10-14-2017 11:16 AM - edited 11-20-2019 07:12 AM
Hi All,
I have a Cisco ASA 5515-X in a datacenter that is configured and working well for 7 other VPNs (mostly L2L and one client VPN), and a remote office that has an ISR-2921 with an established IPsec VPN tunnel to the ASA 5515-X, but they can't ping IPs on each other's respective LAN segments.
Cabled like this:
Datacenter (10.32.0.0/16) [Company-wide 10.0.0.0/8 is accessible] | 5515-X | ---------- ISP/WAN --------- | ISR-2921 | -----(Port-Channel)----- | Catalyst 2960-X Stack | Remote Office LAN (10.47.0.0/16)
Remote Office ISR-2921
USNYHUB-ISR01#sh run
Building configuration...

Current configuration : 4519 bytes
!
! Last configuration change at 02:40:24 UTC Sat Oct 14 2017 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname USNYHUB-ISR01
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-3.M8.bin
boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
no ip domain lookup
ip domain name hub.us.dc.[companyname].com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
voice-card 0
!
license udi pid CISCO2921/K9 sn [omitted]
hw-module pvdm 0/0
!
hw-module sm 1
!
redundancy
!
crypto isakmp key [omitted] address [ASA 5515-X in Datacenter public IP] 255.255.255.224
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
 mode tunnel
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer [ASA 5515-X in Datacenter public IP]
 set transform-set ASA-IPSEC
 match address 120
!
interface Port-channel1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip address 10.47.1.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.3
 description ** Server INT VLAN **
 encapsulation dot1Q 3
 ip address 10.47.3.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.65
 description ** Met VLAN **
 encapsulation dot1Q 65
 ip address 10.47.65.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.68
 description ** Information Technology VLAN **
 encapsulation dot1Q 68
 ip address 10.47.68.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.1000
 description ** Management VLAN **
 encapsulation dot1Q 1000
 ip address 10.47.0.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address [router public IP] 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface ucse1/0
 no ip address
 shutdown
!
interface ucse1/1
 no ip address
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 [next hop for remote office router] 2
!
ip access-list standard ssh-access
 [omitted]
!
route-map nonat permit 10
 match ip address 130
!
access-list 100 remark ** [Control NAT Service] **
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 120 remark SDM_ACL Category=4
access-list 120 remark IPSec Rule
access-list 120 permit ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 130 deny ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 10.47.0.0 0.0.255.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
USNYHUB-ISR01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                        src                            state    conn-id status
[remote office public IP]  [datacenter 5515-X public IP]  QM_IDLE  1317    ACTIVE

USNYHUB-ISR01#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr [remote office public IP]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.32.0.0/255.248.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 238, #pkts decrypt: 238, #pkts verify: 238
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xCB7BD220(3413889568)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xED8A2444(3985253444)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2297, flow_id: Onboard VPN:297, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4177751/1994)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCB7BD220(3413889568)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2298, flow_id: Onboard VPN:298, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4177783/1994)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.240.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x390A651(59811409)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x506674B9(1348891833)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2301, flow_id: Onboard VPN:301, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4206780/3410)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x390A651(59811409)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2302, flow_id: Onboard VPN:302, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4206792/3410)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.16.0.0/255.240.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x920C0D67(2450263399)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x406BF6B7(1080817335)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2305, flow_id: Onboard VPN:305, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4309021/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x920C0D67(2450263399)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2306, flow_id: Onboard VPN:306, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4309021/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Datacenter 5515-X:
USNJDC1-C0VPN01/pri/act# sh crypto isakmp

IKEv1 SAs:

   Active SA: 5
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: [remote office public IP]
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

USNJDC1-C0VPN01/pri/act# sh crypto ipsec sa
interface: VPN-FRONTED
    Crypto map tag: Remote-Site, seq num: 8, local addr: [datacenter 5515-X public IP]

      access-list VPN-FRONTED_cryptomap_2 extended permit ip 10.0.0.0 255.240.0.0 10.47.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (ATVIEDC1/255.240.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
      current_peer: [remote office public IP]

      #pkts encaps: 1456, #pkts encrypt: 1456, #pkts digest: 1456
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1456, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [datacenter ASA-5515-X public IP], remote crypto endpt.: [remote office public IP]
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 506674B9
      current inbound spi : 0390A651

    inbound esp sas:
      spi: 0x0390A651 (59811409)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4374000/638)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x506674B9 (1348891833)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4373891/638)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Remote-Site, seq num: 8, local addr: [Datacenter ASA-5515X public IP]

      access-list VPN-FRONTED_cryptomap_2 extended permit ip 10.16.0.0 255.240.0.0 10.47.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.16.0.0/255.240.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
      current_peer: [remote office public IP]

      #pkts encaps: 529, #pkts encrypt: 529, #pkts digest: 529
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 529, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [datacenter ASA-5515-X public IP], remote crypto endpt.: [remote office public IP]
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 406BF6B7
      current inbound spi : 920C0D67

    inbound esp sas:
      spi: 0x920C0D67 (2450263399)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4374000/787)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x406BF6B7 (1080817335)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4373964/787)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Remote-Site, seq num: 8, local addr: [datacenter 5515-X public IP]

      access-list VPN-FRONTED_cryptomap_2 extended permit ip 10.32.0.0 255.248.0.0 10.47.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.32.0.0/255.248.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
      current_peer: [remote office public IP]

      #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 118, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [datacenter ASA-5515-X public IP], remote crypto endpt.: [remote office public IP]
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EDBBB168
      current inbound spi : 0B74566C

    inbound esp sas:
      spi: 0x0B74566C (192173676)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4374000/2809)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEDBBB168 (3988500840)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4373990/2809)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
I noticed from the show crypto commands that the datacenter ASA 5515-X is encrypting and sending packets, and the ISR-2921 is receiving and decrypting them... but the ISR-2921 is not encrypting and sending packets to the ASA 5515-X. Do I need to add a static route to the ISR-2921 Gi0/0?
Thanks in advance for your time and any help you may be able to provide.
10-14-2017 01:08 PM
Hello,
at first glance, it looks like you are missing the deny statement in your NAT access list for the IPSec traffic. Try and add the line below (in bold):
access-list 100 deny ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
10-14-2017 01:11 PM
The output on both devices is quite clear that you have one way traffic through the VPN. One thing that causes this symptom is an issue with address translation. Here is the access list on the router to control address translation:
access-list 100 remark ** [Control NAT Service] **
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
and this says that any traffic from 10.47.anything to anything should be translated. I believe that you should deny traffic going through the VPN and then permit everything else.
HTH
Rick
10-18-2017 09:33 AM - edited 10-18-2017 09:35 AM
Hi Georg Pauwen and Richard Burts,
Thank you very much for your time and help. That worked! The tunnel is fully working now and I can ping/ssh/navigate to all of our internal resources as if I were on the network exactly as I expected!
One thing my superiors noticed/commented on was that the tunnel is using DES encryption instead of AES; they mentioned that DES is insecure. How do I change the tunnel to use AES (preferably by configuring the ISR-2921 side only)?
Thanks again for your time, you were both very helpful!
10-18-2017 10:26 AM
Hello,
the short answer is: if you want to change the encryption from DES to AES, you need to do it on both sides, otherwise the link won't be established.
Check the crypto policies on both sides and replace des with aes ('encryption aes' command)...
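As an added example (not code from this thread or from either device), the following Python script models why Rick's and Georg's NAT fix works and also flags the DES transform-set that came up afterwards. It assumes the IOS inside-to-outside order of operations, in which the NAT ACL is consulted before the crypto map, so a packet that gets translated is then checked against crypto ACL 120 with the router's public address as its source and no longer matches. The ACL and transform-set lines are taken from the config posted above; the router's public IP is a constructed placeholder (203.0.113.10), and the AES transform-set line in the "after" config is an assumed corrected form, not something posted in the thread (the ISAKMP policy change Georg mentions, `encryption aes`, is not modelled here).

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the router's public IP (omitted on the page).
ROUTER_PUBLIC_IP = "203.0.113.10"

# NAT ACL 100, crypto ACL 120 and transform-set as posted in the thread.
CONFIG_BEFORE = """
access-list 100 remark ** [Control NAT Service] **
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
access-list 120 remark IPSec Rule
access-list 120 permit ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
""".strip().splitlines()

# Same config with the suggested deny line added to ACL 100 and an
# assumed AES-256 transform-set (constructed, not from the thread).
CONFIG_AFTER = """
access-list 100 remark ** [Control NAT Service] **
access-list 100 deny ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
access-list 120 remark IPSec Rule
access-list 120 permit ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac
""".strip().splitlines()


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted subnet masks; contiguous masks only here.
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_acl(config_lines, number):
    """Collect the entries of a numbered extended ACL in configured order."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if parts[:2] != ["access-list", str(number)] or parts[2] == "remark":
            continue
        action, _proto, rest = parts[2], parts[3], parts[4:]
        src, rest = _take_addr(rest)
        dst, _rest = _take_addr(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_action(entries, src_ip, dst_ip):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def inside_to_outside(config_lines, src_ip, dst_ip):
    """Model IOS inside-to-outside processing: NAT first, then the crypto
    map sees the (possibly translated) packet. Returns the source address
    as it appears on the wire and whether the packet enters the tunnel."""
    nat_acl = parse_acl(config_lines, 100)
    crypto_acl = parse_acl(config_lines, 120)
    translated = acl_action(nat_acl, src_ip, dst_ip) == "permit"
    wire_src = ROUTER_PUBLIC_IP if translated else src_ip
    encrypted = acl_action(crypto_acl, wire_src, dst_ip) == "permit"
    return wire_src, encrypted


WEAK_CIPHERS = {"esp-des", "esp-3des"}


def weak_transform_sets(config_lines):
    """Return (name, weak ciphers) for transform-sets still using DES/3DES."""
    findings = []
    for line in config_lines:
        parts = line.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [t for t in parts[4:] if t in WEAK_CIPHERS]
            if weak:
                findings.append((parts[3], weak))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        src, enc = inside_to_outside(cfg, "10.47.1.10", "10.32.5.5")
        print(f"{label}: source on wire {src}, encrypted={enc}, "
              f"weak transform-sets={weak_transform_sets(cfg)}")
```

Run as a script, it shows the "before" packet leaving as 203.0.113.10 with encrypted=False (the zero "#pkts encaps" in the ISR output above), and the "after" packet keeping its 10.47.1.10 source and entering the tunnel, while internet-bound traffic is still translated. The deny line must come before the permit because IOS ACLs are first-match.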
10-20-2017 09:48 AM
10-23-2017 03:26 PM
I am glad that you have worked out the solution and that the VPN is now working as you expect. This output confirms that you are now using AES 256, and this does provide a better level of security than the DES that you were using before.
inbound esp sas:
spi: 0xDECA8E91(3737816721)
transform: esp-256-aes esp-sha-hmac ,
HTH
Rick