ASA 5505 rookie - can't ping remote site or vice versa

louis0001
Level 3

Hi, I'm trying to set up an IPsec tunnel from an ASA 5505 (8.4) to a Sophos UTM (9.2).

Internet etc. is up and accessible. The IPsec tunnel is up also, but I can't pass traffic through it.

I get this message in the logs:

3 Aug 05 2014 22:38:52 81.111.111.156 82.222.222.38 Deny inbound protocol 50 src outside:81.111.111.156 dst outside:82.222.222.38

SITE A (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156

Any pointers would be good as this is the first time I've tried this. Thank you.

Running config below:


hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description Zen Internet
 nameif outside
 security-level 0
 pppoe client vpdn group Zen
 ip address 82.222.222.38 255.255.255.255 pppoe setroute
!
boot system disk0:/asa922-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MY-LAN
 subnet 192.168.1.0 255.255.255.0
object network THIER-LAN
 subnet 192.168.30.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
 subnet 192.168.30.0 255.255.255.0
object network THIER_VPN
 host 81.111.111.156
 description THIER VPN 
object service Sophos_Admin
 service tcp destination eq 4444
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object esp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object esp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object esp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object udp destination eq domain
 service-object object Sophos_Admin
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object esp
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object Sophos_Admin
 service-object esp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object esp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_4
 service-object object Sophos_Admin
 service-object icmp echo
 service-object icmp echo-reply
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 object MY-LAN object THIER-LAN
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_2 object MY-LAN object THIER-LAN
access-list inside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object THIER-LAN object MY-LAN
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_4 object MY-LAN object THIER-LAN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 81.111.111.156
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 81.111.111.156
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 7800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 7800
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Zen request dialout pppoe
vpdn group Zen localname MYISP@zen
vpdn group Zen ppp authentication chap
vpdn username MYISP@zen password ***** store-local

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
webvpn
 anyconnect-essentials
group-policy GroupPolicy_81.111.111.156 internal
group-policy GroupPolicy_81.111.111.156 attributes
 vpn-tunnel-protocol ikev1
username admin password JsE9Hv42G/zRUcG4 encrypted privilege 15
username bob password lTKS32e90Yo5l2L/ encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 general-attributes
 default-group-policy GroupPolicy_81.111.111.156
tunnel-group 81.111.111.156 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns preset_dns_map dynamic-filter-snoop
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa#

1 Accepted Solution (nkarthikeyan's reply below)

9 Replies

nkarthikeyan
Level 7

Hi,

Have you enabled NAT-Traversal?

crypto isakmp nat-traversal <keepalive>

Also, you need to add a no-NAT rule for the source LAN to the destination LAN:

object network locallan
 subnet 192.168.1.0 255.255.255.0
object network remotelan
 subnet 192.168.30.0 255.255.255.0
!
nat (inside,outside) source static locallan locallan destination static remotelan remotelan
!

A similar thing is needed on the other end as well.

Regards

Karthik

Hi,

Just added that and it's giving the same error. I had it in before and things didn't work, so I'm not sure what's causing this. I do know that the UTM works fine as I can hook up another UTM to it.

Just struggling with the ASA a bit.

Hi,

Can you run debug crypto ipsec 128 on the ASA and share the output? Also, initiate traffic from one LAN to the other LAN during the debug.

Regards

Karthik

Hi,

I started again and used various combinations of encryption etc., but they all come back the same, so I'm at a loss.

Output of debug crypto ipsec 128:


IPSEC: New embryonic SA created @ 0xcdbaeff8,
    SCB: 0xCDC33C70,
    Direction: inbound
    SPI      : 0x6699A5F8
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcdc76048,
    SCB: 0xCDB97B98,
    Direction: outbound
    SPI      : 0xB4E5EBD5
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xB4E5EBD5
IPSEC: Creating outbound VPN context, SPI 0xB4E5EBD5
    Flags: 0x00000005
    SA   : 0xcdc76048
    SPI  : 0xB4E5EBD5
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x3653C7F5
    Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0xB4E5EBD5
    VPN handle: 0x0003820c
IPSEC: New outbound encrypt rule, SPI 0xB4E5EBD5
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.30.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xB4E5EBD5
    Rule ID: 0xca9505d8
IPSEC: New outbound permit rule, SPI 0xB4E5EBD5
    Src addr: 88.222.222.38
    Src mask: 255.255.255.255
    Dst addr: 80.111.111.156
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xB4E5EBD5
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xB4E5EBD5
    Rule ID: 0xcdc482c8
IPSEC: New embryonic SA created @ 0xcdbaeff8,
    SCB: 0xCDC33C70,
    Direction: inbound
    SPI      : 0x6699A5F8
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host IBSA update, SPI 0x6699A5F8
IPSEC: Creating inbound VPN context, SPI 0x6699A5F8
    Flags: 0x00000006
    SA   : 0xcdbaeff8
    SPI  : 0x6699A5F8
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0003820C
    SCB  : 0x363F2BE7
    Channel: 0xc8c234e0
IPSEC: Completed inbound VPN context, SPI 0x6699A5F8
    VPN handle: 0x00040e4c
IPSEC: Updating outbound VPN context 0x0003820C, SPI 0xB4E5EBD5
    Flags: 0x00000005
    SA   : 0xcdc76048
    SPI  : 0xB4E5EBD5
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x00040E4C
    SCB  : 0x3653C7F5
    Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0xB4E5EBD5
    VPN handle: 0x0003820c
IPSEC: Completed outbound inner rule, SPI 0xB4E5EBD5
    Rule ID: 0xca9505d8
IPSEC: Completed outbound outer SPD rule, SPI 0xB4E5EBD5
    Rule ID: 0xcdc482c8
IPSEC: New inbound tunnel flow rule, SPI 0x6699A5F8
    Src addr: 192.168.30.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x6699A5F8
    Rule ID: 0xcdc35348
IPSEC: New inbound decrypt rule, SPI 0x6699A5F8
    Src addr: 80.111.111.156
    Src mask: 255.255.255.255
    Dst addr: 88.222.222.38
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x6699A5F8
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x6699A5F8
    Rule ID: 0xc96f7cc8
IPSEC: New inbound permit rule, SPI 0x6699A5F8
    Src addr: 80.111.111.156
    Src mask: 255.255.255.255
    Dst addr: 88.222.222.38
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x6699A5F8
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x6699A5F8
    Rule ID: 0xc96f6388

ciscoasa# show cry ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 88.222.222.38

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
      current_peer: 80.111.111.156


      #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 250, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 88.222.222.38/0, remote crypto endpt.: 80.111.111.156/0
      path mtu 1492, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B4E5EBD5
      current inbound spi : 6699A5F8

    inbound esp sas:
      spi: 0x6699A5F8 (1721345528)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28269)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB4E5EBD5 (3034966997)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373985/28269)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hi,

Looking at your show crypto ipsec sa output, I can see packets are getting encapsulated. That means packets are going out from the peer network 88.222.222.38, and I do not see the return packet coming from the UTM site 81.111.111.156 to the ASA. This means the UTM firewall either drops the packet or is not able to get the return packet. Peer-to-peer routing is there, but you need to check from the LAN to the other site's peer.

Please check the crypto map (this should match at both ends), NAT (exemption should be there at both ends) and routing at both ends from the inside LAN.

I suggest you try the crypto map without a specific port, say source LAN to destination LAN with any port:

access-list cryptomap extended permit ip <source LAN> <mask> <destination LAN> <mask>

Regards

Karthik

Many thanks for your efforts. It beat me in the end and I ended up tearing it down and starting again. This time it came up first time so I'm not sure what was going on.

Thanks for the assistance.

Rudy Sanjoko
Level 4

Hi,

3 Aug 05 2014 22:38:52 81.111.111.156 82.222.222.38 Deny inbound protocol 50 src outside:81.111.111.156 dst outside:82.222.222.38

The above log line tells me that your ASA is denying protocol 50 (ESP) from 81.111.111.156.

Another thing I notice: the tunnel is established between 82.x.x.x and 80.x.x.x. Shouldn't it be between 82.x.x.x and 81.x.x.x, as the returning packet is coming from 81.x.x.x?
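
As an added example (not from this thread, and not Cisco or Sophos code), here is a small Python triage script that re-applies the three checks made in the replies above to excerpts of the poster's own output: the "Deny inbound protocol 50" syslog line, the show crypto ipsec sa peer and counters, and the crypto ACL / NAT lines of the running config. It flags one-way traffic (encaps without decaps), an active SA peer that is not a configured crypto-map peer (the 80.x vs 81.x discrepancy Rudy noticed, reported as found without assuming why), crypto ACL entries that match more than plain ip, and a missing twin-static NAT exemption. The CONFIG, SYSLOG and SHOW_SA excerpts are trimmed copies of what was posted; the regexes and the triage/report helpers are mine and only cover the line formats shown on this page.

```python
# Added triage example for this thread, not Cisco or Sophos code. It re-runs
# the checks from the replies against trimmed excerpts of the poster's output.
import re

# Constructed excerpts, trimmed from what was posted in the thread.
CONFIG = """\
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object esp
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 object MY-LAN object THIER-LAN
object network obj_any
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.111.111.156
"""
SYSLOG = ("3 Aug 05 2014 22:38:52 81.111.111.156 82.222.222.38 Deny inbound protocol 50 "
          "src outside:81.111.111.156 dst outside:82.222.222.38")
SHOW_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 88.222.222.38
      current_peer: 80.111.111.156
      #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

CRYPTO_MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+)(?: (\S+))?")
# Twin static identity NAT: "nat (a,b) source static X X destination static Y Y"
NAT_EXEMPT_RE = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2")

def parse_config(text):
    """Return (crypto-map entries, protocol set per ACL, NAT exemption present)."""
    groups, cur, maps, raw_acls, nat_exempt = {}, None, {}, {}, False
    for line in text.splitlines():
        m = re.match(r"object-group protocol (\S+)", line)
        if m:
            cur = groups.setdefault(m.group(1), set())
            continue
        m = re.match(r"\s+protocol-object (\S+)", line)
        if m and cur is not None:
            cur.add(m.group(1))
            continue
        cur = None  # any other line closes the object-group block
        m = CRYPTO_MAP_RE.match(line)
        if m:
            key = "acl" if m.group(3) == "match address" else "peer"
            maps.setdefault((m.group(1), m.group(2)), {})[key] = m.group(4)
        elif ACL_RE.match(line):
            name, proto, arg = ACL_RE.match(line).groups()
            raw_acls.setdefault(name, []).append((proto, arg))
        elif NAT_EXEMPT_RE.search(line):
            nat_exempt = True
    # Resolve object-group references only after every group has been read.
    acls = {n: set().union(*(groups.get(a, set()) if p == "object-group" else {p} for p, a in es))
            for n, es in raw_acls.items()}
    return maps, acls, nat_exempt

def parse_show_sa(text):
    """Peer address and encaps/decaps counters from 'show crypto ipsec sa'."""
    peer = re.search(r"current_peer: (\S+)", text).group(1)
    encaps = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    decaps = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return peer, encaps, decaps

def parse_esp_deny(line):
    """Source of a 'Deny inbound protocol 50' (ESP) syslog line, or None."""
    m = re.search(r"Deny inbound protocol 50 src \S+?:(\S+) dst", line)
    return m.group(1) if m else None

def triage(config, syslog, show_sa):
    """Combine the three inputs into the findings the replies asked the poster to check."""
    maps, acls, nat_exempt = parse_config(config)
    peer, encaps, decaps = parse_show_sa(show_sa)
    configured = {e["peer"] for e in maps.values() if "peer" in e}
    in_crypto_acls = set().union(*(acls.get(e.get("acl"), set()) for e in maps.values()))
    return {
        "esp_denied_from": parse_esp_deny(syslog),
        "configured_peers": configured,
        "active_peer": peer,
        "one_way": encaps > 0 and decaps == 0,   # we encrypt, nothing comes back
        "peer_mismatch": peer not in configured,
        "non_ip_in_crypto_acl": in_crypto_acls - {"ip"},
        "nat_exemption": nat_exempt,
    }

def report(f):
    """Human-readable findings, one line each."""
    out = []
    if f["esp_denied_from"]:
        out.append(f"ESP from {f['esp_denied_from']} is dropped on the outside interface")
    if f["one_way"]:
        out.append("SA encapsulates but never decapsulates: traffic leaves, nothing returns")
    if f["peer_mismatch"]:
        out.append(f"active SA peer {f['active_peer']} is not a configured crypto-map peer {sorted(f['configured_peers'])}")
    if f["non_ip_in_crypto_acl"]:
        out.append(f"crypto ACL also matches {sorted(f['non_ip_in_crypto_acl'])}; use a plain 'permit ip' LAN-to-LAN entry")
    if not f["nat_exemption"]:
        out.append("no twin static NAT exemption: LAN-to-LAN traffic hits the dynamic PAT rule first")
    return out

if __name__ == "__main__":
    for line in report(triage(CONFIG, SYSLOG, SHOW_SA)):
        print("-", line)
```

Run as-is it prints all five findings for the posted config. Append Karthik's nat (inside,outside) source static ... destination static ... line to CONFIG and the NAT-exemption finding disappears, which is the kind of before/after check worth doing on each change before assuming the fault is on the UTM side. The peer-mismatch line is only as good as the pasted addresses: if the public IPs were sanitized inconsistently when posting, that is what it will catch.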

louis0001
Level 3