question in asa site-site vpn about "ident" ??

Dr.X
Level 2

Hi all,

I have a topology as follows:

(192.168.0.0/24)LAN1----------------asa1---------------internet-----------------------asa2------------------LAN2(192.168.2.0/24)

Now, LAN1 can reach LAN2 by site-to-site VPN,

but I have a question:

when I run

#sh crypto ipsec sa

====================================================================
interface: outside
    Crypto map tag: Azure_IPSecCryptoMap, seq num: 2, local addr: xxxx

      access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: xxxxx

      #pkts encaps: 294823, #pkts encrypt: 294823, #pkts digest: 294823
      #pkts decaps: 208795, #pkts decrypt: 208795, #pkts verify: 208795
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 294823, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxxxxxxxxx/0, remote crypto endpt.: xxxxxxxx/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 81F3ABF6
      current inbound spi : FAE91312

    inbound esp sas:
      spi: 0xFAE91312 (4209578770)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4373327/621)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x81F3ABF6 (2180230134)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4370375/621)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
================================================================================

My problem is

that LAN1 behind ASA1 only reaches ASA2 if its destination is the subnet 192.168.2.0/24; I mean, if it requests the internet, I can't reach it!!!

Note that the crypto map ACL says destination "any" will go to ASA2, but why does it respond when I request a destination in LAN2, while if I request 8.8.8.8 it doesn't reach ASA2??

I used packet tracer to investigate; it seems to get stuck!!!

How do I change the remote ident shown in the red line above??? I think it is the issue that is preventing me from reaching the internet through ASA2.

Again,

what setting in the ASA is related to the remote ident, and how can I change it?

Any help?

Regards

5 Replies

JohnTylerPearce
Level 7

CSCO,

The lines below match the interesting traffic for this VPN. You will not see a specific host address unless you configure that within your crypto ACL. Basically you have some host in network 192.168.0.0/24 (LOCAL) going to 192.168.2.0/24 (REMOTE). The REMOTE IDENT is the remote network where the remote host resides, which matches your interesting traffic.

So, long story short, you have some local host in the 192.168.1.0/24 range going to some host in the 192.168.2.0/24 range.

This ACL has to do with the address you map to the match address line of your crypto map.

      access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
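To make the point about the matching ACE concrete, here is an added Python check (written for this page, not code from the thread or from Cisco) that models, in simplified form, how each peer's crypto ACE becomes the proxy identities seen as local/remote ident. ASA1's ACE is the one in the output above; ASA2's ACL is an assumed plain LAN-to-LAN entry, since the thread never shows ASA2's configuration.

```python
import ipaddress

# Constructed example. ASA1's ACE is the one shown in the thread's
# "show crypto ipsec sa" output; ASA2's ACL is ASSUMED (the thread does not
# show it) and written as a plain LAN-to-LAN entry.
ASA1_CRYPTO_ACL = [("192.168.0.0/24", "0.0.0.0/0")]        # permit ip 192.168.0.0/24 any
ASA2_CRYPTO_ACL = [("192.168.2.0/24", "192.168.0.0/24")]   # assumed

def _net(text):
    return ipaddress.ip_network(text, strict=False)

def match_ace(acl, src_ip, dst_ip):
    """Return the first ACE (src_net, dst_net) covering the flow, or None.
    The matching ACE supplies the proxy identities when this peer initiates:
    local ident = ACE source, remote ident = ACE destination."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d in acl:
        if src in _net(s) and dst in _net(d):
            return (_net(s), _net(d))
    return None

def negotiation_check(initiator_acl, responder_acl, src_ip, dst_ip):
    """Simplified model of the proxy-ID exchange for one flow: the initiator
    proposes (local, remote) from its matching ACE; the responder accepts only
    if one of its ACEs, read in mirror (its dst, its src), covers both."""
    proposal = match_ace(initiator_acl, src_ip, dst_ip)
    if proposal is None:
        return {"proposal": None, "accepted": False,
                "reason": "flow is not interesting traffic on the initiator"}
    init_local, init_remote = proposal
    shown = (str(init_local), str(init_remote))
    for s, d in responder_acl:
        resp_local, resp_remote = _net(s), _net(d)
        if init_local.subnet_of(resp_remote) and init_remote.subnet_of(resp_local):
            return {"proposal": shown, "accepted": True,
                    "reason": "covered by responder ACE %s -> %s" % (s, d)}
    return {"proposal": shown, "accepted": False,
            "reason": "no responder ACE mirrors the proposed identities"}

def is_mirrored(acl_a, acl_b):
    """True when the two crypto ACLs are exact mirror images of each other."""
    a = {(_net(s), _net(d)) for s, d in acl_a}
    b_mirrored = {(_net(d), _net(s)) for s, d in acl_b}
    return a == b_mirrored

if __name__ == "__main__":
    print(negotiation_check(ASA2_CRYPTO_ACL, ASA1_CRYPTO_ACL, "192.168.2.10", "192.168.0.10"))
    print(negotiation_check(ASA1_CRYPTO_ACL, ASA2_CRYPTO_ACL, "192.168.0.10", "8.8.8.8"))
    print("ACLs mirrored:", is_mirrored(ASA1_CRYPTO_ACL, ASA2_CRYPTO_ACL))
```

With these ACLs, ASA2 initiating toward LAN1 is accepted and yields exactly the remote ident 192.168.2.0/24 in the output above, whereas ASA1 initiating toward 8.8.8.8 proposes a remote of 0.0.0.0/0 that the assumed ASA2 ACE does not cover, so no SA for that traffic is built until both crypto ACLs mirror each other.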

Hi John,

sorry, I didn't understand!

What do you mean by "configure that within your crypto"??!!!

======================================

Again, what do I need so that LAN1 goes to ASA2 whether it needs LAN2 or the internet?

What do I need to modify? The crypto?

Again, the crypto has "any" for the destination, but the ident is only for 192.168.2.0/24. Why???!!! What did I forget?

How do I change 192.168.2.0/24 to any??

This is my clear question:

how do I change 192.168.2.0/24 to any in the remote ident???

Regards

John, have you understood my question?

Could the far ASA (ASA2) play a role in determining the remote ident on ASA1???

remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

Not sure about that?

??