11-23-2010 07:34 PM
Hi all Cisco gurus,
I'm trying to implement this scheme:
Office -> Cisco 877 -> Internet -> ASA 5505 -> remote network
Office network: 192.168.10.0/24
Cisco 877 internal IP: 192.168.10.200
Cisco 877 external IP: a.a.a.a
ASA 5505 external IP: b.b.b.b
ASA 5505 internal IP: 192.168.17.3 and 192.168.1.3
Remote network: 192.168.17.0/24 and 192.168.1.0/24
Both VPN tunnels are OK and up, but I am unable to ping the remote network or start RDP sessions (no access at all). VPN initiator: ASA; traffic initiator: Office.
I'm a novice in Cisco, so I would very much appreciate detailed suggestions.
There are two configurations:
ASA 5505:
Result of the command: "show conf"
!
ASA Version 8.2(2)
!
hostname
domain-name
enable password password encrypted
passwd passwd encrypted
names
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0000
nameif WAN
security-level 0
ip address b.b.b.b 255.255.255.248
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0001
nameif OLD-Private
security-level 0
ip address 192.168.17.3 255.255.255.0
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0002
nameif Management
security-level 0
ip address 192.168.1.3 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns domain-lookup OLD-Private
dns domain-lookup Management
dns server-group DefaultDNS
name-server 111.222.333.444
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-Private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 4096
logging asdm-buffer-size 100
logging trap debugging
logging asdm debugging
logging debug-trace
logging class auth trap debugging
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.100-192.168.1.131 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit host 192.168.10.7 WAN
icmp permit host a.a.a.a OLD-Private
icmp permit host 192.168.10.0 OLD-Private
icmp permit host 192.168.10.7 OLD-Private
icmp permit host 192.168.17.155 OLD-Private
icmp permit host 192.168.17.137 OLD-Private
icmp permit host a.a.a.a Management
icmp permit host 192.168.10.0 Management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (OLD-Private) 0 access-list LAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 b.b.b.85 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map 2 match address WAN_cryptomap_2
crypto map WAN_map 2 set peer a.a.a.a
crypto map WAN_map 2 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.17.95-192.168.17.99 OLD-Private
!
dhcpd address 192.168.1.100-192.168.1.131 Management
dhcpd enable Management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value WAN_access_in
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value 111.222.333.444
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN_IP
username username password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool VPN_Admin_IP
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
--------------------------------------------------------------------------------------------
Configuration of Cisco 877 (cut):
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network local_auth if-authenticated
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
l2tp tunnel receive-window 256
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
!
crypto isakmp policy 3
authentication pre-share
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 KEY address b.b.b.b
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
crypto isakmp profile ciscocp-ike-profile-1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
set peer b.b.b.b
set transform-set ASA-IPSEC
match address 160
!
!
!
!
ip access-list extended NAT_INTERNET
deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended NAT_INTERNET_1
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended sdm_dialer0_in
remark CCP_ACL Category=1
permit ahp host b.b.b.b any
remark Allow all
permit ip any any
permit esp host b.b.b.b any
permit udp host b.b.b.b any eq isakmp
permit udp host b.b.b.b any eq non500-isakmp
permit ahp host b.b.b.b any
permit ip 192.168.17.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 1 remark #NAT INTERNET USERS#
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip host 192.168.10.0 any
access-list 101 remark RULES FOR FW TO INTERNET
access-list 101 permit ip any any
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
access-list 101 remark Cisco_VPN_500
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 remark Cisco_VPN_4500
access-list 101 permit udp any any eq isakmp log
access-list 115 remark CCP_ACL Category=16
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 permit ip 129.168.10.0 0.0.0.255 any
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server ifindex persist
!
end
Also there is a log from ASDM (trying an RDP session from Office to the remote network):
6|Nov 24 2010|16:27:48|302014|192.168.10.7|55645|192.168.17.155|3389|Teardown TCP connection 4390 for WAN:192.168.10.7/55645 to OLD-Private:192.168.17.155/3389 duration 0:00:30 bytes 0 SYN Timeout
7|Nov 24 2010|16:27:42|715075|||||Group = a.a.a.a, IP = a.a.a.a, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x23a1641e)
7|Nov 24 2010|16:27:42|715047|||||Group = a.a.a.a, IP = a.a.a.a, processing notify payload
7|Nov 24 2010|16:27:42|715047|||||Group = a.a.a.a, IP = a.a.a.a, processing hash payload
7|Nov 24 2010|16:27:42|713236|||||IP = a.a.a.a, IKE_DECODE RECEIVED Message (msgid=a02e705d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Nov 24 2010|16:27:42|713236|||||IP = a.a.a.a, IKE_DECODE SENDING Message (msgid=a56040b2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Nov 24 2010|16:27:42|715046|||||Group = a.a.a.a, IP = a.a.a.a, constructing qm hash payload
7|Nov 24 2010|16:27:42|715046|||||Group = a.a.a.a, IP = a.a.a.a, constructing blank hash payload
7|Nov 24 2010|16:27:42|715036|||||Group = a.a.a.a, IP = a.a.a.a, Sending keep-alive of type DPD R-U-THERE (seq number 0x23a1641e)
6|Nov 24 2010|16:27:18|302013|192.168.10.7|55645|192.168.17.155|3389|Built inbound TCP connection 4390 for WAN:192.168.10.7/55645 (192.168.10.7/55645) to OLD-Private:192.168.17.155/3389 (192.168.17.155/3389)
Thanks
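Before touching the tunnel itself, a reviewer would flag several things in the ASA config above: both crypto map entries point at the same peer, the 192.168.1.0 network in WAN_cryptomap_2 has no matching nat 0 exemption, nat (OLD-Private) 1 has no global statement on any other interface, and both IKE and IPsec negotiate DES with DH group 1. The script below is an added example, not part of the thread or any Cisco tool: it parses the ASA 8.2 statements those checks need and reports them. The two config strings are constructed from the lines posted above and from the merged crypto map and NAT lines quoted in the final post; the finding labels (weak-crypto, dup-peer, no-nat0, no-global) are my own.

```python
"""Static checks for an ASA 8.2 site-to-site VPN config (added example, not from the thread)."""
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip "
                    r"(\d+\.\d+\.\d+\.\d+) \S+ (\d+\.\d+\.\d+\.\d+) \S+")

# Constructed sample: the VPN- and NAT-relevant statements from the ASA config posted above.
ASA_BEFORE = """
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (OLD-Private) 0 access-list LAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 2 match address WAN_cryptomap_2
crypto map WAN_map 2 set peer a.a.a.a
crypto isakmp policy 10
 encryption des
 hash sha
 group 1
"""

# Constructed sample: the merged crypto map and the NAT lines quoted in the final post.
ASA_AFTER = """
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0
"""

def parse(cfg):
    """Keep only the statements the checks need."""
    c = {"acl": defaultdict(list), "cmap": defaultdict(dict), "ts": {},
         "isakmp": defaultdict(dict), "nat": [], "global": set()}
    policy = None
    for raw in cfg.splitlines():
        line, w = raw.strip(), raw.split()
        if m := ACL_RE.match(line):                       # (source net, destination net)
            c["acl"][m.group(1)].append((m.group(2), m.group(3)))
        elif line.startswith("crypto map ") and len(w) > 6:
            if w[4] == "match":
                c["cmap"][(w[2], w[3])]["acl"] = w[6]     # keyed by (map name, seq)
            elif w[4] == "set":
                c["cmap"][(w[2], w[3])][w[5]] = w[6]      # 'peer' / 'transform-set'
        elif line.startswith("crypto ipsec transform-set "):
            c["ts"][w[3]] = w[4:]
        elif line.startswith("crypto isakmp policy "):
            policy = w[3]
        elif policy and w and w[0] in ("encryption", "hash", "group"):
            c["isakmp"][policy][w[0]] = w[1]
        elif w and w[0] == "nat":
            acl = w[4] if w[2] == "0" and w[3] == "access-list" else None
            c["nat"].append((w[1].strip("()"), w[2], acl))
        elif w and w[0] == "global":
            c["global"].add((w[1].strip("()"), w[2]))
    return c

def audit(cfg):
    c, out = parse(cfg), []
    # 1. DES, MD5 and DH group 1 are well below current practice for an L2L tunnel.
    for name, algos in c["ts"].items():
        if {"esp-des", "esp-md5-hmac"} & set(algos):
            out.append(f"weak-crypto: transform-set {name} uses {' '.join(algos)}")
    for pol, a in c["isakmp"].items():
        if a.get("encryption") == "des" or a.get("hash") == "md5" or a.get("group") == "1":
            out.append(f"weak-crypto: isakmp policy {pol} uses {a}")
    # 2. Several crypto map entries for one peer: legal, but the thread merges them into one.
    by_peer = defaultdict(list)
    for (name, seq), e in c["cmap"].items():
        by_peer[(name, e.get("peer"))].append(seq)
    for (name, peer), seqs in by_peer.items():
        if len(seqs) > 1:
            out.append(f"dup-peer: {name} entries {seqs} all use peer {peer}")
    # 3. Each (local, remote) pair in a crypto ACL needs the same pair in a nat 0 ACL,
    #    or the packet is translated before the crypto map ever sees it.
    exempt = {p for _, _, acl in c["nat"] if acl for p in c["acl"][acl]}
    for (name, seq), e in c["cmap"].items():
        for src, dst in c["acl"].get(e.get("acl"), []):
            if (src, dst) not in exempt:
                out.append(f"no-nat0: {name} {seq}: {src} -> {dst} is not NAT-exempt")
    # 4. A nat ID needs a global with the same ID on another interface, otherwise the
    #    flow has no translation at all ('No matching global' in packet-tracer).
    for iface, nid, _ in c["nat"]:
        if nid != "0" and not any(g != iface and i == nid for g, i in c["global"]):
            out.append(f"no-global: nat ({iface}) {nid} has no matching global statement")
    return out

if __name__ == "__main__":
    for finding in audit(ASA_BEFORE):
        print(finding)
```

Run against ASA_BEFORE it returns five findings; against ASA_AFTER the dup-peer and no-global findings disappear. The no-nat0 check still fires on ASA_AFTER because the final config on this page is cut off before its nat 0 lines, so that sample contains only the statements the poster quoted.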
11-23-2010 09:13 PM
Hi Nick,
The configuration looks correct, but since you are saying that you are not able to pass traffic, I would like to have a look at the IPsec SA. Please can you provide me the output of show crypto ipsec sa peer "Remote site peer IP" from both devices, so that I can look into the encaps and decaps and see which end is not encrypting or decrypting.
Regards,
Usaid.K
11-23-2010 09:37 PM
show crypto ipsec sa peer b.b.b.b (to ASA 5505 IP from Cisco 877)
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr a.a.a.a
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2946, #pkts encrypt: 2946, #pkts digest: 2946
#pkts decaps: 892, #pkts decrypt: 892, #pkts verify: 892
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 294, #recv errors 0
local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x30F54E07(821382663)
inbound esp sas:
spi: 0xADD39892(2916325522)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 321, flow_id: Motorola SEC 1.0:321, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4461833/3537)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x30F54E07(821382663)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 322, flow_id: Motorola SEC 1.0:322, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4461832/3537)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 587, #pkts encrypt: 587, #pkts digest: 587
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1953, #recv errors 0
local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0xA796E5A1(2811684257)
inbound esp sas:
spi: 0x4F62578D(1331845005)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 319, flow_id: Motorola SEC 1.0:319, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4414232/3497)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA796E5A1(2811684257)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 320, flow_id: Motorola SEC 1.0:320, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4414231/3497)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access3
Crypto map tag: SDM_CMAP_1, local addr 0.0.0.0
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: b.b.b.b
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: b.b.b.b
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
----------------------------------------------------------------------------------------
show crypto ipsec sa peer a.a.a.a (to Cisco 877 from ASA 5505 IP)
peer address: a.a.a.a
Crypto map tag: WAN_map, seq num: 2, local addr: b.b.b.b
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: a.a.a.a
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: b.b.b.b, remote crypto endpt.: a.a.a.a
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: ADD39892
current inbound spi : 30F54E07
inbound esp sas:
spi: 0x30F54E07 (821382663)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: WAN_map
sa timing: remaining key lifetime (kB/sec): (4373999/2975)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xADD39892 (2916325522)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: WAN_map
sa timing: remaining key lifetime (kB/sec): (4374000/2975)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: WAN_map, seq num: 1, local addr: b.b.b.b
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: a.a.a.a
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: b.b.b.b, remote crypto endpt.: a.a.a.a
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4F62578D
current inbound spi : A796E5A1
inbound esp sas:
spi: 0xA796E5A1 (2811684257)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: WAN_map
sa timing: remaining key lifetime (kB/sec): (4373999/2933)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x4F62578D (1331845005)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: WAN_map
sa timing: remaining key lifetime (kB/sec): (4374000/2932)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
----------------------------------------------------------------------------------------------
Also, while monitoring DHCP, there are no IPs assigned via DHCP. In my opinion that's strange too.
Thanks
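The useful signal in the two outputs above is the relation between encaps and decaps per SA pair: the 877 encrypts towards 192.168.17.0 but never decrypts anything back, and the ASA decrypts on both pairs but encrypts nothing. The script below is an added example, not from the thread or from Cisco: it parses the ident and counter lines of show crypto ipsec sa in both the IOS and the ASA format and classifies each SA pair from its counters. The sample strings are constructed from the counter lines posted above (trimmed to the lines the parser reads); the status labels are mine.

```python
"""Classify 'show crypto ipsec sa' SA pairs from both peers (added example, not from the thread)."""
import ipaddress
import re

IFACE = re.compile(r"^interface: (\S+)")
IDENT = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS = re.compile(r"#send errors:? (\d+), #recv errors:? (\d+)")

# Constructed samples: the ident and counter lines from the two outputs posted above.
ROUTER_877 = """
interface: Dialer0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
#pkts encaps: 2946, #pkts encrypt: 2946, #pkts digest: 2946
#pkts decaps: 892, #pkts decrypt: 892, #pkts verify: 892
#send errors 294, #recv errors 0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
#pkts encaps: 587, #pkts encrypt: 587, #pkts digest: 587
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1953, #recv errors 0
interface: Virtual-Access3
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

ASA_5505 = """
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#send errors: 0, #recv errors: 0
local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#send errors: 0, #recv errors: 0
"""

def parse_ipsec_sa(text):
    """One record per SA pair; handles both the IOS and the ASA output format."""
    records, rec, iface = [], None, "-"
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := IDENT.match(line):
            if m.group(1) == "local":             # each pair starts with 'local ident'
                rec = {"iface": iface, "encaps": 0, "decaps": 0, "send_err": 0}
                records.append(rec)
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            rec[m.group(1)] = str(net)            # dotted mask -> CIDR, e.g. 192.168.10.0/24
        elif rec is not None:
            for kind, n in COUNTER.findall(line):
                rec[kind] = int(n)
            if m := ERRORS.search(line):
                rec["send_err"] = int(m.group(1))
    return records

def status(rec):
    """Classify an SA pair from its counters alone."""
    if rec["encaps"] == 0 and rec["decaps"] == 0:
        return "idle"
    if rec["decaps"] == 0:
        return "one-way: encrypting, nothing decrypted"
    if rec["encaps"] == 0:
        return "one-way: decrypting, nothing encrypted"
    return "bidirectional"

def report(text, side):
    """Return (side, interface, local, remote, status) for each SA pair."""
    return [(side, r["iface"], r["local"], r["remote"], status(r)) for r in parse_ipsec_sa(text)]

if __name__ == "__main__":
    for row in report(ROUTER_877, "877") + report(ASA_5505, "ASA"):
        print(*row)
```

Reading the two sides together is the point: an SA that is "encrypting, nothing decrypted" on one peer and "decrypting, nothing encrypted" on the other means the packets arrive and are decrypted, so the problem is on the far side of the decrypting box (its NAT, ACLs or the hosts behind it), not in IKE or IPsec.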
11-23-2010 11:13 PM
Hi Nick,
Thank you for the reply. I see that on the ASA the packets are getting decrypted but the reply packets are not getting encrypted and sent back.
I would like to point out that the issue is probably around the ASA endpoint.
a> Now I see that on the ASA you have two crypto maps with the same peer IP address on both. Please remove the second crypto map (crypto map WAN_map 2) and in the first crypto map's access-list (WAN_1_cryptomap) add the entry below.
access-list WAN_1_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
b> Regarding the dhcpd not working, please add these commands to enable it on the OLD-Private interface:
dhcpd enable OLD-Private
dhcpd dns (dns server ip address)
c> Ensure that the hosts behind the OLD-Private interface are receiving an IP address.
d> Now get the tunnel back up and verify whether the traffic is flowing.
If the issue still persists, please execute the command below on the ASA and send me the output:
packet-tracer input OLD-Private icmp 192.168.17.10 8 0 192.168.10.33
Do not worry about the IP addresses in the above command; just execute it and let me know the results.
e> I just wanted to let you know that the security level on all the interfaces is 0; the private LAN usually has a security level of 100 and the Internet-facing interface has 0.
Thanks.
Usaid.K
11-24-2010 01:39 PM
Thanks for your help.
So, after the changes the ASA configuration became:
...
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0202
nameif OLD-Private
security-level 100
ip address 192.168.17.3 255.255.255.0
ospf cost 10
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0206
nameif Management
security-level 100
ip address 192.168.1.3 255.255.255.0
ospf cost 10
...
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-Private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
...
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
...
dhcpd dns 192.168.17.80 (<--- Not sure which DNS IP I should use, internal or external)
!
dhcpd address 192.168.17.95-192.168.17.99 OLD-Private
dhcpd enable OLD-Private
!
dhcpd address 192.168.1.100-192.168.1.131 Management
dhcpd enable Management
---------------------------------------------------------------------------------------------------------------
All hosts behind the OLD-Private interface have an IP from the DHCP server or a static IP.
The result of the command packet-tracer input OLD-Private icmp 192.168.17.155 8 0 192.168.10.7 (the ASA is able to ping 192.168.17.155 by itself):
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip OLD-Private 192.168.17.0 255.255.255.0 WAN 192.168.10.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
match ip OLD-Private any WAN any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
match ip OLD-Private any WAN any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: OLD-Private
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-------------------------------------------------------------------------------------------
P.S. still no DHCP leases. See attached image
Thanks
11-25-2010 03:35 PM
Hi all,
The problem still persists and is very annoying. I would appreciate your help.
Cheers
11-25-2010 05:33 PM
Hi Nick,
Sorry for the delay.
Attached is the link below to configure DHCP on the ASA; please ensure that the configuration is according to the document.
The issue is with the machines behind the ASA not replying back. We can verify this by placing captures on the ASA; to do so please follow the steps given below.
Please enter an IP address which is pingable from the ASA and the router in the access-list given below.
1> access-list capin permit ip host (Behind ASA host local IP address) host (Behind Router local IP address)
access-list capin permit ip host (Behind Router local IP address) host (Behind ASA host local IP address)
Ex: access-list capin permit ip host 192.168.17.10 host 192.168.10.11
access-list capin permit ip host 192.168.10.11 host 192.168.17.10
Note: The IP address 192.168.17.10 must be reachable when pinged from the ASA, and the IP address 192.168.10.11 should be reachable from the router.
2> capture capin interface OLD-Private access-list capin
3> Now initiate the ping from the machine which is present in the access-list (behind the router) to the destination mentioned in the access-list (behind the ASA).
4> Please enter this command to see the captures: show capture capin
5> Paste the output of the captures here and I will get back to you.
Regards,
Usaid.K
11-25-2010 05:51 PM
Hi Usaid,
The ASA is able to ping 192.168.17.155, and the 877 is able to ping 192.168.10.7.
I've added
>access-list capin permit ip host 192.168.17.155
>access-list capin permit ip host 192.168.10.7
>capture capin interface OLD-Private access-list capin
Result of ping and RDP:
7 packets captured
1: 14:43:28.641766 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
2: 14:43:31.571290 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
3: 14:43:37.573746 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
4: 14:44:12.176107 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
5: 14:44:17.123605 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
6: 14:44:22.123879 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
7: 14:44:27.124612 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
7 packets shown
Checking the DHCP configuration right now.
Cheers
11-25-2010 06:16 PM
Hi Nick,
Thanks for the reply.
I see from the captures that for RDP the SYN packets are going to the machine 192.168.17.155, but the same machine is not replying back to 192.168.10.7.
It is the same with ping as well: the echo requests are going in, but the echo replies are not coming back to the interface because the machine is not responding to the echo requests.
So there is something wrong in your internal LAN. Please check the configuration of the switch behind the ASA and also check if there are any routers behind the ASA which might not be sending packets back to the ASA.
If you can attach a topology of your network it would be great.
Let's verify whether the packets are coming to the ASA in the first place by initiating a ping and RDP request from the ASA local host.
Please enter the following configuration on the ASA; you can copy these commands and paste them into the terminal window.
clear configure access-list capin
access-list capin permit ip host 192.168.17.155 host 192.168.10.7
access-list capin permit ip host 192.168.10.7 host 192.168.17.155
no capture capin
capture capin interface OLD-Private access-list capin
Now initiate the RDP request and ping request from 192.168.17.155 to 192.168.10.7.
Please use this command to see the captures: show capture capin
And please provide me the output of the capture.
Regards,
Usaid.K
11-25-2010 06:47 PM
CANRT2(config)# clear configure access-list capin
CANRT2(config)# access-list capin permit ip host 192.18.17.155 host 192.168.10$
CANRT2(config)# access-list capin permit ip host 192.168.10.7 host 192.168.17.$
CANRT2(config)# no capture capin
CANRT2(config)# capture capin interface OLD-Private access-list capin
CANRT2(config)# show capture capin
6 packets captured
1: 15:37:15.907820 802.1Q vlan#2 P0 192.168.10.7.55314 > 192.168.17.155.3389: S 1051493393:1051493393(0) win 8192
2: 15:37:21.908461 802.1Q vlan#2 P0 192.168.10.7.55314 > 192.168.17.155.3389: S 1051493393:1051493393(0) win 8192
3: 15:37:34.494710 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
4: 15:37:39.483953 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
5: 15:37:44.488957 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
6: 15:37:49.483983 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
6 packets shown
My topology is quite complicated.
The ASA is connected directly to the ISP. 0/0 - ISP. 0/6 - switch.
Also a Juniper SRX is connected directly to the ISP. One switch is connected to the Juniper. 192.168.17.155 is connected to that switch.
192.168.17.155 is able to ping and traceroute the Cisco internal interface 192.168.17.3.
The Cisco is unable to traceroute 192.168.17.155, but is able to ping it (probably firewall settings).
Cheers
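Both captures above show only SYNs and echo requests entering OLD-Private and nothing in the other direction, which is the pattern Usaid describes. The script below is an added example, not from the thread or from Cisco: it parses ASA show capture lines, pairs each SYN with any SYN-ACK and each echo request with any reply, and reports what went unanswered. The first sample is constructed from the first five packets of the capture posted above; the second is a constructed healthy exchange, added here only for contrast. One caveat before trusting a silent capture: the capture ACL as echoed at the terminal above reads 192.18.17.155 rather than 192.168.17.155, so packets sourced from 192.168.17.155 would not have matched that capture at all. Checking the ACL with show access-list capin first avoids reading an ACL typo as a missing reply.

```python
"""Find unanswered SYNs and echo requests in ASA 'show capture' output (added example, not from the thread)."""
import re
from collections import defaultdict

TCP = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([SFRP.]+)")
ICMP = re.compile(r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: echo (request|reply)")

# Constructed sample: the first five packets of the capture posted above.
CAPTURE_ONE_WAY = """
1: 14:43:28.641766 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
2: 14:43:31.571290 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
3: 14:43:37.573746 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
4: 14:44:12.176107 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
5: 14:44:17.123605 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
"""

# Constructed sample of what a working exchange looks like (not from the thread).
CAPTURE_HEALTHY = """
1: 15:00:00.000000 802.1Q vlan#2 P0 192.168.10.7.51700 > 192.168.17.155.3389: S 10:10(0) win 8192
2: 15:00:00.001000 802.1Q vlan#2 P0 192.168.17.155.3389 > 192.168.10.7.51700: S. 20:20(0) ack 11 win 8192
3: 15:00:00.002000 802.1Q vlan#2 P0 192.168.10.7.51700 > 192.168.17.155.3389: . ack 21 win 8192
4: 15:00:01.000000 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
5: 15:00:01.000500 802.1Q vlan#2 P0 192.168.17.155 > 192.168.10.7: icmp: echo reply
"""

def analyze(capture):
    """Return {'tcp': {client -> server: verdict}, 'icmp': {src -> dst: verdict}}."""
    syns = defaultdict(int)               # (client, cport, server, sport) -> SYNs seen
    synacks = set()                       # flows (keyed by the client side) that got a SYN-ACK
    echo = defaultdict(lambda: [0, 0])    # (requester, target) -> [requests, replies]
    for line in capture.splitlines():
        if m := TCP.search(line):
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":
                syns[(src, sport, dst, dport)] += 1
            elif flags.startswith("S"):   # 'S.' is a SYN-ACK in tcpdump notation
                synacks.add((dst, dport, src, sport))
        elif m := ICMP.search(line):
            src, dst, kind = m.groups()
            pair = (src, dst) if kind == "request" else (dst, src)
            echo[pair][0 if kind == "request" else 1] += 1
    result = {"tcp": {}, "icmp": {}}
    for flow, n in syns.items():
        label = f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}"
        result["tcp"][label] = ("handshake answered" if flow in synacks
                                else f"{n} SYN(s), no SYN-ACK from {flow[2]}")
    for (src, dst), (req, rep) in echo.items():
        result["icmp"][f"{src} -> {dst}"] = (f"{req} request(s), {rep} reply(ies)" if rep
                                             else f"{req} request(s), no reply from {dst}")
    return result

if __name__ == "__main__":
    for name, cap in (("one-way", CAPTURE_ONE_WAY), ("healthy", CAPTURE_HEALTHY)):
        print(name, analyze(cap))
```

A capture taken on the inside interface only proves that the ASA handed the packet to that VLAN; an unanswered SYN there points at the host, the switch path or a return route, exactly as the reply above says, provided the capture ACL could have matched the return traffic in the first place.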
11-25-2010 07:30 PM
Hi Nick,
Please provide the captures when you are initiating a ping from 192.168.17.155 to 192.168.10.7.
For the same, please do this before you do the ping:
clear capture capin
(then ping 192.168.10.7 from 192.168.17.155)
Then enter this command: show capture capin, and provide me with the output.
Thanks,
Usaid.k
12-20-2010 07:35 PM
Hi Syed,
Sorry for the long delay. I was very sick.
Let's get back to our sheep (Russian proverb).
There are 2 responses from the Cisco ASA:
Result of the command: "clear capture capin"
ERROR: Capture
Result of the command: "show capture capin"
ERROR: Capture
Also there are no messages in Syslog during the ping from 192.168.17.155 to 192.168.10.7. By the way, I need the VPN in just one direction - from office 192.168.10.x to 192.168.1.x and 192.168.17.x.
Cheers
12-23-2010 01:15 PM
Hi Syed and all Cisco geeks,
The problem is solved. I'm able to RDP, SMB, ping and whatever I need from the office to the remote network.
Unfortunately, it still doesn't assign DHCP, but it works properly.
The problem was here:
nat (OLD-Private) 0 access-list LAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
Correct settings:
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0
Plus add a few changes for reverse NAT (access from the remote LAN to the local one):
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
nat (WAN) 0 access-list inside_nat0_outbound
Here is my full config:
!
ASA Version 8.2(2)
!
hostname ASA2
domain-name default.domain.invalid
enable password password encrypted
passwd password encrypted
names
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0002
nameif WAN
security-level 100
ip address b.b.b.b 255.255.248.0
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0202
nameif OLD-Private
security-level 0
ip address 192.168.17.3 255.255.255.0
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0206
nameif Management
security-level 0
ip address 192.168.1.3 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
banner login ** W A R N I N G **
banner login Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login to the fullest extent of the law.
banner motd ** W A R N I N G **
banner motd Unauthorized access prohibited. All access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law.
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-Private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging debug-trace
logging class auth trap debugging
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit host 192.168.10.7 WAN
icmp permit host b.b.b.b WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list inside_nat0_outbound
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config Management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN_IP
username administrator password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool VPN_Admin_IP
default-group-policy admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy admin
tunnel-group a.a.a.a ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!