09-19-2014 02:11 AM
Dear all,
I have to connect two remote sites using an IPSec Tunnel (EasyVPN). The devices to be used are two Cisco ASA 5505.
They have already been connected to the internet and configured and they can see and ping each other via the “outside” interface. The inside interfaces on both sides have a private address range 192.168.160.0/24 and 192.168.128.0/24.
Before connecting them to the internet I configured them connected to a 2921 Router that simulated the Internet (both interfaces had the addresses of the real gateways). In my test configuration the tunnel was established (checked via show isakmp sa) and two computers connected to the inside interfaces of each ASA could ping each other.
Test Config: *PC*-------*in*ASA*out*-------*2921*----------*out*ASA*in*---------*PC*
The problems came when I connected the ASA devices to the internet. The tunnel is established but I cannot ping devices in the inside interface of the other ASA. Even though the routing table has the correct values.
Real Config: *PC*-------*in*ASA*out*-------*Internet*----------*out*ASA*in*---------*PC*
I am not an expert with the ASA, but as far as I know there shouldn't be a problem with the inside interfaces having a private address, since all the information is sent through the tunnel, right?
Thanks a lot for your help!
Fabio
09-23-2014 11:23 PM
Hi,
Here's the commands:
split-tunnel-policy tunnelall
split-tunnel-network-list none
Regards,
Altaf
09-23-2014 11:25 PM
Dear Altaf,
thanks a lot for your help.
I will try it later since I do not have access to the server. At my site I only have access to the ASA client.
regards,
Fabio
09-24-2014 11:20 PM
Hi Altaf,
it still does not work :-(
Taking a look at the packet tracer on both devices, it seems that they are always dropping the incoming packets. The outgoing ones are sent without problems (also after doing the split-tunnel changes!).
If I change the security level of the interface vlan1 (inside) would it make any difference? I do not mind having it with the lowest security value. Is there any way to bypass the ACL for incoming traffic?
Best regards,
Fabio
09-25-2014 11:03 PM
Hi Altaf,
I somehow managed to find the solution for the problems I saw with the packet tracer. I just put an ACL permitting IP traffic on the outside interface (inbound). Apparently the traffic was being sent but not being received.
Now I have a problem that the incoming traffic on both ASAs is recognized as "IPSEC Spoof". Therefore it is also being dropped... I do not know if I should cry or just throw the ASA out of the window... :-((((
regards,
Fabio
09-25-2014 11:03 PM
Hi Fabio,
Could I get your contact number? We could check this in a remote session.
-Altaf
09-25-2014 11:14 PM
Hi Altaf,
thanks for your offer. Unfortunately, due to enterprise policy I am not allowed to do this. Furthermore, there is no public internet access where the ASAs are located. However, thank you very much for your offer!
I took a look and read about this IPSEC Spoof problem, and in most cases it has to do with NAT or the routing table. Since I am not natting, I suppose that there is something wrong with the routing tables. Is there something specific that has to be done when routing through the tunnel? I took a look at the routing tables, and they seem correct to me. I do not know if the behavior in the ASA is different from the routers. All my Cisco experience has to do with routers and switches, not the ASA.
Thanks again!
Fabio
09-23-2014 07:16 AM
This is the configuration from the device:
If I put security-level 0 on the inside interface, would it work? (regardless of the security issues)
ASA# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA
enable password *************** encrypted
passwd ******************* encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.160.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.224
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 2.2.2.0 255.255.255.224 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.160.0 255.255.224.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.160.11-192.168.160.20 inside
dhcpd enable inside
!
vpnclient server 2.2.2.2
vpnclient mode network-extension-mode
vpnclient vpngroup groupname password ********
vpnclient username user password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
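The following is an added example, not code from this thread or from Cisco. It parses the pre-8.3 `nat`, `global`, `route` and `access-list` statements of the 5505 client config posted above (the relevant lines are copied into ASA_CONFIG) and reports which NAT rule and which route a packet from the local inside LAN 192.168.160.0/24 to the remote inside LAN 192.168.128.0/24 (the subnet named in the first post) would hit under the old NAT engine. It is a way to check the "I am not natting" and "the routing tables seem correct" parts of the thread against the config text itself: the posted config has a catch-all `nat (inside) 1 0.0.0.0 0.0.0.0` paired with `global (outside) 1 interface` and no `nat (inside) 0 access-list` exemption, so the script classifies the tunnel flow as dynamic PAT to the outside address. NONAT_EXEMPTION is a hypothetical pair of lines (the conventional pre-8.3 NAT-exemption idiom, not something posted in the thread) included only to show how the result changes; whether an Easy VPN hardware client in network-extension mode needs such an exemption is not something this thread settles. The parser handles only the `address netmask` forms shown, not `any`, `host` or object groups.

```python
"""Trace what the pre-8.3 ASA NAT engine and routing table do with one flow.

Added example, not code from the thread or from Cisco.  It parses 8.2-style
`nat`, `global`, `route` and `access-list ... extended permit|deny ip` lines
and reports the NAT decision and the egress route for a given src/dst pair.
"""
import ipaddress
import re

# Statements copied from the posted `sh run` that matter for NAT and routing.
ASA_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 2.2.2.0 255.255.255.224 1.1.1.1 1
"""

# Hypothetical lines (NOT in the thread): the conventional pre-8.3 NAT
# exemption for traffic between the two inside LANs, used only for contrast.
NONAT_EXEMPTION = """\
access-list NONAT extended permit ip 192.168.160.0 255.255.255.0 192.168.128.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

LOCAL_LAN = "192.168.160.0/24"   # inside of this ASA (from the config)
REMOTE_LAN = "192.168.128.0/24"  # inside of the other ASA (from the first post)


def _net(ip, mask):
    """Build a network object from the ASA's 'address netmask' pair."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_acls(cfg):
    """Collect `access-list NAME extended permit|deny ip SRC MASK DST MASK` lines."""
    acls = {}
    pat = r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)"
    for name, action, s, sm, d, dm in re.findall(pat, cfg, re.M):
        acls.setdefault(name, []).append((action, _net(s, sm), _net(d, dm)))
    return acls


def acl_permits(acl, src, dst):
    """First-match evaluation with an implicit deny at the end, like the ASA."""
    for action, snet, dnet in acl:
        if src in snet and dst in dnet:
            return action == "permit"
    return False


def nat_decision(cfg, src, dst, in_ifc="inside"):
    """Return ('exempt', acl), ('pat', out_ifc, global_spec) or ('none',).

    Order follows the pre-8.3 engine: `nat (ifc) 0 access-list` exemptions
    are consulted first, then the ordinary `nat (ifc) ID net mask` rules,
    most specific source network first, paired with the `global` of that ID.
    """
    acls = parse_acls(cfg)
    for ifc, acl in re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", cfg, re.M):
        if ifc == in_ifc and acl_permits(acls.get(acl, []), src, dst):
            return ("exempt", acl)
    candidates = []
    nat_pat = r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    for ifc, nat_id, ip, mask in re.findall(nat_pat, cfg, re.M):
        net = _net(ip, mask)
        if ifc == in_ifc and int(nat_id) != 0 and src in net:
            candidates.append((net.prefixlen, int(nat_id)))
    if not candidates:
        return ("none",)
    _, nat_id = max(candidates)
    for out_ifc, gid, spec in re.findall(r"^global \((\S+)\) (\d+) (.+)$", cfg, re.M):
        if int(gid) == nat_id:
            return ("pat", out_ifc, spec.strip())
    return ("none",)


def route_lookup(cfg, dst):
    """Longest-prefix match over `route IFC NET MASK GATEWAY [metric]` lines."""
    best = None
    for ifc, ip, mask, gw in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        net = _net(ip, mask)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifc, gw)
    return None if best is None else (best[1], best[2])


def trace(cfg, src, dst):
    """Summarise the NAT decision and egress route for one src -> dst flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"nat": nat_decision(cfg, src, dst), "route": route_lookup(cfg, dst)}


if __name__ == "__main__":
    flow = ("192.168.160.10", "192.168.128.10")
    print("posted config :", trace(ASA_CONFIG, *flow))
    print("with exemption:", trace(ASA_CONFIG + NONAT_EXEMPTION, *flow))
```

Run as-is, the first line shows the tunnel flow matched by the catch-all PAT rule (`('pat', 'outside', 'interface')`) with the remote LAN reached via the default route, while the second shows the same flow classified as exempt once the hypothetical NONAT lines are present. The route lookup also confirms that 192.168.128.0/24 is only reachable through the default route, which is what a tunnel-bound flow on this box would use anyway.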
09-19-2014 05:10 AM
09-19-2014 05:39 AM
Hi Pete,
but the problem is not there when I have the ASAs connected to my test scenario via the 2911 as "internet simulation".
thanks!
Fabio