Solved: Re: ASA 5510 Site to Site VPN

William Benson · ‎04-14-2011

Ok my forehead is sore from all the keyboard pounding I know this has got to be something simple but I'm brand new to ASA's. I had a site to site VPN setup via to 1751 routers which was working fine, but we're looking to add some more remote field offices and I felt it would be easier to maintain multiple site to site's on the ASA 5510. I have the VPN configured on the ASA and it says the tunnel is up. I can telnet to the ASA and ping the remote gateway on the peer side of the VPN and it pings fine. If I try to ping from a local computer I get a "Request timed out". If I don't make any changes aside from going to the computer room and changing the network cable over to the 1751 then through the 1751 I can now ping the remote gate way from my computer. The remote router is obviously working fine, my route statement on my router to push vpn traffic through the ASA ip address (same ip address that was used by the 1751) is obviously working. So it just seems like the ASA is not excepting the VPN traffic being pushed to it on ethernet0/0 or at least it's not encrypting it. I've also noticed that the ACL's for NAT don't appear to be increasing in hit count either so, it really seems there's just one little thing missing to make the ASA except and encrypt traffic coming in on ethernet0/0:

My network is not setup with a DMZ so it's something like this, with the ASA ethernet0/0 and my LAN on the same subnet:

Router (Cisco 2811)

|

Layer 2 Switch (ProCurve)

| |

ASA5510 LAN Computers

I'm trying to except both sides of the VPN traffic in and out on Ethernet0/0 I saw there was a setting for this "Permit communication between VPN peers connected to the same interface" and I have enabled that option.

In short I need to figure out why the VPN tunnel shows as up, and I can ping the remote gateway from the ASA, but devices on my network cannot ping the remote gateway through the Ethernet0/0 int on the ASA.

From the ASA console I get this:

ASA5510# ping 192.52.128.1
Sending 5, 100-byte ICMP Echos to 192.52.128.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/108/120 ms

ASA5510# show crypto ipsec sa
interface: ************
Crypto map tag: **********_map, local addr: 10.52.120.23

      local ident (addr/mask/prot/port): (10.52.120.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.52.128.0/255.255.255.0/0/0)
      current_peer: x.x.x.204

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

local crypto endpt.: 10.52.120.23, remote crypto endpt.: x.x.x.204

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: C49EF75F

    inbound esp sas:
      spi: 0x21FDBB9D (570276765)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: **********_map
         sa timing: remaining key lifetime (kB/sec): (3824999/3529)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC49EF75F (3298752351)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: **********_map
         sa timing: remaining key lifetime (kB/sec): (3824999/3527)
         IV size: 8 bytes
         replay detection support: Y

From my desk on the 10.52.120.0 network same as the etherenet0/0 interface on the ASA I get this:

C:\Users\**********>ping 192.52.128.1

Pinging 192.52.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.52.128.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

C:\Users\**********>ping 10.52.120.23

Pinging 10.52.120.23 with 32 bytes of data:
Reply from 10.52.120.23: bytes=32 time=5ms TTL=255
Reply from 10.52.120.23: bytes=32 time=3ms TTL=255
Reply from 10.52.120.23: bytes=32 time=1ms TTL=255
Reply from 10.52.120.23: bytes=32 time=1ms TTL=255

Ping statistics for 10.52.120.23:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 5ms, Average = 2ms

Count on VPN Tunnel ACL does not increase when I try to ping the remote gateway address.

Here's the running config from the ASA:

ASA Version 7.0(2)
names
!
interface Ethernet0/0
nameif InsideNetwork
security-level 100
ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXX encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit intra-interface
access-list InsideNetwork_nat0_outbound extended permit ip 10.52.120.0 255.255.25
5.0 192.52.128.0 255.255.255.0
access-list InsideNetwork_cryptomap_20 extended permit ip 10.52.120.0 255.255.255
.0 192.52.128.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu InsideNetwork 1500
monitor-interface management
monitor-interface InsideNetwork
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
nat (InsideNetwork) 0 access-list InsideNetwork_nat0_outbound
route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 InsideNetwork
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map InsideNetwork_map 20 match address InsideNetwork_cryptomap_20
crypto map InsideNetwork_map 20 set peer x.x.x.204
crypto map InsideNetwork_map 20 set transform-set ESP-3DES-MD5
crypto map InsideNetwork_map interface InsideNetwork
isakmp enable InsideNetwork
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.52.120.0 255.255.255.0 InsideNetwork
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
tunnel-group x.x.x.204 type ipsec-l2l
tunnel-group x.x.x.204 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:7e478b60b3e406091de466675c52eaaa
: end

I haven't added anything to the config except what seemed needed to get the VPN tunnel working. It should be pretty clean.

Thanks in advance for any help...I really hope this is something really simple that an ASA rookie just overlooked

mvsheik123 · ‎04-15-2011

Strange but good news. Thanks for the update. Glad everything is working.

Thx

MS

View solution in original post

mvsheik123 · ‎04-14-2011

Hi,

Do you have ethernet handoff from ISP on 2811..? If so you can remove the 2811 and terminate the directly on ASA interface (ex: interface Ethernet0/1 with Security 0). Then your infra looks like LAN--> L2 Switch-> ASA Inside --> ASA Outside--> ISP.

Add route outside 0.0.0.0 0.0.0.0 statement pointing to ISP gateway. The config loooks good except there is not route outside statement which tells the ASA to send any unknow network traffic towards Internet and then VPN rules applies accordingly.

If you need the router... still I would go with design : LAN--> L2 Switch-> ASA Inside --> ASA Outside--> Router(no nat or anything, just to pass traffic with public IPs from ISP).

hth

MS

William Benson · ‎04-14-2011

We're on a T1 to an MPLS, not a fast ethernet connection. All of our larger offices are tied together through the MPLS for WAN connectivity. We're adding some small satellite loactions over the course of the next year that will only have one or two people staffed. I'm hoping to just use site to site VPNs to connect these smaller offices into our network. The 1700 series routers were working fine and if I have to go I'll go back to that but the ASA looks like it offers a lot more management capabilities if I can figure out how to make the the thing work. My tunnel is up and I can ping from the ASA to the remote router I just can't figure out why when traffic is directed to the ethernet0/0 port on the ASA it doesn't look like it's encrypting it and passing it over the VPN tunnel

I hope I've given enough information that someone can understand the problem. I certainly cannot be the first person to configure a site to site vpn over a single ethernet interface on an ASA that sits behind a router and on the same subnet as the local network hehe

EDIT::::::

If you need the router... still I would go with design : LAN--> L2 Switch-> ASA Inside --> ASA Outside--> Router(no nat or anything, just to pass traffic with public IPs from ISP).

We're actually tied back into the corporate systems of the headquarters of the manufacturer that we sell for. We have 5 branch locations which all tie back to the manufacturer's corporate office and in order for our systems to perform correctly we have to maintain their addressing scheme. I could try to NAT a subnet behind the ASA "Inside" interface and assign their subnet address to the ASA "Outside" interface, but I'm not 100% sure how that would work out and unfortunately I don't have a "Test" environment. I know I wouldn't be able to use an overloaded NAT because of security policies in place that will not allow multiple concurrent connections from the same account or IP address to the business sytem. In theory it should work, but since they also need to be able to connect into our machines at any given moment, I'm pretty sure I'd have to do a 1-for-1 nat for each PC connecting to their system (about 100 computers) and I just don't want to take that overhead on hehe.

Anyrate for the time being I'm kind of stuck with (Lan + ASA) -> Switch -> Router.

mvsheik123 · ‎04-14-2011

Hi,

Yes.. I thought of it as MPLS after I posted my reply. I never did VPN on single interface, so lets see any gurus can help with the issue.

thx

MS

William Benson · ‎04-14-2011

Since everything seems to look good, the tunnel is up and I can ping from the ASA to the remote gateway, and if I simply switch the CAT5 cable from the ASA to the 1700 router it all starts working, it has to be something in the ASA. Since when pinging from my laptop I don't see any hits on the ACL for the tunnel, I'm really wondering if it's not some kind of firewall or security issue that is preventing forwarded traffic from the 2811 router from passing through the Ethernet0/0 interface on the ASA.

Ping from my laptop -> 2811 Router

2811 Route Staement - > ip route 192.52.128.0 255.255.255.0 10.52.120.23

So the ping should definitely be forwarding to the Ethernet0/0 interface of the ASA but the ACL is not aknowleding the presence of that traffic...grrrr

If everything works fine with the 1700 router in place that really leaves me with nothing but something I'm overlooking on the ASA. Maybe I'll have a brainstorm tonight. Or if I'm really lucky someone will come along and say "Hey you fool you forgot do "

William Benson · ‎04-14-2011

Here's the ACL hits if it helps:

ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list InsideNetwork_nat0_outbound; 1 elements
access-list InsideNetwork_nat0_outbound line 1 extended permit ip 10.52.120.0 255
.255.255.0 192.52.128.0 255.255.255.0 (hitcnt=0)
access-list InsideNetwork_cryptomap_20; 1 elements
access-list InsideNetwork_cryptomap_20 line 1 extended permit ip 10.52.120.0 255.
255.255.0 192.52.128.0 255.255.255.0 (hitcnt=15)

William Benson · ‎04-15-2011

This is the ACL that should be telling the ASA not to NAT and pass through the Tunnel:

nat (InsideNetwork) 0 access-list InsideNetwork_nat0_outbound

But it's not getting any hits at all. This is really frustrating me. I sent up the IPSEC tunnel on my routers in no time at all...what the heck am I missing here?

mvsheik123 · ‎04-15-2011

Hi,

Can you try by adding specific route on ASA to remote subnet (I know the default is existing) and clear arp on the switch after moved the connections to the ASA?

Thx

MS

William Benson · ‎04-15-2011

No dice...it's just not hitting the VPN ACL as traffic enters the switch on the Ethernet0/0 interface. This is so bloody frustrating. It can't be this difficult to use the one interface as in and out traffic for the VPN, I can configure it on the router in about 30 seconds...why is this ASA being such a pain?

mvsheik123 · ‎04-15-2011

Another thing you can try is .. lower the security level on the interface to '0'. (Iam not quite sute if it anything to do with). Alsom below is the info/bug I found for 7.0.4.Your code is 7.0.2 though..

ASA VPN: all packets for a l2l peer get dropped instead of encrypted

Symptom:

ASA drops traffic which should get encrypted for a valid L2L VPN peer.

Conditions:

ASA running 7.0.4 code. A valid "show crypto ipsec sa" output is
present: QuickMode has completed and you see the active SPI values.
Furthermore, the remote site is able to send traffic [#pkts decrypt counter
is increasing]. However the #pkts encrypt counter is not increasing.
Instead, you see the "show asp drop" counter "Tunnel being brought up or torn
down", which is increasing.

Workaround:

None, you must reload to recover

Thx

MS

William Benson · ‎04-15-2011

I alredy lowered security-level to 0. The error message your describing doesn't

apply. My tunnel is up and packets are increasing on both counters:

#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18

But it's only passing packets when I ping from the ASA itself, if I try to ping from the network the ASA is attached to I get nothing.

I think this is the heart of the problem here:

access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 10.52.120.0 255.255.2
55.0 192.52.128.0 255.255.255.0 (hitcnt=0)

Packets going to the remote subnet from the local subnet that should be tunneled = 0

The ACL is just not picking up the traffic coming in on Ethernet0/0 as "interesting traffic" to be tunneled...grrrrrrrr

William Benson · ‎04-15-2011

Also:

From the 881W router on the other end, I can ping from a client computer through the router into the tunnel to the 10.52.120.23 interface. But if I try to ping anything inisde of the 10.52.120.23 network from the remote network it times out.

Everything is pointing to something on Ethernet0/0 I just don't know what it is. Ethernet0/0 is the point of failure from both ends of the tunnel. Clients in the 10.52.120.0 network can't ping past the 10.52.120.23 interface and clients in the 192.52.128.0 network can't ping past the 10.52.120.23 interface, but they can both ping all the way to it. /sigh

William Benson · ‎04-15-2011

IT'S WORKING!!! Underneath interfaces configuration menu there was a checkbox for allow traffic to pass between two interfaces with the same security level. I checked that box and applied settings and it started working.

I think it was this statement that did the trick:

same-security-traffic permit inter-interface

There was a intra-interface statement in place but not an inter-interface. I'm going to do a line by line compare later between my original config and this final one that is working and see what all is different. For now though I'm thrilled

Here's my final configuration that has the tunnel up and running using only one interface on the ASA:

ASA Version 7.0(2)
names
!
interface Ethernet0/0
nameif inside
security-level 0
ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
enable password ********************* encrypted
passwd *********************** encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.52.120.0 255.255.255.0 19
2.52.128.0 255.255.255.0
access-list inside_cryptomap_20 extended permit ip 10.52.120.0 255.255.255.0 192
.52.128.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu management 1500
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.52.128.0 255.255.255.0 10.52.120.1 1
route inside 0.0.0.0 0.0.0.0 10.52.120.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.52.120.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map inside_map 20 match address inside_cryptomap_20
crypto map inside_map 20 set peer x.x.x.204
crypto map inside_map 20 set transform-set ESP-3DES-MD5
crypto map inside_map interface inside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
tunnel-group x.x.x.204 type ipsec-l2l
tunnel-group x.x.x.204 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:3acfd019e32c27c78d84b7f7e92cf097

mvsheik123 · ‎04-15-2011

Strange but good news. Thanks for the update. Glad everything is working.

Thx

MS

William Benson · ‎04-15-2011

MS,

Thx for your help. I'd like to mark a response as the correct answer, but it won't let me mark my own. If you want to repond by saying make sure you have the following lines in your config:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Also try setting the security level to 0 for the VPN interface.

I'll mark your response as the answer and give you a little credit for your help. Those were the only two changes from my original config so if anyone else stumbles across this thread they'll know it was resolved

Thanks again for your time MS! It was appreciated!

EDIT:::::

Disregard replying MS...I just marked your reply as the answer so it shows resovled. If someone stumbling across this thread can't figure it out oh well hehe.