01-30-2019 02:20 AM
Hello!
I have a new Cisco ASA VPN configuration; it's different from what I did before - it's behind NAT, and I need some advice on whether it is possible.
So, I have the following structure:
Site A:
ASAv (192.168.100.2) -> 1to1 NAT -> VMware Edge Gateway Services -> 1to1 NAT -> Fortigate -> Public address (PUB1)
Site B:
ASA (PUB2) - it's OK.
And I can't create an IPsec tunnel between these two sites; the ASAv doesn't want to create Phase 1 (no messages in debug, packet-tracer gets an error on the VPN phase, and I also have some strange asp drops).
ASAv VPN configuration:
crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
ikev1 pre-shared-key *****
access-list vpn-acl extended permit ip object-group local object-group remote log disable
packet-tracer input inside tcp (ip from local object-group) 5555 (ip from remote object-group) 4444
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.100.1 using egress ifc outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate (ip from local object-group)/5555 to (ip from local object-group)/5555
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
Additional Information:
Static translate (ip from remote object-group)/5555 to (ip from remote object-group)/5555
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 21
IKE new SA limit exceeded (ike-sa-rate-limit) 12
Last clearing: 09:31:40 UTC Jan 30 2019 by enable_15
Flow drop:
Need to start IKE negotiation (need-ike) 42
NAT-T is enabled. Ping is OK - site A can ping site B, and src & dst are correct.
I'm confused because I have no messages in the debug log and I have strange asp drops.
Please help me resolve this.
01-30-2019 02:31 AM - edited 01-30-2019 02:38 AM
NAT-T is globally enabled on the security appliance by default; it automatically detects NAT and changes the Phase 1 UDP 500 to 4500.
But please post the config of the firewall.
01-30-2019 03:25 AM
sh run
: Saved
:
: Serial Number:
: Hardware: ASAv, 1536 MB RAM, CPU Xeon E5 series 2600 MHz
:
ASA Version 9.10(1)
!
hostname smartcloud
enable password ***** pbkdf2
names
no mac-address auto
!
interface GigabitEthernet0/0
description
nameif outside
security-level 100
ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address %local_addr% 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object-group network local
network-object %local_subnet% 255.255.255.0
object-group network remote
network-object %remote_subnet% 255.255.255.0
access-list outside_in extended permit ip any any
access-list vpn-acl extended permit ip object-group local object-group remote log disable
access-list inside_in extended permit ip any any
access-list inside_out extended permit ip any any
access-list outside_out extended permit ip any any
pager lines 23
logging enable
logging timestamp
logging buffer-size 52428800
logging buffered debugging
logging trap debugging
logging facility 23
logging debug-trace
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
access-group outside_in in interface outside
access-group outside_out out interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
crypto ca trustpool policy
auto-import
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh %IP_ADDR% 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username %USERNAME% password ***** pbkdf2
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:eba89603857917c74cbbe89e3b0cae96
: end
01-30-2019 04:23 AM
The configuration looks OK to me.
When you do a packet-tracer, after issuing the command, can you show us the output of these commands:
show crypto ikev1 sa / show crypto isakmp sa
show crypto ipsec
!
Also ask the other side to send a packet matching its interesting-traffic ACL.
01-30-2019 05:23 AM
Fixed.
IKEv1 needed to be enabled on the interface:
crypto ikev1 enable outside
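The posted config had a complete crypto map, IKEv1 policy and tunnel-group, but no `crypto ikev1 enable outside`, and the only symptoms were a `VPN encrypt` DROP in packet-tracer and `need-ike` flow drops with nothing in the debug log. The following audit script is an added example, not code from the thread or from Cisco: it walks a running-config, finds every crypto map bound to an interface, works out whether that map uses IKEv1 or IKEv2 entries, and reports any interface that is missing the matching `crypto ikevN enable` line. The `BROKEN_CONFIG` text is a constructed excerpt modelled on the `sh run` above (placeholders kept); `FIXED_CONFIG` is the same excerpt with the solution line appended.

```python
"""Audit a Cisco ASA running-config for crypto maps whose interface never had
IKEv1/IKEv2 enabled.  Added example; not from the original thread."""
import re

# Constructed excerpt of the posted 'sh run' from before the fix (placeholders kept).
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac
crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
crypto ikev1 policy 1
 authentication pre-share
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
 ikev1 pre-shared-key *****
"""

# The same excerpt with the line from the accepted solution appended.
FIXED_CONFIG = BROKEN_CONFIG + "crypto ikev1 enable outside\n"


def parse_crypto(config):
    """Collect crypto-map bindings, the IKE version each map uses, and the
    interfaces on which each IKE version is enabled."""
    bindings = {}        # crypto map name -> interface it is applied to
    ikev1_maps = set()   # maps that contain a 'set ikev1 ...' entry
    ikev2_maps = set()   # maps that contain a 'set ikev2 ...' entry
    ikev1_ifcs = set()   # interfaces with 'crypto ikev1 enable <ifc>'
    ikev2_ifcs = set()   # interfaces with 'crypto ikev2 enable <ifc>'
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto map (\S+) \d+ set (ikev1|ikev2) ", line)
        if m:
            (ikev1_maps if m.group(2) == "ikev1" else ikev2_maps).add(m.group(1))
            continue
        m = re.match(r"crypto (ikev1|ikev2) enable (\S+)$", line)
        if m:
            (ikev1_ifcs if m.group(1) == "ikev1" else ikev2_ifcs).add(m.group(2))
    return bindings, ikev1_maps, ikev2_maps, ikev1_ifcs, ikev2_ifcs


def find_unenabled_ike(config):
    """Return (map, interface, version) for every crypto map that uses IKEvN
    and is applied to an interface lacking 'crypto ikevN enable <interface>'."""
    bindings, v1_maps, v2_maps, v1_ifcs, v2_ifcs = parse_crypto(config)
    findings = []
    for name, ifc in bindings.items():
        if name in v1_maps and ifc not in v1_ifcs:
            findings.append((name, ifc, "ikev1"))
        if name in v2_maps and ifc not in v2_ifcs:
            findings.append((name, ifc, "ikev2"))
    return findings


def suggested_fix(config):
    """The exact config lines that would close each finding."""
    return [f"crypto {ver} enable {ifc}" for _, ifc, ver in find_unenabled_ike(config)]


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, find_unenabled_ike(cfg), suggested_fix(cfg))
```

Run it against the output of `show running-config` (single context; it does not handle multi-context or tunnel-group-only checks), and it prints `before [('outside', 'outside', 'ikev1')] ['crypto ikev1 enable outside']` followed by an empty result for the fixed config. The same missing-enable condition is what packet-tracer surfaces only as a generic `acl-drop` on the VPN phase, so a config-side check like this is faster than reading debugs that never fire because IKE was never started.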