
Problem with IPSec VPN between ASA 5525 and 5506

EZ17
Level 1

Hi all,

Please help me out with this issue; the network topology is in the attached file.

- Config in FW 5525

! Remote (5506-side) subnets as seen from the 5525
object-group network R_SUBNET1
network-object 172.16.41.0 255.255.255.0
object-group network R_SUBNET2
network-object 172.16.42.0 255.255.255.0
! Local subnet; note that 172.16.0.0/16 also contains both remote /24s above
object-group network L_SUBNET1
network-object 172.16.0.0 255.255.0.0
object-group network REMOTE
group-object R_SUBNET1
group-object R_SUBNET2
object-group network LOCAL
group-object L_SUBNET1

! Crypto ACL (interesting traffic); must be the mirror image of the ACL on the 5506
access-list VPN extended permit ip object-group LOCAL object-group REMOTE
crypto map VPN_map 1 match address VPN
crypto map VPN_map 1 set peer 2.2.2.2
! Identity NAT so that tunnel traffic is exempt from the other NAT rules
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

- Config in FW 5506

! Local (5506-side) subnets
object-group network L_SUBNET1
network-object 172.16.41.0 255.255.255.0
object-group network L_SUBNET2
network-object 172.16.42.0 255.255.255.0
! Remote subnet behind the 5525
object-group network R_SUBNET1
network-object 172.16.0.0 255.255.0.0
object-group network LOCAL
group-object L_SUBNET1
group-object L_SUBNET2
object-group network REMOTE
group-object R_SUBNET1

! ACL names are case-sensitive: the name must match the crypto map "match address" exactly
access-list VPN extended permit ip object-group LOCAL object-group REMOTE
crypto map VPN_map 1 match address VPN
crypto map VPN_map 1 set peer 1.1.1.1
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

! Static route to the second LAN subnet via the switch at 172.16.41.254 (network address, not a host address, for the /24)
route inside 172.16.42.0 255.255.255.0 172.16.41.254 1

After configuring this, I can ping from 172.16.0.0/16 to 172.16.41.0/24, but I can't ping from 172.16.0.0/16 to 172.16.42.0/24 or the other way round.

I tried to debug this:

- On FW5525, run show crypto ipsec sa peer 2.2.2.2

access-list VPN extended permit ip 172.16.0.0 255.0.0.0 172.16.41.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.41.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 194641, #pkts encrypt: 194641, #pkts digest: 194641
#pkts decaps: 201335, #pkts decrypt: 201335, #pkts verify: 201335

access-list VPN extended permit ip 172.16.0.0 255.0.0.0 172.16.42.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.42.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4105, #pkts encrypt: 4105, #pkts digest: 4105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

- On FW5506, run show crypto ipsec sa peer 1.1.1.1

access-list VPN extended permit ip 172.16.41.0 255.255.255.0 172.16.0.0 255.0.0.0 
local ident (addr/mask/prot/port): (172.16.41.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 201335, #pkts encrypt: 201335, #pkts digest: 201335
#pkts decaps: 194641, #pkts decrypt: 194641, #pkts verify: 194641

access-list VPN extended permit ip 172.16.42.0 255.255.255.0 172.16.0.0 255.0.0.0 
local ident (addr/mask/prot/port): (172.16.42.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4105, #pkts decrypt: 4105, #pkts verify: 4105

=> This means the VPN tunnel is working fine. But:

+ With the 172.16.41.0/24 network, everything is OK.

+ With the 172.16.42.0/24 network, packets go from 172.16.0.0/24 to 172.16.42.0/24, but 172.16.42.0/24 can't respond.

- When I use the capture command, I can see many packets from the 172.16.42.0/24 network going outside, so I tried to follow a packet on FW 5506 with the packet-tracer command; the result is below:

Phase 1
Phase 2
Phase 3

Phase 4
Phase 5
Phase 6

Phase 7

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13540782, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

=> All results are allow.

That is the end of the debug section; everything seems to be OK, but I don't know why the 172.16.42.0/24 network can't communicate with 172.16.0.0/16.

4 Replies

Paul Chapman
Level 4

Hi -

A few questions about the switch hosting 172.16.42.0/24

  1. Is the 172.16.42.0/24 interface up/up?
  2. Is the target ip in 172.16.42.0/24 reachable from the local ASA (172.16.41.250)?
  3. Does the switch have a route to 172.16.0.0/16 which does not point to 172.16.41.250?
  4. If 172.16.0.0/16 does not exist in the routing table, then does 0.0.0.0/0 point to 172.16.41.250 as the next hop router?

PSC

Hi Paul,

1/ Yes, the 172.16.42.0/24 interface is up.

2/ Yes, from the local ASA I can ping 172.16.42.254.

3 + 4/ On the switch I have two routes:

- a route to 172.16.41.0/24 whose next hop is the firewall's LAN interface (remote FW)

- a route to 172.16.42.0/24 whose next hop is the firewall's LAN interface (remote FW)

But the switch can only ping 172.16.41.0/24.

Hi -

A peer of mine recently complained about having problems with tunnels when using object-groups for the ACLs, but I haven't had a chance to circle back and check.  Below is a sample replacement for the 5525 side.  The sample uses objects instead of object-groups.  (Note that object-groups work fine for the NAT) Do a similar change on the 5506.

! ## 5525 SIDE ##
object network R_SUBNET1
 subnet 172.16.41.0 255.255.255.0
!
object network R_SUBNET2
 subnet 172.16.42.0 255.255.255.0
!
object network L_SUBNET1
 subnet 172.16.0.0 255.255.0.0
!
object-group network REMOTE
 network-object object R_SUBNET1
 network-object object R_SUBNET2
!
object-group network LOCAL
 network-object object L_SUBNET1
!
access-list VPN extended permit ip object L_SUBNET1 object R_SUBNET1
access-list VPN extended permit ip object L_SUBNET1 object R_SUBNET2
!
crypto map VPN_map 1 match address VPN
crypto map VPN_map 1 set peer 2.2.2.2
!
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

PSC
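Added here as a worked example, not code from the thread or from Cisco: a small Python checker that does by machine what the post and Paul's replies above do by hand. It expands each side's crypto ACL through its object and object-group definitions (so Paul's object-style 5525 and the original object-group-style 5506 are compared on equal terms), reports proxy identities that do not mirror between the peers, flags the overlap between 172.16.0.0/16 and the two remote /24s, and turns the encaps/decaps counters from show crypto ipsec sa into a one-line verdict. The sample configs are constructed from the thread; the function names, the parser's limited grammar (only the statement types the thread uses) and the verdict strings are this example's own.

```python
# Added example, not from the thread: expand two ASA crypto ACLs through their
# object / object-group definitions, mirror-check them, flag overlaps, classify SA counters.
import ipaddress
import re

# Constructed sample configs built from the thread: the 5525 in the object
# style Paul suggests, the 5506 in the original object-group style.
ASA5525 = """\
object network R_SUBNET1
 subnet 172.16.41.0 255.255.255.0
object network R_SUBNET2
 subnet 172.16.42.0 255.255.255.0
object network L_SUBNET1
 subnet 172.16.0.0 255.255.0.0
access-list VPN extended permit ip object L_SUBNET1 object R_SUBNET1
access-list VPN extended permit ip object L_SUBNET1 object R_SUBNET2
crypto map VPN_map 1 match address VPN
"""
ASA5506 = """\
object-group network L_SUBNET1
 network-object 172.16.41.0 255.255.255.0
object-group network R_SUBNET1
 network-object 172.16.0.0 255.255.0.0
object-group network LOCAL
 group-object L_SUBNET1
 network-object 172.16.42.0 255.255.255.0
object-group network REMOTE
 group-object R_SUBNET1
access-list VPN extended permit ip object-group LOCAL object-group REMOTE
crypto map VPN_map 1 match address VPN
"""

def net(addr, mask):
    """IPv4Network from ASA `address mask` notation; non-strict so a mask that does not fit the address is normalised, not rejected."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_objects(cfg):
    """{name: [IPv4Network | ('ref', name)]} for object / object-group network blocks."""
    objs, cur = {}, None
    for p in (line.split() for line in cfg.splitlines()):
        if not p:
            continue
        if p[:2] in (["object", "network"], ["object-group", "network"]):
            cur = p[2]
            objs.setdefault(cur, [])
        elif cur and p[0] in ("subnet", "network-object") and p[1] != "object":
            objs[cur].append(net(p[1], p[2]))
        elif cur and p[0] in ("group-object", "network-object"):
            objs[cur].append(("ref", p[-1]))
        else:
            cur = None  # any other top-level command closes the object block
    return objs

def expand(objs, name, seen=()):
    """Resolve nested group references into a flat list of networks."""
    if name in seen:
        raise ValueError(f"circular object-group reference via {name}")
    nets = []
    for item in objs[name]:
        nets += expand(objs, item[1], seen + (name,)) if isinstance(item, tuple) else [item]
    return nets

def _operand(tok, objs):
    """One ACL address operand (object, object-group or `address mask`) -> (networks, rest)."""
    if tok[0] in ("object", "object-group"):
        return expand(objs, tok[1]), tok[2:]
    return [net(tok[0], tok[1])], tok[2:]

def crypto_acl_pairs(cfg):
    """(src, dst) pairs of the ACL the crypto map references. The name match is exact
    because ASA ACL names are case-sensitive: `match address VPN` with `access-list vpn ...`
    leaves the tunnel with no interesting traffic at all."""
    m = re.search(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)
    objs, pairs = parse_objects(cfg), []
    for p in (line.split() for line in cfg.splitlines()):
        if m and p[:5] == ["access-list", m.group(1), "extended", "permit", "ip"]:
            src, rest = _operand(p[5:], objs)
            dst, _ = _operand(rest, objs)
            pairs += [(s, d) for s in src for d in dst]
    return pairs

def check_mirror(local_pairs, remote_pairs):
    """Pairs on this side with no (dst, src) counterpart on the peer: proxy IDs that will not agree in Phase 2."""
    mirrored = {(d, s) for s, d in remote_pairs}
    return sorted(f"{s} -> {d}" for s, d in set(local_pairs) - mirrored)

def check_overlap(pairs):
    """Local/remote identities that overlap (172.16.0.0/16 against the two /24s here).
    The ASA routes before it applies the crypto map, so the overlapping part must be routed out the outside interface."""
    return sorted(f"{s} overlaps {d}" for s, d in pairs if s.overlaps(d))

def classify_sa(local, remote):
    """local/remote = (encaps, decaps) for one proxy pair, read from `show crypto ipsec sa` on each peer."""
    (l_enc, l_dec), (r_enc, r_dec) = local, remote
    if l_enc and l_dec and r_enc and r_dec:
        return "bidirectional"
    if l_enc and r_dec and not r_enc:
        return "one-way: peer decrypts but never encrypts a reply; check return routing behind the peer"
    if l_enc and not r_dec:
        return "encrypted here, never decrypted by the peer; check the path between the peers"
    return "nothing encrypted here; check crypto ACL, NAT exemption and routing on this side"
```

Run on the thread's own numbers, the 172.16.42.0/24 pair classifies as one-way: the 5506 decrypts 4105 packets and encrypts none, which is the signature of a return-path problem behind the 5506 rather than a tunnel problem, and is exactly what Paul's questions about the switch routes probe. The mirror check passes for the posted ACLs; it would fail, for instance, if one side carried the /8 mask shown in the show output while the other carried the /16 from the config.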

Hi Paul,

Thanks for your advice.
Because this is an urgent case, I tried rebooting the 5506 firewall, and it is now working well without any change.

I think there's a bug here.

I'll try to reconfigure it with your suggestion and continue monitoring.
