2403 Views | 0 Helpful | 20 Replies

Site to Site VPN Issue

TXITGUY9000
Level 1

Hi Everyone,

I am having trouble getting my Site 2 Site VPN working. It shows the tunnel is initiated on both sides, but I cannot ping across to any of the subnets.

One is an ASA5510 (8.2), the other is an ASA5505 (8.2).

I am sure I'm missing something simple, but I just can't seem to figure it out.

Here is my code:

ASA5505 (OFFICE)

ASA5505# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28750
ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA5505
domain-name .LOCAL
enable password l6TfH6cW.FyTs0Rc encrypted
passwd zsGJHLUedCLLSkmz encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description Connection to Switch
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description Untangle Link
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 104.0.0.1 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name .LOCAL
object-group network -IP
 network-object host 64.40.115.156
 network-object host 64.40.115.157
 network-object host 64.40.115.158
 network-object host 64.40.115.155
object-group network VPN-INSIDE-IP
 network-object host 192.168.10.4
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 104.0.0.1 eq 81
access-list inbound extended permit tcp any host 104.0.0.1 eq 5000
access-list inbound extended permit tcp any host 104.0.0.1 eq 85
access-list inbound extended permit tcp any host 104.0.0.1 eq 6690
access-list inbound extended permit tcp any host 104.0.0.1 eq 5222
access-list inbound extended permit tcp object-group IP host 104.0.0.1 eq 8351
access-list inbound extended permit tcp host 209.0.0.1 host 104.0.0.1 eq 3389
access-list inbound extended permit udp any host 104.0.0.2 eq 1194
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list splittunnel standard permit 192.168.99.0 255.255.255.0
access-list splittunnel standard permit 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclientpool 192.168.5.1-192.168.5.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 104.0.0.2 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.99.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.99.253 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.99.252 85 netmask 255.255.255.255
static (inside,outside) tcp interface 6690 192.168.99.12 6690 netmask 255.255.255.255
static (inside,outside) tcp interface 8500 192.168.10.5 8500 netmask 255.255.255.255
static (inside,outside) tcp interface 8351 192.168.20.7 8351 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.20.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 5222 192.168.20.19 5222 netmask 255.255.255.255
static (inside,outside) udp 104.11.119.180 1194 192.168.10.5 1194 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 104.0.0.10 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.99.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.20.16
 key *****
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.99.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
snmp-server group v3group v3 auth
snmp-server user v3user v3group v3 encrypted auth md5 8f:e2:21:74:8e:e0:e0:bf:e6:47:68:71:1e:3e:ed:d7
snmp-server host inside 192.168.20.10 community ***** version 2c
snmp-server host inside 192.168.99.2 community ***** version 2c
snmp-server location office
snmp-server contact 
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map clienttunnel 10 set transform-set 3des-md5 3des-sha
crypto map vpntunnel 30 match address outside_1_cryptomap
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 50.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel 65000 ipsec-isakmp dynamic clienttunnel
crypto map vpntunnel interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.20.16
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value airinnovationsllc.local
username admin password gKsOtAE6fzcD/7Hh encrypted privilege 15
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool vpnclientpool
 authentication-server-group vpn
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
tunnel-group 50.0.0.1 type ipsec-l2l
tunnel-group 50.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
  inspect snmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b826892f526483687b2934e4cbab68c
: end

ASA5510 (SOUTH)

SOUTH-WAREHOUSE-ASA5510# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 104.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28666

SOUTH-WAREHOUSE-ASA5510# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SOUTH-WAREHOUSE-ASA5510
domain-name .local
enable password l6TfH6cW.FyTs0Rc encrypted
passwd l6TfH6cW.FyTs0Rc encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 50.0.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name .local
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 50.0.0.1 eq 81
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.10 1
route inside 192.168.96.0 255.255.255.0 192.168.11.2 1
route inside 192.168.97.0 255.255.255.0 192.168.11.2 1
route inside 192.168.98.0 255.255.255.0 192.168.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.97.0 255.255.255.0 inside
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 104.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group 104.0.0.1 type ipsec-l2l
tunnel-group 104.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2799251874696d5e2bb2bf6c17f6699c
: end
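A check for the failure mode described in this post (IKE at MM_ACTIVE on both sides, yet nothing crosses the tunnel): an added Python example, not code from the thread or from Cisco, that expands the object-groups in two ASA 8.2 configs and verifies that each side's crypto ACL is the exact mirror of the peer's and is covered by that side's `nat (inside) 0 access-list` exemption. The two config snippets are constructed from the lines in the post; the 8.2 `nat 0` syntax is the only one it parses.

```python
"""Mirror-check L2L crypto ACLs and NAT exemption across two ASA 8.2 configs.

Added example, not code from the thread: expands object-groups, flattens each
side's crypto-map ACL and `nat (inside) 0 access-list` ACL, then reports crypto
pairs the peer does not mirror or NAT exemption does not cover (constructed input).
"""
import ipaddress
import re
from collections import defaultdict

SITE_A = """\
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
nat (inside) 0 access-list nonat
crypto map vpntunnel 30 match address outside_1_cryptomap
"""

SITE_B = """\
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
nat (inside) 0 access-list NONAT
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
"""

def _operand(tok, groups):
    """Consume one ACL address operand (any | object-group G | host A | A MASK)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    net = tok[1] + "/32" if tok[0] == "host" else f"{tok[0]}/{tok[1]}"
    return [ipaddress.ip_network(net)], tok[2:]

def parse_config(text):
    """Return {'crypto': {(src, dst), ...}, 'nonat': {(src, dst), ...}} for one ASA."""
    groups, acls, cur = {}, defaultdict(list), None
    crypto_acl = nonat_acl = None
    for line in text.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            cur = m.group(1)
            groups[cur] = []
        elif line.startswith(" network-object "):
            tok = line.split()
            net = tok[2] + "/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            groups[cur].append(ipaddress.ip_network(net))
        elif line.startswith("access-list "):
            tok = line.split()
            if tok[2:5] != ["extended", "permit", "ip"]:
                continue  # only 'permit ip' entries define L2L interesting traffic
            src, rest = _operand(tok[5:], groups)
            dst, _ = _operand(rest, groups)
            acls[tok[1]].extend((s, d) for s in src for d in dst)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nonat_acl = m.group(1)  # ACL names are case-sensitive on the ASA
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acl = m.group(1)
    return {"crypto": set(acls[crypto_acl]), "nonat": set(acls[nonat_acl])}

def mirror_check(local, peer):
    """Crypto pairs on `local` whose reversed (dst, src) pair is absent on `peer`."""
    return sorted((s, d) for s, d in local["crypto"] if (d, s) not in peer["crypto"])

def nat_exempt_check(side):
    """Crypto pairs not covered by any NAT-exempt pair (containment, not equality)."""
    return sorted((s, d) for s, d in side["crypto"]
                  if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in side["nonat"]))

if __name__ == "__main__":
    a, b = parse_config(SITE_A), parse_config(SITE_B)
    print("unmirrored:", mirror_check(a, b), mirror_check(b, a))
    print("not NAT-exempt:", nat_exempt_check(a), nat_exempt_check(b))
```

On the post's configs both checks come back empty, which is consistent with the thread's conclusion that the ACLs themselves were not the cause; drop one subnet from either object-group and the unmirrored pairs are listed.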
20 Replies

Hello,

From the ASA5505 - you notice a drop in Phase 10. Also in Phase 9 - host-limits. What is the license on the ASA?

You can find it from 'show ver' and 'show local-host'. Try rebooting the unit and also updating the code.

Thx

MS

I don't see the drop in Phase 10 or the other thing you are talking about in Phase 9. Not sure if you got mixed up or I am blind. I feel like updating the code might be the only solution at this point.

The ASA 5505 is on Base License

The ASA 5510 is on Security Plus

Here are the show vers for both.

ASA5505

AIR-ASA5505# show ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

AIR-ASA5505 up 3 days 15 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is f40f.1b21.b48a, irq 11
 1: Ext: Ethernet0/0         : address is f40f.1b21.b482, irq 255
 2: Ext: Ethernet0/1         : address is f40f.1b21.b483, irq 255
 3: Ext: Ethernet0/2         : address is f40f.1b21.b484, irq 255
 4: Ext: Ethernet0/3         : address is f40f.1b21.b485, irq 255
 5: Ext: Ethernet0/4         : address is f40f.1b21.b486, irq 255
 6: Ext: Ethernet0/5         : address is f40f.1b21.b487, irq 255
 7: Ext: Ethernet0/6         : address is f40f.1b21.b488, irq 255
 8: Ext: Ethernet0/7         : address is f40f.1b21.b489, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

ASA5510

SOUTH-WAREHOUSE-ASA5510# show ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

SOUTH-WAREHOUSE-ASA5510 up 16 hours 59 mins

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Ext: Ethernet0/0         : address is 0023.5e15.f86a, irq 9
 1: Ext: Ethernet0/1         : address is 0023.5e15.f86b, irq 9
 2: Ext: Ethernet0/2         : address is 0023.5e15.f86c, irq 9
 3: Ext: Ethernet0/3         : address is 0023.5e15.f86d, irq 9
 4: Ext: Management0/0       : address is 0023.5e15.f869, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 100
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5510 Security Plus license.

Hi,

One of the emails I received (when you posted an update) is as below:

_________________________________________

Sys OPT did not work. Added it to both.

Here are the packet tracer results. It says "ACTION: DROP" because of an ACL, but the ACLs are correct...

AIR-ASA5505# packet-tracer input inside icmp 192.168.99.16 0 0 192.168.97.1 de$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc959bae8, priority=1, domain=permit, deny=false
        hits=4673798, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc959e220, priority=0, domain=inspect-ip-options, deny=true
        hits=134502, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc9f90178, priority=70, domain=inspect-icmp, deny=false
        hits=7549, user_data=0xc9f8ff78, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc959de98, priority=66, domain=inspect-icmp-error, deny=false
        hits=7549, user_data=0xc959dd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xca179f80, priority=12, domain=debug-icmp-trace, deny=false
        hits=6904, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.99.0 255.255.255.0 outside 192.168.97.0 255.255.255.0
    NAT exempt
    translate_hits = 5, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xca276cd0, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xca276c10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.99.0, mask=255.255.255.0, port=0
        dst ip=192.168.97.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (104.0.0.1 [Interface PAT])
    translate_hits = 130712, untranslate_hits = 17676
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc962c538, priority=1, domain=nat, deny=false
        hits=132140, user_data=0xc962c478, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc962c088, priority=1, domain=host, deny=false
        hits=135185, user_data=0xc962bc70, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0xca23d8f8, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xc9f14b48, reverse, flags=0x0, protocol=0
        src ip=192.168.99.0, mask=255.255.255.0, port=0
        dst ip=192.168.97.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

______________________________________________

You can try a reboot and/or upgrading the code.

Thx

MS

I've upgraded the code to 8.4(5). Took me a little while because I had to drive to the other location to add some memory to the ASA5510.

Both are still not working. Same stuff going on. Debug shows it's getting across.

Here is the new packet tracer:

AIR-ASA5505# packet-tracer input inside icmp 192.168.99.1 0 0 192.168.98.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static OFFICE-NETWORK OFFICE-NETWORK destination static SOUTH-NETWORK SOUTH-NETWORK
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.98.1/0 to 192.168.98.1/0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static OFFICE-NETWORK OFFICE-NETWORK destination static SOUTH-NETWORK SOUTH-NETWORK
Additional Information:
Static translate 192.168.99.1/0 to 192.168.99.1/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static OFFICE-NETWORK OFFICE-NETWORK destination static SOUTH-NETWORK SOUTH-NETWORK
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 480877, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I figured out the issue. It was a few things:

1. Code error with the crypto and NAT translation on 8.2(5). I had a crypto_archive and I had to delete it per Cisco's repair and reboot the ASA.

2. AT&T had a sneaky option set hidden away in their modem that NAT'ed all traffic. I had to disable NAT on the AT&T modem.

3. Upgraded the code to 8.4(5).

Thank you for all the help. I learned a lot through all this information.

Glad to hear that issue has been resolved. Good finding. Thanks for the rating.

MS
