01-18-2012 11:57 AM - edited 03-11-2019 03:16 PM
Site A ASA5550 with vlan1, vlan2, and vlan3 <~~ Headquarters
Site B ASA5510 with vlan1
Site C ASA5505 with vlan1
Site A is the HQ, and we have Site-to-Site VPNs set up for all sites with IPsec IKEv1
Site A <--> Site B
Site A <--> Site C
Problem is on Site A HQ to Site B. For some reason the VPN tunnel only establishes in one direction, Site B to Site A, but not Site A to Site B. When I log out the Site-to-Site VPN for Site A <-> Site B, there is no way for Site A to ping or connect to any server at Site B unless Site B pings or establishes a connection to Site A first; then Site A can ping or connect to Site B afterwards. The workaround right now is that I need to ask someone from Site B to ping Site A vlan1, vlan2, and vlan3 so that I can connect from Site A to Site B. All ASAs are on the latest 8.4(3) version.
Site A <~> Site C works perfectly fine without any problem!! When I log out the Site-to-Site VPN for Site A <~> Site C, the VPN tunnel establishes right away from either Site A to Site C or Site C to Site A.
Any suggestions on what I should look for before posting any configurations?
Thank you in advance. =)
01-18-2012 12:10 PM
First, please check whether you have a static route pushing Site B traffic toward the default gateway on the Site "A" ASA5550.
If that does not help, please copy your config from the ASA5550 to the forum for ease of troubleshooting.
Thanks
Rizwan Rafeek
01-18-2012 01:14 PM
Thanks for your quick reply rizwanr74! Yes, we do have static routes set up on the Site A ASA5550, and both the Site B and Site C outside interfaces are there with the Site A gateway IP on them.
01-18-2012 12:13 PM
Hello,
Can you check the crypto ACL configuration on both sides and paste it in here so we can take a look at it?
Regards,
Julio
01-18-2012 01:27 PM
Thanks for your reply Julio. What command should I type in to show just the crypto ACL configuration? I'm doing my best to show just the information you guys are looking for instead of the whole configuration file.
01-18-2012 01:30 PM
Hello,
Under the crypto maps, you will see a match x.x.x.x (where the x.x.x.x is the ACL that we are looking for).
We need both sites' ACLs (Branch and Site C).
Regards,
Julio
01-18-2012 02:32 PM
Is that what you are looking for? THANKS!!!
Site A HQ ASA
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer (Site B ISP IP)
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set reverse-route
crypto map outside_map 5 match address outside_cryptomap_3
crypto map outside_map 5 set peer (Site C ISP IP)
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
Site B Branch ASA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer (Site A ISP IP)
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer (Site C ISP IP)
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set reverse-route
Site C Branch ASA
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer (Site A ISP IP)
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 set reverse-route
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer (Site B ISP IP)
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 set reverse-route
01-18-2012 03:06 PM
Hello,
Now on the ASA on Site A, please get the following
show run access-list outside_cryptomap_2
Now on the ASA on Site B, please get the following
show run access-list outside_1_cryptomap
Regards,
01-18-2012 03:24 PM
Site A HQ ASA
show run access-list outside_cryptomap_2
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
Site B Branch ASA
show run access-list outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group SiteA-Network
Thank You!!
01-18-2012 03:57 PM
Hello IT,
ASA HQ Site A
On the Site A HQ ASA
Can you look for the configuration of this object group, DM_INLINE_NETWORK_12? Is this the network on the other site (Site B)?
Regards,
Julio
01-18-2012 04:22 PM
Julio,
DM_INLINE_NETWORK_12 only exists on the Site A HQ ASA under outside_cryptomap_2
Source: Site A vlan1, Site A vlan2, Site A vlan3
Destination: Site B Network
Service: IP
I don't see any DM_INLINE_NETWORK_12 on the Site B ASA. I believe DM_INLINE_NETWORK_12 was created automatically by the ASDM wizard (someone else created it long ago).
Thanks!
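The comparison Julio is walking through above (the crypto ACL on each peer must be the mirror image of the other's, with source and destination swapped) can be automated. The following is an added example, not code from the thread or from Cisco: it parses `show run object-group` / `show run access-list` style text for both sides, expands the object-groups into network pairs, and reports any entry whose mirror is missing on the other peer. The object-group and ACL names are the ones posted above; every address is a constructed placeholder, and Site B is deliberately missing the third HQ VLAN so the check has something to find. Nested `network-object object` references are not expanded.

```python
"""Check that two ASA IKEv1 crypto ACLs are mirror images of each other.

Added example, not part of the thread. The object-group and ACL names come from
the thread; every address below is a constructed placeholder, not a real site
network. Nested object-group references are not expanded.
"""
import ipaddress
import re

# Constructed 'show run object-group' / 'show run access-list' output for Site A (HQ).
SITE_A_CONFIG = """\
object-group network DM_INLINE_NETWORK_11
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
 network-object 10.2.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
"""

# Constructed output for Site B (branch); deliberately missing the third HQ VLAN.
SITE_B_CONFIG = """\
object-group network DM_INLINE_NETWORK_3
 network-object 10.2.0.0 255.255.0.0
object-group network SiteA-Network
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group SiteA-Network
"""

GROUP_RE = re.compile(r"^object-group network (\S+)")
MEMBER_RE = re.compile(r"^\s+network-object (?:host (\S+)|(\S+) (\S+))")


def parse_object_groups(config):
    """Map each object-group name to a list of ip_network members."""
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            host, addr, mask = m.groups()
            net = ipaddress.ip_network(host if host else f"{addr}/{mask}")
            groups[current].append(net)
    return groups


def _take_endpoint(tokens, groups):
    """Consume one ACE endpoint (object-group NAME | host A | any | A MASK)."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_crypto_acl(config, acl_name, groups):
    """Expand every 'permit ip' entry of the ACL into (src, dst) network pairs."""
    ace_re = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip (.+)$")
    pairs = set()
    for line in config.splitlines():
        m = ace_re.match(line.strip())
        if not m:
            continue
        src, rest = _take_endpoint(m.group(1).split(), groups)
        dst, _ = _take_endpoint(rest, groups)
        pairs.update((s, d) for s in src for d in dst)
    return pairs


def mirror_mismatch(local_pairs, remote_pairs):
    """Return (missing_on_remote, missing_on_local): pairs whose mirror is absent."""
    expected_remote = {(d, s) for (s, d) in local_pairs}
    missing_on_remote = expected_remote - remote_pairs
    missing_on_local = {(d, s) for (s, d) in remote_pairs - expected_remote}
    return missing_on_remote, missing_on_local


def check_sites():
    """Run the mirror check on the two constructed configs above."""
    groups_a = parse_object_groups(SITE_A_CONFIG)
    groups_b = parse_object_groups(SITE_B_CONFIG)
    site_a = parse_crypto_acl(SITE_A_CONFIG, "outside_cryptomap_2", groups_a)
    site_b = parse_crypto_acl(SITE_B_CONFIG, "outside_1_cryptomap", groups_b)
    return mirror_mismatch(site_a, site_b)


if __name__ == "__main__":
    missing_remote, missing_local = check_sites()
    for src, dst in sorted(missing_remote, key=str):
        print(f"Site B lacks a crypto ACE for {src} -> {dst}")
    for src, dst in sorted(missing_local, key=str):
        print(f"Site A lacks a crypto ACE for {src} -> {dst}")
```

On the constructed data the script reports that Site B has no entry for Site B network -> 10.1.3.0/24, which is exactly the kind of gap that lets one side bring the tunnel up while the other cannot: the side whose ACL is wider proposes a traffic selector the peer rejects. To use it on real devices, paste the `show run object-group` and `show run access-list <crypto ACL>` output of each peer into the two strings.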
01-18-2012 04:51 PM
Hello,
On Site A:
Please do the following:
packet-tracer input inside tcp x.x.x.x (Host ip on vlan A site A) 1025 x.x.x.x (Host on other site of the tunnel-SiteB) 80
Regards,
Julio
01-18-2012 05:06 PM
Site A HQ ASA:
packet-tracer input inside tcp x.x.x.x (VLAN1 IP on Site A) 1025 x.x.x.x (Host IP on Site B) 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in SiteB-network 255.255.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FILTER
Subtype: filter-ftp
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10
Additional Information:
Static translate x.x.x.x (VLAN1 IP Address)/1025 to x.x.x.x (VLAN1 IP Address)/1025
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 644050669, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
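The packet-tracer output above is the right evidence to look at, but the phases that decide whether the tunnel comes up are the NAT phase and the `VPN / encrypt` phase. On the ASA, NAT is applied before the crypto map is consulted, so the crypto ACL must match the translated addresses; an identity translation (address translated to itself) is what a NAT exemption looks like in this output. The following is an added example, not code from the thread or from Cisco: it parses a trace in the layout shown above, records whether a NAT phase rewrote the source, whether a `VPN encrypt` phase was reached, and in which order. The sample trace is constructed, with placeholder addresses in place of the thread's x.x.x.x and only the relevant phases kept.

```python
"""Parse ASA packet-tracer output and check the VPN-relevant phases.

Added example, not part of the thread. The sample trace is constructed from the
phase layout posted in the thread, with placeholder addresses instead of x.x.x.x
and only the phases that matter for the tunnel kept.
"""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.2.0.0 255.255.0.0 outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10
Additional Information:
Static translate 10.1.1.25/1025 to 10.1.1.25/1025

Phase: 3
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

FIELD_KEYS = ("Type", "Subtype", "Result")
TRANSLATE_RE = re.compile(r"Static translate (\S+)/\d+ to (\S+)/\d+")


def parse_trace(trace):
    """Return (phases, action). Each phase: {phase, type, subtype, result, info}."""
    phases, current, action = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]),
                       "type": "", "subtype": "", "result": "", "info": []}
            phases.append(current)
        elif line == "Result:":            # a bare 'Result:' opens the summary block
            current = None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif current is not None and line:
            key, _, value = line.partition(":")
            if key in FIELD_KEYS:
                current[key.lower()] = value.strip()
            elif key not in ("Config", "Additional Information"):
                current["info"].append(line)   # free-text detail, e.g. the NAT translation
    return phases, action


def analyse(trace):
    """Summarise what the trace says about encryption and address rewriting."""
    phases, action = parse_trace(trace)
    summary = {"action": action, "vpn_encrypt": False, "nat_identity": None,
               "nat_before_vpn": None, "phases": len(phases)}
    nat_idx = vpn_idx = None
    for i, p in enumerate(phases):
        if p["type"] == "NAT":
            nat_idx = i
            for detail in p["info"]:
                m = TRANSLATE_RE.search(detail)
                if m:  # identity translation keeps the address the crypto ACL expects
                    summary["nat_identity"] = m.group(1) == m.group(2)
        elif p["type"] == "VPN" and p["subtype"] == "encrypt":
            vpn_idx = i
            summary["vpn_encrypt"] = True
    if nat_idx is not None and vpn_idx is not None:
        summary["nat_before_vpn"] = nat_idx < vpn_idx
    return summary


def verdict(summary):
    """One-line reading of the summary for the tunnel-initiation question."""
    if summary["action"] != "allow":
        return "packet dropped before any VPN phase; look for the phase with Result: DROP"
    if not summary["vpn_encrypt"]:
        return "no VPN encrypt phase: the flow matches no crypto ACL and is forwarded unencrypted"
    if summary["nat_identity"] is False:
        return "NAT rewrites the source before encryption; the crypto ACL must match the translated address"
    return "flow keeps its address and reaches the VPN encrypt phase on this side"
```

For a trace like the one above the verdict is that this side's path is fine, which is consistent with the thread: the interesting output is then the same packet-tracer run on the Site B ASA in the other direction, and the crypto ACL comparison between the two peers.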
01-18-2012 06:25 PM
Hello,
In the packet tracer we can see it is hitting a static rule, which should not happen!
Can we see the show run static, show run nat, sh run global, and the ACLs for the nat 0? (You will see a nat statement with an ID of 0 holding an ACL; I would like to see that ACL: show run acl xxxx (name).)
Regards,
01-19-2012 09:55 AM
Julio,
I tried show run-config static and show run-config global but neither works... not sure why... I did not see any NAT 0 in my config file, or what exact command do I need to type in to find out? Please see below for everything I found related to NAT and ACLs.
Thanks again for all of your help!
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Site A ASA show run nat
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10
!
object network inside-network
nat (inside,outside) dynamic outside-defaultnat
!
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_10
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12