Tunnel Established but No Traffic Passing Over Site-2-Site VPN

mzeimen
Level 1

I have a Cisco 2900 series building a site-2-site VPN tunnel to an ASA 5510. The tunnel establishes just fine but I am unable to get traffic to flow through the tunnel. I have read several other posts and tried many of the suggestions (probably breaking things in the process). I am not sure if I have no-nat all screwed up or if my access lists on the router are goofy. Any help is greatly appreciated.

ASA CONFIG:


ASA Version 8.4(4)1
!
hostname test-fw
domain-name ficticious.local

names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.*
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/2
nameif DMZ-TNS
security-level 10
ip address 192.168.31.1 255.255.255.0
!
interface Ethernet0/3
nameif DMZ-SMTP
security-level 9
ip address 192.168.32.1 255.255.255.0
!
interface Management0/0
nameif cradelpoint
security-level 1
ip address 192.168.254.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ficticious.local
object network obj-172.16.3.2
host 172.16.3.2
object network obj-172.16.7.2
host 172.16.7.2
object network obj-172.16.10.2
host 172.16.10.2
object network obj-172.16.13.2
host 172.16.13.2
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.7.0
subnet 192.168.7.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.12.0
subnet 192.168.12.0 255.255.255.0
object network obj-192.168.13.0
subnet 192.168.13.0 255.255.255.0
object network obj-192.168.15.0
subnet 192.168.15.0 255.255.255.0
object network obj-192.168.16.0
subnet 192.168.16.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-192.168.32.10
host 192.168.32.10
object network NETWORK_OBJ_192.168.20.0
host 192.168.20.0
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0

object network NETWORK_OBJ_192.168.3.0
host 192.168.3.0
object network NETWORK_OBJ_192.168.3.144_28
subnet 192.168.3.144 255.255.255.240
object network obj-192.168.50.11
object network obj-192.168.30.10
host 192.168.30.10
object network obj-192.168.40.10
host 192.168.40.10
object network obj-192.168.70.10
host 192.168.70.10
object network obj-192.168.150.10
host 192.168.150.10
object network obj-192.168.160.10
host 192.168.160.10
object network obj-10.10.10.10
host 10.10.10.10
object network obj-192.168.120.10
host 192.168.120.10

access-list Out-In extended deny ip any any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console informational
logging monitor informational
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational

mtu outside 1500
mtu inside 1500
mtu DMZ-TNS 1500
mtu DMZ-SMTP 1500
mtu cradelpoint 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
icmp deny any DMZ-TNS


arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.144_28 NETWORK_OBJ_192.168.3.144_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
!
object network obj-172.16.3.2
nat (inside,outside) dynamic interface
object network obj-172.16.7.2
nat (inside,outside) dynamic interface
object network obj-172.16.10.2
nat (inside,outside) dynamic interface
object network obj-172.16.13.2
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.4.0
nat (inside,outside) dynamic interface
object network obj-192.168.5.0
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.7.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
object network obj-192.168.9.0
nat (inside,outside) dynamic interface
object network obj-192.168.10.0
nat (inside,outside) dynamic interface
object network obj-192.168.12.0
nat (inside,outside) dynamic interface
object network obj-192.168.13.0
nat (inside,outside) dynamic interface
object network obj-192.168.15.0
nat (inside,outside) dynamic interface
object network obj-192.168.16.0
nat (inside,outside) dynamic interface
object network obj-10.1.0.0
nat (inside,outside) dynamic interface
object network obj-192.168.32.10
nat (DMZ-SMTP,outside) static 12.200.89.172
object network obj-192.168.50.11

route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 10.1.0.0 255.255.0.0 192.168.3.1 1
route inside 10.10.0.0 255.255.0.0 192.168.3.1 1
route inside 10.200.0.0 255.255.0.0 192.168.3.1 1
route inside 172.16.3.2 255.255.255.255 192.168.3.1 1
route inside 172.16.7.2 255.255.255.255 192.168.3.1 1
route inside 172.16.10.2 255.255.255.255 192.168.3.1 1
route inside 172.16.13.2 255.255.255.255 192.168.3.1 1
route inside 192.168.4.0 255.255.255.0 192.168.3.1 1
route inside 192.168.5.0 255.255.255.0 192.168.3.1 1
route inside 192.168.6.0 255.255.255.0 192.168.3.1 1
route inside 192.168.7.0 255.255.255.0 192.168.3.1 1
route inside 192.168.8.0 255.255.255.0 192.168.3.1 1
route inside 192.168.9.0 255.255.255.0 192.168.3.1 1
route inside 192.168.10.0 255.255.255.0 192.168.3.1 1
route inside 192.168.12.0 255.255.255.0 192.168.3.1 1
route inside 192.168.13.0 255.255.255.0 192.168.3.1 1
route inside 192.168.15.0 255.255.255.0 192.168.3.1 1
route inside 192.168.16.0 255.255.255.0 192.168.3.1 1
route outside 192.168.20.0 255.255.255.0 *.*.*.* 1
route inside 192.168.30.0 255.255.255.0 192.168.3.1 1
route inside 192.168.40.0 255.255.255.0 192.168.3.1 1
route inside 192.168.50.0 255.255.255.0 192.168.3.1 1
route inside 192.168.70.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.120.0 255.255.255.0 192.168.3.1 1
route inside 192.168.150.0 255.255.255.0 192.168.3.1 1
route inside 192.168.160.0 255.255.255.0 192.168.3.1 1


crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set cradelpoint_vpn
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside

telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.2.13 prefer
ssl trust-point ASDM_TrustPoint0 outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map IPSclass
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map IPSpolicy
class IPSclass
  ips inline fail-open
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
class class-default
  user-statistics accounting
!

Router Config:

Current configuration : 2605 bytes
!
! Last configuration change at 18:39:30 UTC Tue Aug 7 2012
! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable password blahblahblah
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 192.168.100.1
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!

!
!
!
redundancy
crypto isakmp policy 2
authentication pre-share
crypto isakmp key 6 IBETYOUCANTGUESS address *.*.*.*
!
!
crypto ipsec transform-set cradelpoint_vpn esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *.*.*.*
set peer *.*.*.*
set transform-set cradelpoint_vpn
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address

shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
no cdp enable
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
no cdp enable
!
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source list nonat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
ip route 192.168.3.0 255.255.255.0 192.168.3.1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end


Jennifer Halim
Cisco Employee

On the ASA, configure the following instead:

nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24

and remove the following:

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24

Then "clear xlate" after the above changes.

On the router, remove the following route:

ip route 192.168.3.0 255.255.255.0 192.168.3.1

Thank you so much for your response. I changed the NAT rule on the ASA as advised along with executing the clear xlate command; however, I'm not sure if it is a typo but you have "any" after the first network object in the NAT rule and it does not fit the syntax of the command, so I omitted it and it is as follows now:

2 (inside) to (outside) source static obj-192.168.3.0 obj-192.168.3.0   destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24

    translate_hits = 0, untranslate_hits = 0

  I also removed the route on the router but I am still having no traffic cross the tunnel.

Here is the routing table on the router now that I have removed the suggested route:

Gateway of last resort is 192.168.100.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 192.168.100.1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0.1
L 192.168.0.1/32 is directly connected, GigabitEthernet0/0.1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.170/32 is directly connected, GigabitEthernet0/1

  I don't know if it is any help but if I perform a show route-map on the router I do not see any packets matching my access-list even though I have a continuous ping running from a node on the inside interface of the router:

router#sh route-map

route-map nonat, permit, sequence 10

  Match clauses:

    ip address (access-lists): 110

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

I would expect to see the ping at least match the access-list and make it to the ASA side of the tunnel right?

Thanks again for your support!

Apologies, yes, it's a typo; I shouldn't have included "any".

BTW, why is the router default gateway 192.168.100.1? What IP address do you get from DHCP?

Is the router getting a dynamic IP address or a static IP address? Is the router getting a private or public IP? If it's a private IP, then where are you configuring the NAT to a public IP, and is the public IP static or dynamic? If it's getting a DHCP address, that means you are configuring dynamic PAT for the router, right? So only the router can initiate the outbound connection. Can you assign a static IP for the router then?

The reason why you aren't seeing any hit on the route-map is because you haven't configured "ip nat outside" on gig0/1.

The router's default gateway is a 3G CradelPoint router assigned 192.168.100.1 and acts as the internet gateway which receives a dynamic public address (yes, I know I have to change the peer and crypto map IP on the ASA every time this changes). The CradelPoint assigns private IP 192.168.100.170 via DHCP to the 0/1 gigabit interface; I know it is not ideal but the CradelPoint router wouldn't play nice when the 2900 was using a static address for some reason. I had this setup passing traffic and working at one point but am obviously still missing something after starting from scratch again. Perhaps it is configuring dynamic PAT as you have mentioned, but unfortunately that is beyond the scope of my knowledge. I can confirm that I have attempted to initiate the outbound connection from the ASA side and it does not work, if that is any help.

I assigned "ip nat outside" on gig0/1 and still see no packets in "sh route-map" output. 

No, you don't have to change the IP address every time the router changes the IP. You can configure a dynamic crypto map on the ASA which would accept connections from a dynamic IP.

You definitely can't initiate the VPN from the ASA side because the router end is configured with dynamic PAT, which means only outbound connection works. Which in turn means, you can only initiate the traffic from the router end towards the ASA, not the other way round. Once the VPN tunnel is established, you can send traffic both ways.

Try to initiate ping sourcing from 192.168.0.1 towards the ASA inside interface and see if that brings up the tunnel.

Poor choice of words on my behalf, I understand I can use a dynamic crypto map but we choose not to for security purposes and this is just in testing stages so ideally we will have a static address to use eventually. 

I don't have any problem bringing the tunnel up whatsoever by initiating a ping from a client on the inside interface of the 2900, but the strange part is I don't see any hits on the route-map and can't seem to get traffic to flow across the tunnel.

Since you don't want to perform any NAT on the router, you can just remove "ip nat inside" and "ip nat outside" on the router interfaces, that way the router will not NAT anything at all.

Can you share the output of:

show cry isa sa

show cry ipsec sa

from both the router and ASA.

Ok, I removed the "ip nat" statements from the interfaces and here is the output you requested:

ASA:


IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: *.*.*.*
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: *.*.*.*

      access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: *.*.*.*

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: *.*.*.*/0, remote crypto endpt.: *.*.*.*/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 87D7FB25
      current inbound spi : 54B98F16

    inbound esp sas:
      spi: 0x54B98F16 (1421446934)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57344, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/3580)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x87D7FB25 (2279078693)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57344, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/3580)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Router:

router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
Not.Gonna.Tell.Ya   192.168.100.170 QM_IDLE           1291 ACTIVE

IPv6 Crypto ISAKMP SA

router#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 192.168.100.170

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer *.*.*.* port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.100.170, remote crypto endpt.: *.*.*.*
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x86E6CAE1(2263272161)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB451FB24(3025271588)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2193, flow_id: Onboard VPN:193, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4557938/3147)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x86E6CAE1(2263272161)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2194, flow_id: Onboard VPN:194, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4557921/3147)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Ahh, looks like the CradelPoint router might have dropped the ESP packet, as we can see the router is encrypting the packets, but the ASA receives nothing/decrypts nothing, meaning it doesn't even reach the ASA.

Enable NAT-T, so ESP gets encapsulated in UDP/4500.

On ASA:

crypto isakmp nat-traversal 30
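The reasoning in the reply above (router #pkts encaps climbing while the ASA's #pkts decaps stays at zero, with the router's crypto endpoint being a private address and the peer port still 500) can be checked mechanically. The following Python is an added example, not code from this thread; it parses abbreviated, constructed copies of both `show crypto ipsec sa` outputs (masked public addresses replaced with RFC 5737 documentation addresses), verifies that the proxy identities mirror each other, and reports the counter asymmetry and the missing NAT-T.

```python
import ipaddress
import re

# Constructed sample input: abbreviated "show crypto ipsec sa" output from the two
# tunnel ends in this thread (IOS router behind the CradelPoint, ASA on the far side).
# Masked public addresses are replaced with RFC 5737 documentation addresses.
ROUTER_SA = """\
interface: GigabitEthernet0/1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     local crypto endpt.: 192.168.100.170, remote crypto endpt.: 203.0.113.10
"""
ASA_SA = """\
interface: outside
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 203.0.113.10/0, remote crypto endpt.: 198.51.100.7/0
"""


def parse_ipsec_sa(text):
    """Extract the fields the diagnosis needs; regexes tolerate IOS/ASA spacing differences."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    return {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "local_endpt": grab(r"local crypto endpt\.: ([\d.]+)"),
        "peer_port": grab(r"current_peer:? [\d.]+ port (\d+)"),  # IOS prints this, ASA does not
        "encaps": int(grab(r"#pkts encaps: (\d+)") or 0),
        "decaps": int(grab(r"#pkts decaps: (\d+)") or 0),
    }


def diagnose(router, asa):
    """Compare the two ends; return a list of findings (empty means healthy)."""
    findings = []
    # Crypto ACLs must be exact mirror images, or phase 2 selects the wrong SA.
    if (router["local_ident"], router["remote_ident"]) != (asa["remote_ident"], asa["local_ident"]):
        findings.append("proxy identities are not mirror images: crypto ACLs disagree")
    # Packets encrypted on one side must show up as decrypted on the other.
    if router["encaps"] > 0 and asa["decaps"] == 0:
        findings.append("router encapsulates ESP but ASA decapsulates nothing: "
                        "ESP is dropped in transit, likely by the PAT device in front of the router")
    if asa["encaps"] > 0 and router["decaps"] == 0:
        findings.append("ASA encapsulates ESP but router decapsulates nothing")
    if router["encaps"] == 0 and asa["encaps"] == 0:
        findings.append("neither side encrypts: traffic misses the crypto ACL or is NATed first")
    # A private local endpoint means the router sits behind NAT; the peer port
    # should then be 4500 (NAT-T) rather than 500.
    if ipaddress.ip_address(router["local_endpt"]).is_private and router["peer_port"] == "500":
        findings.append("router is behind NAT but peer port is 500: NAT-T not negotiated, "
                        "enable it (ASA: crypto isakmp nat-traversal) so ESP rides in UDP/4500")
    return findings
```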

Genius! Thank you so much! That did the trick; I knew it was something small like that but a fresh set of eyes was just what I needed! Now I just have to figure out why my VPN traffic isn't being exempted from the firewall rules.
