cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
836
Views
0
Helpful
5
Replies

Site to Site Between IOS and ASA

SuperFastJames
Level 1
Level 1

Hi

I am trying to setup a site to site between a Cisco ASA and an IOS device

I have attached the IOS config, however the site to site does not appear to be coming up, I have attached below the entry for show crypto tech-support

Active ISAKMP SA's: 0
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

------------------ show crypto ipsec sa count ------------------

IPsec SA total: 0, active: 0, rekeying: 0, unused: 0, invalid: 0


------------------ show crypto isakmp sa detail ------------------


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

IPv6 Crypto ISAKMP SA


------------------ show crypto ipsec sa detail ------------------

interface: Vlan200
Crypto map tag: SDM_CMAP_1, local addr 213.105.138.174

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.255/0/0)
current_peer 212.42.22.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identi
*Nov 4 22:25:42.209: No peer struct to get peer descriptionty (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 213.105.138.174, remote crypto endpt.: 212.42.22.4
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

------------------ show crypto session summary ------------------

------------------ show crypto session detail ------------------

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Vlan200
Session status: DOWN
Peer: 212.42.22.4 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.9.0/255.255.255.0 0.0.0.0/0.0.0.255
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0


------------------ show crypto isakmp peers ------------------

------------------ show crypto ruleset detail ------------------

Mtree:
199 VRF 0 11 213.105.138.174/500 ANY Forward, Forward
299 VRF 0 11 213.105.138.174/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
100000000000199 VRF 0 IP 192.168.9.0/24 192.168.10.0/2
*Nov 4 22:25:44.729: No peer struct to get peer description4 Discard/notify, Discard/notify


------------------ show processes memory 267 ------------------

Process ID: 267
Process Name: Crypto IKMP
Total Memory Held: 18944 bytes

Processor memory Holding = 18944 bytes
pc = 0x048C5D34, size = 12052, count = 1
pc = 0x0545A5EC, size = 3564, count = 1
pc = 0x0545A5B8, size = 1404, count = 1
pc = 0x0726518C, size = 868, count = 1
pc = 0x07261BD4, size = 240, count = 1
pc = 0x080E7CE4, size = 240, count = 1
pc = 0x076207B8, size = 192, count = 2
pc = 0x08075610, size = 160, count = 2
pc = 0x048BE1F0, size = 136, count = 1
pc = 0x05C55458, size = 88, count = 1

I/O memory Holding = 0 bytes


------------------ show processes 267 ------------------

Process ID 267 [Crypto IKMP], TTY 0
Memory usage [in bytes]
Holding: 18944, Maximum: 0, Allocated: 5888, Freed: 240
Getbufs: 0, Retbufs: 0, Stack: 11176/12000
CPU usage
PC: 80E19A4, Invoked: 3, Giveups: 1, uSec: 0
5Sec: 0.00%, 1Min: 0.00%, 5Min: 0.00%, Average: 0.00%
Age: 20731396 msec, Runtime: 0 msec
State: Waiting for Event, Priority: Normal


------------------ show crypto eli all ------------------


Hardware Encryption : ACTIVE
Number of crypto engines = 2

CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, GCM, GMAC, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session : 0 active, 1000 max, 0 failed

CryptoEngine Software Crypto Engine details: state = Active
Capability : IPPCP, DES, 3DES, AES, SEAL, GCM, GMAC, RSA, IPv6, GDOI, FAILCLOSE, HA

IKE-Session : 0 active, 1100 max, 0 failed
IKEv2-Session : 0 active, 1100 max, 0 failed
DH : 4 active, 1050 max, 0 failed
IPSec-Session : 0 active, 1000 max, 0 failed


------------------ show cry engine accelerator statistic ------------------

Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 20766 seconds ago
0 packets in 0 packets out
0 bytes in 0 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 0 packets encrypted
0 bytes before decrypt 0 bytes encrypted
0 bytes decrypted 0 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall

Errors:

Total Number of Packet Drops = 0
Pad Error = 0
Data Error = 0
Packet Error = 0
Null IP Error = 0
Hardware Error = 0
CP Unavailable = 0
HP Unavailable = 0
AH Seq Failure = 0
Link Down Error = 0
ESP Seq Failure = 0
AH Auth Failure = 0
ESP Auth Failure = 0
Queue Full Error = 0
API Request Error = 0
Invalid Flow Error = 0
Buffer Unavailable = 0
QOS Queue Full Error = 0
Packet too Big Error = 0
AH Replay Check Failure = 0
Too Many Particles Error = 0
ESP Replay Check Failure = 0
Input Queue Full Error = 0
Output Queue Full Error = 0
Pre-batch Queue Full Error = 0
Post-batch Queue Full Error = 0

BATCHING Statistics:

Batching Allowed
Batching currently Inactive

No of times batching turned on = 0
No of times batching turned off = 0
No of Flush Done = 0
Flush Timer in Milli Seconds = 8
Disable Timer in Seconds = 20
Threshold Crypto Paks/Sec
to enable batching = 10000

POST-BATCHING Enabled
Post-batch count, max_count = 0, 16
Packets queued to post-batch queue = 0
Packets flushed from post-batch queue = 0

The Post-batch Queue Information
The Queuesize is = 512
The no entries currently being used = 0
The Read Index is = 0
The Write Index is = 0
The entries in use are between Read and Write Index

The entries in use are

SEC MFIFO Statistics:

Channel 0 allocated times = 996
Channel 1 allocated times = 0
Channel 2 allocated times = 0
Channel 3 allocated times = 0
Channel 0 freed times = 996
Channel 1 freed times = 0
Channel 2 freed times = 0
Channel 3 freed times = 0
Sec MFIFO flush count = 996
Sec MFIFO interrupt count = 996
Sec MFIFO put back count = 97
Sec MFIFO Timer flush count = 0
Sec MFIFO Timer put back count = 0
Sec alloc workq count = 0
Sec free workq count = 64


------------------ show cry isakmp diagnose error ------------------

Exit Path Table - status: enable, current entry 0, deleted 0, max allow 50

------------------ show cry isakmp diagnose error count ------------------

Exit Trace counters
8 - Failed to delete policy.


------------------ show crypto call admission statistics ------------------

---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0

Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0

Phase1.5 SAs under negotiation: 0


TrintyPoint_Router#$

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

Few things -

1) you need to get rid of this NAT statement -

"ip nat inside source list 99 interface Vlan200 overload"

and just have this one -

"ip nat inside source route-map nonat interface Vlan200 overload"

2) you need to modify the acl referenced in the route-map -

"access-list 110 permit ip 192.168.9.0 0.0.0.255 any"
"access-list 110 deny   ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255"

the deny line needs to come before the permit line.

3) your remote proxy subnet ie. 192.168.10.0/24, are you sure they have configured their end correctly ?

Jon

View solution in original post

5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

Few things -

1) you need to get rid of this NAT statement -

"ip nat inside source list 99 interface Vlan200 overload"

and just have this one -

"ip nat inside source route-map nonat interface Vlan200 overload"

2) you need to modify the acl referenced in the route-map -

"access-list 110 permit ip 192.168.9.0 0.0.0.255 any"
"access-list 110 deny   ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255"

the deny line needs to come before the permit line.

3) your remote proxy subnet ie. 192.168.10.0/24, are you sure they have configured their end correctly ?

Jon

That's brilliant thank you, I posted that it was a correct answer.

I am still having some issues, because the vpn tunnel is up. however i cannot ping in either direction. would this be the ASA end?

It could be.

Can you post -

1) "sh crypto ipsec sa detail"

2) the full config of the router

Jon

To be honest in the end, was a combination of wrong default gateways and windows firewalls :)

Thank you for your help, your initial answer was completely on the money.

Ps. Could I ask you one little question, I dont understand that deny command and why it had to go first, is it a simple answer or do I need to RTFM 

The reason is you didn't want to do NAT when your 192.168.9.x clients were going to any 192.168.10.x clients and acls are processed in line order from top to bottom which means as soon as a match is found the processing stops.

If you have the permit first that matches all traffic from 192.168.9.x to any IP, including 192.168.10.x so your IPs were being translated and then they would not match your crypto map acl for the VPN tunnel ie. it never gets to the deny line.

By putting the deny line first that says if the destination IP is a 192.168.10.x IP then don't NAT the 192.168.9.x IPs.

If the destination isn't a 192.168.10.x IP then the traffic matches the permit line and is translated ie. general internet traffic.

Glad you got it sorted.

Jon

Review Cisco Networking for a $25 gift card