and how has it failed?
- Jouni
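The NAT-then-crypto-ACL ordering behind Jouni's point, as an added example that is not part of the thread: a small Python model of the ASA 8.4 egress path the packet-tracer output shows (NAT phase before the VPN encrypt phase), so the crypto ACL is matched on the translated source and on the remote host's public NAT address. The "object network" and "nat" lines are the ones from the ASAFW-A trace; the "host" line and the contents of access-list EARLY-WARNING-L2LVPN are assumptions, since the thread never prints them.

```python
import re

# Constructed ASAFW-A config fragment. The "object network" and "nat" lines appear
# in the thread's packet-tracer output; the "host" line and the access-list
# EARLY-WARNING-L2LVPN entry are ASSUMED, written on the public NAT addresses as
# Jouni's explanation implies (only traffic between the two NATed hosts matches).
ASAFW_A_CONFIG = """
object network LAN-SERVER
 host 10.10.10.10
 nat (inside,outside) static 209.177.212.104
access-list EARLY-WARNING-L2LVPN extended permit ip host 209.177.212.104 host 70.61.194.182
crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN
"""

def parse_static_nat(config):
    """Return {real_ip: mapped_ip} from 'object network' blocks that carry a static NAT."""
    nat, host = {}, None
    for line in config.splitlines():
        if line.startswith("object network"):
            host = None                      # new object: forget the previous host
        m = re.match(r"\s+host (\S+)$", line)
        if m:
            host = m.group(1)
        m = re.match(r"\s+nat \(\S+\) static (\S+)$", line)
        if m and host:
            nat[host] = m.group(1)
    return nat

def parse_crypto_acl(config, name):
    """Return [(src, dst)] host pairs permitted by the named extended ACL."""
    pat = re.compile(rf"access-list {name} extended permit ip host (\S+) host (\S+)")
    return [m.groups() for m in pat.finditer(config)]

def trace(config, acl_name, src, dst):
    """Mimic the egress order seen in the thread's packet-tracer: NAT, then VPN encrypt.
    Because the crypto ACL is evaluated after translation, a source host without a
    static NAT, or a destination that is the peer's real (private) address instead of
    its public NAT address, never matches the ACL and is never encrypted."""
    nat_src = parse_static_nat(config).get(src, src)   # untranslated hosts keep their real IP
    matched = (nat_src, dst) in parse_crypto_acl(config, acl_name)
    return {"nat_src": nat_src, "vpn": "encrypt" if matched else "no-match"}
```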
09-03-2013 08:55 AM
Thanks
09-03-2013 09:02 AM
Hi,
The problem might have been using wrong target IP addresses or perhaps something related to the translations on the ASA.
All the traffic between hosts on the L2L VPN will be using the public IP address to which the hosts are Static NATed to on their ASA firewalls.
So when using the PC 10.10.10.10 it should be able to connect to the IP address 70.61.194.182
When using the PC 172.16.5.50 it should be able to connect to the IP address 209.177.212.104
So both hosts should be connecting to the remote ends public NAT IP address and not the real/local IP address
I would try ICMP from both hosts and monitor the counters in "show crypto ipsec sa" output. This should tell if traffic is flowing both directions.
You should also consider that when using ICMP or something else to test connectivity that the actual hosts might be blocking this traffic and therefore it might seem that the VPN is not working.
- Jouni
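As an added example (not from the thread), a parser for the #pkts counters in "show crypto ipsec sa" that Jouni suggests watching, run over a constructed sample of that output with the thread's addresses; encaps rising while decaps stays at zero is the pattern you see when the local ASA encrypts but nothing comes back, for example when the remote host filters the ICMP test traffic.

```python
import re

# Constructed sample of "show crypto ipsec sa" as it might look on the PCS-EW-VPN side,
# trimmed to the lines that matter. Addresses and names come from the thread; the
# counter values are made up to show an outbound-only situation.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: cryptomap, seq num: 1, local addr: 70.61.194.178

      access-list EARLY-WARNING-L2LVPN extended permit ip host 70.61.194.182 host 209.177.212.104
      local ident (addr/mask/prot/port): (70.61.194.182/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (209.177.212.104/255.255.255.255/0/0)
      current_peer: 209.177.212.103

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def sa_counters(output):
    """Return {'encaps': n, 'decaps': n} summed over every SA in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER.findall(output):
        totals[name] += int(value)
    return totals

def sa_verdict(before, after):
    """Compare two counter snapshots taken around a ping test.
    encaps rising: the local ASA matched the crypto ACL and encrypted the packets.
    decaps rising: the peer sent encrypted traffic back.
    Only 'both' shows the tunnel carrying traffic end to end."""
    out = after["encaps"] > before["encaps"]
    inn = after["decaps"] > before["decaps"]
    if out and inn:
        return "both"
    if out:
        return "outbound-only"   # remote host filtering, or peer not encrypting the return traffic
    if inn:
        return "inbound-only"
    return "none"                # local test traffic never matched the crypto ACL (check NAT / target IP)
```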
09-03-2013 08:33 AM
Hi,
Jouni will nail it down in a minute or two ;), but can you try by applying 'outside_map' to interface outside on both end ASAs?
no crypto map cryptomap interface outside
crypto map outside_map interface outside
Thx
MS
09-03-2013 08:36 AM
Hi,
Please don't change the crypto map, as the correct ones are already applied to the correct interfaces.
If you change the crypto map configuration then the configuration won't match the requirements anymore.
As the above "packet-tracer" output already showed, the L2L VPN goes up as a result of the command issued, and that tells us that the L2L VPN configurations themselves are already correct.
The current configurations in use are:
crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN
crypto map cryptomap 1 set peer 70.61.194.178
crypto map cryptomap 1 set ikev1 transform-set EARLY-WARNING-TS
crypto map cryptomap 1 set security-association lifetime seconds 3600
crypto map cryptomap interface outside
crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN
crypto map cryptomap 1 set peer 209.177.212.103
crypto map cryptomap 1 set ikev1 transform-set EARLY-WARNING-TS
crypto map cryptomap 1 set security-association lifetime seconds 3600
crypto map cryptomap interface outside
- Jouni
09-03-2013 08:50 AM
Got it. Thanks Jouni.
Thx
MS
09-03-2013 09:00 AM
Hi,
Packet-tracer is showing the same results on both; like you mentioned, they show the VPN tunnel online.
After running both commands
show vpn-sessiondb l2l
show crypto ipsec sa
they show the tunnel is online for both sides.
Commands I'm using for testing: show crypto isakmp sa - before I opened this ticket with you this command was showing no results.
Command two: show crypto ipsec sa - before I opened this ticket with you this command was showing no results.
Now I'm seeing results.
The only thing I can think of - maybe I should have cleared the xlate after the configs were saved to each ASA.
I'm not sure about the public IPs you mentioned - we have one ASA with 10.10.10.10 NATed to 209.177.212.104; I should be able to ping this address from 172.16.5.50, right?
We also have 172.16.5.50 NATed to 70.61.194.182; we should be able to ping 10.10.10.10 from 172.16.5.50, right?
With the Early Warning project they will have a server assigned a public IP address, so I believe it can be NATed; I think they are using public addresses. Now for PCS we have a virtual PC with private IP address 172.16.5.50 NATed to 209.177.212.104.
Thanks
09-03-2013 09:19 AM
Jouni,
I'm very sorry for wasting your time with this post – as you have shown, the VPN tunnel is online; we also confirm we can ping the public address for each side and confirm each location has access to the other. I'm also able to access files at each location from the other.
I can't say it was a total waste for me – you continue to show how awesome you are, with a complete understanding of Cisco equipment and firewalls, teaching me the right way to deploy any site-to-site VPN connection, from LAN to LAN or using public IPs, and showing how to work through connection issues with the packet-tracer, show crypto ipsec sa and show vpn-sessiondb l2l commands.
Thanks for the help Jouni; as always I really appreciate your guidance and patience as we work through the problem, and for showing me the right way of doing this.
Thank you my friend
09-03-2013 09:28 AM
Hi,
No problem at all Stephen,
Without finding the specific documents and having no prior knowledge of the situation at hand, I would imagine it would be really hard to find the correct commands to troubleshoot a situation or implement a configuration that you need.
I am also here to learn. Trying to troubleshoot here on the forums and test the setups that people are asking about is a great way to learn something new and also makes it easier to troubleshoot situations in my actual work.
Don't hesitate to post here if you have some problems or want to double check something.
Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpful answers.
- Jouni
09-03-2013 09:31 AM
Thanks