03-17-2014 08:09 AM
ASA 5520(8.441)-----ASA 5505(8.441)
1.1.1.1 ----- 2.2.2.2
192.168.0.0/17------192.168.200.0/24
ASA 5505:
object network inside
subnet 192.168.200.0 255.255.255.0
object network remote
subnet 192.168.0.0 255.255.128.0
access-list l2lvpn extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.128.0
nat (inside,outside) source static inside inside destination static remote remote no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set 1 esp-des esp-md5-hmac
crypto map vpnmap 10 match address l2lvpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 1.1.1.1
crypto map vpnmap 10 set ikev1 transform-set 1
crypto map vpnmap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
group-policy l2lvpn internal
group-policy l2lvpn attributes
vpn-tunnel-protocol ikev1
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy l2lvpn
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
ASA 5520 (172.16.30.0 is used for the client VPN; it works well):
object network inside
subnet 192.168.0.0 255.255.128.0
object network remote-network
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_172.16.30.0_24
subnet 172.16.30.0 255.255.255.0
access-list l2lvpn extended permit ip 192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.0
nat (inside,outside) source static inside inside destination static remote-network remote-network no-proxy-arp route-lookup
nat (inside,outside) source static inside inside destination static NETWORK_OBJ_172.16.30.0_24 NETWORK_OBJ_172.16.30.0_24 no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set 2 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set client esp-aes esp-md5-hmac ---(client)
crypto dynamic-map dyn1 10 set ikev1 transform-set client---(client)
crypto dynamic-map dyn1 10 set reverse-route---(client)
crypto map vpnmap 10 match address l2lvpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 2.2.2.2
crypto map vpnmap 10 set ikev1 transform-set 2
crypto map vpnmap 60001 ipsec-isakmp dynamic dyn1
crypto map vpnmap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
group-policy 2 internal
group-policy 2 attributes
vpn-tunnel-protocol ikev1
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy 2
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key ****
ASA 5505:
ASA5505# sh isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA5505#sh ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
Bytes: 0
Decompressed bytes: 0
Packets: 0
Dropped packets: 0
Replay failures: 0
Authentications: 0
Authentication failures: 0
Decryptions: 0
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 31290
Uncompressed bytes: 31290
Packets: 298
Dropped packets: 0
Authentications: 298
Authentication failures: 0
Encryptions: 298
Encryption failures: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
ASA 5505#sh ipsec sa
interface: outside
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list l2lvpn extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.128.0
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 305, #pkts encrypt: 305, #pkts digest: 305
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 305, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.:2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2292754D
current inbound spi : F51E25E9
inbound esp sas:
spi: 0xF51E25E9 (4112393705)
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 12288, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3915000/22718)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x2292754D (580023629)
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 12288, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914968/22718)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA 5520
ASA5520# sh isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA5520# sh ipsec sa
interface: outside
Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1
access-list l2lvpn extended permit ip 192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 306, #pkts decrypt: 306, #pkts verify: 306
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F51E25E9
current inbound spi : 2292754D
inbound esp sas:
spi: 0x2292754D (580023629)
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 36864, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373968/22478)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF51E25E9 (4112393705)
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 36864, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4374000/22478)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
A ping does not work between the private IP networks over the L2L VPN. It seems there is no inbound data at the ASA 5505.
I'm confused. What happened? Could you help me? Thanks in advance.
03-17-2014 10:11 PM
Hi,
Thanks for the information!
I noticed that you are pinging from the ASA itself to the remote site of the tunnel. In order to make that packet go through the VPN connection you will need to source the ping from the inside interface; otherwise the packet will be sourced from the closest interface to the destination, in this case the outside interface. However, the outside IP address/subnet is not included in the VPN traffic. Please enable management access on the inside interface and then try the ping again sourced from the inside. Below are the outputs needed:
ASA(config)#management-access inside
ASA(config)#ping inside (remote host)
Note: If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
Remember to check the routing for the packets coming back.
I hope this helps,
Luis.
03-17-2014 10:45 AM
I'm assuming you're pinging from a host on the 5505 side to a host on the 5520 side and vice-versa. Is the ping from the 5520 side hitting the 5520? I would check that first.
03-17-2014 07:18 PM
ASA5520# ping 192.168.0.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5520# ping 192.168.200.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.21, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA5505# ping 192.168.200.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/50/230 ms
ASA5505# ping 192.168.0.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.12, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
03-17-2014 11:07 PM
Luis,
Yeah, you are right.
I found my mistake, which was making a ping from the ASA itself. From a host to the other host it is OK!
Now, after adding 'management-access inside', I can do it on the ASA.
Thanks a lot!
03-17-2014 11:18 AM
Hi,
As we can see in the outputs, phases 1 and 2 are coming up using the correct crypto maps, which means that the VPN tunnel is properly configured. We can see the ASA 5505 encrypting the packets and the 5520 decrypting the packets; however, on the 5520 the packets are not being encrypted back through the VPN connection. This could be related to a NAT identity rule, a routing issue on the core behind the ASA 5520, or a route on the 5520. Please make sure that there is no route on the 5520 covering the 192.168.200.0/24 network sending the packets through a different interface than the outside interface. You could configure a static route for the 192.168.200.0/24 network to make sure that it will take the VPN connection. For instance:
route outside 192.168.200.0 255.255.255.0 (next hop on the outside)
I checked the NAT rule on the 5520 and I could see that you specified an object group named remote-network. Based on the configuration attached the object group name is remote. I do not know if it was a typo but please correct it to make sure that’s not causing the problem.
Current configuration on ASA 5520:
object network inside
subnet 192.168.0.0 255.255.128.0
object network remote
subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static inside inside destination static remote-network remote-network no-proxy-arp route-lookup
Please correct as the one below if that’s needed:
nat (inside,outside) source static inside inside destination static remote remote no-proxy-arp route-lookup
As I mentioned previously we also need to make sure that we have the proper routes configured for the remote network (192.168.200.0/24) behind the ASA 5520. Remember that the packets need to get back to the ASA in order to send them back through the VPN connection.
I hope this helps,
Luis.
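The two points Luis makes in this thread, that phase 2 needs mirrored crypto ACLs on both ASAs and that a ping issued on the ASA itself is sourced from the outside interface and so never matches the crypto ACL, can be checked offline. The following Python is an added illustration, not code from the thread or from Cisco; the crypto ACLs and the peer address 2.2.2.2 come from the posts, while the 5505's inside address 192.168.200.1 and outside /30 are assumptions.

```python
import ipaddress

# Crypto ACLs as posted in the thread, one per side of the L2L tunnel.
ACL_5505 = ("access-list l2lvpn extended permit ip "
            "192.168.200.0 255.255.255.0 192.168.0.0 255.255.128.0")
ACL_5520 = ("access-list l2lvpn extended permit ip "
            "192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.0")

# 5505 interfaces: 2.2.2.2 is from the thread; inside address and outside /30 are assumed.
ASA5505_IFACES = {
    "inside": ipaddress.ip_interface("192.168.200.1/24"),
    "outside": ipaddress.ip_interface("2.2.2.2/30"),
}

def parse_crypto_ace(line):
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK' into two
    networks; strict=True rejects a mistyped mask (e.g. 255.255.200.0) like the ASA CLI."""
    f = line.split()
    if len(f) != 9 or f[0] != "access-list" or f[2:5] != ["extended", "permit", "ip"]:
        raise ValueError("only 'extended permit ip' ACEs with explicit masks are modelled")
    return (ipaddress.ip_network(f"{f[5]}/{f[6]}", strict=True),
            ipaddress.ip_network(f"{f[7]}/{f[8]}", strict=True))

def ace_is_valid(line):
    try:
        parse_crypto_ace(line)
        return True
    except ValueError:
        return False

def mirrors(acl_a, acl_b):
    """Phase 2 only completes if each side's proxy IDs are the mirror of the other's."""
    sa, da = parse_crypto_ace(acl_a)
    sb, db = parse_crypto_ace(acl_b)
    return sa == db and da == sb

def is_interesting(acl, src_ip, dst_ip):
    """True if the packet matches the crypto ACL, i.e. the ASA would encrypt it."""
    src, dst = parse_crypto_ace(acl)
    return ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst

def asa_ping_source(ifaces, dst_ip, source_iface=None):
    """Source address of a ping issued on the ASA itself: the egress interface
    (outside via the default route) unless 'ping <iface> <host>' names one."""
    if source_iface is None:
        dst = ipaddress.ip_address(dst_ip)
        hits = [name for name, itf in ifaces.items() if dst in itf.network]
        source_iface = hits[0] if hits else "outside"
    return str(ifaces[source_iface].ip)
```

Running `is_interesting(ACL_5505, asa_ping_source(ASA5505_IFACES, "192.168.0.12"), "192.168.0.12")` returns False because the ping is sourced from 2.2.2.2, while the same call with `source_iface="inside"` (the `ping inside` form) returns True.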
03-17-2014 07:10 PM
1. The object name was a typo. I fixed it.
2. I added a route on the ASA 5520, such as 'route outside 192.168.200.0 255.255.255.0 2.2.2.2'. It still does not work.