11-29-2016 07:11 PM - edited 03-12-2019 01:36 AM
Hi all,
Please help me out with this issue; the network topology is in the attached file.
- Config on FW 5525
object-group network R_SUBNET1
network-object 172.16.41.0 255.255.255.0
object-group network R_SUBNET2
network-object 172.16.42.0 255.255.255.0
object-group network L_SUBNET1
network-object 172.16.0.0 255.255.0.0
object-group network REMOTE
group-object R_SUBNET1
group-object R_SUBNET2
object-group network LOCAL
group-object L_SUBNET1
access-list VPN extended permit ip object-group LOCAL object-group REMOTE
crypto map VPN_map 1 match address VPN
crypto map VPN_map 1 set peer 2.2.2.2
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
- Config on FW 5506
object-group network L_SUBNET1
network-object 172.16.41.0 255.255.255.0
object-group network L_SUBNET2
network-object 172.16.42.0 255.255.255.0
object-group network R_SUBNET1
network-object 172.16.0.0 255.255.0.0
object-group network LOCAL
group-object L_SUBNET1
group-object L_SUBNET2
object-group network REMOTE
group-object R_SUBNET1
access-list VPN extended permit ip object-group LOCAL object-group REMOTE
crypto map VPN_map 1 match address VPN
crypto map VPN_map 1 set peer 1.1.1.1
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
route inside 172.16.42.254 255.255.255.0 172.16.41.254 1
After configuring, I can ping from 172.16.0.0/16 to 172.16.41.0/24, but I can't ping from 172.16.0.0/16 to 172.16.42.0/24 or in the opposite direction.
I tried to debug this:
- On FW5525, run show crypto ipsec sa peer 2.2.2.2
access-list VPN extended permit ip 172.16.0.0 255.0.0.0 172.16.41.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.41.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 194641, #pkts encrypt: 194641, #pkts digest: 194641
#pkts decaps: 201335, #pkts decrypt: 201335, #pkts verify: 201335
access-list VPN extended permit ip 172.16.0.0 255.0.0.0 172.16.42.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.42.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4105, #pkts encrypt: 4105, #pkts digest: 4105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
- On FW5506, run show crypto ipsec sa peer 1.1.1.1
access-list VPN extended permit ip 172.16.41.0 255.255.255.0 172.16.0.0 255.0.0.0
local ident (addr/mask/prot/port): (172.16.41.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 201335, #pkts encrypt: 201335, #pkts digest: 201335
#pkts decaps: 194641, #pkts decrypt: 194641, #pkts verify: 194641
access-list VPN extended permit ip 172.16.42.0 255.255.255.0 172.16.0.0 255.0.0.0
local ident (addr/mask/prot/port): (172.16.42.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4105, #pkts decrypt: 4105, #pkts verify: 4105
=> This means the VPN tunnel is working fine. But,
+ With the 172.16.41.0/24 network, everything is OK
+ With the 172.16.42.0/24 network, packets go from 172.16.0.0/16 to 172.16.42.0/24, but 172.16.42.0/24 can't respond.
- When I use the capture command, I can see many packets from the 172.16.42.0/24 network going outside, so I tried to follow the packet on FW 5506 with the packet-tracer command; the result is below:
Phase 1
Phase 2
Phase 3
Phase 4
Phase 5
Phase 6
Phase 7
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13540782, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
=> All results are allow.
At the end of the debug section everything seems to be OK, but I don't know why the 172.16.42.0/24 network can't communicate with 172.16.0.0/16.
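Read side by side, the two outputs already localise the fault: the 5525 encrypts 4105 packets toward 172.16.42.0/24, the 5506 decrypts exactly 4105, and the 5506 never encrypts a reply, so the tunnel itself is fine and the break is behind the 5506. The script below is an added example, not part of the thread, that parses constructed excerpts of both show crypto ipsec sa outputs (counters taken from the post) and pairs each SA with its mirror on the far peer to say where each flow dies.

```python
import re
from collections import namedtuple

# Constructed excerpts of "show crypto ipsec sa" from both peers, trimmed to the lines that matter.
FW5525 = """
    local ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (172.16.41.0/255.255.255.0/0/0)
    #pkts encaps: 194641, #pkts encrypt: 194641, #pkts digest: 194641
    #pkts decaps: 201335, #pkts decrypt: 201335, #pkts verify: 201335
    local ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (172.16.42.0/255.255.255.0/0/0)
    #pkts encaps: 4105, #pkts encrypt: 4105, #pkts digest: 4105
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
FW5506 = """
    local ident (addr/mask/prot/port): (172.16.41.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
    #pkts encaps: 201335, #pkts encrypt: 201335, #pkts digest: 201335
    #pkts decaps: 194641, #pkts decrypt: 194641, #pkts verify: 194641
    local ident (addr/mask/prot/port): (172.16.42.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4105, #pkts decrypt: 4105, #pkts verify: 4105
"""

SA = namedtuple("SA", "local remote encaps decaps")
IDENT = r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
SA_RE = re.compile(r"local " + IDENT + r".*?remote " + IDENT +
                   r".*?#pkts encaps: (\d+).*?#pkts decaps: (\d+)", re.S)

def parse_sas(text):
    # One SA per local/remote proxy identity pair, with its encaps/decaps counters.
    return [SA(f"{m[1]}/{m[2]}", f"{m[3]}/{m[4]}", int(m[5]), int(m[6]))
            for m in SA_RE.finditer(text)]

def diagnose(local_sas, peer_sas):
    """Pair each SA with its mirror on the far peer and report where the flow dies."""
    mirrors = {(s.local, s.remote): s for s in peer_sas}
    verdicts = {}
    for s in local_sas:
        m = mirrors.get((s.remote, s.local))   # peer's SA must be the mirror image
        if m is None:
            v = "no-mirror: peer has no matching SA, check the crypto ACLs mirror each other"
        elif s.encaps > 0 and m.decaps == 0:
            v = "lost-in-transit: we encrypt but the peer never decrypts, check the WAN path"
        elif s.encaps > 0 and s.decaps == 0:
            v = "one-way: peer decrypts but never replies, look at routing/NAT behind it"
        else:
            v = "healthy: traffic is encrypted and decrypted in both directions"
        verdicts[s.remote] = v
    return verdicts
```

Running diagnose(parse_sas(FW5525), parse_sas(FW5506)) marks 172.16.41.0/24 healthy and 172.16.42.0/24 one-way, which is exactly why packet-tracer on the 5506 shows allow all the way through.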
12-01-2016 12:24 AM
Hi -
A few questions about the switch hosting 172.16.42.0/24
PSC
12-01-2016 12:54 AM
Hi Paul,
1/ Yes, the 172.16.42.0/24 interface is up
2/ Yes, from the local ASA I can ping IP 172.16.42.254
3 + 4/ On the switch, I have two routes
- a route to 172.16.41.0/24 with the next-hop IP being the LAN interface of the firewall (remote FW)
- a route to 172.16.42.0/24 with the next-hop IP being the LAN interface of the firewall (remote FW)
But the switch can only ping 172.16.41.0/24
12-01-2016 07:41 AM
Hi -
A peer of mine recently complained about having problems with tunnels when using object-groups for the ACLs, but I haven't had a chance to circle back and check. Below is a sample replacement for the 5525 side. The sample uses objects instead of object-groups. (Note that object-groups work fine for the NAT) Do a similar change on the 5506.
! ## 5525 SIDE ##
object network R_SUBNET1
subnet 172.16.41.0 255.255.255.0
!
object network R_SUBNET2
subnet 172.16.42.0 255.255.255.0
!
object network L_SUBNET1
subnet 172.16.0.0 255.255.0.0
!
object-group network REMOTE
network-object object R_SUBNET1
network-object object R_SUBNET2
!
object-group network LOCAL
network-object object L_SUBNET1
!
access-list VPN extended permit ip object L_SUBNET1 object R_SUBNET1
access-list VPN extended permit ip object L_SUBNET1 object R_SUBNET2
!
crypto map VPN_map 1 match address VPN
crypto map VPN_map 1 set peer 2.2.2.2
!
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
PSC
12-04-2016 06:43 AM
Hi Paul,
Thanks for your advice.
Because this is an urgent case => I tried rebooting the 5506 firewall and it is working well without any change.
I think there's a bug here.
I'll try to reconfigure with your suggestion and continue monitoring.