Re: IPSEC Site-To-Site Tunnel

CiscoIPMAN · ‎06-28-2018

I have a site-to-site VPN using 2 Cisco ASAv. It looks like the IPSec tunnel is up but I can not reach the other side of the tunnel. It looks like my crypto map is correct but I cannot ping or telnet. Below is a basic topology and I attached some config files. Looking for some help with something I may have missed. Thanks for any help!

Will rate response posts!

Rob Ingram · ‎06-28-2018

Hi,

Do you have any NAT defined anywhere?If yes, then you will need to define a no-nat rule between the lan subnets for both vpn peers.

Can you provide the full configuration of both ASA?

Have you run packet-tracer? Could you provide the output here please?

HTH

CiscoIPMAN · ‎06-28-2018

RJI,

I am not doing NAT for these networks. I did a packet tracer and the access-list is dropping the packet. But I have these networks in my crypto map. Should I have these ACL some where else?

Rob Ingram · ‎06-28-2018

Change the crypto map ACL and get rid of the object group DM_INLINE_SERVICE_1.

Perform filtering of traffic over the tunnel using vpn-filter.

HTH

CiscoIPMAN · ‎06-29-2018

Thanks for the response. I did create an new crypto map on both ASA and I was able to ping and telnet. The only way I am able to do that is by setting ip any any. If I set a source and destination IP it does not work. I did a packet capture and see the source host go out but never establishes a connection.

Rob Ingram · ‎06-29-2018

You just need to modify the ACL as so:-

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.16.10.0_24 object VPN-Remote-10.10.10.0_24

This will allow you to establish a VPN and then from there use the vpn filter to lock down the permitted traffic.

CiscoIPMAN · ‎06-29-2018

Thanks for the response RJI.

Does the crypto map have to have permit ip? This will allow all types of service traffic correct? So if I wanted the tunnel to be limited just to telnet traffic, would I create another entry in the crypto map or create something new? Could you provide an example with the filtering?

Thanks for the help!

Rob Ingram · ‎06-29-2018

No you don't need to have a permit ip, but you may struggle in establishing a VPN in the first instance and in the future if you need to permit further protocols/services, you'll need to amend the crypto map acl which would require resetting the tunnel to renegotiate. If there is an issue with that, that will require a lot of troubleshooting.

As explained previously, establish the tunnel by permit ip source subnet dest subnet, then lock down the allowed traffic over the VPN using VPN Filter feature. Any amendments in the future will not impact the VPN connectivity.

Example 2 here covers what you want to be doing. More examples here

Deepakumar1 · ‎06-30-2018

I checked the config and found your crypto acl and vpn filter acl is same.

VPN filter are always work in reverse like if crypto acl is

access-list crypto_acl_1 per ip X.X.X.X24 Y.Y.Y.Y/24

THEN FILTER ACL SHOULD BE IN

access-list vpn-filter per ip Y.Y.Y.Y/24 X.X.X.X/24

VPN filters are primarily used to filter port specific traffic, so in your scenario you can remove the filter and use crypto acl only as you are using IP based ACL.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc7

Regards,

Deepak Kumar