ASA L2L IPSec and packet filtering

evikhman81
Level 1

Hi. Please help me out.

I need to set up several L2L IPsec tunnels using an ASA 5540 (8.2) as the central node and ASA 5505s (8.4) for the branch offices. So far I've configured IPsec for the sake of testing between the 5540 and one of the 5505s, but it blocks ICMP between hosts behind the ASAs, although there is an echo response from the 5540's inside interface (172.30.0.1) to echo requests from a host behind the ASA 5505, and I see the IPsec counters growing. I still can't figure it out despite hurting my eyes with the Cisco manuals for the relevant ASA software versions. So, please, help me!

One thing I couldn't understand in the 8.4 documentation: it says I need ACLs to allow IPsec traffic on outside if I don't NAT/PAT it. Isn't that achieved with "sysopt connection permit-vpn", or do I have to do it manually? I've actually tried adding access-groups for the "in" traffic on outside, and those ACLs get hits on both ASAs.

The packet-tracer shows some weird DROP at phase 6 on the 5505, but I see no rule denying this traffic, and the description doesn't mention implicit rules.

######
[5540]
######

ASA Version 8.2(5)
!
hostname 5540-1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.117.40 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.30.0.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside_net
 network-object 172.30.0.0 255.255.255.0
object-group network ipsec_nets
 network-object 172.30.1.0 255.255.255.0
 network-object 172.30.2.0 255.255.255.0
access-list ipsec extended permit ip object-group inside_net object-group ipsec_nets
access-list nat0 extended permit ip object-group inside_net object-group ipsec_nets
access-list inside_in extended permit ip object-group inside_net any
access-list outside_in extended permit ip object-group ipsec_nets object-group inside_net
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
global (outside) 1 interface
nat (inside) 0 access-list ipsec
nat (inside) 1 access-list inside_in
access-group outside_in in interface outside
access-group inside_in in interface inside
route outside 172.30.1.0 255.255.255.0 192.168.117.41 1
dynamic-access-policy-record DfltAccessPolicy
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set tset0 esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cmap0 100 match address ipsec
crypto map cmap0 100 set peer 192.168.117.41 192.168.117.42
crypto map cmap0 100 set transform-set tset0
crypto map cmap0 100 set security-association lifetime seconds 3600
crypto map cmap0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.117.41 type ipsec-l2l
tunnel-group 192.168.117.41 ipsec-attributes
 pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

######
[5505]
######

ASA Version 8.4(4)1
!
hostname 5505-1
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.30.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.117.41 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside_net
 subnet 172.30.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ipsec_nets
 subnet 172.30.0.0 255.255.255.0
access-list ipsec extended permit ip object inside_net object ipsec_nets
access-list inside_in extended permit ip object inside_net any
access-list outside_in extended permit ip object ipsec_nets object inside_net
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
nat (inside,outside) source static inside_net inside_net destination static ipsec_nets ipsec_nets
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_in in interface outside
route outside 172.30.0.0 255.255.255.0 192.168.117.40 1
dynamic-access-policy-record DfltAccessPolicy
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set tset0 esp-des esp-sha-hmac
crypto map cmap0 100 match address ipsec
crypto map cmap0 100 set peer 192.168.117.40
crypto map cmap0 100 set ikev1 transform-set tset0
crypto map cmap0 100 set security-association lifetime seconds 86400
crypto map cmap0 interface outside
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 100
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.117.40 type ipsec-l2l
tunnel-group 192.168.117.40 ipsec-attributes
 ikev1 pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

############
[some stats]
############

5540-1(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.117.41
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

5540-1(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap0, seq num: 100, local addr: 192.168.117.40

      access-list ipsec extended permit ip 172.30.0.0 255.255.255.0 172.30.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.30.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
      current_peer: 192.168.117.41

      #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
      #pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 32, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.117.40, remote crypto endpt.: 192.168.117.41

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5211354D
      current inbound spi : 1FE25C4F

    inbound esp sas:
      spi: 0x1FE25C4F (534928463)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: cmap0
         sa timing: remaining key lifetime (kB/sec): (3914998/3561)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000007 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5211354D (1376859469)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: cmap0
         sa timing: remaining key lifetime (kB/sec): (3914998/3561)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

######
[5540]
######

5540-1(config)# packet-tracer input outside rawip 172.30.1.4 1 172.30.0.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.0.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit ip object-group ipsec_nets object-group inside_net
object-group network ipsec_nets
 network-object 172.30.1.0 255.255.255.0
 network-object 172.30.2.0 255.255.255.0
object-group network inside_net
 network-object 172.30.0.0 255.255.255.0
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 access-list inside_in
  match ip inside 172.30.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.117.40 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2034, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

######
[5505]
######

5505-1(config)# packet-tracer input outside rawip 172.30.0.2 1 172.30.1.4 deta$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside_net inside_net destination static ipsec_nets ipsec_nets
Additional Information:
NAT divert to egress interface inside
Untranslate 172.30.1.4/0 to 172.30.1.4/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit ip object ipsec_nets object inside_net
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcaf0ed78, priority=13, domain=permit, deny=false
        hits=5, user_data=0xc9618f70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.30.0.0, mask=255.255.255.0, port=0
        dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb4bebb8, priority=0, domain=inspect-ip-options, deny=true
        hits=3786, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcbd2cd00, priority=70, domain=inspect-icmp, deny=false
        hits=102, user_data=0xcbd2bce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcbd2eee8, priority=70, domain=inspect-icmp-error, deny=false
        hits=102, user_data=0xcbd2dec8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb0dc9f0, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=3766, user_data=0x1033c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.30.0.0, mask=255.255.255.0, port=0
        dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: down
output-line-status: down
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
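A way to read packet-tracer transcripts like the two above mechanically, as an added example that is not part of the original post: the script below splits the output into its numbered phases, reports the first phase whose result is DROP together with the rule domain it matched, and pulls the Drop-reason line from the summary. The transcript it runs on is constructed (the same layout as the 5505 trace, abridged to three phases with zeroed rule ids); the regexes are written against the output format shown on this page and assume nothing beyond it. One thing worth knowing when reading the 5505 trace itself: the packet injected on outside is cleartext and matches the crypto ACL, and an interface with a crypto map expects such traffic to arrive inside ESP, so the ipsec-tunnel-flow phase drops it; the trace therefore does not say whether decrypted tunnel traffic would be passed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript: packet-tracer layout as on this page, abridged, ids zeroed.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside_net inside_net destination static ipsec_nets ipsec_nets
Additional Information:
NAT divert to egress interface inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit ip object ipsec_nets object inside_net
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x0, priority=13, domain=permit, deny=false

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x0, priority=69, domain=ipsec-tunnel-flow, deny=false

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
DROP_REASON_RE = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)$", re.M)


def parse_phases(text: str) -> List[Phase]:
    """Split a packet-tracer transcript into its numbered phases."""
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if line == "Result:":          # a bare "Result:" opens the final summary, not a phase
            cur, section = None, None
            continue
        if cur is None:
            continue
        if line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip().upper()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif line and section == "config":
            cur.config.append(line)
        elif line and section == "info":
            cur.info.append(line)
    return phases


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p.result == "DROP"), None)


def drop_reason(text: str) -> Optional[Tuple[str, str]]:
    """(code, description) from the summary's Drop-reason line, or None if the packet was allowed."""
    m = DROP_REASON_RE.search(text)
    return (m.group("code"), m.group("text").strip()) if m else None


def summarize(text: str) -> Dict[str, object]:
    phases = parse_phases(text)
    d = first_drop(phases)
    return {
        "phases": len(phases),
        "drop_phase": d.number if d else None,
        "drop_type": f"{d.type}/{d.subtype}" if d else None,
        "drop_rule": next((ln for ln in d.info if "domain=" in ln), None) if d else None,
        "reason": drop_reason(text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key:>11}: {value}")
```

Feed it the saved output of `packet-tracer ... detailed` from either box; on the 5540 trace above it reports no drop phase and no reason, on the 5505 trace it reports phase 6, VPN/ipsec-tunnel-flow, and the acl-drop reason.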


Jouni Forss
VIP Alumni

Hi,

To enable traffic to flow freely in an L2L VPN environment you generally need to make sure that

  • NAT0 / NAT exemption is configured
  • sysopt connection permit-vpn is at its default setting (it doesn't show in the CLI config at all)
  • Initiated traffic is allowed on the local firewall's "inside" interface, either by ACL or by "security-level"
  • For ICMP testing, "inspect icmp" is configured

That being said, it seems you should have all of those covered.

What I am wondering about is how the ASA reacts to having the ASAs directly connected by their "outside" interfaces in the same network. In client-to-ASA VPNs this causes problems. I'm not sure if this causes problems with L2L VPN.

You could perhaps try to remove the route configurations completely and just add "crypto map set reverse-route" and see if that has any effect on the situation. It should add the routes for you on the basis of the L2L VPN ACL.

To my understanding, the "packet-tracer" command also doesn't give accurate information when you are trying to simulate traffic entering through a VPN connection. Or that has been my understanding so far. For "inside" to "outside" traffic destined for the VPN it seems to work fine. It even initiates the L2L VPN negotiation, which for me is a great tool to determine whether the L2L VPN parameters are configured correctly on both ends.

If your command output shows that there's an equal amount of traffic flowing through the L2L VPN, that would seem to hint that traffic is flowing both ways if you are using ICMP alone. You mentioned something about an interface IP. Are you by any chance trying to ping either ASA's "inside" interface IP address from the other LAN? I am not sure if this is even possible. To my understanding you can't ping an ASA interface from behind a different interface, only from behind the interface you are trying to ping.

In general your configuration seems OK to me. The ASAs being directly connected would be something I would change by having some L3 device in between them, but I'm not sure if it makes any difference.

- Jouni
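The checklist in the reply can be run mechanically against a saved running config. The script below is an added example, not the ASA's own tooling and not from anyone in this thread; it works on a constructed config (the style of the 8.4 branch box above, abridged, with documentation addresses) rather than on the configs posted. It accepts both NAT-exemption spellings seen on this page, the 8.2 `nat (inside) 0 access-list` form and the 8.4 identity twice-NAT form, treats `sysopt connection permit-vpn` as fine unless it has been explicitly negated (since the default is not shown in the config), looks for a bare `inspect icmp`, and additionally checks that each crypto map is bound to an interface where IKE is enabled and that every ACL a map entry references actually has a permit line.

```python
import re
from typing import Dict, List

# Constructed sample: an abridged 8.4-style branch config (documentation addresses, not the post's).
GOOD_CFG = """\
ASA Version 8.4(4)1
hostname branch-1
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.41 255.255.255.0
object network inside_net
 subnet 172.30.1.0 255.255.255.0
object network ipsec_nets
 subnet 172.30.0.0 255.255.255.0
access-list ipsec extended permit ip object inside_net object ipsec_nets
nat (inside,outside) source static inside_net inside_net destination static ipsec_nets ipsec_nets
crypto ipsec ikev1 transform-set tset0 esp-aes-256 esp-sha-hmac
crypto map cmap0 100 match address ipsec
crypto map cmap0 100 set peer 192.0.2.40
crypto map cmap0 100 set ikev1 transform-set tset0
crypto map cmap0 interface outside
crypto ikev1 enable outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
"""

# Same box with the NAT exemption and "inspect icmp" removed and sysopt permit-vpn negated.
BAD_CFG = (
    GOOD_CFG
    .replace("nat (inside,outside) source static inside_net inside_net "
             "destination static ipsec_nets ipsec_nets\n", "")
    .replace("  inspect icmp\n", "")
    .replace("crypto ikev1 enable outside\n",
             "crypto ikev1 enable outside\nno sysopt connection permit-vpn\n")
)

# 8.2 style: "nat (ifc) 0 access-list NAME"; 8.4 style: identity twice-NAT "A A ... B B".
NAT0_OLD = re.compile(r"^nat \(\S+\) 0 access-list \S+", re.M)
NAT0_NEW = re.compile(r"^nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2", re.M)


def check_l2l(cfg: str) -> Dict[str, bool]:
    """True for each item that is satisfied, False for each gap."""
    findings: Dict[str, bool] = {}
    findings["nat_exemption"] = bool(NAT0_OLD.search(cfg) or NAT0_NEW.search(cfg))
    # The default (enabled) is invisible in the config; only an explicit "no" form disables it.
    findings["sysopt_permit_vpn"] = not re.search(r"^no sysopt connection permit-vpn\s*$", cfg, re.M)
    findings["inspect_icmp"] = bool(re.search(r"^\s*inspect icmp\s*$", cfg, re.M))
    bound = re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M)
    ike_ifaces = set(re.findall(r"^crypto (?:ikev1|ikev2|isakmp) enable (\S+)", cfg, re.M))
    findings["crypto_map_bound"] = bool(bound)
    findings["ike_enabled_on_map_interface"] = bool(bound) and all(ifc in ike_ifaces for _, ifc in bound)
    acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)
    findings["crypto_acl_defined"] = bool(acls) and all(
        re.search(rf"^access-list {re.escape(a)} extended permit ", cfg, re.M) for a in acls
    )
    return findings


def missing(cfg: str) -> List[str]:
    """Names of the checks that failed, sorted, so an empty list means the checklist is clean."""
    return sorted(k for k, ok in check_l2l(cfg).items() if not ok)


if __name__ == "__main__":
    print("good config, missing:", missing(GOOD_CFG))
    print("bad config, missing: ", missing(BAD_CFG))
```

Run it over `show running-config` output captured from each end; the 5540 config above passes through the 8.2 branch of the NAT check and the 5505 through the 8.4 branch.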