Route another sub-net traffic via Site-to-Site VPN on ASA 5500

atishin
Level 1

I have a functioning site-to-site VPN between two ASA 5505 appliances. The subnet on one side is 192.168.20.0/24 (inside I/F) and on the other side is 192.168.30.0/24 (inside I/F). The VPN is built over the public Internet (outside I/Fs of those two ASAs).

Now I have connected another subnet on the 192.168.30.0/24 side, e.g. 192.168.35.0/24. Traffic from the 192.168.30.0 subnet is routed to 192.168.35.0 via a gateway at the 192.168.30.250 IP.

My task is to make packets from the 192.168.20.0 subnet go to the 192.168.35.0 subnet and vice versa.

I set up a static route on the 20.0 ASA's inside interface as 192.168.35.0 255.255.255.0 to 192.168.30.250. I also created NAT exemptions for outbound packets from 20.0 to 35.0 and inbound as well. I also added the destination network of 35.0 to the VPN crypto map traffic selection (on both ASAs).

Still, packets are not going through.

Any help with the setup would be highly appreciated. Thanks!

2 Replies

Marvin Rhoads
Hall of Fame

Packet-tracer is your friend here. Plug in your source and destination IPs and it will show you the steps the packet takes through the ASA and where it is being dropped. You can access it either via the ASDM GUI or via the CLI.

If you want to follow a more detailed path you can always "show cry ipsec sa" and make sure the source and destination networks have formed IPsec SAs properly at both ends. If not, you can "debug crypto ipsec 7" at both ends and look for errors in the cryptomaps. If you have more than one site-site VPN you may want to add "debug crypto condition peer ". (You have a working VPN so "debug crypto isakmp 7" would be overkill.)

The static shouldn't be necessary if your default gateway is on the outside interface. The packets should come into the ASA, be NAT-exempted, hit the cryptomap access-list on interface outside, and be put into an IPsec SA on the site-site VPN.

Thank you for the reply! It seems that, based on the packet-tracer info, ICMP packets should be going fine (see below), but when I do "ping 192.168.35.3" from the 20.0 network, I get "Request timed out".

asa-office# packet-tracer input inside icmp 192.168.20.12 8 0 192.168.35.3 det$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8134868, priority=1, domain=permit, deny=false
        hits=590132413, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 INT_NET_US 255.255.255.0 any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd81d35b8, priority=12, domain=permit, deny=false
        hits=18792771, user_data=0xd64d25a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=INT_NET_US, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8136fa0, priority=0, domain=inspect-ip-options, deny=true
        hits=40604213, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class1
match any
policy-map global-policy-netflow
class global-class1
  inspect http
service-policy global-policy-netflow global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd881a8e0, priority=70, domain=inspect-http, deny=false
        hits=30199129, user_data=0xd881a728, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8136c18, priority=66, domain=inspect-icmp-error, deny=false
        hits=1215301, user_data=0xd8136b00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd881b3b8, priority=17, domain=flow-export, deny=false
        hits=34923104, user_data=0xd88189d0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside INT_NET_US 255.255.255.0 outside 192.168.35.0 255.255.255.0
    NAT exempt
    translate_hits = 74, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xda0f5700, priority=6, domain=nat-exempt, deny=false
        hits=74, user_data=0xd932f938, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=INT_NET_US, mask=255.255.255.0, port=0
        dst ip=192.168.35.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 10
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8127c88, priority=6, domain=nat-exempt-reverse, deny=false
        hits=25, user_data=0xd8a32840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=INT_NET_US, mask=255.255.255.0, port=0
        dst ip=192.168.35.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) APU_E APU_I netmask 255.255.255.255
  match ip inside host APU_I outside any
    static translation to APU_E
    translate_hits = 73421, untranslate_hits = 1248268
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd81cec08, priority=5, domain=nat, deny=false
        hits=458056, user_data=0xd81ce360, cs_id=0x0, flags=0x0, protocol=0
        src ip=APU_I, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) APU_E APU_I netmask 255.255.255.255
  match ip inside host APU_I outside any
    static translation to APU_E
    translate_hits = 73421, untranslate_hits = 1248268
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd81cef60, priority=5, domain=host, deny=false
        hits=1593063, user_data=0xd81ce360, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=APU_I, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8188f98, priority=0, domain=host-limit, deny=false
        hits=30198109, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 14
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd93e0748, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0xa6ad18c, cs_id=0xd8798648, reverse, flags=0x0, protocol=0
        src ip=INT_NET_US, mask=255.255.255.0, port=0
        dst ip=192.168.35.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 42393361, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

############################ Below is the portion of sho cry ipsec command #############################

asa-office# show cry ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: AAA.AAA.AAA.AAA

      access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (INT_NET_US/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (INT_NET_COLO/255.255.255.0/0/0)
      current_peer: BBB.BBB.BBB.BBB

      #pkts encaps: 1029637, #pkts encrypt: 1029637, #pkts digest: 1029637
      #pkts decaps: 1295803, #pkts decrypt: 1295803, #pkts verify: 1295803
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1029637, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:AAA.AAA.AAA.AAA, remote crypto endpt.: BBB.BBB.BBB.BBB
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DCB91573
      current inbound spi : 28863050

    inbound esp sas:
      spi: 0x28863050 (679882832)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2609152, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3828550/12552)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDCB91573 (3703117171)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2609152, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3874748/12552)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 1, local addr: AAA.AAA.AAA.AAA

      access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.35.0 255.255.255.0
      local ident (addr/mask/prot/port): (INT_NET_US/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
      current_peer: BBB.BBB.BBB.BBB

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: AAA.AAA.AAA.AAA, remote crypto endpt.: BBB.BBB.BBB.BBB
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8156359C
      current inbound spi : EB153CB4

    inbound esp sas:
      spi: 0xEB153CB4 (3944037556)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2609152, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27325)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x8156359C (2169910684)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2609152, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27322)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
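Marvin's advice is to confirm that SAs have formed for the right networks at both ends, and the SA pair for 192.168.35.0 above shows the pattern worth reading for: 10 packets encapsulated, 0 decapsulated, so this ASA is encrypting but nothing comes back. The following is an added example, not code from the thread or from Cisco: a Python parser over a constructed copy of that "show cry ipsec sa" output (object names replaced with the subnets the thread gives, peer addresses replaced with documentation addresses) that extracts each SA pair's selectors and encaps/decaps counters and labels one-way pairs.

```python
import re

# Constructed sample modelled on the two SA pairs in the thread's "show cry ipsec sa"
# output: object names replaced by the subnets the thread gives, peers by test addresses.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 1029637, #pkts encrypt: 1029637, #pkts digest: 1029637
      #pkts decaps: 1295803, #pkts decrypt: 1295803, #pkts verify: 1295803
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT = re.compile(r":\s*\(([^/]+)/")   # address field of "(addr/mask/prot/port)"

# One dict per SA pair: local/remote selector network plus encaps/decaps counters.
def parse_ipsec_sas(text):
    sas, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Crypto map tag:"):
            cur = {"encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is None:
            continue                      # header lines before the first SA pair
        elif s.startswith("local ident"):
            cur["local"] = IDENT.search(s).group(1)
        elif s.startswith("remote ident"):
            cur["remote"] = IDENT.search(s).group(1)
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps:\s*(\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps:\s*(\d+)", s).group(1))
    return sas

def classify(sa):
    # encaps > 0 with decaps == 0 means this end encrypts but never receives,
    # so the return path (far-side routing and NAT exemption) is the next check.
    if sa["encaps"] and not sa["decaps"]:
        return "one-way: sending only"
    if sa["decaps"] and not sa["encaps"]:
        return "one-way: receiving only"
    return "bidirectional" if sa["encaps"] else "idle"
```

Feed it the real output of "show cry ipsec sa" from a file to check every SA pair on a box at once.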