12-10-2012 12:45 PM - edited 02-21-2020 06:32 PM
Hi,
I have what I thought was a simple configuration, but I am having issues and could use a second set of eyes.
I have a site-to-site between two locations:
Site A is 192.168.0.0/24
Site B is 192.168.4.0/24
I have been asked to NAT all communications between these sites to 10.57.4.0/24 and for a single host 192.168.0.112 to static NAT to 10.57.4.50.
The tunnel is up and running, and I can ping across the link to the far-end host at 192.168.4.20 with no issues. But I am having an application problem where it will not establish communications. I suspect it's the reverse NAT, but I have reviewed the configuration several times. All connections to the NAT'd address of 10.57.4.50 should be forwarded to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NAT'd to 10.57.4.50 to traverse the tunnel.
The site B system can also ping 10.57.4.50.
Here's the running configuration:
ASA Version 8.3(2)
!
hostname fw1
domain-name <removed>
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.166.117.186 255.255.255.248
!
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Vlan5
description PD Network
nameif PDNet
security-level 95
ip address 192.168.0.1 255.255.255.0
!
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
!
banner exec Access Restricted
banner login Access Restricted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name <removed>
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NHDOS_Firewall
host 72.95.124.69
object network NHDOS_SpotsHub
host 192.168.4.20
object network IMCMOBILE
host 192.168.0.112
object network NHDOS_Net
subnet 192.168.4.0 255.255.255.0
object network NHSPOTS_Net
subnet 10.57.4.0 255.255.255.0
object network IMCMobile_NAT_IP
host 10.57.4.50
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
object-group network DOS_Networks
network-object 10.56.0.0 255.255.0.0
network-object object NHDOS_Net
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
logging enable
logging list Test1 level debugging class vpn
logging asdm debugging
logging mail errors
logging from-address <removed>
logging recipient-address <removed> level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks
!
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
access-group PDNet_access_in in interface PDNet
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.x.x.x 255.255.255.0 inside
http 7.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> encrypted privilege 15
tunnel-group 72.x.x.x type ipsec-l2l
tunnel-group 72.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
: end
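As an added illustration (not part of the thread or the poster's configuration), the following Python model walks one request and its reply through the twice NAT rule quoted above, "nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks", and the outside_1_cryptomap crypto ACL. It assumes the destination is 192.168.4.0/24 only, which is the narrowing suggested later in the thread, rather than the full DOS_Networks group, and it is a simplified model of the ASA's forward translation, reverse xlate lookup and proxy-identity check, not the ASA's own NAT engine.

```python
"""Added example (not from the thread): a small model of the asker's twice NAT
rule and crypto ACL, used to walk a request and its reply through the ASA.
Addresses are the ones quoted in the thread; the destination is modelled as
192.168.4.0/24 only (the fix suggested in the replies), not the DOS_Networks group."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (any,outside) source static <src_real> <src_mapped>
                         destination static <dst_real> <dst_mapped>"""
    src_real: IPv4Network
    src_mapped: IPv4Network
    dst_real: IPv4Network
    dst_mapped: IPv4Network


def _shift(addr, from_net, to_net):
    """Static one-to-one mapping: keep the host offset, swap the network."""
    return IPv4Address(int(to_net.network_address) + int(addr) - int(from_net.network_address))


RULE = TwiceNatRule(
    src_real=ip_network("192.168.0.112/32"),   # IMCMOBILE
    src_mapped=ip_network("10.57.4.50/32"),    # IMCMobile_NAT_IP
    dst_real=ip_network("192.168.4.0/24"),     # NHDOS_Net, identity NAT (assumption: group narrowed)
    dst_mapped=ip_network("192.168.4.0/24"),
)
# outside_1_cryptomap after the fix: local 10.57.4.0/24 -> remote 192.168.4.0/24
CRYPTO_ACL = [("10.57.4.0/24", "192.168.4.0/24")]


def translate_outbound(src, dst, rule=RULE):
    """Real -> mapped for a packet heading into the tunnel; None if the rule does not apply."""
    s, d = ip_address(src), ip_address(dst)
    if s in rule.src_real and d in rule.dst_real:
        return (str(_shift(s, rule.src_real, rule.src_mapped)),
                str(_shift(d, rule.dst_real, rule.dst_mapped)))
    return None


def untranslate_inbound(src, dst, rule=RULE):
    """Mapped -> real for a reply arriving from the tunnel; None if no xlate matches."""
    s, d = ip_address(src), ip_address(dst)
    if s in rule.dst_mapped and d in rule.src_mapped:
        return (str(_shift(s, rule.dst_mapped, rule.dst_real)),
                str(_shift(d, rule.src_mapped, rule.src_real)))
    return None


def matches_crypto_acl(local, remote, acl=CRYPTO_ACL):
    """True if (local, remote) falls inside one crypto ACL line (the proxy identities)."""
    l, r = ip_address(local), ip_address(remote)
    return any(l in ip_network(a) and r in ip_network(b) for a, b in acl)


def proxy_ids_mirror(local_acl, remote_acl):
    """Both peers must define the same selectors, mirrored; an extra line on one side
    (such as 10.56.0.0/16 in DOS_Networks) means the two sides do not agree."""
    mine = {(ip_network(a), ip_network(b)) for a, b in local_acl}
    theirs = {(ip_network(b), ip_network(a)) for a, b in remote_acl}
    return mine == theirs


def trace(client, server):
    """Walk one request and its reply through NAT and the crypto ACL checks."""
    out = translate_outbound(client, server)
    steps = {"after_nat": out, "encrypted": False,
             "reply_to_mapped": None, "reply_to_real": None}
    if out:
        mapped_src = out[0]
        steps["encrypted"] = matches_crypto_acl(mapped_src, server)
        # Correct reply: the peer answers the NATed address; it passes the crypto ACL and untranslates.
        steps["reply_to_mapped"] = (matches_crypto_acl(mapped_src, server),
                                    untranslate_inbound(server, mapped_src))
    # Wrong reply: the peer answers the real address; it matches neither the crypto ACL nor an xlate.
    steps["reply_to_real"] = (matches_crypto_acl(client, server),
                              untranslate_inbound(server, client))
    return steps


if __name__ == "__main__":
    for k, v in trace("192.168.0.112", "192.168.4.20").items():
        print(f"{k}: {v}")
```

Running `trace("192.168.0.112", "192.168.4.20")` shows the request leaving as 10.57.4.50 -> 192.168.4.20 and being encrypted, a reply addressed to 10.57.4.50 untranslating back to 192.168.0.112, and a reply addressed to 192.168.0.112 failing both the crypto ACL and the xlate lookup, which is the failure mode the later replies in this thread point at.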
12-11-2012 12:50 PM
Did you ever fix the ACL?
12-11-2012 12:53 PM
I must have missed that, which ACL and what was the suggested fix?
12-11-2012 12:55 PM
ACL for the VPN:
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
Your source is right, but the destination DOS_Networks has 10.56.0.0/16; where did that come from? If you need to go from 192.168.0.112 -- NAT --> 10.57.4.50 --> 192.168.4.0/24, then your destination should include only that network. The other end will also need to match your side, so something like this:
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net 192.168.4.0 255.255.255.0
or
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object NHDOS_Net
12-11-2012 01:32 PM
Yes, I have changed it to access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object NHDOS_Net.
Did anyone see any issues with the packet captures?
12-12-2012 12:17 PM
I have checked the capture files. In the captures, it seems that only packets from 192.168.0.112 to 192.168.4.20 are visible; however, the reply packet is not visible. Thus, either the reply packet is not coming back, or the ASA is dropping it, or the traffic is not being captured properly.
Can you please share the ACL that you have used for capturing this traffic? It should be like:
access-list captured permit ip host 192.168.0.112 host 192.168.4.20
access-list captured permit ip host 192.168.4.20 host 192.168.0.112
If the access-list is correct, then try capturing traffic with the ACL mentioned below:
access-list captured permit ip host 192.168.0.112 host 192.168.4.20
access-list captured permit ip host 192.168.4.20 host 192.168.0.112
access-list captured permit ip host 10.57.4.50 host 192.168.4.20
access-list captured permit ip host 192.168.4.20 host 10.57.4.50
For applying capture you can use command:
capture cap access-list captured interface PDNet buffer 2000000 circular
Also, try passing traffic and grab the output of the following commands, taking the output several times while executing the tests:
show asp drop | inc 10.57.4.50
show asp drop | inc 192.168.0.112
Along with this, grab the output of the following command as well after executing the test:
show crypto ipsec sa
[If possible, reset tunnel once before doing this test]
Regards,
Anuj
12-12-2012 01:43 PM
Anuj,
Thank you for the continued assistance.
Here's the output of the capture:
33 packets captured
1: 16:27:05.392969 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
2: 16:27:08.345807 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
3: 16:27:14.361599 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
4: 16:27:45.392313 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535
5: 16:27:48.308577 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535
6: 16:27:54.243059 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535
7: 16:28:07.063015 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
8: 16:28:07.103693 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
9: 16:28:08.066097 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
10: 16:28:08.104898 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
11: 16:28:09.069011 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
12: 16:28:09.107523 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
13: 16:28:10.071941 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
14: 16:28:10.111047 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
15: 16:28:19.881836 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535
16: 16:28:22.808979 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535
17: 16:28:25.376552 802.1Q vlan#5 P0 192.168.0.112.2818 > 192.168.4.20.6800: S 1361468755:1361468755(0) win 65535
18: 16:28:28.341168 802.1Q vlan#5 P0 192.168.0.112.2818 > 192.168.4.20.6800: S 1361468755:1361468755(0) win 65535
19: 16:28:28.743461 802.1Q vlan#5 P0 192.168.0.112.2817 > 192.168.4.20.6800: S 2273411373:2273411373(0) win 65535
20: 16:30:41.384242 802.1Q vlan#5 P0 192.168.0.112.2823 > 192.168.4.20.6800: S 3911555739:3911555739(0) win 65535
21: 16:30:44.230655 802.1Q vlan#5 P0 192.168.0.112.2823 > 192.168.4.20.6800: S 3911555739:3911555739(0) win 65535
22: 16:30:50.265718 802.1Q vlan#5 P0 192.168.0.112.2823 > 192.168.4.20.6800: S 3911555739:3911555739(0) win 65535
23: 16:34:26.434120 802.1Q vlan#5 P0 192.168.0.112.2826 > 192.168.4.20.6800: S 1638122493:1638122493(0) win 65535
24: 16:34:29.443946 802.1Q vlan#5 P0 192.168.0.112.2826 > 192.168.4.20.6800: S 1638122493:1638122493(0) win 65535
25: 16:34:35.475103 802.1Q vlan#5 P0 192.168.0.112.2826 > 192.168.4.20.6800: S 1638122493:1638122493(0) win 65535
26: 16:34:56.796192 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
27: 16:34:56.837481 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
28: 16:34:57.799961 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
29: 16:34:57.838839 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
30: 16:34:58.801899 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
31: 16:34:58.841020 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
32: 16:34:59.804798 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
33: 16:34:59.843538 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
33 packets shown
Here's the capture access-list used:
access-list captured; 4 elements; name hash: 0x64472634
access-list captured line 1 extended permit ip host 192.168.0.112 host 192.168.4.20 (hitcnt=35) 0x70841416
access-list captured line 2 extended permit ip host 192.168.4.20 host 192.168.0.112 (hitcnt=12) 0x2902a719
access-list captured line 3 extended permit ip host 10.57.4.50 host 192.168.4.20 (hitcnt=0) 0xb5044bca
access-list captured line 4 extended permit ip host 192.168.4.20 host 10.57.4.20 (hitcnt=0) 0xab88b23e
Here's the output of "show crypto ipsec sa":
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 173.x.x.x
access-list outside_1_cryptomap extended permit ip 10.57.4.0 255.255.255.0 192.168.4.0 255.255.255.0
local ident (addr/mask/prot/port): (10.57.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 72.x.x.x
#pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 152, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 173.x.x.x/0, remote crypto endpt.: 72.x.x.x/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 609CE00B
current inbound spi : 5B8DDB35
inbound esp sas:
spi: 0x5B8DDB35 (1536023349)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1462272, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/1474)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x609CE00B (1620893707)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1462272, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373992/1474)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 173.x.x.x
access-list outside_2_cryptomap extended permit ip 192.168.9.0 255.255.255.0 192.168.6.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
current_peer: 173.162.x.x
#pkts encaps: 194, #pkts encrypt: 194, #pkts digest: 194
#pkts decaps: 1579, #pkts decrypt: 1579, #pkts verify: 1579
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 194, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 173.x.x.x/0, remote crypto endpt.: 173.162.x.x/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8F8E990C
current inbound spi : 7EBBED6E
inbound esp sas:
spi: 0x7EBBED6E (2126245230)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/23599)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8F8E990C (2408487180)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/23599)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 173.x.x.x
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
current_peer: 173.162.x.x
#pkts encaps: 1353568, #pkts encrypt: 1353568, #pkts digest: 1353568
#pkts decaps: 1358106, #pkts decrypt: 1358106, #pkts verify: 1358106
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1353568, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 173.x.x.x/0, remote crypto endpt.: 173.162.x.x/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9C2EF78F
current inbound spi : 03ADBAF4
inbound esp sas:
spi: 0x03ADBAF4 (61717236)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373506/23504)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9C2EF78F (2620323727)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373508/23504)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
The "show asp drop" didn't show anything for either subnet.
John
12-12-2012 01:55 PM
As per the captures, it is clearly visible that the reply packet is not coming back.
Even the IPsec SA shows that the decrypted packet count is only 4, which reflects the ICMP replies.
Thus, it's time we check the config at the remote end and take similar outputs at the other end to track the reply packet.
Regards,
Anuj
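The diagnosis above is read by eye from the capture listing: every TCP SYN to port 6800 is repeated with no SYN-ACK, while every ICMP echo request gets a reply. The following Python script, added here as an example and not part of the thread, automates that reading: it parses ASA `show capture` lines into flows and reports which TCP connection attempts never received any packet back. The sample text is constructed from a subset of the capture lines in the post above plus two invented lines (port 22) for an answered connection, so the contrast is visible. Note that a capture taken on the PDNet interface sees the real (pre-NAT) addresses, which is why the 10.57.4.50 lines of the capture ACL above show zero hits; the script therefore keys flows on whatever addresses appear in the listing.

```python
"""Added example (not from the thread): classify an ASA 'show capture' listing
into answered and unanswered flows.  SAMPLE_CAPTURE is constructed from lines in
the post above plus two invented lines (port 22) showing an answered connection."""
import re

# ASA capture output is tcpdump-style, optionally prefixed with the 802.1Q tag.
_PREFIX = r"^\s*\d+:\s+\S+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TCP_RE = re.compile(_PREFIX + rf"(?P<src>{_IP})\.(?P<sport>\d+)\s+>\s+"
                    rf"(?P<dst>{_IP})\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)")
ICMP_RE = re.compile(_PREFIX + rf"(?P<src>{_IP})\s+>\s+(?P<dst>{_IP}):\s+"
                     r"icmp:\s+echo\s+(?P<kind>request|reply)")

SAMPLE_CAPTURE = """\
1: 16:27:05.392969 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
2: 16:27:08.345807 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
3: 16:27:14.361599 802.1Q vlan#5 P0 192.168.0.112.2792 > 192.168.4.20.6800: S 946526132:946526132(0) win 65535
4: 16:27:45.392313 802.1Q vlan#5 P0 192.168.0.112.2796 > 192.168.4.20.6800: S 903808292:903808292(0) win 65535
7: 16:28:07.063015 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
8: 16:28:07.103693 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
9: 16:28:08.066097 802.1Q vlan#5 P0 192.168.0.112 > 192.168.4.20: icmp: echo request
10: 16:28:08.104898 802.1Q vlan#5 P0 192.168.4.20 > 192.168.0.112: icmp: echo reply
11: 16:29:00.000000 802.1Q vlan#5 P0 192.168.0.112.2900 > 192.168.4.20.22: S 1:1(0) win 65535
12: 16:29:00.040000 802.1Q vlan#5 P0 192.168.4.20.22 > 192.168.0.112.2900: S 7:7(0) ack 2 win 8192
"""


def analyze_capture(text):
    """Return (tcp_flows, icmp_pairs).

    tcp_flows maps (client, cport, server, sport) -> {"syns", "client_pkts", "replies"}.
    The first packet seen for a 4-tuple is taken as the client side, so a capture
    started mid-connection may label the server as the client.
    icmp_pairs maps (requester, target) -> {"requests", "replies"}.
    """
    tcp_flows, icmp_pairs = {}, {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            rev = (fwd[2], fwd[3], fwd[0], fwd[1])
            if rev in tcp_flows:                       # packet from server back to client
                tcp_flows[rev]["replies"] += 1
            else:
                flow = tcp_flows.setdefault(fwd, {"syns": 0, "client_pkts": 0, "replies": 0})
                flow["client_pkts"] += 1
                if "S" in m["flags"] and " ack " not in line:   # bare SYN, not a SYN-ACK
                    flow["syns"] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            is_req = m["kind"] == "request"
            key = (m["src"], m["dst"]) if is_req else (m["dst"], m["src"])
            pair = icmp_pairs.setdefault(key, {"requests": 0, "replies": 0})
            pair["requests" if is_req else "replies"] += 1
    return tcp_flows, icmp_pairs


def summarize(text):
    """Split TCP flows into those with and without any packet from the server."""
    tcp_flows, icmp_pairs = analyze_capture(text)
    unanswered = sorted(k for k, v in tcp_flows.items() if v["replies"] == 0)
    answered = sorted(k for k, v in tcp_flows.items() if v["replies"] > 0)
    return {
        "tcp_unanswered": unanswered,
        "tcp_answered": answered,
        "syn_retries_without_reply": sum(tcp_flows[k]["syns"] for k in unanswered),
        "icmp": icmp_pairs,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE)
    for flow in result["tcp_unanswered"]:
        print("no reply: %s:%d -> %s:%d" % flow)
    for flow in result["tcp_answered"]:
        print("answered: %s:%d -> %s:%d" % flow)
    print("SYNs sent with no reply:", result["syn_retries_without_reply"])
    print("ICMP:", result["icmp"])
```

On the sample text the script lists the two port-6800 attempts (source ports 2792 and 2796) as unanswered with four SYNs sent in total, the constructed port-22 attempt as answered, and two ICMP requests matched by two replies. Feeding it the full listing from a PDNet capture and a second listing from a capture on the outside interface (where the same flows appear with the NATed 10.57.4.50 source) is a quick way to see on which side of the firewall the reply goes missing.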
12-12-2012 02:04 PM
Agreed; unfortunately, I don't have access and am waiting. Hence the reason I am doing so much work upfront to rule out my configuration as the issue.
Now, when I ping from 192.168.0.112 to 192.168.4.20, I receive a normal response. So pings are passing, but the traffic to TCP port 6800 is not, and is possibly being blocked by the far end?
Anything in my configuration that could be causing the block?
John
12-13-2012 06:58 AM
If you do not have access to the remote site, then you'll need to get their network person involved and compare each other's configurations. You'll need to make sure that they are seeing 192.168.0.112 as 10.57.4.50 and that their server is responding back to that and NOT to 192.168.0.112.
12-17-2012 05:56 AM
Anuj and Mohammad,
As I expected, the problem was on the far side and related to their NAC implementations. I would like to say thank you again for all the advice and review of my implementation.
These forums really save time and effort.
John