Site to Site VPN issue on ASA (5510&5505)

ruben-lopes
Level 1

Hi All,

I'm currently having a serious issue setting up a simple Site to Site VPN.

I have used this as a guide: http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5500/quick/guide/sitvpn_b.html

I have the following setup:

A
10.10.10.0  are PERMITTED to use this IPSec tunnel to communicate with the remote-site 10.20.20.0

B
10.20.20.0  are PERMITTED to use this IPSec tunnel to communicate with the remote-site 10.10.10.0

Site B can ping A, but A can't ping B.

Any ideas what I'm doing wrong? I have other VPNs running with no issue, but this one is just not working...

The "Exempt ASA side host network from address translation" check box is ticked on both sides...

The VPN was created with the ASDM Site to Site VPN wizard.

Help!

12 Replies

Jennifer Halim
Cisco Employee

A few things to check: whether you have any access-list that might be blocking ICMP, and whether ICMP inspection has been configured on both ASAs.

Lastly, check if host B has any personal firewall that might be blocking incoming pings.

It's not really about the pings; I can't access anything on the A side, not even the router...

Hi Ruben,

Can you paste your config here ?

Thanks,

Namit

ruben-lopes
Level 1

Just an update: I have just realised I can browse to the servers from B to A!

So right now I cannot remote onto the servers or ping them... anything related to RDP/SSL maybe?

I can remote and ping from A to B, but for some odd reason can't ping or access my ESXi server through the vSphere client; I'm assuming somewhere along the line SSL is being blocked?

Is there any command that I can execute that will get the relevant information? I have just tried sanitising the sh run, and it just mixes things up as there is so much information that I would have to remove.

Where is the traffic actually failing, ie: at which point?

Without looking at the config, it's difficult to tell where exactly is the problem.

It could be access-list, or inspection.

What does the output of "show cry ipsec sa" show on both sides?

Try packet tracer on the ASA, and it will tell you where it might fail if it's the ASA. If not, then it could be other things within the network. Are the server subnets directly connected to the ASA?

ruben-lopes
Level 1

Please see below:

                              ASA 5505             ASA5510

10.253.254.0/24  -- 38.101.x.x << -->> 91.75.x.x -- 10.252.254.0/24

One side:

Result of the command: "show crypto IPsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 38.101.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.253.254.10/255.255.255.255/0/0)
      current_peer: xx, username: xx
      dynamic allocated peer ip: 10.253.254.10

      #pkts encaps: 22768, #pkts encrypt: 22768, #pkts digest: 22768
      #pkts decaps: 21470, #pkts decrypt: 21470, #pkts verify: 21470
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 22768, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 38.101.x.x, remote crypto endpt.: 80.227.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8D808986

    inbound esp sas:
      spi: 0xBF34948C (3207894156)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 878, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28245
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x8D808986 (2374011270)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 878, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28245
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 1, local addr: 38.101.x.x

      access-list outside_1_cryptomap permit ip 10.253.254.0 255.255.255.0 10.252.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      current_peer: 91.75.x.x

      #pkts encaps: 6751, #pkts encrypt: 6751, #pkts digest: 6751
      #pkts decaps: 6719, #pkts decrypt: 6719, #pkts verify: 6719
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6751, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 38.101.x.x, remote crypto endpt.: 91.75.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 574368C8

    inbound esp sas:
      spi: 0x24B29DEA (615685610)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 880, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824559/22591)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x574368C8 (1464035528)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 880, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824556/22591)
         IV size: 8 bytes
         replay detection support: Y

Other Side:

Result of the command: "show crypto IPsec sa"

interface: Outside
    Crypto map tag: Outside_map, seq num: 80, local addr: 91.75.x.x

      access-list Outside_cryptomap_80 permit ip 10.252.254.0 255.255.255.0 10.253.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
      current_peer: 38.101.x.x

      #pkts encaps: 6814, #pkts encrypt: 6814, #pkts digest: 6814
      #pkts decaps: 6840, #pkts decrypt: 6840, #pkts verify: 6840
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6814, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x, remote crypto endpt.: 38.101.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 24B29DEA

    inbound esp sas:
      spi: 0x574368C8 (1464035528)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274551/22497)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x24B29DEA (615685610)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274554/22497)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 91.75.35.140

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.252.254.101/255.255.255.255/0/0)
      current_peer: 109.70.x.x, username: x.x
      dynamic allocated peer ip: 10.252.254.101

      #pkts encaps: 9843, #pkts encrypt: 9843, #pkts digest: 9843
      #pkts decaps: 15702, #pkts decrypt: 15702, #pkts verify: 15702
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9843, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x/4500, remote crypto endpt.: 109.70.x.x/4261
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: F7DD7D3C

    inbound esp sas:
      spi: 0x365FE11A (912253210)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 30, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8302
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xF7DD7D3C (4158487868)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 30, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8302
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 60, local addr: 91.75.35.140

      access-list Outside_cryptomap_60 permit ip 10.252.254.0 255.255.255.0 10.251.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.251.254.0/255.255.255.0/0/0)
      current_peer: 202.63.x.x

      #pkts encaps: 45386, #pkts encrypt: 45386, #pkts digest: 45386
      #pkts decaps: 40752, #pkts decrypt: 40752, #pkts verify: 40752
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 45386, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75x.x, remote crypto endpt.: 202.63.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 4D2D3910

    inbound esp sas:
      spi: 0x35E0B702 (903919362)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3819169/6856)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x4D2D3910 (1294809360)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3805674/6856)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.35.140

      access-list Outside_cryptomap_20_2 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
      current_peer: 216.107.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 510, #pkts decrypt: 510, #pkts verify: 510
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x, remote crypto endpt.: 216.107.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 0A800416

    inbound esp sas:
      spi: 0x8389203F (2206801983)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3824993/4605)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0A800416 (176161814)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/4605)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.x.x

      access-list Outside_cryptomap_20_2 permit ip 10.252.254.0 255.255.255.0 10.254.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
      current_peer: 216.107.x.x

      #pkts encaps: 340798, #pkts encrypt: 340798, #pkts digest: 340798
      #pkts decaps: 404622, #pkts decrypt: 404622, #pkts verify: 404622
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 340798, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x, remote crypto endpt.: 216.107.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 58AF6FDC

    inbound esp sas:
      spi: 0x0E076F75 (235368309)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3824672/28177)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x58AF6FDC (1487892444)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3824835/28177)
         IV size: 16 bytes
         replay detection support: Y

It doesn't appear to be a VPN problem, at least from the output provided.

Have you tested packet-tracer? What is the result? Where does it say it's failing?
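The way the reply above reads the pasted output is by comparing the per-entry encaps/decaps counters: a healthy L2L entry shows both counters climbing, an entry that only decaps (like the 192.168.0.0 entry on the 5510) is receiving but never sending, and the transform line tells you which cipher the tunnel negotiated. The script below is an added example, not part of the thread; it parses a constructed excerpt laid out like the posted "show crypto ipsec sa" output and flags idle, one-way and 3DES entries.

```python
import re

# Constructed excerpt in the layout of the posted "show crypto ipsec sa" output (5510 side).
SAMPLE = """\
    Crypto map tag: Outside_map, seq num: 80, local addr: 91.75.x.x
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
      current_peer: 38.101.x.x
      #pkts encaps: 6814, #pkts encrypt: 6814, #pkts digest: 6814
      #pkts decaps: 6840, #pkts decrypt: 6840, #pkts verify: 6840
         transform: esp-3des esp-sha-hmac none
    Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.x.x
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
      current_peer: 216.107.x.x
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 510, #pkts decrypt: 510, #pkts verify: 510
         transform: esp-aes-256 esp-sha-hmac none
"""

FIELD = {  # one regex per field, each run over a single crypto-map block
    "entry": re.compile(r"^(\S+, seq num: \d+)"),
    "local": re.compile(r"local ident \S+: \(([\d.]+/[\d.]+)/"),
    "remote": re.compile(r"remote ident \S+: \(([\d.]+/[\d.]+)/"),
    "peer": re.compile(r"current_peer: ([^\s,]+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "transform": re.compile(r"transform: (\S+)"),
}

def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block; counters as ints, missing fields None."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag: ", text)[1:]:
        rec = {k: (m.group(1) if (m := rx.search(chunk)) else None) for k, rx in FIELD.items()}
        rec["encaps"], rec["decaps"] = int(rec["encaps"] or 0), int(rec["decaps"] or 0)
        entries.append(rec)
    return entries

def diagnose(rec):
    """Findings worth acting on: idle or one-way tunnel, legacy cipher suite."""
    e, d, findings = rec["encaps"], rec["decaps"], []
    if e == 0 and d == 0:
        findings.append("idle: no traffic in either direction")
    elif e == 0 or d == 0:
        findings.append("one-way: " + ("receiving only" if e == 0 else "sending only"))
    if rec["transform"] and "3des" in rec["transform"]:
        findings.append("legacy transform: 3DES, migrate to AES")
    return findings

for rec in parse_ipsec_sa(SAMPLE):
    print(rec["entry"], rec["local"], "->", rec["remote"], rec["encaps"], rec["decaps"], diagnose(rec))
```

Both counters climbing on an entry, as on the 10.252.254.0/10.253.254.0 pair, means ESP is flowing both ways and the fault lies before or after the tunnel (ACLs, inspection, host firewalls), which is what packet-tracer then localises.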

       Site A              ASA 5505             ASA5510        Site B

10.253.254.0/24  -- 38.101.x.x << -->> 91.75.x.x -- 10.252.254.0/24

All seems OK with the tunnel. My current problems are:

  • Site A cannot ping/tracert or RDP to anything on Site B but can browse to the servers
  • Site B can ping and access all IPs on Site A except one specific IP which belongs to my ESX server

Any idea on the above?

These are my security policies for Site A:

And for Site B:

  • Site A cannot ping/tracert or RDP to anything on Site B but can browse to the servers

In regards to ping, have you enabled ICMP inspection on the ASA?

With RDP, can you telnet on port 3389? Is the server allowing RDP?

  • Site B can ping and access all IPs on Site A except one specific IP which belongs to my ESX server

Sounds like an ESX server issue to me.

So far, all the issues sound more like networking issues than issues related to the VPN tunnel or firewall policy, as you have allowed everything to go through between the 2 subnets. I would suggest that you investigate hop by hop and see where it is failing.

  • I can't telnet or tracert to anything on the other LAN (Site B)... Any idea how I can enable ICMP on the ASA through the ASDM?

  • There is nothing wrong with the ESXi server; I can ping it and connect to it with no problem at all if I'm connected to the LAN through the VPN or from the servers.

Go to Configuration --> Firewall --> Service Policy Rules --> right click on "inspection_default" --> Edit... --> Rule Actions --> enable both ICMP and ICMP Error --> OK --> Apply

Seems a little different on the 5505:

There is no default... do I create a global SCR?
