07-15-2015 08:53 AM - edited 02-21-2020 08:20 PM
I have a HQ VPN head-end Cisco ASA 5520 (v8.2) and a vpn tunnel established with a remote Cisco 1811 router (124-15.T17).
The remote side is configured for a dynamic IP.
The tunnel is up, phase 1 & phase 2. From the remote router, I can ping/access the HQ subnets defined in my "Interesting Traffic" ACL with no issues.
The issue is, my HQ cannot access/ping anything on the remote side UNTIL traffic is initiated first FROM the remote.
Example:
I have an L0 defined on my remote router, 10.157.1.1/32. Sitting at my desk, I am not able to ping 10.157.1.1 from 10.129.105.100 until I first ping from the router back to myself:
#ping 10.129.105.100 source l0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
C:\>ping 10.157.1.1 -t
Pinging 10.157.1.1 with 32 bytes of data:
Request timed out.
Request timed out. ( <- This is where I typed in the #ping 10.129.105.100 source l0)
Reply from 10.157.1.1: bytes=32 time=4ms TTL=253
Reply from 10.157.1.1: bytes=32 time=4ms TTL=253
With a "show crypto ipsec sa" on the HQ, the ASA is not creating the local/remote ident entries.
I can post configs if necessary.
Note: PFS is OFF
Thanks in advance,
Tony
07-15-2015 11:05 AM
Hi Tony,
Can you please post the result of the command below?
On your ASA5520:
#packet-tracer input outside icmp 10.129.105.100 8 0 <internal IP address behind Router>
e.g. above "outside" is nameif for outside interface.
Use 8 : Icmp type - Echo
Use 0 : Icmp Code - Echo Reply
Check where your ICMP is blocked. Let me know,
Please rate if it helps,
Thanks,
Allen
07-15-2015 11:16 AM
It fails, 10.129.105.100 would not be coming from the "outside" interface, it would come from the "inside" interface on the ASA HQ firewall.
Path:
10.129.105.100 (host at HQ) -> (inside) interface of HQ ASA -> (outside) interface of HQ ASA -> (vpn tunnel) -> FastEthernet0 (outside Interface of 1811 router) -> 10.157.1.1 (L0 Interface on remote router)
# packet-tracer input outside icmp 10.129.105.100 8 0 10.157.1.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.157.1.1 255.255.255.255 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group acl_OUTSIDE in interface outside
access-list acl_OUTSIDE extended deny ip any any
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-15-2015 12:22 PM
My bad, I misinterpreted your config.
Can you please change outside to the inside interface and post the result? At which phase are you getting the drop?
#packet-tracer input inside icmp 10.129.105.100 8 0 10.157.1.1
And can you post your ACL for interesting traffic?
07-15-2015 12:32 PM
It's allowed:
# packet-tracer input MKB icmp 10.129.105.100 8 0 10.157.1.1
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.157.1.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_MKB in interface MKB
access-list acl_MKB extended permit icmp any any
access-list acl_MKB remark ===== Allow NTP =====
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip MKB 10.129.0.0 255.255.0.0 outside host 10.157.1.1
NAT exempt
translate_hits = 1504, untranslate_hits = 6
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (MKB) 1 0.0.0.0 0.0.0.0
match ip MKB any outside any
dynamic translation to pool 1 (207.201.237.5 [Interface PAT])
translate_hits = 38967, untranslate_hits = 301
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (MKB) 1 0.0.0.0 0.0.0.0
match ip MKB any VS any
dynamic translation to pool 1 (No matching global)
translate_hits = 933, untranslate_hits = 0
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4215046, packet dispatched to next module
Result:
input-interface: MKB
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
acl_NONAT:
access-list acl_NONAT remark ===== Do Not NAT these Networks Talking to each other =====
access-list acl_NONAT extended permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list acl_NONAT extended permit ip 10.0.0.0 255.255.0.0 10.129.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 10.129.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 10.129.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 10.129.0.0 255.255.0.0 10.129.132.0 255.255.254.0
access-list acl_NONAT extended permit ip 10.129.132.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list acl_NONAT extended permit ip 10.129.132.0 255.255.254.0 10.129.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 10.129.132.0 255.255.254.0 172.21.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.21.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl_NONAT extended permit ip 192.168.1.0 255.255.255.0 10.129.132.0 255.255.254.0
access-list acl_NONAT extended permit ip 172.21.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list acl_NONAT extended permit ip 172.21.0.0 255.255.0.0 10.129.0.0 255.255.0.0
access-list acl_NONAT remark ----- VPN -----
access-list acl_NONAT extended permit ip 192.168.1.0 255.255.255.0 host 10.157.1.1
access-list acl_NONAT extended permit ip 172.21.0.0 255.255.0.0 host 10.157.1.1
access-list acl_NONAT extended permit ip 10.129.0.0 255.255.0.0 host 10.157.1.1
access-list acl_NONAT extended permit ip 192.168.1.0 255.255.255.0 10.63.0.0 255.255.255.0
access-list acl_NONAT extended permit ip 172.21.0.0 255.255.0.0 10.63.0.0 255.255.255.0
access-list acl_NONAT extended permit ip 10.129.0.0 255.255.0.0 10.63.0.0 255.255.255.0
07-15-2015 05:14 PM
Hi Tony,
Sorry for the late response. Can you please try checking nat-traversal (NAT-T) on both the ASA and the 1811? I believe in IOS, NAT-T is enabled by default after Cisco IOS Software Release 12.2(13)T and later. Both sides should be NAT-T enabled or vice versa.
On ASA 5520, configure:
securityappliance(config)#crypto isakmp nat-traversal 20
20 is the keepalive time by default.
Let me know if it doesn't work. If not, then please try to ping L0 from the ASA again, and post #show log and sh crypto ipsec sa
Please rate if it helps,
Thanks,
Allen
07-15-2015 07:30 PM
Yes, NAT-T is enabled. Debug crypto isakmp:
Router:
000596: Jul 16 03:15:05: ISAKMP (0:2012): vendor ID is NAT-T RFC 3947
ASA:
Jul 15 2015 22:15:05: %ASA-7-715046: Group = VPN1001, IP = x.x.x.x, constructing NAT-Traversal VID ver RFC payload
ASA# ping 10.157.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.157.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_MAP_DYNAMIC, seq num: 100, local addr: x.x.x.5
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.157.1.1/255.255.255.255/0/0)
current_peer: x.x.x.x
#pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56
#pkts decaps: 56, #pkts decrypt: 56, #pkts verify: 56
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 56, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.5/4500, remote crypto endpt.: x.x.x.x/16008
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: C14FADFC
current inbound spi : 5978B203
inbound esp sas:
spi: 0x5978B203 (1501082115)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1216512, crypto-map: VPN_MAP_DYNAMIC
sa timing: remaining key lifetime (kB/sec): (4373991/28549)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x01FFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC14FADFC (3243224572)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1216512, crypto-map: VPN_MAP_DYNAMIC
sa timing: remaining key lifetime (kB/sec): (4373992/28549)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: VPN_MAP_DYNAMIC, seq num: 100, local addr: 207.201.237.5
local ident (addr/mask/prot/port): (x.x.x.5/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/17/0)
current_peer: 97.101.174.75, username: ajdaniels
dynamic allocated peer ip: 10.129.132.88
#pkts encaps: 16035, #pkts encrypt: 16035, #pkts digest: 16035
#pkts decaps: 19911, #pkts decrypt: 19911, #pkts verify: 19911
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16035, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 10
local crypto endpt.: x.x.x.5/4500, remote crypto endpt.: x.x.x.75/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0D5491FF
current inbound spi : B9B50EA0
inbound esp sas:
spi: 0xB9B50EA0 (3115650720)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 1204224, crypto-map: VPN_MAP_DYNAMIC
sa timing: remaining key lifetime (sec): 2839
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0D5491FF (223646207)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 1204224, crypto-map: VPN_MAP_DYNAMIC
sa timing: remaining key lifetime (sec): 2839
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
As you can see above, it doesn't create the ident network entries. In this case:
local ident (addr/mask/prot/port): (172.21.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.157.1.1/255.255.255.255/0/0)
Log:
Jul 15 2015 22:26:26: %ASA-5-713257: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Jul 15 2015 22:26:26: %ASA-5-713049: Group = VPN1001, IP = x.x.x.66, Security negotiation complete for LAN-to-LAN Group (VPN1001) Responder, Inbound SPI = 0x65cdcae1, Outbound SPI = 0x80ca0307
Jul 15 2015 22:26:26: %ASA-5-713120: Group = VPN1001, IP = x.x.x.66, PHASE 2 COMPLETED (msgid=8bcd472c)
The log entry above in bold is because we also have an RA configuration set, and that uses transport mode; this is a LAN-to-LAN and the transform-set it uses is in tunnel mode.
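Added example, not code from the thread: a small parser for the ident pairs in the ASA's "show crypto ipsec sa" output that answers the question Tony is asking, namely which existing IPsec SA (if any) would carry a given flow. The sample input is constructed from the L2L entry posted above; the HQ host 10.129.105.100 falls outside the only local ident the remote negotiated (192.168.1.0/24), so no SA covers the ping until another one is built.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample input constructed from the L2L entry in the thread's "show crypto ipsec sa" output.
SHOW_CRYPTO_IPSEC_SA = """\
Crypto map tag: VPN_MAP_DYNAMIC, seq num: 100, local addr: x.x.x.5
  local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.157.1.1/255.255.255.255/0/0)
  in use settings ={L2L, Tunnel, NAT-T-Encaps, }
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
MODE_RE = re.compile(r"in use settings =\{(\w+), (\w+),")


@dataclass
class IpsecSa:
    local: ipaddress.IPv4Network   # local ident (proxy identity on the ASA side)
    remote: ipaddress.IPv4Network  # remote ident (proxy identity behind the peer)
    proto: int                     # 0 means any IP protocol
    kind: str = "?"                # L2L or RA
    mode: str = "?"                # Tunnel or Transport


def parse_sas(text):
    """Pair each local ident with the remote ident that follows it; each pair is one SA."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, proto, _port = m.groups()
            cur[side] = (ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto))
            if "local" in cur and "remote" in cur:
                sas.append(IpsecSa(cur["local"][0], cur["remote"][0], cur["local"][1]))
                cur = {}
            continue
        m = MODE_RE.search(line)
        if m and sas:  # "in use settings" lines belong to the most recent SA
            sas[-1].kind, sas[-1].mode = m.groups()
    return sas


def covering_sas(sas, src, dst, proto=1):
    """SAs whose local/remote idents (and protocol, default ICMP) match a flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [sa for sa in sas if s in sa.local and d in sa.remote and sa.proto in (0, proto)]


if __name__ == "__main__":
    sas = parse_sas(SHOW_CRYPTO_IPSEC_SA)
    for src in ("10.129.105.100", "192.168.1.10"):
        hits = covering_sas(sas, src, "10.157.1.1")
        print(src, "-> 10.157.1.1:", [(str(h.local), str(h.remote), h.kind, h.mode) for h in hits] or "no SA")
```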