ASA IPSEC site-to-site with NAT issue

brunellej
Level 1

Hi,

I have what I thought was a simple configuration, but I am having issues and could use a second set of eyes.

I have a site-to-site between two locations:

Site A is 192.168.0.0/24

Site B is 192.168.4.0/24

I have been asked to NAT all communications between these sites to 10.57.4.0/24 and for a single host 192.168.0.112 to static NAT to 10.57.4.50.

The tunnel is up and running, and I can ping across the link to the far-end host at 192.168.4.20; no issues. But I am having an application problem where it will not establish communications. I suspect it's the reverse NAT, but I have reviewed the configuration several times. All connections to the NAT'd address of 10.57.4.50 should be forwarded to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NAT'd to 10.57.4.50 to traverse the tunnel.

The site B system can also ping 10.57.4.50.

Here's the running configuration:

ASA Version 8.3(2)

!

hostname fw1

domain-name <removed>

enable password <removed> encrypted

passwd <removed> encrypted

names

!

interface Vlan1

description Town Internal Network

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

description Public Internet

nameif outside

security-level 0

ip address 173.166.117.186 255.255.255.248

!

interface Vlan3

description DMZ (CaTV)

nameif dmz

security-level 50

ip address 192.168.2.1 255.255.255.0

!

interface Vlan5

description PD Network

nameif PDNet

security-level 95

ip address 192.168.0.1 255.255.255.0

!

interface Vlan10

description Infrastructure Network

nameif InfraNet

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan13

description Guest Wireless

nameif Wireless-Guest

security-level 25

ip address 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif StateNet

security-level 75

ip address 10.63.198.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,5,10,13

switchport trunk native vlan 1

switchport mode trunk

speed 100

duplex full

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport trunk allowed vlan 1,10,13

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/5

switchport access vlan 23

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1

switchport trunk native vlan 1

switchport mode trunk

shutdown

!

banner exec                     Access Restricted

banner login                     Access Restricted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name <removed>

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service IMAPoverSSL

service tcp destination eq 993

description IMAP over SSL     

object service POPoverSSL

service tcp destination eq 995

description POP3 over SSL     

object service SMTPwTLS

service tcp destination eq 465

description SMTP with TLS     

object network obj-192.168.9.20

host 192.168.9.20

object network obj-claggett-https

host 192.168.9.20

object network obj-claggett-imap4

host 192.168.9.20

object network obj-claggett-pop3

host 192.168.9.20

object network obj-claggett-smtp

host 192.168.9.20

object network obj-claggett-imapoverssl

host 192.168.9.20

object network obj-claggett-popoverssl

host 192.168.9.20

object network obj-claggett-smtpwTLS

host 192.168.9.20

object network obj-192.168.9.120

host 192.168.9.120

object network obj-192.168.9.119

host 192.168.9.119

object network obj-192.168.9.121

host 192.168.9.121

object network obj-wirelessnet

subnet 192.168.1.0 255.255.255.0

object network WirelessClients

subnet 192.168.1.0 255.255.255.0

object network obj-dmznetwork

subnet 192.168.2.0 255.255.255.0

object network FD_Firewall

host 74.94.142.229

object network FD_Net

subnet 192.168.6.0 255.255.255.0

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network obj-TownHallNet

subnet 192.168.9.0 255.255.255.0

object network obj_InfraNet

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network NHDOS_Firewall

host 72.95.124.69

object network NHDOS_SpotsHub

host 192.168.4.20

object network IMCMOBILE

host 192.168.0.112

object network NHDOS_Net

subnet 192.168.4.0 255.255.255.0

object network NHSPOTS_Net

subnet 10.57.4.0 255.255.255.0

object network IMCMobile_NAT_IP

host 10.57.4.50

object-group service EmailServices

description Normal Email/Exchange Services

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq https

service-object tcp destination eq imap4

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_1

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq pop3

service-object tcp destination eq https

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_2

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group network obj_clerkpc

description Clerk's PCs

network-object object obj-192.168.9.119

network-object object obj-192.168.9.120

network-object object obj-192.168.9.121

object-group network TownHall_Nets

network-object 192.168.10.0 255.255.255.0

network-object object obj-TownHallNet

object-group network DM_INLINE_NETWORK_1

network-object 192.168.10.0 255.255.255.0

network-object 192.168.9.0 255.255.255.0

object-group network DOS_Networks

network-object 10.56.0.0 255.255.0.0

network-object object NHDOS_Net

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

access-list StateNet_access_in extended permit ip object-group obj_clerkpc any

access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks

pager lines 24

logging enable

logging list Test1 level debugging class vpn

logging asdm debugging

logging mail errors

logging from-address <removed>

logging recipient-address <removed> level errors

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu Wireless-Guest 1500

mtu StateNet 1500

mtu InfraNet 1500

mtu PDNet 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net

nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net

nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks

!

object network obj_any

nat (inside,outside) static interface

object network obj-claggett-https

nat (inside,outside) static interface service tcp https https

object network obj-claggett-imap4

nat (inside,outside) static interface service tcp imap4 imap4

object network obj-claggett-pop3

nat (inside,outside) static interface service tcp pop3 pop3

object network obj-claggett-smtp

nat (inside,outside) static interface service tcp smtp smtp

object network obj-claggett-imapoverssl

nat (inside,outside) static interface service tcp 993 993

object network obj-claggett-popoverssl

nat (inside,outside) static interface service tcp 995 995

object network obj-claggett-smtpwTLS

nat (inside,outside) static interface service tcp 465 465

object network obj-192.168.9.120

nat (inside,StateNet) static 10.63.198.12

object network obj-192.168.9.119

nat (any,StateNet) static 10.63.198.10

object network obj-192.168.9.121

nat (any,StateNet) static 10.63.198.11

object network obj-wirelessnet

nat (Wireless-Guest,outside) static interface

object network obj-dmznetwork

nat (any,outside) static interface

object network obj_InfraNet

nat (InfraNet,outside) static interface

access-group outside_access_in in interface outside

access-group StateNet_access_in in interface StateNet

access-group PDNet_access_in in interface PDNet

route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable 5443

http 192.x.x.x 255.255.255.0 inside

http 7.x.x.x 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 72.x.x.x

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 173.x.x.x

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.168.9.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.9.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd lease 10800

dhcpd auto_config outside

!

dhcpd address 192.168.2.100-192.168.2.254 dmz

dhcpd dns 8.8.8.8 8.8.4.4 interface dmz

dhcpd enable dmz

!

dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest

dhcpd enable Wireless-Guest

!

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 63.240.161.99 source outside prefer

ntp server 207.171.30.106 source outside prefer

ntp server 70.86.250.6 source outside prefer

webvpn

group-policy DfltGrpPolicy attributes

group-policy FDIPSECTunnel internal

group-policy FDIPSECTunnel attributes

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec

username support password <removed> encrypted privilege 15

tunnel-group 72.x.x.x type ipsec-l2l

tunnel-group 72.x.x.x ipsec-attributes

pre-shared-key *****

tunnel-group 173.x.x.x type ipsec-l2l

tunnel-group 173.x.x.x general-attributes

default-group-policy FDIPSECTunnel

tunnel-group 173.x.x.x ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 1024

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

smtp-server 192.168.9.20

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

: end

24 Replies

Did you ever fix the ACL?

I must have missed that, which ACL and what was the suggested fix?

ACL for the VPN:

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks

*** Your source is right, but the destination DOS_Networks has 10.56.0.0/16; where did that come from? If you need to go from 192.168.0.112 -- NAT --> 10.57.4.50 --> 192.168.4.0/24, then your destination should include only that network. The other end will also need to match your side, so something like this:

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net 192.168.4.0 255.255.255.0

or

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object NHDOS_Net

Yes, I have changed it to access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object NHDOS_Net.

Did anyone see any issues with the packet captures?
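The reply above makes two points that are easy to get wrong on an 8.3 ASA: the crypto-map ACL is evaluated after NAT, so it must name the translated network (NHSPOTS_Net, not 192.168.0.0/24), and an object-group in a crypto ACL expands into one proxy-ID pair per member, each of which the peer must mirror. The following is an added example, not code from the thread; it models that packet path with the address objects copied from the posted config. The far end's crypto ACL (192.168.4.0/24 to 10.57.4.0/24) is an assumption, and the model ignores the interface pair on the nat statement.

```python
"""Model of the ASA 8.3 packet path discussed in the thread: twice NAT, then crypto-map ACL."""
from ipaddress import ip_address, ip_network

# Address objects copied from the posted configuration.
IMCMOBILE = "192.168.0.112/32"              # object network IMCMOBILE
IMCMOBILE_NAT_IP = "10.57.4.50/32"          # object network IMCMobile_NAT_IP
NHSPOTS_NET = "10.57.4.0/24"                # object network NHSPOTS_Net
NHDOS_NET = "192.168.4.0/24"                # object network NHDOS_Net
DOS_NETWORKS = ["10.56.0.0/16", NHDOS_NET]  # object-group network DOS_Networks


def _nets(cidrs):
    return [ip_network(c) for c in cidrs]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


# nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks
# Assumption: the interface pair is ignored here; the real ASA also matches ingress/egress interface.
def translate_outbound(src, dst):
    """Twice NAT for a packet heading into the tunnel: returns the (src, dst) the crypto map sees."""
    if src in ip_network(IMCMOBILE) and _in_any(dst, _nets(DOS_NETWORKS)):
        return ip_network(IMCMOBILE_NAT_IP).network_address, dst
    return src, dst


def untranslate_inbound(src, dst):
    """Reverse of the same rule for a decrypted packet arriving from the far side."""
    if _in_any(src, _nets(DOS_NETWORKS)) and dst in ip_network(IMCMOBILE_NAT_IP):
        return src, ip_network(IMCMOBILE).network_address
    return src, dst


def build_crypto_acl(sources, dests):
    """Expand 'access-list ... permit ip <src-group> <dst-group>' the way the ASA does:
    one proxy-ID pair (one IPsec SA) per source/destination combination."""
    return [(s, d) for s in _nets(sources) for d in _nets(dests)]


def matches_crypto_acl(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def unmirrored(local_entries, remote_entries):
    """Proxy IDs this side would propose that the peer does not mirror
    (peer's destination must equal our source and vice versa). Returned as CIDR strings."""
    remote = {(str(s), str(d)) for s, d in remote_entries}
    return [(str(s), str(d)) for s, d in local_entries if (str(d), str(s)) not in remote]


def outbound_path(src, dst, entries):
    """Trace a host-to-host packet: NAT first, then crypto ACL. Returns (src', dst', goes_in_tunnel)."""
    s, d = translate_outbound(ip_address(src), ip_address(dst))
    return str(s), str(d), matches_crypto_acl(entries, s, d)


def inbound_path(src, dst):
    s, d = untranslate_inbound(ip_address(src), ip_address(dst))
    return str(s), str(d)


if __name__ == "__main__":
    # Assumed far-end policy: their 192.168.4.0/24 to our NAT'd 10.57.4.0/24.
    remote = build_crypto_acl([NHDOS_NET], [NHSPOTS_NET])
    before = build_crypto_acl([NHSPOTS_NET], DOS_NETWORKS)  # original outside_1_cryptomap
    after = build_crypto_acl([NHSPOTS_NET], [NHDOS_NET])    # corrected line from the reply
    print("unmirrored before:", unmirrored(before, remote))  # [('10.57.4.0/24', '10.56.0.0/16')]
    print("unmirrored after: ", unmirrored(after, remote))   # []
    print(outbound_path("192.168.0.112", "192.168.4.20", after))  # ('10.57.4.50', '192.168.4.20', True)
    print(inbound_path("192.168.4.20", "10.57.4.50"))             # ('192.168.4.20', '192.168.0.112')
```

The `before` ACL produces a second proxy ID (10.57.4.0/24 to 10.56.0.0/16) that the peer has no mirror for; phase 2 for that pair would fail the first time traffic to 10.56.0.0/16 tried to bring it up. The `after` ACL leaves nothing unmirrored, and the trace shows the host packet is translated to 10.57.4.50 before it is matched against the crypto ACL, which is why the ACL must use NHSPOTS_Net rather than the real subnet.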

I have checked the capture files. In the captures, it seems that only the packet from 192.168.0.112 to 192.168.4.20 is visible; however, the reply packet is not visible. Thus, either the reply packet is not coming back, or the ASA is dropping it, or the traffic is not being captured properly.

Can you please share the ACL that you have used for capturing this traffic? It should be like:

access-list captured permit ip host 192.168.0.112 host 192.168.4.20

access-list captured permit ip host 192.168.4.20 host 192.168.0.112

If the access-list is correct, then try capturing traffic with the ACL mentioned below:

access-list captured permit ip host 192.168.0.112 host 192.168.4.20

access-list captured permit ip host 192.168.4.20 host 192.168.0.112

access-list captured permit ip host 10.57.4.50 host 192.168.4.20

access-list captured permit ip host 192.168.4.20 host 10.57.4.50

To apply the capture you can use this command:

capture cap access-list captured interface PDNet buffer 2000000 circular

Also, try passing traffic and grab the output of the following commands, taking the output several times while executing the tests:

show asp drop | inc 10.57.4.50

show asp drop | inc 192.168.0.112

Along with this, grab the output of the following command as well after executing the test:

show crypto ipsec sa

[If possible, reset tunnel once before doing this test]

Regards,

Anuj

Anuj,

Thank you for the continued assistance.

Here's the output of the capture:

33 packets captured

   1: 16:27:05.392969 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535

   2: 16:27:08.345807 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535

   3: 16:27:14.361599 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535

   4: 16:27:45.392313 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535

   5: 16:27:48.308577 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535

   6: 16:27:54.243059 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535

   7: 16:28:07.063015 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

   8: 16:28:07.103693 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

   9: 16:28:08.066097 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  10: 16:28:08.104898 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

  11: 16:28:09.069011 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  12: 16:28:09.107523 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

  13: 16:28:10.071941 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  14: 16:28:10.111047 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

  15: 16:28:19.881836 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535

  16: 16:28:22.808979 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535

  17: 16:28:25.376552 802.1Q vlan#5 P0 192.168.0.112.2818 > 192.168.4.20.6800: S 1361468755:1361468755(0) win 65535

  18: 16:28:28.341168 802.1Q vlan#5 P0 192.168.0.112.2818 > 192.168.4.20.6800: S 1361468755:1361468755(0) win 65535

  19: 16:28:28.743461 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535

  20: 16:30:41.384242 802.1Q vlan#5 P0 192.168.0.112.2823 > 192.168.4.20.6800: S 3911555739:3911555739(0) win 65535

  21: 16:30:44.230655 802.1Q vlan#5 P0 192.168.0.112.2823 > 192.168.4.20.6800: S 3911555739:3911555739(0) win 65535

  22: 16:30:50.265718 802.1Q vlan#5 P0 192.168.0.112.2823 > 192.168.4.20.6800: S 3911555739:3911555739(0) win 65535

  23: 16:34:26.434120 802.1Q vlan#5 P0 192.168.0.112.2826 > 192.168.4.20.6800: S 1638122493:1638122493(0) win 65535

  24: 16:34:29.443946 802.1Q vlan#5 P0 192.168.0.112.2826 > 192.168.4.20.6800: S 1638122493:1638122493(0) win 65535

  25: 16:34:35.475103 802.1Q vlan#5 P0 192.168.0.112.2826 > 192.168.4.20.6800: S 1638122493:1638122493(0) win 65535

  26: 16:34:56.796192 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  27: 16:34:56.837481 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

  28: 16:34:57.799961 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  29: 16:34:57.838839 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

  30: 16:34:58.801899 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  31: 16:34:58.841020 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

  32: 16:34:59.804798 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request

  33: 16:34:59.843538 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply

33 packets shown

Here's the capture access-list used:

access-list captured; 4 elements; name hash: 0x64472634

access-list captured line 1 extended permit ip host 192.168.0.112 host 192.168.4.20 (hitcnt=35) 0x70841416

access-list captured line 2 extended permit ip host 192.168.4.20 host 192.168.0.112 (hitcnt=12) 0x2902a719

access-list captured line 3 extended permit ip host 10.57.4.50 host 192.168.4.20 (hitcnt=0) 0xb5044bca

access-list captured line 4 extended permit ip host 192.168.4.20 host 10.57.4.20 (hitcnt=0) 0xab88b23e

Here's the output of "show crypto ipsec sa":

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 173.x.x.x

      access-list outside_1_cryptomap extended permit ip 10.57.4.0 255.255.255.0 192.168.4.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.57.4.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)

      current_peer: 72.x.x.x

      #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152

      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 152, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.x.x.x/0, remote crypto endpt.: 72.x.x.x/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 609CE00B

      current inbound spi : 5B8DDB35

    inbound esp sas:

      spi: 0x5B8DDB35 (1536023349)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1462272, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373999/1474)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x0000001F

    outbound esp sas:

      spi: 0x609CE00B (1620893707)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1462272, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373992/1474)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 2, local addr: 173.x.x.x

      access-list outside_2_cryptomap extended permit ip 192.168.9.0 255.255.255.0 192.168.6.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

      current_peer: 173.162.x.x

      #pkts encaps: 194, #pkts encrypt: 194, #pkts digest: 194

      #pkts decaps: 1579, #pkts decrypt: 1579, #pkts verify: 1579

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 194, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.x.x.x/0, remote crypto endpt.: 173.162.x.x/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 8F8E990C

      current inbound spi : 7EBBED6E

    inbound esp sas:

      spi: 0x7EBBED6E (2126245230)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 352256, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/23599)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x8F8E990C (2408487180)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 352256, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/23599)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 2, local addr: 173.x.x.x

      access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

      current_peer: 173.162.x.x

      #pkts encaps: 1353568, #pkts encrypt: 1353568, #pkts digest: 1353568

      #pkts decaps: 1358106, #pkts decrypt: 1358106, #pkts verify: 1358106

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1353568, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.x.x.x/0, remote crypto endpt.: 173.162.x.x/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 9C2EF78F

      current inbound spi : 03ADBAF4

    inbound esp sas:

      spi: 0x03ADBAF4 (61717236)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 352256, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373506/23504)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x9C2EF78F (2620323727)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 352256, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373508/23504)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

The "show asp drop" didn't show anything for either subnet.

John
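Anuj's procedure (capture on PDNet, then check both directions of the flow) and the capture John posted amount to a simple test: for every SYN, did anything ever come back on the reverse 4-tuple? The script below is an added example, not part of the thread; it parses ASA `show capture` lines in the tcpdump-like format shown above. The sample is constructed: packets 1-4, 7-8 and 15 are copied from the posted capture, and packets 40 and 41 are made up to show what an answered SYN looks like for contrast.

```python
"""Triage of an ASA 'show capture' dump: which TCP flows sent a SYN but never saw a reply?"""
import re
from collections import Counter

# Constructed sample: packets 1-4, 7-8, 15 copied from the thread; 40 and 41 are made up.
CAPTURE = """\
   1: 16:27:05.392969 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
   2: 16:27:08.345807 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
   3: 16:27:14.361599 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
   4: 16:27:45.392313 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535
   7: 16:28:07.063015 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
   8: 16:28:07.103693 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
  15: 16:28:19.881836 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535
  40: 16:36:00.000000 802.1Q vlan#5 P0 192.168.0.112.2830 > 192.168.4.20.22: S 1000:1000(0) win 65535
  41: 16:36:00.040000 802.1Q vlan#5 P0 192.168.4.20.22 > 192.168.0.112.2830: S 2000:2000(0) ack 1001 win 8192
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+"             # packet number and timestamp
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"     # optional 802.1Q tag (present on trunk captures)
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"   # 'a.b.c.d.port' for TCP/UDP, 'a.b.c.d' for ICMP
    r"(?P<rest>.*)$"
)


def split_endpoint(ep):
    """'192.168.0.112.2792' -> ('192.168.0.112', 2792); '192.168.0.112' -> ('192.168.0.112', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/footer lines such as '33 packets captured'
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        rest = m["rest"]
        if rest.startswith("icmp:"):
            proto, detail = "icmp", rest[len("icmp:"):].strip()
        else:
            proto, detail = "tcp", rest.split()[0]  # tcpdump-style flag field: 'S', '.', 'P', ...
        pkts.append({"ts": m["ts"], "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "detail": detail,
                     "is_syn": proto == "tcp" and detail == "S" and " ack " not in rest})
    return pkts


def analyze(text):
    """Classify every SYN by whether any packet ever came back on the reverse 4-tuple."""
    pkts = parse_capture(text)
    tcp_keys = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in pkts if p["proto"] == "tcp"}
    syns = sorted({(p["src"], p["sport"], p["dst"], p["dport"]) for p in pkts if p["is_syn"]})
    answered, unanswered = [], []
    for key in syns:
        reverse = (key[2], key[3], key[0], key[1])
        (answered if reverse in tcp_keys else unanswered).append(key)
    icmp = Counter(p["detail"] for p in pkts if p["proto"] == "icmp")
    return {
        "tcp_answered": answered,
        "tcp_unanswered": unanswered,
        "icmp_requests": icmp["echo request"],
        "icmp_replies": icmp["echo reply"],
    }


if __name__ == "__main__":
    r = analyze(CAPTURE)
    for key in r["tcp_unanswered"]:
        print("no reply: %s:%d -> %s:%d" % key)
    print("answered:", r["tcp_answered"])
    print("icmp request/reply:", r["icmp_requests"], r["icmp_replies"])
```

On the posted capture this reports every port-6800 SYN as unanswered while each ICMP echo request has its reply, which is the same reading as the `#pkts decaps: 4` in `show crypto ipsec sa`. One thing the capture ACL hit counts also confirm: a capture on PDNet sees the real (pre-NAT) addresses, so the two lines written for 10.57.4.50 can never match there; to see the translated addresses, capture on outside, or on the far end.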

anujsharma85
Level 1

As per the captures, it is clearly visible that the reply packet is not coming back.

Even the IPsec SA shows that the decrypted packet count is only 4, which reflects the ICMP replies.

Thus, it's time we check the config at the remote end and take similar outputs there to track the reply packet.

Regards,
Anuj



Agreed; unfortunately I don't have access and am waiting. Hence the reason I am doing so much work upfront to rule out a configuration issue on my side.

Now, when I ping from 192.168.0.112 to 192.168.4.20, I receive a normal response. So pinging is passing, but the traffic to TCP port 6800 is not; is it possibly being blocked by the far end?

Anything in my configuration that could be causing the block?

John

If you do not have access to the remote site then you'll need to get their network person involved and compare each others configurations.  You'll need to make sure that they are seeing 192.168.0.112 as 10.57.4.50 and their server is responding back to that and NOT to 192.168.0.112.

brunellej
Level 1

Anuj and Mohammad,

As I expected, the problem was on the far side and related to their NAC implementation. I would like to say thank you again for all the advice and review of my implementation.

These forums really save time and effort.

John