10-18-2023 06:17 PM
I am trying to create a network comprising two routers, one ASA 5505 firewall, one computer and one web server.
I have created a VPN tunnel between Router4 and the ASA5505 firewall. I have also configured both the routers and the ASA5505 firewall.
Also, I read on the internet that I have to initiate interesting traffic for the VPN to initialize. But I don't really understand what it means.
Below are the configuration of the router4:
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
show run
Building configuration...
Current configuration : 1226 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX15247V2V-
license boot module c1900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp key 12345 address 192.168.2.1
!
!
!
crypto ipsec transform-set R1->ASA esp-aes esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
! Incomplete
set peer 192.168.2.1
set transform-set R1->ASA
match address VPN-TRAFFIC
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.4.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
crypto map IPSEC-MAP
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
ip flow-export version 9
!
!
ip access-list extended VPN-TRAFFIC
access-list 100 permit ip host 192.168.4.2 host 192.168.1.2
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Router#
And ASA5505 firewall configuration are as follows:
ciscoasa#show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
object network local-network
!
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
!
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPN-TRAFFIC extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
!
!
crypto ipsec ikev1 transform-set ASA->R1 esp-aes esp-sha-hmac
!
crypto map IPSEC-MAP 10 match address VPN-TRAFFIC
crypto map IPSEC-MAP 10 set peer 192.168.3.2
crypto map IPSEC-MAP 10 set ikev1 transform-set ASA->R1
crypto map IPSEC-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
!
tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
ikev1 pre-shared-key 12345
!
ciscoasa#
10-19-2023 03:30 AM
Sorry, can you ping now from PC to server?
10-19-2023 03:34 AM
I still can't; it says request timed out.
Do I have to do the NAT translation for this on the ASA? And do I have to add an access-list for ICMP to allow traffic beyond the ASA to the firewall?
10-19-2023 03:37 AM - edited 10-19-2023 03:38 AM
Can you share the last config of the ASA and router?
10-19-2023 03:38 AM
ciscoasa(config)#show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
object network local-network
!
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
!
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
policy-map global-policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
!
!
crypto ipsec ikev1 transform-set ASA->R1 esp-aes esp-sha-hmac
!
crypto map IPSEC-MAP 10 match address VPN-TRAFFIC
crypto map IPSEC-MAP 10 set peer 192.168.3.2
crypto map IPSEC-MAP 10 set ikev1 transform-set ASA->R1
crypto map IPSEC-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
!
tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
ikev1 pre-shared-key 12345
!
ciscoasa(config)#
10-19-2023 03:47 AM
This config is perfect.
Can I see the config of the router?
10-19-2023 03:49 AM
Router#show run
Building configuration...
Current configuration : 1267 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX15247V2V-
license boot module c1900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp key 12345 address 192.168.2.1
!
!
!
crypto ipsec transform-set R1->ASA esp-aes esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set R1->ASA
match address VPN-TRAFFIC
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.4.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
crypto map IPSEC-MAP
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
ip flow-export version 9
!
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.4.2 host 192.168.1.2
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Router#
10-19-2023 03:58 AM
Remove this:
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
clear crypto sa
clear crypto isakmp
And check again.
10-19-2023 04:09 AM
Does `clear crypto sa` and `clear crypto isakmp` remove all the configuration? Do you want me to remove all the crypto configuration and configure it again and then try to ping from PC to server?
10-19-2023 04:15 AM
No, clear crypto does not clear the config; it clears the IPsec SAs.
Do the clear (it does not remove config) and check ping.
10-19-2023 08:03 AM
It still gives request timed out when pinging from PC to server or server to PC.
10-19-2023 08:05 AM
Share the Packet Tracer file; I will check from my side.
10-19-2023 08:09 AM
https://drive.google.com/file/d/1M6wm9b-01WBnOxIdqQLIX1GUlleX1MNk/view?usp=sharing
I have uploaded the Packet Tracer file to Google Drive.
10-23-2023 11:56 PM
I can now ping the server from the PC over the VPN tunnel. But I am unable to ping the outside interface of the firewall.
10-19-2023 12:06 AM
1. Bear in mind the ACLs do not match on both sides: you have only host entries on the router side and a subnet on the other side.
ip access-list extended VPN-TRAFFIC
access-list 100 permit ip host 192.168.4.2 host 192.168.1.2
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
2. Is the tunnel up and running? Check with show crypto commands.
3. Initiating the traffic means pinging from one side to the allowed traffic subnet on the other side (so you see encryption and decryption take place).
The guide below will help you:
https://www.networkstraining.com/site-to-site-vpn-between-cisco-asa-and-router/
10-19-2023 02:39 AM
This is what I see when I run `show crypto isakmp sa` on the router:
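Added example, not part of the thread and not Cisco tooling: a small Python checker that parses the crypto ACLs posted above (IOS wildcard masks on the router, subnet masks on the ASA), reports which entries have no exact mirror on the peer, and tests whether a given flow is "interesting", i.e. would be sent into the tunnel at all. The ACL lines embedded below are copied from the posted configs (the three router lines are treated as one list, as point 1 above reads them); all helper names are illustrative assumptions.

```python
"""
Crypto-ACL mirror and interesting-traffic checker (added example, not from the thread).
Assumptions: IOS ACEs use wildcard masks, ASA ACEs use subnet masks; only 'permit'
lines matter; 'ip' in an ACE covers every protocol.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = (1 << 32) - 1


@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "Ace":
        """The entry the peer must carry for this ACE: same protocol, src/dst swapped."""
        return Ace(self.proto, self.dst, self.src)

    def matches(self, proto: str, src: str, dst: str) -> bool:
        proto_ok = self.proto == "ip" or self.proto == proto
        return (proto_ok
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)


def _addr(tokens, i, wildcard):
    """Parse one address spec at tokens[i] ('any', 'host A', or 'A MASK'); return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard:                      # IOS wildcard: 0 bits must match, so invert it
        mask = ALL_ONES ^ mask
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line: str, wildcard: bool) -> Ace:
    """Parse one permit line in IOS (wildcard=True) or ASA (wildcard=False) form."""
    tokens = line.split()
    start = tokens.index("permit")    # skips a leading 'access-list NAME [extended]'
    proto = tokens[start + 1]
    src, i = _addr(tokens, start + 2, wildcard)
    dst, _ = _addr(tokens, i, wildcard)
    return Ace(proto, src, dst)


def parse_acl(text: str, wildcard: bool) -> list:
    return [parse_ace(l, wildcard) for l in text.strip().splitlines() if "permit" in l]


def unmirrored(local, remote) -> list:
    """Local ACEs whose exact mirror is absent on the peer (an IKEv1 proxy-ID mismatch)."""
    remote_set = set(remote)
    return [a for a in local if a.mirror() not in remote_set]


def is_interesting(acl, proto: str, src: str, dst: str) -> bool:
    """True if the flow hits the crypto ACL and would be sent into the tunnel."""
    return any(a.matches(proto, src, dst) for a in acl)


# ACL text copied from the configs posted in the thread.
ROUTER_ACL = """
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.4.2 host 192.168.1.2
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
"""
ASA_ACL = """
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
"""

if __name__ == "__main__":
    router = parse_acl(ROUTER_ACL, wildcard=True)
    asa = parse_acl(ASA_ACL, wildcard=False)
    for side, local, remote in (("router", router, asa), ("asa", asa, router)):
        for ace in unmirrored(local, remote):
            print(f"{side}: no mirror on peer for {ace.proto} {ace.src} -> {ace.dst}")
    for dst in ("192.168.1.2", "192.168.2.1"):
        print("PC -> %s interesting: %s" % (dst, is_interesting(router, "icmp", "192.168.4.2", dst)))
```

Run against the posted configs it reports the two host entries on the router as unmirrored, while the ASA's single subnet entry is mirrored by the router's subnet line. A ping from 192.168.4.2 to 192.168.1.2 matches and will bring the tunnel up; a ping from the PC to the ASA outside address 192.168.2.1 matches nothing, so it is sent in the clear rather than through the tunnel.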
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.2.1 192.168.3.2 QM_IDLE 1087 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
Router#
And this is what I see when I run `show crypto isakmp sa` on the ASA5505 firewall:
ciscoasa#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.3.2
Type : L2L Role : Initiator
Rekey : no State : QM_IDLE
There are no IKEv2 SAs
ciscoasa#