IPSec tunnel connectivity

BHconsultants88
Level 1

Hi everyone

 

I hope someone can point me in the right direction here...I've been going around in circles with connectivity issues between two parties who want traffic to pass through a VPN tunnel via a Cisco ASA. 

 

Please see attached - in summary, router A can reach router B but not vice versa. I'm thinking it's some natting misconfiguration on the ASA but I can't see anything obvious. If not natting, then perhaps MTU related?

**Additional note - router B is able to ping router A public IP, however cannot ping the LAN.

 

Router A - Digi Transport Router

Router B - VPN termination point is an AWS device

ASA in the middle

 

I've also attached the IPSec config on the ASA. Could anyone suggest any ideas as to why router B can't get to router A?

 

Thanks in advance.

18 Replies

Router A LAN can ping to Router B LAN and Router B LAN fail to ping Router A LAN.

Now the question is: are Router A and Router B configured with a site-to-site VPN, with the ASA in the middle acting as a proxy? If so, you need to make sure the Router A config (the VPN config, with a mirrored ACL) matches Router B.

 

If that is not the case, then provide us the config of all the devices so we can look into this.

please do not forget to rate.

The original post says that it includes the config of the ASA. But all I am seeing is a drawing and 2 sets of statistics for the tunnels. ASA config would be a good place to start.

 

HTH

 

Rick


Hi Rick

 

Thanks for the response. Attached is the relevant ASA config. The underlying problem is that Router B (thorman) is unable to ping Router A (Noverton). Please let me know if further information is needed.

 

Thanks in advance.

 

 

no access-list 81.149.11.243_Noverton extended permit ip any object-group Noverton-remote
access-list 81.149.11.243_Noverton extended permit ip object-group Noverton-local object-group Noverton-remote
!
crypto map external-vpns 600 match address thorman

 

I cannot see the "thorman" ACL. And why do you define 81.149.11.243_Noverton twice?

please do not forget to rate.

Hi Sheraz and Rick,

 

Thanks for your assistance on this so far. I've just been looking through the NAT rules, examples below:

 

Outside Outside: Source-thorman-remote, Dest-DIGI_VPN_SITES

Outside Outside: Source-DIGI_VPN_SITES, Dest-thorman-remote

Inside Outside: Source-Noverton-local, Dest-Noverton-remote

Outside Inside: Source-Noverton-remote, Dest-Noverton-local

Inside Outside: Source-thorman-local, Dest-thorman-remote

Outside Inside: Source-thorman-remote, Dest-thorman-local

 

Each object group has a different number of subnets contained within them. Would this cause a problem with the natting? For instance, thorman-local has 11 subnets whereas thorman-remote has just the 1 - is this ok?

 

Reminder, here are the object groups:

 

object-group network thorman-local
 network-object 10.99.206.0 255.255.255.0
 network-object 10.99.240.0 255.255.255.0
 network-object 10.99.241.0 255.255.255.0
 network-object 10.99.242.0 255.255.255.0
 network-object 10.99.243.0 255.255.255.0
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.20.3.0 255.255.255.0
 network-object 10.20.4.0 255.255.255.0
 network-object 10.20.12.0 255.255.255.0
 network-object 10.20.5.0 255.255.255.0
object-group network thorman-remote
 network-object 192.168.142.0 255.255.255.0
object-group network Noverton-local
 network-object 10.99.206.0 255.255.255.0
 network-object 192.168.142.0 255.255.255.0
object-group network Noverton-remote
 network-object 10.20.4.0 255.255.255.0
object-group network DIGI_VPN_SITES
 network-object 10.20.3.0 255.255.255.0
 network-object 10.20.4.0 255.255.255.0
 network-object 10.20.12.0 255.255.255.0
 network-object 10.20.5.0 255.255.255.0

Each object group has a different number of subnets contained within them. Would this cause a problem with the natting? For instance, thorman-local has 11 subnets whereas thorman-remote has just the 1 - is this ok?

 

This is not an issue.

 

 

Would you mind uploading the complete ASA config instead of showing a small part of it? You can remove the real public IP addresses and usernames, or fake them.

please do not forget to rate.

I have looked through the object groups that you showed us and have these comments and questions:

- am I correct in assuming that the object groups with local in the name would represent networks that are local at that site? If so it is not logical that 10.99.206.0/24 is listed as a local network at both Noverton and thorman.

- am I correct in assuming that object groups with remote in the name would represent networks at the other side that they want to access? That does match up for thorman to Noverton: 192.168.142.0/24 is remote for thorman and is local for Noverton. But it does not match up for Noverton to thorman. Noverton remote has only 10.20.4.0/24 whereas thorman local has 11 entries.

- has there been testing of access from Noverton to the 10.20.4.0 subnet at thorman?

 

HTH

 

Rick


Hi Rick

 

That also threw me at the beginning. 

 

The actual ranges for each site are as follows:

Noverton subnet - 10.20.4.0 /24

Thorman subnet - 192.168.142.25.0 /24

HQ subnet - 10.99.206.0 /24

 

I'm still waiting for a response as to why the above subnets are in multiple object groups but I suspect this would cause a problem. The DIGI_VPN_SITES group also contains networks from Noverton.

Hi Rick, just to clarify further. Noverton (10.20.4.0 /24) is able to access the Thorman network (192.168.142.0 /24). Both sites can access HQ and vice versa. Thorman cannot access Noverton.

Thanks Sheraz, I've attached the ASA configuration.

 

Thanks in advance.

In your most recent ASA config I have simplified things so we can understand/break them down and easily see what is going on.

However, in your config I don't see the Thorman config.

Note: I also notice you gave us the config from your secondary firewall. It could be that all the config is on the active firewall and is not synced to the secondary firewall.

============================================

!
object-group network Noverton-local
 network-object 10.99.206.0 255.255.255.0
 network-object 192.168.142.0 255.255.255.0
object-group network Noverton-remote
 network-object 10.20.4.0 255.255.255.0
!
access-list 181.49.11.243_Noverton extended permit ip object-group Noverton-local object-group Noverton-remote
!
nat (inside,outside) source static Noverton-local Noverton-local destination static Noverton-remote Noverton-remote
!
crypto map external-vpns 320 match address 181.49.11.243_Noverton
crypto map external-vpns 320 set peer 181.49.11.243
crypto map external-vpns 320 set ikev1 transform-set ESP-AES-256-SHA
crypto map external-vpns 320 set security-association lifetime seconds 28800
crypto map external-vpns 320 set security-association lifetime kilobytes 4608000
!

===============================================================

Now, if I go back to your first two posts, you provided some of the config of your firewall. As I already said in my recent post, I cannot find the Thorman ACL, so I am relying on the old information we have. Here is what I found.

Problematic:
!
object-group network thorman-local
 network-object 10.99.206.0 255.255.255.0
 network-object 10.99.240.0 255.255.255.0
 network-object 10.99.241.0 255.255.255.0
 network-object 10.99.242.0 255.255.255.0
 network-object 10.99.243.0 255.255.255.0
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.20.3.0 255.255.255.0
 network-object 10.20.4.0 255.255.255.0
 network-object 10.20.12.0 255.255.255.0
 network-object 10.20.5.0 255.255.255.0
!
object-group network thorman-remote
 network-object 192.168.142.0 255.255.255.0
!
nat (inside,outside) source static thorman-local thorman-local destination static thorman-remote thorman-remot
!
access-list incoming-outside extended permit ip object-group thorman-remote object-group Noverton-remote
!
crypto map external-vpns 600 match address thorman   <-- PROBLEM: I cannot find "thorman". Where is the access-list for that?
crypto map external-vpns 600 set pfs
crypto map external-vpns 600 set peer 135.176.20.84 135.177.156.235
crypto map external-vpns 600 set ikev1 transform-set AES-128-SHA
crypto map external-vpns 600 set security-association lifetime seconds 3600
crypto map external-vpns 600 set security-association lifetime kilobytes 4608000
!

please do not forget to rate.

Sorry Sheraz, that was the wrong config. I have attached the correct one here.

Can you try this:

!

access-list thorman2 extended permit ip object-group thorman-local object-group thorman-remote
!
crypto map external-vpns 600 match address thorman2
crypto map external-vpns 600 set pfs
crypto map external-vpns 600 set peer 135.176.20.84 135.177.156.235
crypto map external-vpns 600 set ikev1 transform-set AES-128-SHA
crypto map external-vpns 600 set security-association lifetime seconds 3600
crypto map external-vpns 600 set security-association lifetime kilobytes 4608000
!

please do not forget to rate.
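As an added example (not code from this thread or from Cisco), the following Python script does offline what Sheraz did by eye in the two posts above, and also lists the overlapping object-group membership Rick asked about: it parses the object groups, crypto ACLs, identity NAT statements and `crypto map ... match address` lines, then reports a crypto map sequence that points at an ACL which does not exist, an ACL that names an undefined object group, a crypto ACL pair with no matching identity NAT, and any subnet that sits in more than one group. The config strings are constructed from the fragments quoted in this thread (trimmed, with the "thorman" ACL left out as in the posted config); `audit`, `parse` and the regexes are this example's own names, not ASA commands.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample for this example: the object groups, crypto ACL, NAT
# exemptions and crypto map lines quoted in the thread, trimmed to what the
# checks need. The "thorman" ACL is deliberately missing, as in the config
# that was posted. Peer addresses are the (obfuscated) ones from the thread.
ASA_CONFIG = """
object-group network Noverton-local
 network-object 10.99.206.0 255.255.255.0
 network-object 192.168.142.0 255.255.255.0
object-group network Noverton-remote
 network-object 10.20.4.0 255.255.255.0
object-group network thorman-local
 network-object 10.99.206.0 255.255.255.0
 network-object 10.20.4.0 255.255.255.0
object-group network thorman-remote
 network-object 192.168.142.0 255.255.255.0
access-list 181.49.11.243_Noverton extended permit ip object-group Noverton-local object-group Noverton-remote
nat (inside,outside) source static Noverton-local Noverton-local destination static Noverton-remote Noverton-remote
nat (inside,outside) source static thorman-local thorman-local destination static thorman-remote thorman-remote
crypto map external-vpns 320 match address 181.49.11.243_Noverton
crypto map external-vpns 320 set peer 181.49.11.243
crypto map external-vpns 600 match address thorman
crypto map external-vpns 600 set peer 135.176.20.84 135.177.156.235
"""

# The fix suggested in the thread: define the ACL and point sequence 600 at it.
FIX = """
access-list thorman2 extended permit ip object-group thorman-local object-group thorman-remote
crypto map external-vpns 600 match address thorman2
"""

OG_RE = re.compile(r"^object-group network (\S+)$")
NET_RE = re.compile(r"^\s+network-object (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Extract object groups, crypto ACLs, identity-NAT pairs and crypto map ACL references."""
    groups = defaultdict(list)  # group name -> [IPv4Network]
    acls = defaultdict(list)    # ACL name -> [(src_group, dst_group)]
    nat_exempt = set()          # (src_group, dst_group) pairs with real == mapped (no translation)
    cmaps = {}                  # (crypto map, seq) -> ACL name; a later line replaces an earlier one
    current = None
    for line in config.splitlines():
        if m := OG_RE.match(line):
            current = m.group(1)
            groups[current]  # register the group even before its first member
        elif m := NET_RE.match(line):
            groups[current].append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            s_real, s_mapped, d_real, d_mapped = m.groups()
            if s_real == s_mapped and d_real == d_mapped:
                nat_exempt.add((s_real, d_real))
        elif m := CMAP_RE.match(line):
            cmaps[(m.group(1), int(m.group(2)))] = m.group(3)
    return groups, acls, nat_exempt, cmaps


def audit(config):
    """Return findings as strings; ERROR lines stop the tunnel from ever carrying traffic."""
    groups, acls, nat_exempt, cmaps = parse(config)
    findings = []
    for (cmap, seq), acl in sorted(cmaps.items()):
        if acl not in acls:
            findings.append(f"ERROR: crypto map {cmap} {seq} matches undefined ACL '{acl}'; "
                            "no traffic is selected for this peer")
            continue
        for src, dst in acls[acl]:
            for g in (src, dst):
                if g not in groups:
                    findings.append(f"ERROR: ACL {acl} references undefined object-group {g}")
            if (src, dst) not in nat_exempt:
                findings.append(f"WARN: no identity NAT for {src} -> {dst}; traffic may be "
                                f"translated before it is matched against ACL {acl}")
    # A subnet in several groups is legal (it is how the hub hairpins between spokes),
    # but it is what confused the thread, so list it for the reader to confirm.
    where = defaultdict(list)
    for g, nets in groups.items():
        for n in nets:
            where[n].append(g)
    for n, gs in sorted(where.items()):
        if len(gs) > 1:
            findings.append(f"INFO: {n} is in {', '.join(sorted(gs))}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("with thorman2 fix", ASA_CONFIG + FIX)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(" ", f)
```

Run it as-is and the "as posted" pass reports the undefined "thorman" ACL on sequence 600, while the pass with the thorman2 lines appended reports only the three INFO lines (10.99.206.0/24, 10.20.4.0/24 and 192.168.142.0/24 each in two groups). On the ASA itself the equivalent check for one flow is `packet-tracer input outside icmp 192.168.142.10 8 0 10.20.4.10`, which shows the NAT rule and crypto map sequence a Thorman-to-Noverton packet actually hits, and `show crypto ipsec sa` shows whether the encaps/decaps counters for that peer move at all.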

I will try this and feedback shortly