08-15-2012 01:05 PM
I have two ASA 5505, 8.2(1), let's call them HQ and BRANCH. HQ has an L2L going towards a third point, and that one works fine.
Now I am trying to set up an L2L VPN between HQ and BRANCH. The tunnel comes up (passes phase 1 and 2), but I cannot ping from either end.
sh cry isa sa looks 100% ok
sh cry ips sa shows that HQ has only decaps, whereas Branch has only encaps. So HQ looks like the prime suspect to me (even with its other L2L working fine).
Below are the configs, great if anyone could help me pinpoint any config issues...
-----------------------------------------------------------------
HQ:
ASA Version 8.2(1)
!
hostname HQ
domain-name blah.com
enable password blah
passwd blah encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.106.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
dns server-group DefaultDNS
domain-name blah.com
access-list inside_outbound_nat0_acl extended permit ip 172.16.106.0 255.255.255.128 any
access-list outside_cryptomap_20 extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.224
access-list outside_1_cryptomap extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
sysopt noproxyarp inside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 191.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
!
webvpn
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 82.xx.xx.xx type ipsec-l2l
tunnel-group 82.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx
!
class-map inspection_default
match default-inspection-traffic
!
!
service-policy global_policy global
prompt hostname context
: end
-----------------------------------------------------------------
BRANCH:
ASA Version 8.2(1)
!
hostname BRANCH
enable password djfldksjafl encrypted
passwd djfldksjafl encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif inside
security-level 100
ip address 172.16.106.161 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa821-k8.bin
object-group network obj_any
access-list BRANCH-HQ extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
access-list NONAT extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
logging enable
icmp unreachable rate-limit 1 burst-size 1
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.xx.xx.xx
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address BRANCH-HQ
crypto map outside_map 10 set peer 191.xx.xx.xx
crypto map outside_map 10 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
dhcpd dns xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd address 172.16.106.162-172.16.106.166 inside
dhcpd enable inside
!
webvpn
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
!
service-policy global_policy global
prompt hostname context
: end
-----------------------------------------------------------------
Best,
Johnny
08-17-2012 05:52 AM
Anyone?
08-17-2012 06:50 AM
Hi John,
Please change the ACL at HQ as shown below: remove the highlighted line and change the mask in the second line.
no access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
Please add this route at each respective location as shown below.
at HQ.
route outside 172.16.106.160 255.255.255.248 191.xx.xx.xx <- default-gateway address at HQ.
at Branch.
route outside 172.16.106.0 255.255.255.128 82.xx.xx.xx <- default-gateway address at branch.
Please update.
thanks
Rizwan Rafeek
08-18-2012 11:32 AM
Finally solved it
I did a re-read on IPSEC L2L VPNs, and realised that the first statements in the original cryptomap (see my first HQ config posted above) captured traffic for both L2L VPNs, so the BRANCH statements were never applied, thus keeping traffic from flowing on the BRANCH L2L from HQ to BRANCH.
@Rizwan: Working default routes were in place on both ASAs, so I did not touch those. As for the nonat on HQ, it was working correctly as it was. Altering it to allow only traffic towards the BRANCH network would have left out the traffic towards the second already existing L2L VPN, so I let that one be as well. Thanks though.
To make this work, I had to give the BRANCH crypto map statements higher priority by setting its sequence number lower than the sequence number of the default crypto map. So I changed the default crypto map sequence number to 100, and set the BRANCH crypto map sequence number to 10. All changes were made on the HQ side only.
That's it, and now both VPNs work just fine.
I did some tidying up as well, lots of people have been onto this box since it was put to use, and several ACLs were totally superfluous by now.
Below is the final working VPN config for the HQ side...
------------------------------------------------------
HQ:
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 100 match address outside_1_cryptomap_1
crypto map outside_map 100 set peer 191.xx.xx.xx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
!
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 82.xx.xx.xx type ipsec-l2l
tunnel-group 82.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx
------------------------------------------------------
Best,
Johnny
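The root cause Johnny describes is ordering: the ASA walks crypto map entries in ascending sequence number and commits a packet to the first entry whose crypto ACL matches, so a broad `permit ip 172.16.106.0/24 any` at sequence 1 captured every packet bound for BRANCH before sequence 10 was ever consulted. The following script is an added example written for this page, not configuration or code from the thread; it parses the two ACL/crypto map fragments from the HQ configs above (peers kept as the masked `191.xx.xx.xx` / `82.xx.xx.xx` labels the poster used), simulates the first-match selection for a packet from an HQ host to a BRANCH host, and also reports entries that are fully shadowed by a lower-sequence entry, which is the check that would have caught this before bringing the tunnel up. The destination `10.20.30.40` standing in for a host behind the third L2L peer is constructed, since the page never names that network.

```python
"""
Simulate ASA crypto map selection: entries are evaluated in ascending
sequence number and the first crypto ACL matching the packet's
source/destination wins. Added example, not code from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
CryptoMap = List[Tuple[int, str, str]]  # (sequence, acl name, peer)


@dataclass(frozen=True)
class Ace:
    src: Net
    dst: Net

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and d in self.dst


def _net(t: List[str], i: int) -> Tuple[Net, int]:
    """Consume 'any' or '<addr> <mask>' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    return Net(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect 'access-list NAME extended permit ip SRC DST' lines, keyed by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _net(t, 5)
        dst, _ = _net(t, i)
        acls.setdefault(t[1], []).append(Ace(src, dst))
    return acls


def parse_crypto_map(config: str, name: str = "outside_map") -> CryptoMap:
    """Collect 'match address' and 'set peer' per sequence, sorted as the ASA evaluates them."""
    entries: Dict[int, Dict[str, str]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["crypto", "map", name] or not t[3].isdigit():
            continue
        seq = int(t[3])
        if t[4:6] == ["match", "address"]:
            entries.setdefault(seq, {})["acl"] = t[6]
        elif t[4:6] == ["set", "peer"]:
            entries.setdefault(seq, {})["peer"] = t[6]
    return sorted((s, e["acl"], e["peer"]) for s, e in entries.items()
                  if "acl" in e and "peer" in e)


def select_entry(cmap: CryptoMap, acls: Dict[str, List[Ace]],
                 src: str, dst: str) -> Optional[Tuple[int, str]]:
    """Return (sequence, peer) of the first entry whose ACL matches src->dst, else None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, acl, peer in cmap:  # ascending sequence, first match wins
        if any(ace.matches(s, d) for ace in acls.get(acl, [])):
            return seq, peer
    return None


def shadowed(cmap: CryptoMap, acls: Dict[str, List[Ace]]) -> List[Tuple[int, int]]:
    """(higher_seq, lower_seq) pairs where every ACE of the higher entry is fully
    contained in some ACE of a lower entry, so the higher entry can never match."""
    out = []
    for i, (seq_hi, acl_hi, _) in enumerate(cmap):
        aces_hi = acls.get(acl_hi, [])
        for seq_lo, acl_lo, _ in cmap[:i]:
            aces_lo = acls.get(acl_lo, [])
            if aces_hi and all(any(h.src.subnet_of(l.src) and h.dst.subnet_of(l.dst)
                                   for l in aces_lo) for h in aces_hi):
                out.append((seq_hi, seq_lo))
    return out


# Fragments taken from the HQ configs in the thread (peers masked as the poster wrote them).
BEFORE = """
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 191.xx.xx.xx
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
"""
AFTER = """
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
crypto map outside_map 100 match address outside_1_cryptomap_1
crypto map outside_map 100 set peer 191.xx.xx.xx
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        cmap, acls = parse_crypto_map(cfg), parse_acls(cfg)
        # HQ host -> BRANCH host (from the page); 10.20.30.40 is a constructed third-site host
        print(label, "HQ->BRANCH:", select_entry(cmap, acls, "172.16.106.10", "172.16.106.162"))
        print(label, "HQ->3rd site:", select_entry(cmap, acls, "172.16.106.10", "10.20.30.40"))
        print(label, "shadowed entries:", shadowed(cmap, acls))
```

With the original ordering the HQ-to-BRANCH packet is handed to sequence 1 and the `191.xx.xx.xx` peer, which has no SA for that selector, so HQ never encrypts toward BRANCH (matching the decaps-only counters in the first post); after re-sequencing it lands on sequence 10 and the `82.xx.xx.xx` peer, while everything else still falls through to sequence 100. Running `shadowed()` over a real `show running-config` before applying a new crypto map entry is the cheap way to catch the same class of mistake.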
08-18-2012 11:52 PM
Hello Johnny,
Great to hear that, there you have some points for you
Please mark the question as answered so future users can learn from this as you did
08-19-2012 05:26 AM
Thanks