09-02-2011 11:04 AM - edited 03-11-2019 02:20 PM
Hello,
I'm looking for some guidance on how to get a Cisco 2801, that sits behind a Cisco ASA5510 firewall, set up for ipsec tunneling capabilities to an Amazon VPC/VPN. The basic network flow is external to internal ciscoasa5510-->cisco6509-->cisco2801. I'm having issues getting the BGP peering to establish properly, which is stopping the ipsec tunnel from coming up.
I have verified on the 2801 that the BGP summary is showing as active and I have enabled debugging, which is producing the following messages:
*Sep 2 18:01:34.099: BGP: 169.254.255.5 open active, local address 169.254.255.6
*Sep 2 18:01:36.047: BGP: 169.254.255.1 open active, local address 169.254.255.2
*Sep 2 18:02:04.099: BGP: 169.254.255.5 read request no-op
*Sep 2 18:02:04.099: BGP: 169.254.255.5 open failed: Connection timed out; remote host not responding, open active delayed 23394ms (35000ms max, 60% jitter)
*Sep 2 18:02:06.047: BGP: 169.254.255.1 read request no-op
*Sep 2 18:02:06.047: BGP: 169.254.255.1 open failed: Connection timed out; remote host not responding, open active delayed 18005ms (35000ms max, 60% jitter)
I then checked the ASA's syslogs and I'm getting the following messages:
3 | Sep 02 2011 | 13:01:16 | 305006 | 72.21.209.225 | regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.225 |
3 | Sep 02 2011 | 13:01:07 | 305006 | 72.21.209.193 | regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.193 |
Can someone please shed some light on what could potentially be wrong?
Thanks,
Brad
09-02-2011 11:33 AM
Hi Brad,
Could you please verify if nat-t is enabled on the router and ASA?
Please post the output of "sh run" from the ASA here.
Regards,
Anu
09-02-2011 12:04 PM
Anu,
It appears that nat-t is not enabled on the ASA. My understanding is that enabling it is global, right? Since I currently have a L2L set up between the ASA and another remote ASA, will enabling Nat-T have any effect on that established tunnel?
Here is the current running config:
ASA Version 8.4(1)
!
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.12.35.2 255.255.255.0 standby 10.12.35.3
!
interface Ethernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address 66.191.64.126 255.255.255.240 standby 66.191.64.125
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
!
boot system disk0:/asa841-k8.bin
boot system disk0:/asa832-k8.bin
boot system disk0:/asa821-k8.bin
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.12.34.11
name-server 10.12.34.12
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-10.15.0.0
subnet 10.15.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-10.12.12.0
subnet 10.12.12.0 255.255.255.128
object network obj-10.12.30.15
host 10.12.30.15
object network obj-66.191.64.115
host 66.191.64.115
object network obj-66.191.64.124
host 66.191.64.124
object network obj-10.12.45.254
host 10.12.45.254
object network obj-10.12.45.254-01
host 10.12.45.254
object-group network DM_INLINE_NETWORK_1
network-object host 10.15.45.254
network-object host 66.191.64.124
object-group network DM_INLINE_NETWORK_2
network-object host 72.21.209.193
network-object host 72.21.209.225
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp destination eq isakmp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object udp destination eq isakmp
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp destination eq isakmp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object udp destination eq isakmp
access-list AllLocal standard permit host 216.113.190.154
access-list AllLocal standard permit 10.12.0.0 255.255.0.0
access-list AllLocal standard permit host 216.113.190.149
access-list AllLocal standard permit 10.15.0.0 255.255.0.0
access-list VPN_Client_Local_Lan standard permit any
access-list private_nat0_outbound extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 10.12.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list global_mpc extended permit tcp any any
access-list nat_exempt extended permit ip 10.10.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list nat_exempt extended permit ip 10.12.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list nat_exempt extended permit ip any 10.12.12.0 255.255.255.128
access-list nat_overload extended permit ip 10.10.0.0 255.255.0.0 any
access-list nat_overload extended permit ip 10.12.0.0 255.255.0.0 any
access-list capi extended permit tcp host 10.12.30.15 host 10.12.35.252 eq ssh
access-list capi extended permit tcp host 10.15.100.252 eq ssh host 10.12.30.15
access-list capo extended permit tcp host 10.12.30.15 host 10.12.35.252 eq ssh
access-list capo extended permit tcp host 10.15.100.252 eq ssh host 10.12.30.15
access-list capO extended permit ip host 66.77.96.250 host 66.191.64.126
access-list capO extended permit ip host 66.191.64.126 host 66.77.96.250
access-list global_mpc_1 extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 72.21.209.193 host 66.191.64.124
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 72.21.209.225 host 66.191.64.124
access-list outside_access_in extended permit esp host 72.21.209.193 host 66.191.64.124
access-list outside_access_in extended permit esp host 72.21.209.225 host 66.191.64.124
access-list outside_access_in extended permit esp host 72.21.209.193 host 10.12.45.254
access-list outside_access_in extended permit esp host 72.21.209.225 host 10.12.45.254
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 72.21.209.193 host 10.12.45.254
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 72.21.209.225 host 10.12.45.254
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq ssh
access-list outside_access_in extended deny ip any any
access-list inside_access_out_1 extended permit ip any object-group DM_INLINE_NETWORK_2
!
tcp-map AllowProbes
reserved-bits clear
tcp-options range 76 78 allow
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging mail debugging
logging facility 23
logging host inside 10.15.0.249
no logging message 106015
no logging message 106007
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 10.15.0.249 2055
flow-export template timeout-rate 10
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface HA_Failover_INT Ethernet0/2
failover key
failover replication http
failover link HA_State_INT Ethernet0/3
failover interface ip HA_Failover_INT 10.12.36.2 255.255.255.0 standby 10.12.36.3
failover interface ip HA_State_INT 10.12.37.2 255.255.255.0 standby 10.12.37.3
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.15.0.249 echo-reply inside
icmp permit any inside
icmp permit host 10.15.0.1 echo-reply inside
icmp permit any time-exceeded inside
icmp permit any outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.15.0.0 obj-10.15.0.0
nat (inside,any) source static obj-10.12.0.0 obj-10.12.0.0 destination static obj-10.15.0.0 obj-10.15.0.0
nat (inside,any) source static any any destination static obj-10.12.12.0 obj-10.12.12.0
nat (inside,outside) source static obj-10.12.30.15 obj-66.191.64.115
nat (inside,outside) source dynamic obj-10.10.0.0 interface
nat (inside,outside) source dynamic obj-10.12.0.0 interface
!
object network obj-10.12.45.254-01
nat (inside,outside) static 66.191.64.124
access-group inside_access_out_1 out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.191.64.113 1
route inside 10.12.0.0 255.255.0.0 10.12.35.1 1
route inside 10.20.0.0 255.255.0.0 10.12.45.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DCRADIUS protocol radius
reactivation-mode depletion deadtime 1
aaa-server DCRADIUS (inside) host 10.12.34.11
retry-interval 3
key
authentication-port 1812
accounting-port 1813
radius-common-pw
aaa-server DCRADIUS (inside) host 10.12.34.12
retry-interval 3
key
authentication-port 1812
accounting-port 1813
radius-common-pw
aaa authentication ssh console DCRADIUS LOCAL
aaa authentication http console DCRADIUS LOCAL
aaa authentication serial console DCRADIUS LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.12.0.0 255.255.0.0 inside
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set Secure esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_map 9 match address outside_cryptomap
crypto map Public_map 9 set pfs
crypto map Public_map 9 set peer 66.77.96.250
crypto map Public_map 9 set ikev1 transform-set Secure
crypto map Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
no crypto isakmp nat-traversal
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 15
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.0.0.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.12.34.11 source inside prefer
ntp server 10.12.34.12 source inside
tftp-server inside 10.12.30.19 asdm-635.bin
webvpn
enable outside
anyconnect image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
anyconnect enable
!
class-map global-class
match access-list global_mpc_1
class-map inspection_default
match default-inspection-traffic
class-map Riverbed
match access-list global_mpc
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class Riverbed
set connection advanced-options AllowProbes
class global-class
flow-export event-type all destination 10.15.0.249
!
service-policy global_policy global
smtp-server 10.15.20.84
prompt hostname context
hpm topN enable
Thanks,
Brad
09-03-2011 04:30 AM
Hi Brad,
Enabling NAT-T should not affect the VPN tunnels that are already up. Make sure it is enabled at both the VPN end points. Here is a guide:
http://secret-epedemiology-statistic.org.ua/1587052091/ch15lev1sec3.html#ch15lev2sec13
Let me know if you have more queries.
Regards,
Anu
09-06-2011 07:07 AM
Anu,
I have enabled it on the ASA5510, and from what I can tell and have read it's enabled by default on the 2801, as it's running IOS 12.2(13)T or later.
After making the change I'm still seeing the same "regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.225" messages in my syslogs.
Please advise.
thanks,
Brad
09-06-2011 12:10 PM
Hi Brad,
Who is 10.12.45.254 and who is 72.21.209.225? Clearly there are some ESP packets passing through the ASA between these two addresses, this is why you are getting the drops.
You mention BGP and VPN... so I am kind of confused. What type of VPN is it? Which are the IP addresses involved?
Once I have this info, I think I will be able to provide you a better explanation of what is going on.
Mike
09-06-2011 01:08 PM
Mike,
10.12.45.254 is the inside interface of our 2801 and the 72.21.209.225 is the Gateway device on Amazon's end.
Amazon's VPC setup requires BGP peering and creates an IPSEC tunnel for the VPN.
After doing much troubleshooting and digging I discovered that Amazon doesn't allow the customer gateway device (in our case the 2801) to sit behind a NAT. I had to create a public interface on the 2801 and bypass the ASA; the peering and tunnel came up and I'm now passing traffic.
Thanks for your input in this.
-Brad
09-06-2011 01:04 PM
Anu,
I have figured out what the hang-up is. It appears that Amazon VPC doesn't support a customer Gateway device set up behind a NAT, as they don't support NAT-T.
I have moved the ISR outside of our firewall and gave it a public IP on an outside interface. Once I did that the BGP peering came up and the Tunnel was established. I'm now passing traffic through the tunnel.
Thanks for your help in this.
-Brad
09-06-2011 02:15 PM
Brad,
That was the other option: if the gateway does not support Nat traversal, the only option you had was to create a 1 to 1 translation and permit ESP towards the public IP of the inside device that is going to participate in the VPN.
I am glad that everything worked.
Mike
12-05-2011 10:04 PM
Is this the right thing to do? Isn't it a faulty configuration and hence you needed to do this?
12-06-2011 09:09 AM
Nope, not really. It's just a matter of understanding how IPsec tunnels work across NAT devices. I mean, if you are running PAT (port address translation), that's where the problem kicks in. Since GRE, AH and ESP do not have ports, you cannot create a translation for them.
What NAT-Traversal does is just put a UDP header with port 4500 on it so a proper translation can be created on the NAT device (not only the ASA).
Hope this makes sense.
Mike
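A toy model of the point Mike makes here and of the 1 to 1 translation he mentioned earlier, added as an illustration and not code from the thread or from Cisco: dynamic PAT has no port to rewrite on protocol 50 (the 305006 drop in Brad's syslog), a static 1:1 NAT needs none, and NAT-T's UDP/4500 wrapper gives PAT something to translate. The addresses are the ones from the thread; the Pat class and its port allocation are a simplification, not real ASA behaviour.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
ESP, UDP = 50, 17       # IP protocol numbers
NAT_T_PORT = 4500       # UDP port used by IPsec NAT-Traversal

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP/AH/GRE: no transport ports
    dport: Optional[int] = None

class Pat:
    """Simplified outbound NAT: 1:1 static entries first, else dynamic PAT."""
    def __init__(self, interface_ip: str, static: Optional[Dict[str, str]] = None):
        self.interface_ip = interface_ip
        self.static = static or {}        # inside host -> dedicated public IP
        self.xlate: Dict[Tuple, Tuple[str, int]] = {}
        self.next_port = 1024

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # 1:1 static NAT rewrites only the address, so any protocol passes.
        if pkt.src in self.static:
            return Packet(pkt.proto, self.static[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        # Dynamic PAT shares one public IP by rewriting the source port; ESP/AH/GRE
        # carry none, so nothing can be mapped: the 305006 "protocol 50" failure.
        if pkt.sport is None:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.xlate:
            self.xlate[key] = (self.interface_ip, self.next_port)
            self.next_port += 1
        ip, port = self.xlate[key]
        return Packet(pkt.proto, ip, pkt.dst, port, pkt.dport)

def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-T wraps ESP in UDP/4500, giving PAT a port to translate."""
    return Packet(UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT)

# Constructed sample using the addresses from the thread.
ROUTER_INSIDE, AMAZON_GW = "10.12.45.254", "72.21.209.225"
OUTSIDE_IF, PUBLIC_STATIC = "66.191.64.126", "66.191.64.124"
ESP_PKT = Packet(ESP, ROUTER_INSIDE, AMAZON_GW)

def esp_via_pat() -> Optional[Packet]:     # dropped, as in Brad's syslog
    return Pat(OUTSIDE_IF).translate(ESP_PKT)
def esp_via_static() -> Optional[Packet]:  # Mike's 1:1 translation option
    return Pat(OUTSIDE_IF, {ROUTER_INSIDE: PUBLIC_STATIC}).translate(ESP_PKT)
def esp_via_nat_t() -> Optional[Packet]:   # NAT-T through plain PAT
    return Pat(OUTSIDE_IF).translate(nat_t_encapsulate(ESP_PKT))
```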
09-06-2011 11:40 PM
Hi Brad,
Glad to hear that it works now!
Regards,
Anu