07-31-2013 12:32 PM - edited 03-11-2019 07:19 PM
Hello everyone,
We need some help with a site-to-site VPN from our current location to another customer's site.
We configured both sites' ASA firewalls and see traffic in the logs, but we are not able to connect. Maybe we missed something; we need your help.
Sending both ASA config files created during setup.
I also set route outside 0 0 to the default gateway on both ASAs; they are able to ping each other.
Thank you
Solved! Go to Solution.
08-01-2013 07:51 AM
Hi,
I am not sure what video is in question. I probably have not seen it. If I had to guess, I think the video probably presumes that you have a working network setup with the ASA or router and then want to add the L2L VPN connection, and therefore doesn't provide the basic configurations like interface, ACL and routing.
The ACL I mentioned in your configuration above basically tells the ASA what traffic it should send through the L2L VPN connection. You want to tunnel traffic between these two LAN networks, so naturally you configure them as source and destination depending on which side's ASA you are doing the configuration on.
The important thing to notice with NAT is that it's done before any VPN negotiation takes place. So the hosts connecting through the ASA that want to connect to a remote network behind a L2L VPN must have a NAT rule that matches the L2L VPN ACL I mentioned earlier. In other words, we need to tell the ASA that it should NOT do any NAT when the source and destination networks are the networks defined in the L2L VPN ACL.
The NAT0 / NAT Exempt type configuration is usually needed to tell the ASA not to NAT the traffic between these two LAN networks. The only exception is, I guess, a situation where you use an ASA purely as a VPN device and no user traffic to the Internet flows through it. In such a setup you can actually leave an ASA without any NAT configurations.
I am not sure if I made any sense in the above. I guess the easier way to explain would be to have specific questions about some aspects of the configurations.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
07-31-2013 12:37 PM
Hi,
Is this from some Lab setup or is it a live environment?
Are both devices used as the edge device between LAN and WAN on the sites?
Can you provide the output of the following command from both units
show run crypto ikev1
- Jouni
07-31-2013 12:40 PM
Also,
Have you configured any NAT configurations for this L2L VPN connection?
You can view the configurations with
show run nat
- Jouni
07-31-2013 12:51 PM
I'm working on them in the lab to confirm this works before we install to production; with this failing, it proves my point for this lab, the need for Cisco.
See the output from each ASA.
ASA1
PCS-EW-VPN(config)# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PCS-EW-VPN(config)# show run nat
nat (inside,outside) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
ASA2
PCS-lab-EW-VPN(config)# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PCS-lab-EW-VPN(config)# show run nat
!
nat (inside,any) after-auto source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
Thank you
07-31-2013 01:09 PM
Hi,
Seems the ASA named PCS-lab-EW-VPN might have a problem related to NAT configuration
Change this
nat (inside,any) after-auto source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
To this
nat (inside,any) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
And then try again. We just removed the "after-auto" parameter.
The reason is that the original NAT configuration is configured very low priority because of "after-auto" parameter. So if you have some Dynamic PAT rule for Internet traffic on that ASA then the traffic that is supposed to go to the L2L VPN Connection might now be getting NATed by the rule meant for Internet traffic.
If this doesn't help we will need to look at other configurations and do some testing.
- Jouni
07-31-2013 03:57 PM
I had to leave early and will try first thing in the morning
Thanks Jouni
08-01-2013 05:04 AM
Good morning Jouni,
I removed the NAT for PCS-lab-EW-VPN then applied the new NAT you sent
nat (inside,any) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
We still have the same issue - no ping to local network, seeing some error messages in the Log file.
Should I remove the NAT on PCS-EW-VPN, then apply the NAT you sent me?
Thank you
08-01-2013 06:32 AM
Are you pinging from PCs connected to each ASA or are you pinging from one ASA to an interface on the other?
08-01-2013 06:34 AM
Hi there
I have one laptop setup on each LAN and doing the ping from the laptops
08-01-2013 06:37 AM
Have you run the packet tracer to test the connection on both ASAs? It could help in pinpointing where the problem is.
Also could you post the full configuration of both ASAs?
08-01-2013 06:37 AM
Hi
I watched the Cisco video "Configuring Site to Site VPN between Cisco ASA and Cisco Router", showing step-by-step how to do this, but I see no route outside in this video or anything for the NAT. Can there be something else left out that we really need to make this work?
Thank you
08-01-2013 06:47 AM
Without seeing your configurations it is difficult to say what is missing.
But what you need is:
- The ASAs must be able to reach each other
- Phase 1 parameters (encryption, DH, authentication method, hash)
- Phase 2 parameters (PFS (optional), transform-set, crypto ACL)
- NAT Exempt
08-01-2013 06:52 AM
Hi
I have used the traceroute on both ASAs, with PCS-Lab-EW-VPN failing at VPN; on the other ASA, PCS-EW-VPN, the traceroute completes with all check marks green. Looks like we have a problem on PCS-Lab-EW-VPN.
I'm sending you both configs
Thank you
08-01-2013 07:03 AM
Hi,
The ASA with the PCS-EW-VPN name has the wrong ACL at least
access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Local
It mentions the local network as the source and destination
Do the following changes and test again
access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Remote
no access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Local
- Jouni
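The two defects Jouni's replies turn on, the NAT exemption pushed into the low-priority "after-auto" section behind an Internet PAT rule, and a crypto ACL that names the local network as both source and destination, can be checked offline from the "show run" text of both peers. The following Python lint is an added example, not code from the thread or from Cisco: it reproduces the ASA's NAT section order (section 1 manual NAT, section 2 object NAT, section 3 "after-auto" manual NAT) with a first-match lookup, checks that each peer's crypto ACL is mirrored on the other, and reports when tunnel-bound traffic would hit a PAT rule before the exemption. The object and ACL names are the thread's; the 10.1.1.0/24 and 10.2.2.0/24 subnets, the object-NAT Internet PAT on the lab ASA, and the lab ASA's crypto ACL are assumptions, since the thread never shows them. Phase 1 is not checked here because both posted configs already share policy 65535.

```python
"""Offline lint for an ASA IKEv1 L2L tunnel, fed 'show run' excerpts from both peers.
Added example for this thread, not Cisco code. The subnets and the Internet PAT rule
below are assumptions; the object and ACL names are the ones posted in the thread."""
import re
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")

def parse_objects(cfg):
    """'object network X' followed by 'subnet A M' -> {X: network}; 'any' maps to 0/0."""
    objs, cur = {"any": ANY}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*object network (\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r"\s*subnet (\S+) (\S+)", line)) and cur:
            objs[cur] = ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs

def parse_crypto_acl(cfg, objs, name="outside_cryptomap"):
    """(src, dst) network pairs the crypto map sends into the tunnel."""
    pat = rf"\s*access-list {name} extended permit ip object (\S+) object (\S+)"
    return {(objs[m.group(1)], objs[m.group(2)])
            for m in (re.match(pat, l) for l in cfg.splitlines()) if m}

def parse_nat(cfg, objs):
    """Rules tagged with the ASA NAT section they land in: 1 = manual (twice) NAT,
    2 = object (auto) NAT, 3 = manual NAT with 'after-auto'. Lookup is first match."""
    rules, cur_obj = [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"object network (\S+)", line):
            cur_obj = m.group(1)
        elif re.match(r"nat \(\S+,\S+\) dynamic interface", line) and cur_obj:
            rules.append((2, "pat", objs[cur_obj], ANY))              # object NAT: Internet PAT
        elif m := re.match(r"nat \(\S+,\S+\) (after-auto )?source static (\S+) \2 "
                           r"destination static (\S+) \3", line):
            rules.append((3 if m.group(1) else 1, "exempt", objs[m.group(2)], objs[m.group(3)]))
        elif m := re.match(r"nat \(\S+,\S+\) (after-auto )?source dynamic (\S+) interface", line):
            rules.append((3 if m.group(1) else 1, "pat", objs[m.group(2)], ANY))
    return sorted(rules, key=lambda r: r[0])   # stable: config order is kept within a section

def first_nat_match(rules, src, dst):
    """Emulate the ASA's NAT lookup for a flow src -> dst: (section, kind) or (None, None)."""
    for section, kind, rsrc, rdst in rules:
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            return section, kind
    return None, None

def lint_tunnel(local_cfg, remote_cfg):
    """Findings for the LOCAL peer given both configs; an empty list means nothing obvious."""
    lobj, robj = parse_objects(local_cfg), parse_objects(remote_cfg)
    racl, nat, findings = parse_crypto_acl(remote_cfg, robj), parse_nat(local_cfg, lobj), []
    for src, dst in parse_crypto_acl(local_cfg, lobj):
        if src == dst:
            findings.append(f"crypto ACL: {src} is both source and destination")
        if (dst, src) not in racl:
            findings.append(f"crypto ACL: peer has no mirrored entry {dst} -> {src}")
        section, kind = first_nat_match(nat, src, dst)
        if kind == "pat":
            findings.append(f"nat: {src} -> {dst} hits a section {section} PAT rule "
                            "before the exemption is reached")
    return findings

# Constructed excerpts modelled on the thread's posts (subnets and the PAT rule assumed).
ASA1_BROKEN = """
object network Network-NET-Local
 subnet 10.1.1.0 255.255.255.0
object network Network-NET-Remote
 subnet 10.2.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Local
nat (inside,outside) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
"""
ASA2_BROKEN = """
object network Network-NET-Local
 subnet 10.2.2.0 255.255.255.0
object network Network-NET-Remote
 subnet 10.1.1.0 255.255.255.0
object network Network-NET-Local
 nat (inside,outside) dynamic interface
access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Remote
nat (inside,any) after-auto source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
"""
# The two one-line changes proposed in the thread.
ASA1_FIXED = ASA1_BROKEN.replace("object Network-NET-Local object Network-NET-Local",
                                 "object Network-NET-Local object Network-NET-Remote")
ASA2_FIXED = ASA2_BROKEN.replace("nat (inside,any) after-auto source", "nat (inside,any) source")

if __name__ == "__main__":
    for label, a, b in (("broken", ASA1_BROKEN, ASA2_BROKEN), ("fixed", ASA1_FIXED, ASA2_FIXED)):
        print(f"== {label} / ASA1", *lint_tunnel(a, b), sep="\n  ")
        print(f"== {label} / ASA2", *lint_tunnel(b, a), sep="\n  ")
```

Run as-is, the "broken" pass reports the self-referencing crypto ACL on ASA1 and, on ASA2, the missing mirror entry plus the section 2 PAT rule winning over the section 3 exemption; after the two replacements both peers come back clean. The same lookup can be reproduced on a real box with packet-tracer, but this runs before the change window.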
08-01-2013 07:09 AM
Hi,
May I say the traceroute worked on that one OK. Should I do this on the PCS-EW-VPN ASA or the PCS-Lab-EW-VPN ASA?
thanks