02-11-2014 07:08 AM
Hey everyone, this one has had me confused for a week now, and I have a feeling it is something small that I'm overlooking. My 800 router and my ASA will not pass traffic over a VPN. Here are my configs (minus sensitive data, of course). I've also weeded out some unimportant data to shrink down the config.
800 Series Router:
ip dhcp excluded-address 192.168.2.1 192.168.2.100
!
ip dhcp pool internaldhcp
network 192.168.2.0 255.255.255.0
dns-server x.x.x.x x.x.x.x
default-router 192.168.2.1
!
!
ip cef
no ip domain lookup
ip domain name (domain here)
ip name-server x.x.x.x
ip name-server x.x.x.x
no ipv6 cef
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key (my password) address (WAN ip of ASA)
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set remote esp-3des esp-md5-hmac
!
!
crypto map KentonMap 1 ipsec-isakmp
set peer (ASAs WAN IP)
set transform-set 3des-sha
match address 110
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description Outside int
ip address (Local WAN) 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map KentonMap
service-policy output VoiceLLQ
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
fair-queue
!
!
ip nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.252
ip nat inside source list 100 pool insidepool overload
ip route 0.0.0.0 0.0.0.0 (Next Hop)
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 remark VPN ACL
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255
!
ASA Config:
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address (LOCAL WAN) 255.255.255.252
!
same-security-traffic permit intra-interface
access-list NoNat extended permit ip 192.168.24.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list LimatoKenton extended permit ip 192.168.24.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OutsideIn extended permit tcp any interface outside eq 3389
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 192.168.24.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 (Next Hop) 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map LimaMap 1 match address LimatoKenton
crypto map LimaMap 1 set peer (800 Router WAN)
crypto map LimaMap 1 set transform-set 3des-sha
crypto map LimaMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group (800 Router WAN) type ipsec-l2l
tunnel-group (800 Router WAN) ipsec-attributes
 pre-shared-key ****
Crypto isakmp sa output:
ASA
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Router
dst src state conn-id status
(Local WAN) (ASA WAN) QM_IDLE 2003 ACTIVE
02-11-2014 09:52 AM
Hello, Benjamin.
I guess your router is doing NAT even for site-to-site traffic.
So, you need to deny inter-site traffic in ACL 100.
PS: if this doesn't solve your issue, could you please share isakmp/ipsec sa from both sides?
02-11-2014 10:31 AM
I tried this in place of access list 100, is that what you meant? To deny any of the 192.168.24.0 network from being translated. Unfortunately this did not work either, if that's what you were looking for me to do.
access-list 100 deny ip 192.168.24.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
Crypto isakmp sa output:
ASA
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Router
dst src state conn-id status
(Local WAN) (ASA WAN) QM_IDLE 2003 ACTIVE
Crypto IPSEC sa output:
Router
interface: FastEthernet4
Crypto map tag: KentonMap, local addr (LOCAL WAN)
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.24.0/255.255.255.0/0/0)
current_peer (ASA WAN) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 302768, #pkts decrypt: 302768, #pkts verify: 302768
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: (LOCAL WAN), remote crypto endpt.: (ASA WAN)
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x3DDF82D1(1038058193)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x47DA7072(1205497970)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 55, flow_id: Onboard VPN:55, sibling_flags 80000046, crypto map: KentonMap
sa timing: remaining key lifetime (k/sec): (4602390/1551)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3DDF82D1(1038058193)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 56, flow_id: Onboard VPN:56, sibling_flags 80000046, crypto map: KentonMap
sa timing: remaining key lifetime (k/sec): (4602433/1551)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ASA
interface: outside
Crypto map tag: LimaMap, seq num: 1, local addr: (LOCAL WAN)
access-list LimatoKenton extended permit ip 192.168.24.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.24.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: (ROUTER WAN)
#pkts encaps: 394, #pkts encrypt: 394, #pkts digest: 394
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 394, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: (LOCAL WAN), remote crypto endpt.: (ROUTER WAN)
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 47DA7072
current inbound spi : 3DDF82D1
inbound esp sas:
spi: 0x3DDF82D1 (1038058193)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1638400, crypto-map: LimaMap
sa timing: remaining key lifetime (kB/sec): (4374000/1342)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x47DA7072 (1205497970)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1638400, crypto-map: LimaMap
sa timing: remaining key lifetime (kB/sec): (4373976/1342)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
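The two "show crypto ipsec sa" outputs above already contain the answer: the router shows #pkts decaps climbing while #pkts encaps stays at 0, and the ASA shows the mirror image, so phase 2 is up but the router never hands its own outbound packets to the crypto map. As an added example (not part of the original thread or of any Cisco tool), here is a small Python parser that pulls the counters and proxy identities out of both peers' output and names the dead direction. The sample text is constructed to match the shape of the outputs posted above, with RFC 5737 documentation addresses (203.0.113.2, 198.51.100.2) standing in for the masked WAN IPs.

```python
import re

# Constructed samples modelled on the router and ASA outputs in the post above;
# the WAN addresses are documentation placeholders, not the real peers.
ROUTER_SAMPLE = """\
interface: FastEthernet4
    Crypto map tag: KentonMap, local addr 203.0.113.2
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.24.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 302768, #pkts decrypt: 302768, #pkts verify: 302768
    #send errors 0, #recv errors 0
"""

ASA_SAMPLE = """\
interface: outside
    Crypto map tag: LimaMap, seq num: 1, local addr: 198.51.100.2
      local ident (addr/mask/prot/port): (192.168.24.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      #pkts encaps: 394, #pkts encrypt: 394, #pkts digest: 394
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# IOS prints "#send errors 0", the ASA prints "#send errors: 0"; both are accepted.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors:?\s*(\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")


def parse_ipsec_sa(text):
    """Extract packet counters, error counters and proxy identities for one SA pair."""
    sa = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}
    sa.update({m.group(1) + "_errors": int(m.group(2)) for m in ERROR_RE.finditer(text)})
    sa.update({m.group(1) + "_ident": m.group(2) for m in IDENT_RE.finditer(text)})
    return sa


def diagnose(side_a, side_b, name_a="A", name_b="B"):
    """Compare both ends of the same SA and report which direction is not flowing."""
    findings = []
    # The crypto ACLs must be exact mirrors or phase 2 would not have negotiated.
    if (side_a["local_ident"] != side_b["remote_ident"]
            or side_a["remote_ident"] != side_b["local_ident"]):
        findings.append("proxy identities do not mirror each other; check both crypto ACLs")
    for me, peer, name, peer_name in ((side_a, side_b, name_a, name_b),
                                      (side_b, side_a, name_b, name_a)):
        if me["encaps"] == 0 and me["decaps"] > 0 and peer["encaps"] > 0:
            # Packets arrive and decrypt, but nothing local ever reaches the crypto map:
            # classic symptom of NAT rewriting the source before the crypto ACL is checked.
            findings.append(name + " decrypts but never encrypts: its outbound traffic is not"
                            " reaching the crypto map (NAT applied first, crypto ACL miss, or routing)")
        if me["encaps"] > 0 and peer["decaps"] == 0:
            findings.append(name + " encrypts but " + peer_name + " decrypts nothing:"
                            " ESP is not arriving or is dropped in transit")
    return findings or ["traffic flows both ways"]


if __name__ == "__main__":
    router = parse_ipsec_sa(ROUTER_SAMPLE)
    asa = parse_ipsec_sa(ASA_SAMPLE)
    for line in diagnose(router, asa, "router", "ASA"):
        print(line)
```

Run against the two samples it reports only that the router side decrypts but never encrypts, which points at the router's outbound path rather than at IKE, the transform sets or the ASA.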
02-11-2014 10:52 AM
Hello Benjamin,
The ACL for NAT Exemption on router should be :
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
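Why this particular deny line fixes it, and why the earlier attempt (deny 192.168.24.0 0.0.0.255 any) did not, comes down to IOS order of operations: for inside-to-outside traffic the NAT translation is applied before the crypto map is consulted, so the crypto ACL sees the post-NAT packet. With the original ACL 100 every packet from 192.168.2.0/24 is overloaded to the WAN address first, after which nothing matches ACL 110. The attempted deny never fires because the source of the packets leaving the LAN is 192.168.2.x, not 192.168.24.x. As an added example (not from the original thread, and a simplified model rather than IOS itself), here is a Python simulation of that ordering with a wildcard-mask ACL evaluator; it runs the three versions of ACL 100 from this thread through the same pipeline. The WAN address 203.0.113.2 and the sample hosts are placeholders.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (n & keep)


def _take_addr(tokens):
    """Consume one source/destination spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("only extended 'ip' entries are modelled: " + line)
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)
    return tokens[2], src, dst


def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        if " remark " in line:
            continue
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def forward_inside_to_outside(src, dst, nat_acl, crypto_acl, wan_ip):
    """Simplified IOS inside-to-outside path: NAT runs before the crypto map,
    so 'match address' on the crypto map is evaluated against the translated source."""
    translated = acl_permits(nat_acl, src, dst)          # ip nat inside source list ... overload
    src_on_wire = wan_ip if translated else src
    encrypted = acl_permits(crypto_acl, src_on_wire, dst)  # crypto map ... match address 110
    return {"src_on_wire": src_on_wire, "translated": translated, "encrypted": encrypted}


# The crypto ACL from the router config in the original post.
CRYPTO_ACL_110 = [
    "access-list 110 remark VPN ACL",
    "access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255",
]
# The three versions of ACL 100 that appear in this thread.
NAT_ORIGINAL = ["access-list 100 permit ip 192.168.2.0 0.0.0.255 any"]
NAT_ATTEMPT = [
    "access-list 100 deny ip 192.168.24.0 0.0.0.255 any",
    "access-list 100 permit ip 192.168.2.0 0.0.0.255 any",
]
NAT_FIXED = [
    "access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255",
    "access-list 100 permit ip 192.168.2.0 0.0.0.255 any",
]
WAN_IP = "203.0.113.2"  # placeholder for the router's (Local WAN) address


def trace(nat_acl, dst="192.168.24.10", src="192.168.2.50"):
    """Send one LAN host's packet through the model with the given NAT ACL."""
    return forward_inside_to_outside(src, dst, nat_acl, CRYPTO_ACL_110, WAN_IP)


if __name__ == "__main__":
    for name, acl in (("original", NAT_ORIGINAL), ("attempt", NAT_ATTEMPT), ("fixed", NAT_FIXED)):
        print(name, trace(acl))
    print("fixed, Internet-bound", trace(NAT_FIXED, dst="198.51.100.7"))
```

With the original and attempted ACLs the packet leaves with the WAN address as its source and is never encrypted (it goes out in the clear toward a private destination and is dropped upstream); with the fix the LAN-to-LAN packet is left untranslated and matches ACL 110, while Internet-bound traffic is still overloaded as before. The ASA side already gets the same effect from nat (inside) 0 access-list NoNat.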
02-11-2014 11:05 AM
IT'S ALIVE!!!!!
You guys are life savers, thank you so much. I'll pay it forward!