1977 Views, 0 Helpful, 7 Replies

ASA to ASA firewall L2L VPN

Marcus Peck (Level 1)

Hi experts,

I am currently having issues setting up an easy site-to-site VPN. This is my first time encountering this and I am pulling my hair out over this issue.

Currently the setup is the typical topology below (configured using ASDM):

Site A (ASA IP 1.1.1.2) <--> (ISP) <--> Site B (ASA IP 2.2.2.2)

All ASA IPs are on the outside interfaces, which connect directly to their respective ISPs. Site A has existing VPN tunnels to other networks, but Site B is a newly set up network (think of Site A as a hub and the rest as spokes). Site B's outside interface has IP protocol 50 (ESP), UDP 500 and UDP 4500 opened from any source to the outside interface (for that matter, we allowed all IP protocols to the outside interface for troubleshooting). However, we are having issues getting phase 1 up. We carefully matched and double-checked that all IKEv1 parameters are correct and the same on both sides, including the PSK. Site A can ping Site B's IP, but Site B is not able to ping Site A's IP.

We have also checked with our ISPs and they confirmed that they do not block the 3 ports that we require for the VPN. Are there any other insights or points that we have missed?

Oh, enabling debugging did not return any logs, but would generating "interesting traffic", such as pinging Site A's internal subnet from Site B, help?


7 Replies

Aditya Ganjoo (Cisco Employee)

Hi,

We need the debugs for the VPN traffic from both ends.

Also, what is the state in sh cry isa sa?

Is it stuck at MM_WAIT_MSG2?

Yes, interesting traffic should ideally generate the debugs.

What do the captures say?

Try using UDP 500 captures on the outside interface between the peer IPs and share the output.

If you see bi-directional output, good; if not, then please check with the ISP.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
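The capture and state checks Aditya is asking for, written out as an added example (not part of the original thread or of Cisco documentation). It assumes Site B's outside interface is named VPN, as the packet-tracer output later in the thread suggests, that 10.6.76.10 is an ordinary inside host, and that the capture names IKE and NATT are arbitrary:

```cisco
! Site B ASA (ExtFW, outside IP 2.2.2.2), peer Site A 1.1.1.2.
! Assumed: outside nameif is "VPN" (the thread's packet-tracer routes via
! 2.2.2.1 on "VPN"); 10.6.76.10 is an inside host; capture names are arbitrary.

! 1. Is IKEv1 listening on the outside interface at all? Without this line
!    the ASA drops inbound UDP 500 and never initiates, so debugs stay empty.
show running-config crypto ikev1
!    expect a line:  crypto ikev1 enable VPN

! 2. Captures on the outside interface, restricted to the two peers.
!    "match" captures both directions of the flow.
capture IKE  interface VPN match udp host 2.2.2.2 host 1.1.1.2 eq 500
capture NATT interface VPN match udp host 2.2.2.2 host 1.1.1.2 eq 4500

! 3. Generate interesting traffic from an inside host, not from the ASA's
!    own interface address. ICMP type 8 code 0 is an echo request; the
!    traces in the thread pass "0 8" (echo reply with a bogus code).
debug crypto ikev1 127
packet-tracer input inside icmp 10.6.76.10 8 0 10.100.0.1

! 4. Read the results
show capture IKE
!    2.2.2.2.500 > 1.1.1.2.500 AND 1.1.1.2.500 > 2.2.2.2.500
!        path is fine; read the debug for a proposal, PSK or identity mismatch
!    only 2.2.2.2.500 > 1.1.1.2.500
!        ISP path or the remote ASA is not answering; run the same capture on Site A
!    nothing at all
!        this ASA never tried: the traffic did not match the crypto map
show crypto ikev1 sa
!    MM_WAIT_MSG2 on the initiator = MM1 sent, no reply from the peer
!    MM_WAIT_MSG6 on the initiator = peer did not accept our MM5, usually a
!        PSK or identity mismatch

! 5. Clean up when done
no debug crypto ikev1
no capture IKE
no capture NATT
```

Run the same two captures on Site A: a UDP 500 packet that leaves Site B but never shows up in Site A's outside capture points at the path, while one that arrives and is not answered points at Site A's ISAKMP configuration for this peer.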

Marcus Peck (Level 1)

Hi Aditya, for the output of debug cry isa sa, nothing appeared. But I have not generated traffic yet.

Just to note that there is no router at Site B; it's a direct connection from the ISP fibre to the ASA. Do we need a router to perform the port forwarding?

Aditya Ganjoo (Cisco Employee)

Hi Marcus,

If there is no router then we do not require port forwarding.

You could try using packet-tracer to generate the traffic as well.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Marcus Peck (Level 1)

Hi Aditya,

Outputs from packet-tracer:

ExtFW# packet-tracer input inside icmp 10.6.76.1 0 8 10.100.0.1 detailed

Phase: 1
May 30 2016 11:24:14: %ASA-1-106021: Deny ICMP reverse path check from 10.6.76.1 to 10.100.0.1 on interface inside
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.100.0.0 255.255.255.0 via 2.2.2.1, VPN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,VPN) source static NETWORK_OBJ_10.6.76.0_24 NETWORK_OBJ_10.6.76.0_24 destination static 10.100.0.0_24 10.100.0.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface VPN
Untranslate 10.100.0.1/0 to 10.100.0.1/0

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.6.76.1 255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: VPN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

ExtFW# 

show crypto ikev1 sa and show isakmp sa did not give any output.

I have a static route for the remote network via the VPN interface, so I have no clue.

Aditya Ganjoo (Cisco Employee), accepted solution

Hi,

Instead of initiating the packet-tracer from the interface IP, use any other inside IP, as I see an interface ifc failure.

Also, is it possible for you to take UDP 500 captures on the outside interfaces of both ASAs?

That would answer a lot of questions.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Marcus Peck (Level 1)

ExtFW# packet-tracer input VPN udp 10.6.66.2 500 10.100.0.1 500 deta$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffed0248870, priority=1, domain=permit, deny=false
hits=76, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VPN, output_ifc=any

Result:
input-interface: VPN
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

ExtFW# packet-tracer input inside icmp 10.6.66.2 0 8 10.100.0.1 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.100.0.0 255.255.255.0 via 2.2.2.1, VPN

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.6.66.0 255.255.255.0 via 10.6.76.4, inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface inside
access-list 101 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffed02519e0, priority=13, domain=permit, deny=false
hits=9, user_data=0x7ffec7697600, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffece93aa90, priority=0, domain=nat-per-session, deny=true
hits=29, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf441770, priority=0, domain=inspect-ip-options, deny=true
hits=19, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf591140, priority=70, domain=inspect-icmp, deny=false
hits=8, user_data=0x7ffed0271640, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf441000, priority=66, domain=inspect-icmp-error, deny=false
hits=8, user_data=0x7ffecf704200, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: VPN
output-status: up
output-line-status: up
Action: allow

Aditya Ganjoo (Cisco Employee)

I do not see the traffic hitting the VPN phase.

Are you sure you have allowed the subnets in the VPN access-list?

Regards,

Aditya

Please rate helpful posts and mark correct answers.
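A minimal Site B configuration that would make an inside host's traffic hit the VPN phase, as an added example rather than anything posted in the thread. It is built around the NAT rule shown in Marcus's first packet-tracer; the object, ACL, crypto-map and transform-set names, the phase 1 proposal and the inside test host 10.6.76.10 are assumptions, and the proposal and PSK must match what Site A already uses:

```cisco
! Site B (ExtFW): inside 10.6.76.0/24 <-> Site A 10.100.0.0/24, outside
! nameif "VPN", peer 1.1.1.2. Names and proposal values are assumptions.

object network NET_SITEB_10.6.76.0_24
 subnet 10.6.76.0 255.255.255.0
object network NET_SITEA_10.100.0.0_24
 subnet 10.100.0.0 255.255.255.0

! 1. Crypto ACL ("interesting traffic"). Site A's crypto ACL for this peer
!    must be the exact mirror image (source and destination swapped).
access-list L2L_SITEA extended permit ip object NET_SITEB_10.6.76.0_24 object NET_SITEA_10.100.0.0_24

! 2. NAT exemption (identity NAT) so the real addresses reach the crypto
!    map. This is the rule already in the thread, using the objects above.
nat (inside,VPN) source static NET_SITEB_10.6.76.0_24 NET_SITEB_10.6.76.0_24 destination static NET_SITEA_10.100.0.0_24 NET_SITEA_10.100.0.0_24 no-proxy-arp route-lookup

! 3. Phase 1 policy and phase 2 transform set. Example values only: one
!    policy must match a policy on Site A. Prefer group 14 if Site A allows it.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! 4. Crypto map bound to the outside interface, with IKEv1 enabled there.
crypto map outside_map 10 match address L2L_SITEA
crypto map outside_map 10 set peer 1.1.1.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface VPN
crypto ikev1 enable VPN

! 5. Peer definition and PSK (must be identical on both sides).
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key <psk-shared-with-site-A>

! Verification: a trace from a host covered by both the crypto ACL and the
! NAT exemption should show a "Type: VPN / Subtype: encrypt" phase before
! "Action: allow". The second trace in the thread is sourced from 10.6.66.2,
! which is outside 10.6.76.0/24: it skips the UN-NAT phase and cannot match
! an ACL built for 10.6.76.0/24. Test from 10.6.76.0/24, or add 10.6.66.0/24
! to the ACL, the NAT exemption and Site A's mirror ACL.
packet-tracer input inside icmp 10.6.76.10 8 0 10.100.0.1
show crypto map
show access-list L2L_SITEA
```

The first trace in the thread was sourced from 10.6.76.1, which is in the exempted subnet but is the ASA's own inside address, hence the reverse-path drop; the second was sourced from a subnet the NAT rule does not cover, hence no VPN phase. Sourcing the trace from a host that is inside the crypto ACL and the NAT exemption, and that is not an interface address, is what lets packet-tracer exercise the crypto map and trigger IKE.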