Solved: ASA to ASA Site to Site IPSec VPN Tunnel

Nicholas Beard · ‎01-19-2011

Any help would be greatly appreciated...

I have two Cisco ASA devices with a Site to Site IPSec VPN tunnel setup as follows -

Site #1 - Cisco ASA running version 8.2(1) with an internal range of 10.0.0.x/24

Site #2 - Cisco ASA running version 8.2(1) with an internal range of 10.1.1.x/24

Site #1 is straightforward and has a Dynamic NAT rule which translates everything from inside as the outside (Public IP) of the ASA.

Internet access works fine from all desktops from this site. A static route is configured to forward all traffic to an upstream public router.

Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its inside IP address and 10.1.2.254/24 as its outside IP address. A Dynamic NAT rule is configured to translate everything from inside as the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to forward all traffic to a Draytek device on 10.1.2.253. This device then performs its own Private to Public NAT. Again internet access works fine from all hosts inside the Cisco ASA (10.1.1.x)

The IPSec tunnel is created with the local and remote endpoint networks as above (10.0.0.x/24) and (10.1.1.x/24). The Draytek device at Site #2 is setup with a form of DMZ which basically allows ALL traffic to be forward straight to the outside interface of the ASA (10.1.2.254). The Phase 1 and Phase 2 negotiation of the tunnel complete successfully and the tunnel is formed without any problems. However, any ICMP traffic passing over the networks fails to complete and the Syslog reports the following -

Site #1 -

6

Jan 19 2011

15:27:21

302020

ZEFF-SB-01_LAN

1

10.1.1.51

0

Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

6

Jan 19 2011

15:27:23

302021

10.1.1.51

0

ZEFF-SB-01_LAN

1

Teardown ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

Site #2 -

6

Jan 19 2011

15:24:47

302020

10.1.1.51

0

10.0.0.30

1

Built outbound ICMP connection for faddr 10.0.0.30/1 gaddr 10.1.1.51/0 laddr 10.1.1.51/0

6

Jan 19 2011

15:24:49

302021

10.0.0.30

1

10.1.1.51

0

Teardown ICMP connection for faddr 10.0.0.30/1 gaddr 10.1.1.51/0 laddr 10.1.1.51/0

This is the same for any form of traffic passing over the tunnel. The ACL's are setup to allow the LAN network segments outbound to any destination. At this point I am left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation attributed to the DMZ host setup, it would appear when this is configured all traffic is simply passed on to the IP specified (in this instance the Cisco ASA Outside interface).

Can anybody shed any light on a possible cause of this problem?

Thanks

Nick

Yudong Wu · ‎01-19-2011

did you bypass the vpn traffic between 10.0.0 and 10.1.1 from being NAT-ed on both ASA?

Please provide the following info

- bring up the tunnel

- show cry isa sa

- show cry ipsec sa

- ping from site 1 to site 2 via tunnel

- capture "show crypto ipsec sa" again

- ping from site 2 to site 1 via tunnel

- capture "show crypto ipsec sa" again

- configuration from both ASA.

View solution in original post

sean_evershed · ‎01-21-2011

Did you configure sysopt connection permit-vpn on both ASA's in order to allow VPN traffic to bypass the ACL on the outside interface?

The PCs at both sites don't have any local Windows firewalls enabled?

Did you configure the VPN tunnels via the ASDM wizard or manually?

Are the ACLs on both sides of the tunnel used to encrypt the traffic exactly reflective?

From your stats it looks like that traffic is being encrypted across the tunnel on both sides.

Site #2

! Output omitted

2) sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: 82.68.11.x

access-list outside_1_cryptomap permit ip ZEFFA-CDF-LAN 255.255.255.0 ZEFFA-BRS-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

current_peer: 77.107.170.x

#pkts encaps: 11853, #pkts encrypt: 11853, #pkts digest: 11853

! Output omitted

2) sh crypto isakmp sa after ping attempt

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

access-list outside_1_cryptomap permit ip ZEFFA-CDF-LAN 255.255.255.0 ZEFFA-BRS-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

current_peer: 77.107.170.x

#pkts encaps: 11874, #pkts encrypt: 11874, #pkts digest: 11874

Please remember to rate all posts that are helpful.

View solution in original post

Yudong Wu · ‎01-21-2011

Yes, you are correct.

The issue is in the direction from site 1 to site 2.

Could you please check the following?

1. I noticed that site 1 IP 10.1.2.253 is NAT-ed to 77.107.170.x, did you enable NAT-T on both side in your configuration?

2. If you already enabled NAT-T, you need check if UDP 4500 port is blocked somewhere in the middle?

If you ASA is running the recent code, IPSec traffic should be permited by default, you don't need to use "sysopt" to allow it. But you can check your configuration to confirm this.

View solution in original post

Yudong Wu · ‎01-19-2011

did you bypass the vpn traffic between 10.0.0 and 10.1.1 from being NAT-ed on both ASA?

Please provide the following info

- bring up the tunnel

- show cry isa sa

- show cry ipsec sa

- ping from site 1 to site 2 via tunnel

- capture "show crypto ipsec sa" again

- ping from site 2 to site 1 via tunnel

- capture "show crypto ipsec sa" again

- configuration from both ASA.

Nicholas Beard · ‎01-21-2011

Thanks for the reply;

Yes the traffic is exempt from NAT on both ASA devices.

Site #1 -

1) sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 82.68.11.x

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

2) sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: 10.1.2.253

access-list outside_1_cryptomap permit ip ZEFFA-BRS-LAN 255.255.255.0 ZEFFA-CDF-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

current_peer: 82.68.11.x

#pkts encaps: 3786, #pkts encrypt: 3786, #pkts digest: 3786

#pkts decaps: 11443, #pkts decrypt: 11443, #pkts verify: 11443

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3786, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 10.1.2.253, remote crypto endpt.: 82.68.11.x

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 78ACCF3B

inbound esp sas:

spi: 0x38C45AA2 (952392354)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 106496, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3914885/18748)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFDBFF 0xFFFFF7FF

outbound esp sas:

spi: 0x78ACCF3B (2024591163)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 106496, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3915000/18748)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

3) sh crypto isakmp sa after ping attempt -

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 82.68.11.x

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

4) sh crypto ipsec sa after ping attempt

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: 10.1.2.253

access-list outside_1_cryptomap permit ip ZEFFA-BRS-LAN 255.255.255.0 ZEFFA-CDF-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

current_peer: 82.68.11.x

#pkts encaps: 3786, #pkts encrypt: 3786, #pkts digest: 3786

#pkts decaps: 11466, #pkts decrypt: 11466, #pkts verify: 11466

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3786, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 10.1.2.253, remote crypto endpt.: 82.68.11.x

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 78ACCF3B

inbound esp sas:

spi: 0x38C45AA2 (952392354)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 106496, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3914884/18648)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFF7FFF 0xFFFFF7FF

outbound esp sas:

spi: 0x78ACCF3B (2024591163)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 106496, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3915000/18648)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

Site #2

1) sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 77.107.170.x

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

2) sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: 82.68.11.x

access-list outside_1_cryptomap permit ip ZEFFA-CDF-LAN 255.255.255.0 ZEFFA-BRS-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

current_peer: 77.107.170.x

#pkts encaps: 11853, #pkts encrypt: 11853, #pkts digest: 11853

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 11853, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 82.68.11.x, remote crypto endpt.: 77.107.170.x

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 38C45AA2

inbound esp sas:

spi: 0x78ACCF3B (2024591163)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 90112, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4374000/18566)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0x38C45AA2 (952392354)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 90112, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4373879/18566)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

3) sh crypto isakmp sa after ping attempt

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 77.107.170.x

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

4) sh crypto ipsec sa after ping attempt

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

access-list outside_1_cryptomap permit ip ZEFFA-CDF-LAN 255.255.255.0 ZEFFA-BRS-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

current_peer: 77.107.170.x

#pkts encaps: 11874, #pkts encrypt: 11874, #pkts digest: 11874

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 11874, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 82.68.11.x, remote crypto endpt.:77.107.170.x

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 38C45AA2

inbound esp sas:

spi: 0x78ACCF3B (2024591163)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 90112, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4374000/18482)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0x38C45AA2 (952392354)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 90112, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4373878/18482)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

As a point of interest, i have found that the data statistics passing over the tunnel are showing as follows -

Site #1 (Draytek upstream)

Bytes Tx - 321061

Bytes Rx - 685920

Site#2

Bytes Tx - 708180

BytesRx - 0

These statistics would indicate that Site #2 is not receiving any information from Site#1 which would again lead me to the upstream Draytek as being the likely course. Unfortunately, the site is a long distance to travel based on speculation; i need hard evidence that the Draytek is the root cause of this problem.

sean_evershed · ‎01-21-2011

Did you configure sysopt connection permit-vpn on both ASA's in order to allow VPN traffic to bypass the ACL on the outside interface?

The PCs at both sites don't have any local Windows firewalls enabled?

Did you configure the VPN tunnels via the ASDM wizard or manually?

Are the ACLs on both sides of the tunnel used to encrypt the traffic exactly reflective?

From your stats it looks like that traffic is being encrypted across the tunnel on both sides.

Site #2

! Output omitted

2) sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: 82.68.11.x

access-list outside_1_cryptomap permit ip ZEFFA-CDF-LAN 255.255.255.0 ZEFFA-BRS-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

current_peer: 77.107.170.x

#pkts encaps: 11853, #pkts encrypt: 11853, #pkts digest: 11853

! Output omitted

2) sh crypto isakmp sa after ping attempt

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

access-list outside_1_cryptomap permit ip ZEFFA-CDF-LAN 255.255.255.0 ZEFFA-BRS-LAN 255.255.255.0

local ident (addr/mask/prot/port): (ZEFFA-CDF-LAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ZEFFA-BRS-LAN/255.255.255.0/0/0)

current_peer: 77.107.170.x

#pkts encaps: 11874, #pkts encrypt: 11874, #pkts digest: 11874

Please remember to rate all posts that are helpful.

Yudong Wu · ‎01-21-2011

Yes, you are correct.

The issue is in the direction from site 1 to site 2.

Could you please check the following?

1. I noticed that site 1 IP 10.1.2.253 is NAT-ed to 77.107.170.x, did you enable NAT-T on both side in your configuration?

2. If you already enabled NAT-T, you need check if UDP 4500 port is blocked somewhere in the middle?

If you ASA is running the recent code, IPSec traffic should be permited by default, you don't need to use "sysopt" to allow it. But you can check your configuration to confirm this.