05-16-2013 01:47 PM
Hello everyone, I've been racking my brain on this one and can't seem to figure it out. I am setting up a site to site tunnel between an 1811 router and a 5505 ASA. I currently have several tunnels on the ASA but to other security appliances such as ASAs or SonicWALLs. I have gotten the tunnel up, Phase 1 and Phase 2 both complete successfully. However I cannot pass traffic across the tunnel. I see on the ASA Bytes Tx increases with attempts but Bytes Rx never moves. Same thing on the router, #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 - #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453
I'm sure it is something on the router end but can't figure it out. Here is the config I have used:
1811 Router:
crypto isakmp policy 2
encr 3des
authentication pre-share
crypto isakmp key Abc123!@ address XXX.XXX.XXX.XXX
crypto ipsec transform-set Denver esp-3des esp-sha-hmac
crypto map SMD_CMAP_1 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set Denver
match address 120
interface FastEthernet1
ip address XXX.XXX.XXX.XX 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SMD_CMAP_1
ip nat inside source route-map nonat interface FastEthernet1 overload
access-list 115 deny ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.9.1.0 0.0.0.255 any
access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
match ip address 115
ASA 5510:
object network OKL
subnet 10.9.1.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 object OKL
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
crypto ipsec transform-set OKL esp-3des esp-sha-hmac
crypto map IPSECMAP 7 set peer XXX.XXX.XXX.XXX
crypto map IPSECMAP 7 set transform-set OKL
crypto map IPSECMAP 7 set reverse-route
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy VPNGrpPolicy
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key *****
Please help me figure this one out!!!!
Any help is much appreciated.
05-17-2013 07:41 AM
This is strange: pinging is happening and no decaps happening. Strange!!!!!!
Here I see some problem, once doing a ping:
pri/act/dscasa001# ping inside 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
----------------------------------
but the other ping
pri/act/dscasa001# ping 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms -->why is it 1ms?
This IP address you are pinging belongs to the remote site, right, which is on the router end: 10.1.1.14.
05-17-2013 07:32 AM
Now show the output for the command
sh cry ipsec sa
05-17-2013 07:35 AM
oops. sorry...
pri/act/dscasa001# ping inside 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pri/act/dscasa001# sh crypto ipsec sa peer XXX.XXX.XXX.36
peer address: XXX.XXX.XXX.36
Crypto map tag: IPSECMAP, seq num: 7, local addr: XXX.XXX.XXX.68
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
current_peer: XXX.XXX.XXX.36
#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 80, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXX.XXX.XXX.68/0, remote crypto endpt.: XXX.XXX.XXX.36/0
path mtu 1478, ipsec overhead 58, media mtu 1500
current outbound spi: C2E09BFB
current inbound spi : 792C3ECA
inbound esp sas:
spi: 0x792C3ECA (2032942794)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
sa timing: remaining key lifetime (kB/sec): (4374000/3013)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC2E09BFB (3269499899)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
sa timing: remaining key lifetime (kB/sec): (4373995/3013)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-17-2013 07:51 AM
Try to ping some IP in the 10.9.1.0 network from the ASA
ping inside 10.9.1.X (any live IP)
and please paste the output and the crypto decaps and encaps output
05-17-2013 07:56 AM
Run the packet tracer once more because what you ran before was not right.
The first IP should be the source and then the destination:
"packet-tracer input inside icmp 10.1.1.14 0 8 10.9.1.20"
Now here the source is 10.1.1.14 and the destination is 10.9.1.20
05-17-2013 07:59 AM
pri/act/dscasa001# packet-tracer input inside icmp 10.1.1.14 0 8 10.9.1.20
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.9.1.20 255.255.255.255 Outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
Additional Information:
Static translate 10.1.1.14/0 to 10.1.1.14/0
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12369145, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
05-17-2013 08:01 AM
Show the output for
sh cry isa sa
sh cry ipsec sa
05-17-2013 08:02 AM
pri/act/dscasa001# ping 10.9.1.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.9.1.20, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
pri/act/dscasa001# sh crypto ipsec sa peer xxx.xxx.xxx.36
peer address: xxx.xxx.xxx.36
Crypto map tag: IPSECMAP, seq num: 7, local addr: xxx.xxx.xxx.68
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.36
#pkts encaps: 383, #pkts encrypt: 383, #pkts digest: 383
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 383, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.68/0, remote crypto endpt.: xxx.xxx.xxx.36/0
path mtu 1478, ipsec overhead 58, media mtu 1500
current outbound spi: C2E09BFB
current inbound spi : 792C3ECA
inbound esp sas:
spi: 0x792C3ECA (2032942794)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
sa timing: remaining key lifetime (kB/sec): (4374000/1362)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC2E09BFB (3269499899)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
sa timing: remaining key lifetime (kB/sec): (4373977/1362)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-17-2013 08:04 AM
#sh cr isa sa
6 IKE Peer: 41.215.1.36
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
05-17-2013 08:06 AM
Try to ping
ping inside 10.9.1.20
If still not pinging then try to clear the crypto:
clear crypto isa sa peer 41.215.1.36 and check too
Otherwise you need to rebuild the VPN tunnel.
05-17-2013 08:10 AM
I tried the ping after clearing the crypto isakmp and still the same result. Do you think rebuilding the tunnel will help? Is there something that should be done differently?
05-17-2013 08:16 AM
If still no traffic is going through after giving the command
ping inside 10.9.1.20 (request timed out....) then decaps or encaps will not work.
Try to rebuild the tunnel, and when rebuilding increase the order of the crypto map,
and then try to ping inside 10.9.1.20 and run the packet-tracer too, and let's see what is happening.
05-17-2013 08:54 AM
I have rebuilt the tunnel and still no luck. I just want to make sure we are on the same page...
ASA local network is 10.1.1.0/24
1811 Router local network is 10.9.1.0/24
With the following config the tunnel comes up fine. It looks like traffic will leave from the ASA because the Bytes Tx counter will increase, but it is not receiving anything back from the router because the Bytes Rx always shows 0. The router seems to be receiving the traffic from the ASA because the pkts decaps will increase, but it is not sending anything back to the ASA because the pkts encaps counter stays at 0.
Here is the config I just used:
1811 Router:
crypto isakmp policy 1
encr 3des
group 2
hash sha
lifetime 86400
authentication pre-share
crypto isakmp key Abc123!@ address xxx.xxx.xxx.68
crypto ipsec transform-set Denver esp-3des esp-sha-hmac
crypto map SMD_CMAP_1 1 ipsec-isakmp
set peer xxx.xxx.xxx
set transform-set Denver
match address 120
interface FastEthernet1
ip address xxx.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SMD_CMAP_1
ip nat inside source route-map nonat interface FastEthernet1 overload
access-list 115 deny ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.9.1.0 0.0.0.255 any
access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
match ip address 115
ASA 5510:
object network OKL
subnet 10.9.1.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 object OKL
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
crypto ipsec transform-set OKL esp-3des esp-sha-hmac
crypto map IPSECMAP 7 match address Outside_cryptomap_6
crypto map IPSECMAP 7 set peer xxx.xxx.xxx
crypto map IPSECMAP 7 set transform-set OKL
crypto map IPSECMAP 7 set reverse-route
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
tunnel-group xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx general-attributes
default-group-policy VPNGrpPolicy
tunnel-group xxx.xxx.xxx ipsec-attributes
pre-shared-key Abc123!@
What am I doing wrong????
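The counter pattern described in this post (ASA encaps rising, decaps stuck at 0; the router the mirror image) is the signature of a one-way tunnel, and it is worth checking mechanically rather than by eye. The script below is an added example, not anything from this thread or from Cisco: it parses the relevant lines of `show crypto ipsec sa` from both an ASA and an IOS router, classifies each side from its encaps/decaps counters, and checks that the two sides' Phase 2 selectors mirror each other. The sample outputs are constructed from the counters quoted in the thread, with documentation-range addresses standing in for the masked peers.

```python
import re

# Constructed samples modelled on the two "show crypto ipsec sa" outputs in this
# thread (ASA side and IOS side); 203.0.113.x are placeholder peer addresses.
ASA_SA = """\
    peer address: 203.0.113.36
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
      #pkts encaps: 383, #pkts encrypt: 383, #pkts digest: 383
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
IOS_SA = """\
   local  ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors:? (\d+)")  # IOS prints no colon here
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")


def parse_ipsec_sa(text):
    """Pull packet counters and Phase 2 traffic selectors out of one SA's output."""
    sa = {k: int(v) for k, v in COUNTER_RE.findall(text)}
    sa.update({f"{k}_errors": int(v) for k, v in ERROR_RE.findall(text)})
    sa.update({f"{k}_ident": v for k, v in IDENT_RE.findall(text)})
    return sa


def diagnose(sa):
    """Classify one side of a tunnel from its encaps/decaps counters."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        return "errors"            # MTU, replay window or SPI problems; not a selector issue
    if enc == 0 and dec == 0:
        return "idle"              # nothing has matched the crypto ACL on this side yet
    if enc > 0 and dec == 0:
        return "one-way-outbound"  # we encrypt, the peer never answers through the SA
    if enc == 0 and dec > 0:
        return "one-way-inbound"   # we decrypt, but our replies never reach the crypto map:
                                   # check NAT exemption and routing ahead of encryption
    return "bidirectional"


def selectors_mirror(a, b):
    """True when each side's local selector is exactly the other side's remote selector."""
    return a.get("local_ident") == b.get("remote_ident") and a.get("remote_ident") == b.get("local_ident")
```

With the thread's numbers the ASA side classifies as one-way-outbound and the router side as one-way-inbound while the selectors still mirror, which points at the router's return path (NAT or routing) rather than at Phase 2 negotiation.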
05-20-2013 11:27 AM
Ah! found something,
this is the inside interface.......
description $FW_INSIDE$$ES_LAN$
ip address XXX.XXX.XXX.XXX 255.255.255.248 secondary
ip address 10.9.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
If I remove the IP NAT INSIDE command the traffic works..... however when I remove it, the LAN loses internet connectivity. Is there any way around this?