06-08-2016 01:07 PM
I set up a lab for a site-to-site VPN connection between an ASA5512 and a 2851 router for the customer.
Internet access for LANs at each site.
I can reach the internal network of the router side from the ASA LAN, and everything works perfectly.
But I am not able to reach the ASA LAN from the router side, and if I start the ping from the router side first, the VPN tunnel does not even come up.
When I run show ip access-list, I can see the traffic hits the VPN tunnel ACL and blocks the traffic from getting through the Internet.
When I debug crypto isakmp on the router, it has no output.
Router configuration:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address x.x.x.x no-xauth
!
!
crypto ipsec transform-set vpntest esp-3des esp-md5-hmac
!
crypto map maptest 10 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime seconds 86400
set transform-set vpntest
match address vpnremote
ip access-list extended nat
deny ip 172.30.0.0 0.0.255.255 192.168.10.0 0.0.0.255
permit ip 172.30.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.0.1.255 any
ip access-list extended outside
permit udp any any eq bootpc
permit icmp any any
permit tcp any any eq 22
permit esp any any
permit udp host 8.8.8.8 any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq ntp
permit udp any eq ntp any
permit udp any any
ip access-list extended vpnremote
permit ip 172.30.0.0 0.0.255.255 192.168.10.0 0.0.0.255
06-08-2016 04:58 PM
Hi,
Please use interface captures on the ASA to check whether the traffic is reaching the ASA or not.
I hope the crypto ACL is matching on both devices.
You can also capture UDP 500 traffic on the outside interface of the ASA. ( set a
You can also use debug
Regards,
Aditya
Please rate helpful posts and mark correct answers.
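One way to do the crypto ACL comparison suggested in the reply above, as an added example that is not part of this thread: it parses the router's wildcard-mask ACL and the ASA's object-based ACL into (source, destination) networks and reports any proxy-ID pair that is not mirrored on the other side. The config lines embedded below are constructed from the two configs posted in the thread; the operand grammar handled (any, host, object, address/mask) is my assumption about the two formats.

```python
import ipaddress
from functools import partial

# Sample entries constructed from the router and ASA configs posted in this thread.
ROUTER_CRYPTO_ACL = ["permit ip 172.30.0.0 0.0.255.255 192.168.10.0 0.0.0.255"]
ASA_OBJECTS = {"local_network": "192.168.10.0 255.255.255.0",
               "remote_network": "172.30.0.0 255.255.0.0"}
ASA_CRYPTO_ACL = ["access-list outside_cryptomap extended permit ip "
                  "object local_network object remote_network"]
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def ios_operand(tokens):
    """Consume one IOS operand (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    wc = int(ipaddress.IPv4Address(tokens[1]))
    if (wc + 1) & wc:  # a non-contiguous wildcard has no subnet-mask equivalent
        raise ValueError("non-contiguous wildcard " + tokens[1])
    mask = str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[0], mask), strict=False), tokens[2:]

def asa_operand(tokens, objects):
    """Consume one ASA operand (any | any4 | host A | object NAME | A MASK)."""
    if tokens[0] in ("any", "any4"):
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    if tokens[0] == "object":  # object value is the "subnet A MASK" body, as in the thread
        return ipaddress.IPv4Network(tuple(objects[tokens[1]].split()), strict=False), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]

def permit_ip_pairs(lines, operand):
    """(src, dst) networks of every 'permit ip SRC DST' entry; deny entries never select traffic."""
    pairs = set()
    for line in lines:
        t = line.split()
        if "permit" in t and t[t.index("permit") + 1] == "ip":
            src, rest = operand(t[t.index("permit") + 2:])
            dst, _ = operand(rest)
            pairs.add((src, dst))
    return pairs

def crypto_acl_mismatches(router_lines, asa_lines, asa_objects):
    """Proxy-ID pairs present on one side but not mirrored on the other (empty list = consistent)."""
    router = permit_ip_pairs(router_lines, ios_operand)
    asa = permit_ip_pairs(asa_lines, partial(asa_operand, objects=asa_objects))
    return sorted(router ^ {(dst, src) for src, dst in asa}, key=str)
```

For the two configs in this thread the result is an empty list, so a mismatched proxy ID is not the cause here; narrowing either side (for example a /25 object on the ASA) makes both halves show up as unmatched.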
06-08-2016 05:12 PM
Hi
Can you post the ASA config file please? (Delete all confidential data.)
It could be an issue coming from ACL, or NAT. Did you already check that?
If you want, I can build up a quick lab and show you config from ASA and router. Then you can compare.
Thanks
06-09-2016 06:28 AM
Thanks for your response, please see the ASA config:
ASA Version 9.1(2)
!
hostname FirewallTest
domain-name xxxx
enable password XgqE2ti75e5Du.lY encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name acstest
object network local_network
subnet 192.168.10.0 255.255.255.0
object network remote_network
subnet 172.30.0.0 255.255.0.0
access-list inside_access_in extended permit ip object local_network any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip object local_network object remote_network
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static local_network local_network destination static remote_network remote_network no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic local_network interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set vpntest esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set vpntest
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.10.101-192.168.10.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username testadmin password .hnKhTzJUM6CVX4W encrypted
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 23
subscribe-to-alert-group configuration periodic monthly 23
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f7a99df13cbe0f735efb01ce7c371029
: end
06-09-2016 06:37 AM
Hi
I'm reading it through my smartphone and it's a little bit hard :-)
I think you are missing a route.
Could you try a ping from router LAN to ASA LAN and run a logging console on ASA to see logs? Could you please share it?
If it is not working, could you try to add a route:
route 172.30.0.0 255.255.0.0 x.x.x.255 (ASA outside interface).
In the meantime, I will re-read your config this evening when I'm back home to check, because again through a smartphone it's quite hard.
In any case, I will share a sketch with configs with you, then you will be able to compare if needed.
06-09-2016 08:04 AM
Although the VPN tunnel is showing up, I am still not able to reach the ASA inside network.
This is the output of debug cry isa on the router:
*Jun 9 15:16:00.819: ISAKMP:(1002):purging node -1560853873
*Jun 9 15:16:10.819: ISAKMP (1002): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Jun 9 15:16:10.819: ISAKMP: set new node -922729395 to QM_IDLE
*Jun 9 15:16:10.819: ISAKMP:(1002): processing HASH payload. message ID = 3372237901
*Jun 9 15:16:10.819: ISAKMP:(1002): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3372237901, sa = 0x48824C5C
*Jun 9 15:16:10.819: ISAKMP:(1002):deleting node -922729395 error FALSE reason "Informational (in) state 1"
*Jun 9 15:16:10.819: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 9 15:16:10.819: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
06-09-2016 03:43 PM
Hi
Sorry for the late answer. I've gone through your config and everything seems to be working fine.
Could you add a design of your infrastructure?
I've done a quick lab with your configs (see attachment) and when I initiate an ICMP request from the PC behind the router, the tunnel comes up. I have also added logging when the VPN was coming up.
Here is the small lab I've done:
Here is the ping initiated from PC2. There were timeouts while the VPN was down, and after it came up:
06-10-2016 08:37 AM
06-10-2016 11:41 AM
Hi
On my router R1, which simulates an Internet cloud, it's a very simple config with 2 static routes.
Your issue is on the remote sites. Are you sure concerning the traffic going out?
Did you do some traces on the ASA (debug, captures, ...)?
Thanks
06-10-2016 12:26 PM
Yes, I debugged the traffic on the ASA; it captured the ICMP getting in but no answer.
06-10-2016 02:51 PM
What does that mean? No traffic coming in on the ASA?
Could you share your router config?
06-13-2016 09:14 AM
Sorry for the late answer.
I tried pinging the host 192.168.10.101, which is connected to the ASA internal network, from the router-side switch 172.30.0.10, which is connected to the router directly, and
I captured the information on the ASA as follows:
It looks like the traffic from the router could hit the ASA internal network, but there was no answer being sent back to the router.
06-13-2016 10:05 AM
While the IPSEC is UP, is it UP on both ends?
Could you issue the command show route 172.30.0.0 and give the output?
06-13-2016 12:57 PM
On the firewall:
FirewallTest# sh cry isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 206.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
===============================================
On the router:
Router_Site_R#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
206.x.x.x 72.x.x.x QM_IDLE 1005 ACTIVE
Router_Site_R#sh cry ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: maptest, local addr 206.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 72.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 772, #pkts encrypt: 772, #pkts digest: 772
#pkts decaps: 876, #pkts decrypt: 876, #pkts verify: 876
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 206.x.x.x, remote crypto endpt.: 72.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x2A1DF98C(706607500)
PFS (Y/N): N, DH group: none
You can see the VPN tunnel is actually up, but I am still not able to ping the ASA host from the router inside network.
06-13-2016 01:04 PM
Could you send the output of show route from the ASA to reach the remote LAN?
From the ASA inside LAN to the remote LAN, are your pings responding?