6580 Views | 0 Helpful | 9 Replies

ASA 5506 Site-to-Site VPN

Ben F
Level 1

Hello all. I'm new to the ASA world and I'm having some issues with a site-to-site VPN. Currently I have both ASAs in my lab. Each inside interface has a switch with an IP assigned to an SVI acting as a host. I followed the CLI steps found here: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html ; but instead of static to dynamic I configured both sides as static, since the IPs should not change. Upon completion of the configuration I'm not able to ping between the hosts and the tunnel isn't up. Each host can ping its default gateway, which is the inside interface on the ASA. I am able to ping between the ASAs via their outside interfaces. I'm using private IPs for the testing, and here is the configuration for the VPN piece. I can scrub the entire config if needed, but this is what I used specifically for the VPN.

ASA1:

inside IP 192.168.1.1/24

outside IP 10.10.10.1/29

object network LAN_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_192.168.2.0
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN_192.168.1.0 LAN_192.168.1.0 destination static REMOTE_192.168.2.0 REMOTE_192.168.2.0
!
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key notmyrealkey
exit
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
exit
crypto ipsec ikev1 transform-set UIC_SET esp-aes-256 esp-sha-hmac
access-list UIC_VPN extended permit ip object LAN_192.168.1.0 object REMOTE_192.168.2.0
crypto map UIC_MAP 1 match address UIC_VPN
crypto map UIC_MAP 1 set peer 10.10.10.2
crypto map UIC_MAP 1 set ikev1 transform-set UIC_SET
crypto map UIC_MAP interface outside
crypto ikev1 enable outside
!
route outside 192.168.2.0 255.255.255.0 10.10.10.2

-----------------------------------------------

ASA 2:

inside IP 192.168.1.2/24

outside IP 10.10.10.2/29

object network LAN_192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network REMOTE_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LAN_192.168.2.0 LAN_192.168.2.0 destination static REMOTE_192.168.1.0 REMOTE_192.168.1.0
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key notmyrealkey
exit
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
exit
crypto ipsec ikev1 transform-set UIC_SET esp-aes-256 esp-sha-hmac
!
access-list UIC_VPN extended permit ip object LAN_192.168.2.0 object REMOTE_192.168.1.0
crypto map UIC_MAP 1 match address UIC_VPN
crypto map UIC_MAP 1 set peer 10.10.10.1
crypto map UIC_MAP 1 set ikev1 transform-set UIC_SET
crypto map UIC_MAP interface outside
crypto ikev1 enable outside
!
route outside 192.168.1.0 255.255.255.0 10.10.10.1

9 Replies

Marvin Rhoads
Hall of Fame

Pretty straightforward overall and most of it looks OK.

You should remove the static routes. Both ASAs will see each other as connected routes. In production you would of course have a default route and the remote end will be reachable via that.

Let us know what happens when you remove the static routes and initiate interesting traffic from the local host (SVI) to the remote one.

I went ahead and removed those routes. I had added them when this didn't work. I can still ping the local gateway, but nothing beyond that. I did a capture on the ASA's inside interface, and when I execute the ping to the remote device I don't even see the ICMP message hit the interface. I do see the ICMP messages when I ping the gateway. I've attached the result of some pings and the capture.

Is your tunnel attempting to establish when you send your ping across? Run the following debugs on the ASA before you initiate a ping:

debug crypto ikev1 127

debug crypto ipsec 127

If you start seeing debugs and the tunnel does not establish, this should help you get more info on what's wrong.

Also, try adding the "no-proxy-arp" and "route-lookup" keywords at the end of your nat statement like this:

nat (inside,outside) source static LAN_192.168.2.0 LAN_192.168.2.0 destination static REMOTE_192.168.1.0 REMOTE_192.168.1.0 no-proxy-arp route-lookup

Finally, use this document as a reference for creating static site-to-site VPNs:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

When I run those debugs and try the ping I see no messages, however I enabled some other debugs etc. and when I ran the ping this is the message I got:

ASA(config)# %ASA-6-110002: Failed to locate egress interface for ICMP from inside:192.168.2.2/7886 to 192.168.1.1/0

I followed up on that message. I added this command.

route outside 0.0.0.0 0.0.0.0 10.10.10.1

Now I see some build/teardown, but the pings still fail.

%ASA-7-609001: Built local-host inside:192.168.2.2
%ASA-7-609001: Built local-host outside:192.168.1.1
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9157 laddr 192.168.2.2/9157
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9158 laddr 192.168.2.2/9158
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9157 laddr 192.168.2.2/9157
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9159 laddr 192.168.2.2/9159
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9158 laddr 192.168.2.2/9158
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9160 laddr 192.168.2.2/9160
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9159 laddr 192.168.2.2/9159
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9161 laddr 192.168.2.2/9161
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9160 laddr 192.168.2.2/9160
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9161 laddr 192.168.2.2/9161
%ASA-7-609002: Teardown local-host inside:192.168.2.2 duration 0:00:10
%ASA-7-609002: Teardown local-host outside:192.168.1.1 duration 0:00:10
%ASA-6-302010: 0 in use, 41 most used

----------------------------------------------------------------

Edit: Ran debug on the remote ASA and saw this:

%ASA-3-106014: Deny inbound icmp src outside:192.168.2.2 dst inside:192.168.1.2 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:192.168.2.2 dst inside:192.168.1.2 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:192.168.2.2 dst inside:192.168.1.2 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:192.168.2.2 dst inside:192.168.1.2 (type 8, code 0)
%ASA-6-302010: 0 in use, 2 most used

created an ACL and applied it to outside interface for inbound traffic

access-list ICMP extended permit icmp any any

access-group ICMP in interface outside

Still fails... I'm kind of thinking it is something with ACLs and the ASA default behavior. I'll keep digging!
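The syslog messages quoted in the posts above (110002 before the default route was added, 302020/302021 after it, and 106014 on the remote ASA) each tell you how far a packet got through the ASA's forwarding path. The following is an added example, not code from the thread or from Cisco: it parses those lines, keys them by flow, and reports the stage the last decisive message for each flow reached. The STAGE descriptions are this example's reading of the message IDs; the sample lines are copied from the posts above.

```python
"""Triage ASA syslog lines from a failing site-to-site VPN test.

Added example for this thread, not Cisco code or the poster's.  It parses the
%ASA-<severity>-<message-id> prefix, collects the interface:address pairs and
addresses each message names, and maps the message IDs seen in this thread to
the point in the ASA's forwarding path the packet reached, so a page of debug
output collapses into one verdict per flow.  The STAGE text is this example's
reading of those IDs; the sample lines are copied from the thread.
"""
import re
from typing import Dict, List, Optional

ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})")   # e.g. "inside:192.168.2.2"
ADDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

STAGE: Dict[str, str] = {
    "110002": "route lookup failed: no egress interface, so the crypto map was never consulted",
    "106014": "dropped by the inbound interface ACL; with the default sysopt connection "
              "permit-vpn, decrypted IPsec traffic bypasses that ACL, so this packet most "
              "likely did not arrive through the tunnel",
    "302020": "ICMP connection built: passed route lookup, NAT and ACL checks on this ASA",
    "302021": "ICMP connection torn down (normal once the echo completes or times out)",
    "609001": "host entry created",
    "609002": "host entry removed",
}
DECISIVE = {"110002", "106014", "302020"}   # messages that settle a flow's fate on this box


def parse_line(line: str) -> Optional[dict]:
    """One syslog line -> id, severity, interface per address, addresses, stage; None if not ASA."""
    m = ASA_RE.search(line)                  # search(): a CLI prompt may precede the message
    if m is None:
        return None
    body = m.group("body")
    return {
        "id": m.group("id"),
        "severity": int(m.group("sev")),
        "ifaces": {ip: name for name, ip in ENDPOINT_RE.findall(body)},
        "addrs": ADDR_RE.findall(body),
        "stage": STAGE.get(m.group("id"), "unclassified"),
    }


def triage(lines: List[str]) -> Dict[str, str]:
    """Per flow (unordered pair of the first two addresses), the stage reached by the
    last decisive message, i.e. where the most recent packet of that flow ended up."""
    verdict: Dict[str, str] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["id"] not in DECISIVE or len(rec["addrs"]) < 2:
            continue
        flow = " <-> ".join(sorted(rec["addrs"][:2]))
        verdict[flow] = rec["stage"]
    return verdict


# Lines copied from the thread: the local ASA before and after the default route was
# added, then the remote ASA's deny.  Host 192.168.2.2 pings 192.168.1.1 / 192.168.1.2.
SAMPLE = """\
ASA(config)# %ASA-6-110002: Failed to locate egress interface for ICMP from inside:192.168.2.2/7886 to 192.168.1.1/0
%ASA-7-609001: Built local-host inside:192.168.2.2
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9157 laddr 192.168.2.2/9157
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.1/0 gaddr 192.168.2.2/9157 laddr 192.168.2.2/9157
%ASA-3-106014: Deny inbound icmp src outside:192.168.2.2 dst inside:192.168.1.2 (type 8, code 0)
%ASA-6-302010: 0 in use, 41 most used
""".splitlines()

if __name__ == "__main__":
    for flow, stage in triage(SAMPLE).items():
        print(f"{flow}: {stage}")
```

Run against the thread's lines it reports the 192.168.2.2 to 192.168.1.1 flow as having passed the local ASA (the last decisive message is 302020) and the 192.168.2.2 to 192.168.1.2 flow as dropped by the remote ASA's inbound interface ACL, which is the split between "my side sends" and "the far side refuses" that the thread spent several posts locating by hand.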

Seems like you're not getting NATted correctly.

Try a packet trace as follows:

packet-tracer input inside tcp <local subnet host address> 1025 <remote subnet host address> 80 

I also note that the config snippets you pasted above have 192.168.1.1 on ASA1 inside and 192.168.1.2 on ASA2 inside. I'm hoping that's a typo - otherwise it won't work for sure as built.
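The inside-address mismatch noted in the reply above is the kind of thing that is easy to miss when two configs are read by eye. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the VPN-relevant commands of both sides and reports where they fail to mirror each other (crypto map peer versus the other side's outside address, pre-shared keys, crypto ACL subnets, identity NAT matching the crypto ACL) and where an inside address is not inside the subnet that side protects. Inside and outside addresses are passed in as parameters because the original post states them as notes rather than as config lines; the ikev1 policy and transform-set lines are not checked; and the sample configs are the ones posted, regenerated from a template so that both sides, and a corrected ASA2, fit in a few lines.

```python
"""Mirror-check two ASA IKEv1 site-to-site (L2L) configs: an added example for this
thread, not Cisco's code or the original poster's.  It parses only the VPN-relevant
commands of each side and reports where the two sides do not mirror (peer address,
pre-shared key, crypto ACL, NAT exemption) or where an inside address is not in the
LAN that side protects."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

NAT_RE = re.compile(r"nat \(\w+,\w+\)(?: \d+)? source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")
CMAP_RE = re.compile(r"crypto map \S+ \d+ (match address|set peer) (\S+)")


class AsaVpnConfig:
    def __init__(self, name: str, inside_ip: str, outside_ip: str, text: str) -> None:
        self.name, self.inside, self.outside = name, ipaddress.IPv4Address(inside_ip), outside_ip
        self.objects: Dict[str, ipaddress.IPv4Network] = {}   # object network -> subnet
        self.psk: Dict[str, str] = {}                          # tunnel-group peer -> key
        self.acls: Dict[str, Tuple[str, str]] = {}             # acl -> (src object, dst object)
        self.cmap: Dict[str, str] = {}                         # crypto map sub-command -> value
        self.nat: Optional[Tuple[str, str]] = None             # identity NAT (src obj, dst obj)
        ctx = None                                             # object or tunnel-group being edited
        for raw in (line for line in text.splitlines() if line.strip()):
            w = raw.split()
            if raw[0] == " ":                                  # sub-command of the current block
                if w[0] == "subnet" and ctx:
                    self.objects[ctx] = ipaddress.IPv4Network(f"{w[1]}/{w[2]}")
                elif w[:2] == ["ikev1", "pre-shared-key"] and ctx:
                    self.psk[ctx] = w[2]
                continue
            ctx = None
            if w[:2] == ["object", "network"]:
                ctx = w[2]
            elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes":
                ctx = w[1]
            elif w[0] == "access-list" and w[2:6] == ["extended", "permit", "ip", "object"]:
                self.acls[w[1]] = (w[6], w[8])                 # only the "object X object Y" form
            elif w[0] == "nat":
                m = NAT_RE.match(raw)                          # identity NAT: real == mapped on both halves
                if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
                    self.nat = (m.group(1), m.group(3))
            elif (m := CMAP_RE.match(raw)):
                self.cmap[m.group(1)] = m.group(2)

    def protected(self) -> Optional[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
        """(local subnet, remote subnet) from the crypto ACL bound to the crypto map."""
        src, dst = self.acls.get(self.cmap.get("match address", ""), ("", ""))
        if src in self.objects and dst in self.objects:
            return self.objects[src], self.objects[dst]
        return None


def check_pair(a: AsaVpnConfig, b: AsaVpnConfig) -> List[str]:
    """Findings for the pair; an empty list means the two sides mirror cleanly."""
    out: List[str] = []
    for local, remote in ((a, b), (b, a)):
        n, peer, nets = local.name, local.cmap.get("set peer"), local.protected()
        if peer != remote.outside:
            out.append(f"{n}: crypto map peer {peer} is not {remote.name}'s outside {remote.outside}")
        if nets is None:
            out.append(f"{n}: crypto map has no usable 'match address' ACL")
            continue
        lan, far = nets
        if local.inside not in lan:
            out.append(f"{n}: inside address {local.inside} is not in the protected subnet {lan}")
        nat = tuple(local.objects.get(o) for o in local.nat) if local.nat else None
        if nat != (lan, far):
            out.append(f"{n}: identity NAT {nat} does not exempt crypto ACL {lan} -> {far}")
    pa, pb = a.protected(), b.protected()
    if pa and pb and pa != (pb[1], pb[0]):
        out.append(f"crypto ACLs do not mirror: {a.name} {pa[0]}->{pa[1]}, {b.name} {pb[0]}->{pb[1]}")
    if a.psk.get(a.cmap.get("set peer")) != b.psk.get(b.cmap.get("set peer")):
        out.append("pre-shared keys differ (or are missing) between the two sides")
    return out


def side_config(lan: str, far: str, peer: str) -> str:
    # The VPN stanza as posted in the thread (ikev1 policy and transform set omitted).
    return f"""\
object network LAN_{lan}
 subnet {lan} 255.255.255.0
object network REMOTE_{far}
 subnet {far} 255.255.255.0
nat (inside,outside) source static LAN_{lan} LAN_{lan} destination static REMOTE_{far} REMOTE_{far}
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key notmyrealkey
access-list UIC_VPN extended permit ip object LAN_{lan} object REMOTE_{far}
crypto map UIC_MAP 1 match address UIC_VPN
crypto map UIC_MAP 1 set peer {peer}
"""


# As posted: ASA2's inside 192.168.1.2 is not in its own 192.168.2.0/24 LAN (the typo a reply points out).
ASA1 = AsaVpnConfig("ASA1", "192.168.1.1", "10.10.10.1", side_config("192.168.1.0", "192.168.2.0", "10.10.10.2"))
ASA2_POSTED = AsaVpnConfig("ASA2", "192.168.1.2", "10.10.10.2", side_config("192.168.2.0", "192.168.1.0", "10.10.10.1"))
ASA2_FIXED = AsaVpnConfig("ASA2", "192.168.2.1", "10.10.10.2", side_config("192.168.2.0", "192.168.1.0", "10.10.10.1"))

if __name__ == "__main__":
    print("as posted:", check_pair(ASA1, ASA2_POSTED) or ["OK"])
    print("corrected:", check_pair(ASA1, ASA2_FIXED) or ["OK"])
```

Against the posted configs the only finding is ASA2's inside address sitting outside 192.168.2.0/24; with 192.168.2.1 (the address the poster later confirms) the two sides mirror cleanly. The same checker flags a crypto ACL that does not mirror the far side or a crypto map peer that is not the far side's outside address, which are the other two mismatches that silently stop an L2L tunnel from ever negotiating.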

I have attached the output of the trace. The actual addresses are ASA1 192.168.1.1 and ASA2 192.168.2.1

I think my NAT statement wasn't being hit by the internal traffic so I added "1" after "(inside,outside)". Not sure if that was part of the issue, but it looks like the tunnel formed and everything. So I did a factory reset and pasted in my config. I can now ping from host to host. I'm not able to ping the IP on the remote ASA interface (maybe by design?), but if the hosts can talk I assume I'm good to go.

ASA# show cryp ipsec sa
interface: outside
    Crypto map tag: UIC_MAP, seq num: 1, local addr: 10.10.10.2

      access-list UIC_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.10.10.1


      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.2/0, remote crypto endpt.: 10.10.10.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 7760984B
      current inbound spi : 283A3E24

    inbound esp sas:
      spi: 0x283A3E24 (674905636)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: UIC_MAP
         sa timing: remaining key lifetime (kB/sec): (4373999/28614)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0x7760984B (2002819147)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: UIC_MAP
         sa timing: remaining key lifetime (kB/sec): (4373998/28614)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Yes - that's the problem when we only see a snippet of the configuration - other bits may interact with the directly relevant ones to prevent you from getting the desired results.

I'm glad it's working for you. Please take a moment to mark your question as answered or rate helpful replies.

I have a problem: in Packet Tracer 7.2.1, "nat" gives "% Unrecognized command". Please help.
