ASA to ASA IPSec VPN not establishing

marioderosa2008
Level 1

Hi,

I am attempting to set up an IPSec L2L VPN between a remote office in Trinidad & Tobago and our HQ in the UK, but I am struggling and need help debugging the issue.

Firstly, the site has a /30 subnet. So the ASA is sitting directly on the internet and not behind a NAT firewall.

The inside clients have an IP range of 192.168.1.0/24 and the HQ subnet is 10.0.0.0/8. The VPN is set up so that only traffic destined for the HQ traverses the VPN. All other traffic breaks out to the local Internet connection.

Symptom 1... I can ping from the ASA in T&T to the ASA in the UK fine, but a traceroute does not get past the T&T ISP router. If I replace the ASA with a Windows machine configured with the same IP settings, pings and traceroutes work fine, proving that there is no routing issue between the UK and T&T.

Symptom 2... When I run a capture on both ASAs, I can see the UDP 500 packets leaving the UK ASA and arriving at the T&T ASA, and I can see the T&T ASA also sending UDP 500 packets back to the UK; however, the UK ASA does not receive these UDP 500 packets.

Symptom 3... running a debug crypto isakmp 200 on the ASA in T&T shows that the ASA in T&T accepts the IKE proposal but keeps receiving duplicate phase 1 packets from the UK.

I would like to know what other debugging / troubleshooting commands are useful to help troubleshoot this issue. I cannot run debugging on the ASA in the UK as it hosts multiple other VPNs.

I am working on replacing the ISP router with a Cisco 877; however, I am struggling to get a correct configuration to make this work with the T&T ISP. Any advice on that would be excellent too!

If you want me to provide more information, then please let me know...

Regards

Mario De Rosa

6 Replies

ALIAOF_
Level 6

What do you mean the ASA is sitting directly on the internet and not behind a NAT firewall? The ASA is a firewall. I'm assuming you mean the ASA's "outside" interface is internet facing and there is no router involved?

Secondly your UK site sounds like there is a router that you manage and then you have the ASA sitting behind it?  Does that ASA (in UK) have a public IP address on the outside interface as well?

Can you post the VPN configuration from both firewalls? This should be a pretty simple setup; basically your interesting traffic should be like this:

Site1:

192.168.1.0/24 --> 10.0.0.0/8

Site2:

10.0.0.0/8 --> 192.168.1.0/24

Also confirm that the router in UK is not blocking UDP 4500, what kind of router is that?

The best thing is to post the configuration of both sites, and then we can see what is happening.
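An added check (not from this thread) for the mirror requirement ALIAOF_ describes: it parses the crypto-map ACLs of two ASA configs into proxy-ID pairs and confirms one side is the exact src/dst swap of the other. The T&T lines are those posted later in this thread; the UK fragment and its ACL name hq-to-tt are constructed for the example.

```python
import re
from ipaddress import ip_network
# Constructed input: T&T lines are from the config posted in this thread; the UK fragment is hypothetical.
TT_CONFIG = """
object-group network Trinidad_LAN
network-object 192.168.1.0 255.255.255.0
object-group network Remote_LAN
network-object 10.0.0.0 255.0.0.0
access-list s2s-vpn-acl extended permit ip object-group Trinidad_LAN object-group Remote_LAN
crypto map outside_map 1 match address s2s-vpn-acl
"""
UK_CONFIG = """
access-list hq-to-tt extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address hq-to-tt
"""
def parse_groups(cfg):
    """Map each 'object-group network' name to its member networks."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        m = re.match(r"\s*network-object (\S+) (\S+)", line)
        if m and current is not None:
            groups[current].append(ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups

def operand(tokens, groups):
    # One ACL operand is either "object-group NAME" or "addr mask".
    if tokens[0] == "object-group":
        return set(groups[tokens[1]]), tokens[2:]
    return {ip_network(f"{tokens[0]}/{tokens[1]}")}, tokens[2:]

def crypto_acl(cfg):
    """Return the (src, dst) proxy-ID pairs selected by the crypto map."""
    groups = parse_groups(cfg)
    acl_names = set(re.findall(r"crypto map \S+ \d+ match address (\S+)", cfg))
    pairs = set()
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (.*)", line)
        if m and m.group(1) in acl_names:
            src, rest = operand(m.group(2).split(), groups)
            dst, _ = operand(rest, groups)
            pairs |= {(s, d) for s in src for d in dst}
    return pairs
def mirrored(cfg_a, cfg_b):
    # Phase 2 only completes when B's proxy IDs are A's with src/dst swapped.
    return crypto_acl(cfg_a) == {(d, s) for s, d in crypto_acl(cfg_b)}
```

A mismatch (for example a /16 on one side and a /8 on the other) is a common reason phase 1 completes while no IPsec SA is ever built.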

Hi,

I will paste the config of the T&T site ASA first as this config is different from standard ones that we use.

The UK ASA is our Head End and terminates a lot of other VPNs, so all the necessary protocols are allowed through to this device.

The UK ASA has a public facing IP address on its outside interface. The T&T ASA also has a public facing IP address on its outside interface... no NATing is involved at all in this particular set up.

-----------T&T ASA Config-------------

!
hostname Trinidad-ASA5505
enable password ######### encrypted
passwd ############ encrypted
names
!
interface Vlan1
description Inside
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
interface Vlan2
description Outside
nameif outside
no shut
security-level 0
ip address 190.58.128.210 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
no shut
!
interface Ethernet0/1
no shut
!
interface Ethernet0/2
no shut
!
interface Ethernet0/3
no shut
!
interface Ethernet0/4
no shut
!
interface Ethernet0/5
no shut
!
interface Ethernet0/6
no shut
!
interface Ethernet0/7
no shut
!
nat-control
!
ftp mode passive
object-group network Trinidad_LAN
network-object 192.168.1.0 255.255.255.0
object-group network Remote_LAN
network-object 10.0.0.0 255.0.0.0
access-list s2s-vpn-acl extended permit ip object-group Trinidad_LAN object-group Remote_LAN
pager lines 24
logging enable
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 190.58.128.209 1
nat (inside) 0 access-list  s2s-vpn-acl
nat (inside) 1 any any
global (outside) 1 interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
snmp-server host inside 10.0.17.204 poll community ###### version 2c
no snmp-server location
no snmp-server contact
snmp-server community ######
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address s2s-vpn-acl
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 195.59.178.4
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 190.58.128.209 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 196.3.132.154 196.3.132.1
dhcpd wins 10.0.17.31
dhcpd domain #####
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd enable inside
!

ntp server 10.0.16.100 source inside prefer
username ###### password ########## encrypted privilege 15
tunnel-group 195.59.178.4 type ipsec-l2l
tunnel-group 195.59.178.4 ipsec-attributes
pre-shared-key ########
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1857d485f4c37865a337024c8f9e9b27
: end

Mario

Please can anyone provide some more assistance with this? I am really stuck.

From the ASA, try to ping as follows:

ping inside 10.0.17.204

or, ping inside

Please kindly run debugs on the T&T ASA:

debug cry isa

debug cry ipsec

Also the output of:

show cry isa sa

show cry ipsec sa

What code are you running on this ASA?

Also I think this should be more specific, Jennifer can probably confirm:

"nat (inside) 1 any any"

should be something like

"nat (inside) 1 192.168.1.0 255.255.255.0"