ASA L2L tunnel up, no traffic (or one-way...)

johnnykaye
Level 1

I have two ASA 5505, 8.2(1), let's call them HQ and BRANCH. HQ has an L2L going towards a third point, and that one works fine.

Now I am trying to set up an L2L VPN between HQ and BRANCH. The tunnel comes up (passes phase 1 and 2), but I cannot ping from either end.

sh cry isa sa looks 100% ok

sh cry ips sa shows that HQ has only decaps, whereas Branch has only encaps. So HQ looks like the prime suspect to me (even with its other L2L working fine).

Below are the configs, great if anyone could help me pinpoint any config issues...

-----------------------------------------------------------------

HQ:

ASA Version 8.2(1)
!
hostname HQ
domain-name blah.com
enable password blah
passwd blah encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.106.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
dns server-group DefaultDNS
 domain-name blah.com
access-list inside_outbound_nat0_acl extended permit ip 172.16.106.0 255.255.255.128 any
access-list outside_cryptomap_20 extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.224
access-list outside_1_cryptomap extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
sysopt noproxyarp inside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 191.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
webvpn
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 82.xx.xx.xx type ipsec-l2l
tunnel-group 82.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx
!
class-map inspection_default
 match default-inspection-traffic
!
!
service-policy global_policy global
prompt hostname context
: end

-----------------------------------------------------------------

BRANCH:

ASA Version 8.2(1)
!
hostname BRANCH
enable password djfldksjafl encrypted
passwd djfldksjafl encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.106.161 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa821-k8.bin
object-group network obj_any
access-list BRANCH-HQ extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
access-list NONAT extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
logging enable
icmp unreachable rate-limit 1 burst-size 1
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.xx.xx.xx
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address BRANCH-HQ
crypto map outside_map 10 set peer 191.xx.xx.xx
crypto map outside_map 10 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
dhcpd dns xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd address 172.16.106.162-172.16.106.166 inside
dhcpd enable inside
!
webvpn
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
service-policy global_policy global
prompt hostname context
: end

-----------------------------------------------------------------

Best,

Johnny


johnnykaye
Level 1

Anyone?

Hi John,

Please change the ACL at HQ as shown below: remove the highlighted line and change the mask in the second line.

no access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248

Please add this route at each respective location as shown below.

at HQ.

route outside 172.16.106.160 255.255.255.248 191.xx.xx.xx <- default-gateway address at HQ.

at Branch.

route outside 172.16.106.0 255.255.255.128 82.xx.xx.xx <- default-gateway address at branch.

Please update.

thanks

Rizwan Rafeek

johnnykaye
Level 1

Finally solved it

I did a re-read on IPSEC L2L VPNs, and realised that the first statements in the original cryptomap (see my first HQ config posted above) captured traffic for both L2L VPNs, so the BRANCH statements were never applied, thus keeping traffic from flowing on the BRANCH L2L from HQ to BRANCH.

@Rizwan: Working default routes were in place on both ASAs, so I did not touch those.  As for the nonat on HQ, it was working correctly as it was. Altering it to allow only traffic towards the BRANCH network would have left out the traffic towards the second already existing L2L VPN, so I let that one be as well. Thanks though.

To make this work, I had to give the BRANCH crypto map statements higher priority by setting its sequence number lower than the sequence number of the default crypto map. So I changed the default crypto map sequence number to 100, and set the BRANCH crypto map sequence number to 10. All changes were made on the HQ side only. 

That's it, and now both VPNs work just fine. 

I did some tidying up as well, lots of people have been onto this box since it was put to use, and several ACLs were totally superfluous by now. 

Below is the final working VPN config for the HQ side... 

------------------------------------------------------

HQ:

access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 100 match address outside_1_cryptomap_1
crypto map outside_map 100 set peer 191.xx.xx.xx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 82.xx.xx.xx type ipsec-l2l
tunnel-group 82.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx

------------------------------------------------------ 

Best, 

Johnny
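Johnny's diagnosis (a broad crypto map ACL at a lower sequence number capturing the traffic meant for the later, more specific entry, which is why HQ only ever showed decaps) can be reproduced offline. The Python script below is an added example written for this page; it is not part of the thread and not Cisco code. It models the ASA's first-match walk over crypto map entries using the two HQ ACLs posted above, with the thread's masked peer addresses (191.xx.xx.xx, 82.xx.xx.xx) and the sample hosts 172.16.106.5 and 172.16.106.162 as constructed placeholders, and it flags any entry whose ACL is entirely covered by an earlier entry and can therefore never be selected.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data, copied from the HQ config in this thread.
# Peer addresses are the thread's masked placeholders, not real hosts.
ACLS: Dict[str, List[str]] = {
    "outside_1_cryptomap_1": [
        "access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any",
    ],
    "HQ-BRANCH": [
        "access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248",
    ],
}

# Crypto map entries as (sequence, match-address ACL, peer), before and after the fix.
BEFORE = [(1, "outside_1_cryptomap_1", "191.xx.xx.xx"), (10, "HQ-BRANCH", "82.xx.xx.xx")]
AFTER = [(10, "HQ-BRANCH", "82.xx.xx.xx"), (100, "outside_1_cryptomap_1", "191.xx.xx.xx")]

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]


def _take_net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume 'any' or 'ADDR MASK' from an ACE token list; return the network and next index."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    return Net(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit ip SRC DST', the only ACE form used in the thread."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _take_net(tokens, 5)
    dst, _ = _take_net(tokens, i)
    return src, dst


def select_entry(crypto_map, src: str, dst: str) -> Optional[Tuple[int, str]]:
    """First-match lookup: walk entries by ascending sequence, return (seq, peer) of the first ACE hit."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, acl, peer in sorted(crypto_map):
        for line in ACLS[acl]:
            a_src, a_dst = parse_ace(line)
            if s in a_src and d in a_dst:
                return seq, peer
    return None


def shadowed_entries(crypto_map) -> List[int]:
    """Sequence numbers whose every ACE is fully covered by an ACE of an earlier entry (unreachable)."""
    shadowed: List[int] = []
    seen: List[Ace] = []
    for seq, acl, _peer in sorted(crypto_map):
        aces = [parse_ace(line) for line in ACLS[acl]]
        covered = all(
            any(a_src.subnet_of(e_src) and a_dst.subnet_of(e_dst) for e_src, e_dst in seen)
            for a_src, a_dst in aces
        )
        if aces and covered:
            shadowed.append(seq)
        seen.extend(aces)
    return shadowed


if __name__ == "__main__":
    hq_host, branch_host = "172.16.106.5", "172.16.106.162"  # constructed sample hosts
    print("before:", select_entry(BEFORE, hq_host, branch_host), "shadowed:", shadowed_entries(BEFORE))
    print("after: ", select_entry(AFTER, hq_host, branch_host), "shadowed:", shadowed_entries(AFTER))
```

With the original ordering, HQ-to-BRANCH traffic is steered to the 191.xx.xx.xx peer at sequence 1 and sequence 10 is reported as shadowed; after swapping the sequence numbers the same packet selects the 82.xx.xx.xx peer and nothing is shadowed. A shadow check like this one is worth running whenever a new L2L entry is added beneath an existing one that uses `any` as its destination.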

Hello Johnny,

Great to hear that, there you have some points for you

Please mark the question as answered so future users can learn from this as you did

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks
