cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3384
Views
0
Helpful
28
Replies

1811 Router site-to-site to ASA - Up but no traffic passing

dslewitzke
Level 1
Level 1

Hello everyone, I've been rackin my brain on this one and cant seem to figure it out. I am setting up a site to site tunnel between an 1811 router and a 5505 ASA. I currently have several tunnels on the ASA but to other security appliances such as ASA's or sonicwalls. I have gotten the tunnel up, Phase 1 and Phase 2 both complete successfully. However I can not pass traffic across the tunnel. I see on the ASA Bytes Tx increases with attempts but Bytes Rx never moves. Same thing on the router, #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0    -   #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453

Im sure it is somethin on the router end but cant figure it out. here is the config I have used:

1811 Router:

crypto isakmp policy 2

encr 3des

authentication pre-share

crypto isakmp key Abc123!@ address XXX.XXX.XXX.XXX

crypto ipsec transform-set Denver esp-3des esp-sha-hmac

crypto map SMD_CMAP_1 1 ipsec-isakmp

set peer XXX.XXX.XXX.XXX

set transform-set Denver

match address 120

interface FastEthernet1

ip address XXX.XXX.XXX.XX 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SMD_CMAP_1

ip nat inside source route-map nonat interface FastEthernet1 overload

access-list 115 deny   ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 115 permit ip 10.9.1.0 0.0.0.255 any

access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255

route-map nonat permit 10

match ip address 115

ASA 5510:

object network OKL

subnet 10.9.1.0 255.255.255.0

access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 object OKL

nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL

crypto ipsec transform-set OKL esp-3des esp-sha-hmac

crypto map IPSECMAP 7 set peer XXX.XXX.XXX.XXX

crypto map IPSECMAP 7 set transform-set OKL

crypto map IPSECMAP 7 set reverse-route

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime none

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l

tunnel-group XXX.XXX.XXX.XXX general-attributes

default-group-policy VPNGrpPolicy

tunnel-group XXX.XXX.XXX.XXX ipsec-attributes

pre-shared-key *****

Please help me figure this one out!!!!

Any help is much appreciated.

28 Replies 28

The router-config looks fine.

1) Is the traffic for 10.1.1.0/24 really routed to this 1811?
2) Any Access-Control on the way from 10.9.1.0 to 10.1.1.0?
3) Is 10.1.1.0 really routet out of Fa1 on the 1811?


Sent from Cisco Technical Support iPad App

Karsten,

Thanks for the reply.

1.Yes it is routed correctly. a trace route from a client machine in 10.9.1.0 shows that the first Hop is 10.9.1.1 (1811 BVI1 Interface)

2.No. there are switches in between the router and end user but there is no access control on them.

3. Yes. the default route on this router is then next hop from the Fa1 interface >>

ip address XXX.XX.1.36 255.255.255.248

ip route 0.0.0.0 0.0.0.0 XXX.XXX.1.33

Just in case, I added route:

ip route 10.1.1.0 255.255.255.0 fastEthernet 1

Any other suggestions?

not many suggestions any more ...

Is the nat-config from your first post the only nat-rule on the router? If not please check that no translation is build for your traffic that should go into the VPN and post your complete nat-Config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

the NAT config is pretty straight forward:

ip nat inside source list 10 interface FastEthernet1 overload

ip nat inside source route-map nonat interface FastEthernet1 overload

ip nat inside source static tcp 10.9.1.13 3021 XXX.XXX.XXX.36 3021 extendable

ip nat inside source static tcp 10.9.1.16 3022 XXX.XXX.XXX.36 3022 extendable

access-list 10 permit 10.9.1.0 0.0.0.255

Dustin,

let us know the ASA version and the Router Ios version

1811 =

Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(24)T1,

ASA =

Cisco Adaptive Security Appliance Software Version 8.3(2)

please remove the following line:

ip nat inside source list 10 interface FastEthernet1 overload


Sent from Cisco Technical Support iPad App

I tried removing this but still no luck

shine pothen
Level 3
Level 3

i think we need to do a packet trace from the asa  and see where is the drop.

command to use  "packet-tracer input inside icmp 10.9.1.2 0 8 10.1.1.2"

inside--> what name you have mentioned for your inside interface.

you can use a valid lan ip for ASA instead of 10.9.1.2

and from the router side use an vlaid LAN ip 10.1.1.2

and please paste the result here

here's the trace:

pri/act/dscasa001# packet-tracer input inside icmp 10.9.1.20 0 8 10.1.1.14

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL

Additional Information:

NAT divert to egress interface inside

Untranslate 10.1.1.14/0 to 10.1.1.14/0

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 12352828, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

looks like there is no DROP at all . every thing is showing as ALLOW.

now try to ping (lan interface name) destiantion ip address

eg: ping inside 10.1.1.14

now can you show is the output for

sh cry ipsec sa and see if there is decrypt happening.

here is the resuls from the asa. it is a ping from to the internal network. not to the remote...

pri/act/dscasa001# ping 10.1.1.14

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

pri/act/dscasa001# sh crypto ipsec sa peer XXX.XXX.XXX.36

peer address: XXX.XXX.XXX.36

    Crypto map tag: IPSECMAP, seq num: 7, local addr: XXX.XXX.XXX68

      access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)

      current_peer: XXX.XXX.XXX.36

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXX.XXX.XXX.68/0, remote crypto endpt.: XXX.XXX.XXX.36/0

      path mtu 1478, ipsec overhead 58, media mtu 1500

      current outbound spi: C2E09BFB

      current inbound spi : 792C3ECA

    inbound esp sas:

      spi: 0x792C3ECA (2032942794)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 31178752, crypto-map: IPSECMAP

         sa timing: remaining key lifetime (kB/sec): (4374000/3580)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xC2E09BFB (3269499899)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 31178752, crypto-map: IPSECMAP

         sa timing: remaining key lifetime (kB/sec): (4373999/3580)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

ping using  this command.

ping inside 10.1.1.14 and let us know the output.

pri/act/dscasa001# ping inside 10.1.1.14

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: