Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- Technology and Support
- :
- Security
- :
- VPN
- :
- Re: ASA to ISR l2l VPN not working
Announcements
752
Views
0
Helpful
3
Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
12-21-2018
03:00 AM
12-21-2018
03:00 AM
ASA to ISR l2l VPN not working
Hi there,
I'm pretty new ASAs, and new to Cisco VPN in general. I'm trying to set up a site to site tunnel. The tunnel is up and traffic is passing one way ( I think) but not able to return.
The Colo location has an ISR 2921 which has several tunnels to branch offices which seem to be working. The ASA is in a new branch office. The colo is on 192.168.170.0/24, the branch office is on 192.168.254.120/29 and connected to a L3 switch which is hosting the subnet 192.168.100.0/22
If I initiate a ping from the branch office switch to an IP on the colo side I get no reply but I do see the ACL on the ISR side increment:
BOSTON-SW01#ping 192.168.170.250 so vlan 100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.170.250, timeout is 2 seconds: Packet sent with a source address of 192.168.254.121 ..... Success rate is 0 percent (0/5) BOSTON-SW01#ping 192.168.170.250 so 192.168.100.21 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.170.250, timeout is 2 seconds: Packet sent with a source address of 192.168.100.21 ..... Success rate is 0 percent (0/5)
ISR:
COLO-ISR01#show access-lists 173
Extended IP access list 173
10 permit ip any 172.20.43.0 0.0.0.255
20 permit ip any 192.168.100.0 0.0.3.255 (4 matches)
30 permit ip any 192.168.254.120 0.0.0.7 (54 matches)
So it definitely looks like the traffic is making it across the tunnel. Additionally a packet tracer on the ASA completes successfully:
BOSTON-ASA# packet-tracer input inside icmp 192.168.100.201 8 0 192.168.170.250 Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 50.195.44.110 using egress ifc outside Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup Additional Information: NAT divert to egress interface outside Untranslate 192.168.170.250/0 to 192.168.170.250/0 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside_access_in in interface inside access-list inside_access_in extended permit ip any any Additional Information: Phase: 4 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup Additional Information: Static translate 192.168.100.201/0 to 192.168.100.201/0 Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 7 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 9 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 10 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup Additional Information: Phase: 11 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 21286, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
Any help would be greatly appreciated. I've just about run out of ideas.
Colo ISR Config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname COLO-ISR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
logging rate-limit all 10
enable secret xxxxxx
!
aaa new-model
!
!
aaa authentication login default local group radius
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
no ip dhcp use vrf connected
!
!
ip flow-cache timeout active 1
ip domain name xxxxxx
ip name-server 192.168.170.243
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4215859666
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4215859666
revocation-check none
rsakeypair TP-self-signed-4215859666
!
!
crypto pki certificate chain TP-self-signed-4215859666
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323135 38353936 3636301E 170D3132 30313133 31343133
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313538
35393636 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C362 E90E6F88 EB3DADE1 039660D9 97A0D581 EFFF7908 2CFA6552 0D9A02E7
2936AAF3 24298A6C E1F7A1B8 B2E4F38C 6DA5C920 2B557690 69FBD82A 6A6C06B0
1FE8A0C8 CEE5787E 710BBEBB D42B97E2 2237EB4C 0E07B0D7 552CD417 CA1CA76C
0539F989 40F1822C F549B836 C023E714 E5A64E40 24422C23 5B34AFF3 1FC4382D
42C50203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15434F4C 4F2E6E61 74696F6E 616C636F 72702E63 6F6D301F
0603551D 23041830 168014DE 0A89F2A1 D6E038FC 603FF735 B46AD184 F1684E30
1D060355 1D0E0416 0414DE0A 89F2A1D6 E038FC60 3FF735B4 6AD184F1 684E300D
06092A86 4886F70D 01010405 00038181 00079CAC 098F2A73 38ADACDD 18D54B0C
4EC51525 F5BBD170 2AE65685 C3EA5C3D F5BA2B37 2C192004 20A6327D 8B621932
4BF1869D 39FFDA44 884A666E A4B413BE 999A2311 E37A639D CD390DF0 FD69A129
3D87C08D B56BAE52 9F8894DB 0307E25C 4346BCE3 DC691709 03EF16D3 6333A20F
A21CA1EB 9D7D4791 CE5BE4B2 B3BE4BB1 17
quit
license udi pid CISCO2921/K9 sn FTX1624AK5P
!
!
object-group network NOG-RingCentral
description All RingCentral Networks a/o 20170919
103.44.68.0 255.255.252.0
104.245.56.0 255.255.248.0
185.23.248.0 255.255.252.0
192.209.24.0 255.255.248.0
199.255.120.0 255.255.252.0
199.68.212.0 255.255.252.0
208.87.40.0 255.255.252.0
!
object-group service SOG-RC-SIP
description RingCentral SIP service identifiers a/o 20170919
tcp-udp source range 5060 6000
tcp-udp range 5060 6000
!
username xxxxx
!
redundancy
!
!
!
!
ip ssh version 2
!
track 1 interface GigabitEthernet0/0 line-protocol
!
class-map match-any CM-RTR-IB-RC-Other
description AllRingCentral Originated Traffic
match access-group name ACL-RTR-IB-RC-Networks-All
class-map match-any CM-RTR-IB-RC-SIP
description RingCentral SIP Traffic
match access-group name ACL-RTR-IB-RC-GeneralSIP
class-map match-any CM-GEN-OB-RC-Other
description Elevated Priority
match ip dscp af21
match ip precedence 2
class-map match-any CM-GEN-OB-Video
description Interactive Video
match ip dscp af41
match ip precedence 4
match access-group name ACL-RoutingProtocol
class-map match-any CM-RTR-IB-RC-Video-RT
description RingCentral Originated Traffic Video RTP
match access-group name ACL-RTR-IB-RC-Video-RTP
class-map match-any CM-GEN-OB-Signaling
description Call-Signaling
match ip dscp af31
match ip precedence 3
class-map match-any CM-RTR-IB-RC-Voice-RT
description RingCentral Originated Traffic Voice RTP
match access-group name ACL-RTR-IB-RC-Voice-RTP
class-map match-any CM-RTR-IB-Cust-AF12
description Customer AF12 class traffic
match access-group name ACL-RTR-IB-CustAF12
class-map match-any CM-GEN-OB-RT
description Real-Time Traffic
match ip dscp ef
match ip precedence 5
class-map match-any CM-RTR-IB-Cust-AF13
description Customer AF13 class traffic
match access-group name ACL-RTR-IB-CustAF13
class-map match-any CM-RTR-IB-Cust-AF11
description Customer AF11 class traffic
match access-group name ACL-RTR-IB-CustAF11
class-map match-any CM-GEN-OB-Cust-AF11
match ip dscp af11
class-map match-any CM-GEN-OB-Cust-AF12
match ip dscp af12
class-map match-any CM-GEN-OB-Cust-AF13
match ip dscp af13
!
!
policy-map PM-OB-RCFeed-QoS
class CM-GEN-OB-RT
set dscp ef
priority percent 75
class CM-GEN-OB-Video
set dscp af41
bandwidth percent 10
class CM-GEN-OB-Signaling
set dscp af31
bandwidth percent 9
class CM-GEN-OB-RC-Other
set dscp af21
bandwidth percent 5
class class-default
set dscp default
policy-map PM-RTR-OB-ToRC-100M
class class-default
service-policy PM-OB-RCFeed-QoS
policy-map PM-RTR-IB-Standard-QoS
class CM-RTR-IB-RC-Voice-RT
set dscp ef
class CM-RTR-IB-RC-Video-RT
set dscp af41
class CM-RTR-IB-RC-SIP
set dscp af31
class CM-RTR-IB-RC-Other
set dscp af21
class CM-RTR-IB-Cust-AF13
set dscp af13
class CM-RTR-IB-Cust-AF12
set dscp af12
class CM-RTR-IB-Cust-AF11
set dscp af11
class class-default
set dscp default
policy-map PM-GEN-OB-20-15-5-10
class CM-GEN-OB-RT
set dscp ef
priority percent 20
class CM-GEN-OB-Video
set dscp af41
bandwidth percent 15
class CM-GEN-OB-Signaling
set dscp af31
bandwidth percent 5
class CM-GEN-OB-RC-Other
set dscp af21
bandwidth percent 10
class CM-GEN-OB-Cust-AF13
set dscp af13
bandwidth percent 5
class CM-GEN-OB-Cust-AF12
set dscp af12
bandwidth percent 5
class CM-GEN-OB-Cust-AF11
set dscp af11
bandwidth percent 5
class class-default
set dscp default
policy-map PM-RTR-OB-ToISP-100M
class class-default
shape average 95000000
service-policy PM-GEN-OB-20-15-5-10
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxx address 50.193.128.41
crypto isakmp key xxxxx address 69.193.221.154
crypto isakmp key xxxxx address 173.10.7.249
crypto isakmp key xxxxx address 4.59.148.125
crypto isakmp key xxxxx address 72.43.4.82
crypto isakmp key xxxxx address 50.252.159.221
crypto isakmp key xxxxx address 104.59.39.129
crypto isakmp key xxxxx address 97.105.97.234
crypto isakmp key xxxxx address 70.63.100.74
crypto isakmp key xxxxx address 96.92.217.81
crypto isakmp key xxxxx address 96.83.211.169
crypto isakmp key xxxxx address 96.67.206.169
crypto isakmp key xxxxx address 96.67.168.241
crypto isakmp key xxxxx address 96.79.18.193
crypto isakmp key xxxxx address 50.195.44.107
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set NCR-Transform esp-3des esp-md5-hmac
!
crypto map NCR-MAP 10 ipsec-isakmp
description Tunnel to ISR-Newark
set peer 96.83.211.169
set transform-set NCR-Transform
match address 155
crypto map NCR-MAP 20 ipsec-isakmp
description Tunnel to ISR-Minneapolis
set peer 96.67.168.241
set transform-set NCR-Transform
match address 156
crypto map NCR-MAP 30 ipsec-isakmp
description Tunnel to ISR-Charlotte
set peer 70.63.100.74
set transform-set NCR-Transform
match address 157
crypto map NCR-MAP 40 ipsec-isakmp
description Tunnel to ISR-Chicago
set peer 96.79.18.193
set transform-set NCR-Transform
match address 158
crypto map NCR-MAP 50 ipsec-isakmp
description Tunnel to ISR-Springfield
set peer 96.92.217.81
set transform-set NCR-Transform
match address 159
crypto map NCR-MAP 60 ipsec-isakmp
description Tunnel to ISR-WashDC
set peer 4.59.148.125
set transform-set NCR-Transform
match address 160
crypto map NCR-MAP 70 ipsec-isakmp
description Tunnel to ISR-Dover
set peer 173.10.7.249
set transform-set NCR-Transform
match address 161
crypto map NCR-MAP 80 ipsec-isakmp
description Tunnel to ISR-NyCity
set peer 69.193.221.154
set transform-set NCR-Transform
match address 162
crypto map NCR-MAP 90 ipsec-isakmp
description Tunnel to ISR-LosAngeles
set peer 104.59.39.129
set transform-set NCR-Transform
match address 163
crypto map NCR-MAP 100 ipsec-isakmp
description Tunnel to ISR-Sacramento
set peer 96.67.206.169
set transform-set NCR-Transform
match address 164
crypto map NCR-MAP 110 ipsec-isakmp
description Tunnel to ISR-Dungeon
set peer 50.193.128.41
set transform-set NCR-Transform
match address 165
crypto map NCR-MAP 120 ipsec-isakmp
description Tunnel to ISR-Albany
set peer 72.43.4.82
set transform-set NCR-Transform
match address 166
crypto map NCR-MAP 150 ipsec-isakmp
description Tunnel to ISR-Tallahassee
set peer 50.252.159.221
set transform-set NCR-Transform
match address 169
crypto map NCR-MAP 170 ipsec-isakmp
description Tunnel to Dallas-VPN
set peer 97.105.97.234
set transform-set NCR-Transform
match address 171
crypto map NCR-MAP 180 ipsec-isakmp
description Tunnel to Boston-ASA
set peer 50.195.44.107
set transform-set NCR-Transform
match address 173
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Primary Circuit TWTC Circuit 01/KDGS/001983/TWCS
bandwidth 75000
ip address 64.129.18.30 255.255.255.252
ip flow ingress
ip flow egress
duplex auto
speed auto
service-policy input PM-RTR-IB-Standard-QoS
service-policy output PM-RTR-OB-ToISP-100M
!
interface GigabitEthernet0/1
description SW-01:Gi0/44
no ip address
duplex full
speed 1000
service-policy output PM-GEN-OB-20-15-5-10
!
interface GigabitEthernet0/1.10
description NATIVE/PC
encapsulation dot1Q 10
ip address 192.168.170.28 255.255.255.0
ip flow ingress
ip flow egress
standby 1 ip 192.168.170.21
standby 1 priority 101
standby 1 preempt
standby 1 track 1 decrement 5
!
interface GigabitEthernet0/1.20
description VOICE
encapsulation dot1Q 20
ip address 192.168.171.24 255.255.255.0
standby 2 ip 192.168.171.21
standby 2 priority 101
standby 2 preempt
!
interface GigabitEthernet0/1.30
description COLO-OFFICE
encapsulation dot1Q 30
ip address 192.168.169.24 255.255.255.0
standby 1 preempt
standby 3 ip 192.168.169.21
standby 3 priority 101
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
shutdown
!
interface GigabitEthernet0/2
description Secondary Circuit TWTC 01/KEFN/103161/TWCS
ip address 173.226.250.250 255.255.255.248
ip access-group NCR_OFFICES in
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map NCR-MAP
!
router bgp 64539
bgp log-neighbor-changes
network 172.20.43.0 mask 255.255.255.0
network 192.168.168.0 mask 255.255.252.0
redistribute static route-map Set-Metric
neighbor 64.129.18.29 remote-as 4323
neighbor 64.129.18.29 prefix-list Outbound-Filter out
neighbor 64.129.18.29 route-map Set-Metric out
default-information originate
!
no ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1.10
ip flow-export version 5
ip flow-export destination 192.168.170.250 2055
!
ip route 0.0.0.0 0.0.0.0 192.168.170.22
ip route 4.30.32.182 255.255.255.255 173.226.250.249
ip route 4.30.58.82 255.255.255.255 173.226.250.249
ip route 4.59.148.125 255.255.255.255 173.226.250.249
ip route 50.193.128.41 255.255.255.255 173.226.250.249
ip route 50.195.44.107 255.255.255.255 173.226.250.249
ip route 50.252.159.216 255.255.255.248 173.226.250.249
ip route 69.193.221.154 255.255.255.255 173.226.250.249
ip route 70.63.100.74 255.255.255.255 173.226.250.249
ip route 72.43.4.82 255.255.255.255 173.226.250.249
ip route 96.67.168.240 255.255.255.240 173.226.250.249
ip route 96.67.206.168 255.255.255.248 173.226.250.249
ip route 96.79.18.192 255.255.255.248 173.226.250.249
ip route 96.83.211.169 255.255.255.255 173.226.250.249
ip route 96.92.217.81 255.255.255.255 173.226.250.249
ip route 97.105.97.232 255.255.255.248 173.226.250.249
ip route 104.59.39.128 255.255.255.248 173.226.250.249
ip route 172.20.43.0 255.255.255.0 192.168.170.22
ip route 173.10.7.249 255.255.255.255 173.226.250.249
ip route 173.10.139.98 255.255.255.255 173.226.250.249
ip route 192.168.4.0 255.255.252.0 173.226.250.249 150
ip route 192.168.8.0 255.255.252.0 173.226.250.249 150
ip route 192.168.20.0 255.255.252.0 173.226.250.249 150
ip route 192.168.28.0 255.255.252.0 173.226.250.249 150
ip route 192.168.40.0 255.255.252.0 173.226.250.249 150
ip route 192.168.48.0 255.255.252.0 173.226.250.249 150
ip route 192.168.60.0 255.255.252.0 173.226.250.249 150
ip route 192.168.80.0 255.255.252.0 173.226.250.249 150
ip route 192.168.120.0 255.255.252.0 173.226.250.249 150
ip route 192.168.132.0 255.255.252.0 173.226.250.249 150
ip route 192.168.140.0 255.255.252.0 173.226.250.249 150
ip route 192.168.148.0 255.255.252.0 173.226.250.249 150
ip route 192.168.152.0 255.255.252.0 173.226.250.249 150
ip route 192.168.160.0 255.255.252.0 173.226.250.249 150
ip route 192.168.168.0 255.255.252.0 Null0
ip route 192.168.180.0 255.255.252.0 173.226.250.249 150
ip route 192.168.184.0 255.255.255.0 192.168.170.26
ip route 192.168.254.16 255.255.255.248 173.226.250.249 150
ip route 192.168.254.24 255.255.255.248 173.226.250.249 150
ip route 192.168.254.32 255.255.255.248 173.226.250.249 150
ip route 192.168.254.40 255.255.255.248 173.226.250.249 150
ip route 192.168.254.48 255.255.255.248 173.226.250.249 150
ip route 192.168.254.56 255.255.255.248 173.226.250.249 150
ip route 192.168.254.64 255.255.255.248 173.226.250.249 150
ip route 192.168.254.72 255.255.255.248 173.226.250.249 150
ip route 192.168.254.80 255.255.255.248 173.226.250.249 150
ip route 192.168.254.88 255.255.255.248 173.226.250.249 150
ip route 192.168.254.96 255.255.255.248 173.226.250.249 150
ip route 192.168.254.104 255.255.255.248 173.226.250.249 150
ip route 192.168.254.112 255.255.255.248 173.226.250.249 150
ip route 210.5.169.133 255.255.255.255 173.226.250.249
!
ip access-list extended ACL-RTR-IB-Cust-AF11
remark Identify customer traffic for AF11 Classification
deny udp any any
deny tcp any any
ip access-list extended ACL-RTR-IB-RC-GeneralSIP
remark RingCentral SIP Signaling a/o 20170919
permit object-group SOG-RC-SIP object-group NOG-RingCentral any
ip access-list extended ACL-RTR-IB-RC-Networks-All
remark RingCentral ALL traffic a/o 20170919
permit ip object-group NOG-RingCentral any
remark Identify Customer Traffic for AF11 Classification
ip access-list extended ACL-RTR-IB-RC-Video-RTP
remark RingCentral Video Real-Time a/o 20170919
permit udp object-group NOG-RingCentral any range 8801 8802
ip access-list extended ACL-RTR-IB-RC-Voice-RTP
remark RingCentral Voice Real-Time a/o 20170919
permit udp object-group NOG-RingCentral range 9000 64999 any
ip access-list extended ACL-RoutingProtocol
permit udp any any eq rip
permit udp any eq rip any
permit eigrp any any
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
ip access-list extended NCR_OFFICES
permit icmp host 173.226.250.249 host 173.226.250.250
remark Dover
permit ip host 173.10.7.249 host 173.226.250.250
remark Dungeon
permit ip host 50.193.128.41 host 173.226.250.250
remark NYCity
permit ip host 69.193.221.154 host 173.226.250.250
remark WashDC
permit ip host 4.59.148.125 host 173.226.250.250
remark Albany
permit ip host 72.43.4.82 host 173.226.250.250
remark Tallahassee
permit ip host 50.252.159.221 host 173.226.250.250
remark Chicago
permit ip host 96.79.18.193 host 173.226.250.250
remark Los Angeles
permit ip host 104.59.39.129 host 173.226.250.250
remark Dallas
permit ip host 97.105.97.234 host 173.226.250.250
remark Charlotte
permit ip host 70.63.100.74 host 173.226.250.250
remark Springfield
permit ip host 96.92.217.81 host 173.226.250.250
remark Minneapolis
permit ip host 96.67.168.241 host 173.226.250.250
remark Newark
permit ip host 96.83.211.169 host 173.226.250.250
remark Sacramento
permit ip host 96.67.206.169 host 173.226.250.250
remark Boston
permit ip host 50.195.44.107 host 173.226.250.250
deny ip any any
!
!
ip prefix-list Outbound-Filter seq 5 permit 192.168.168.0/22
ip prefix-list Outbound-Filter seq 10 permit 0.0.0.0/0
ip prefix-list Outbound-Filter seq 15 permit 192.168.0.0/16
!
ip prefix-list Set-Metric seq 10 permit 192.168.0.0/16
ip prefix-list Set-Metric seq 20 permit 0.0.0.0/0
ip prefix-list Set-Metric seq 30 permit 192.168.168.0/22
no logging trap
access-list 23 remark : VTY control
access-list 23 remark : ASA interface
access-list 23 permit 64.128.232.98
access-list 23 remark : Dungeon external circuit
access-list 23 permit 50.193.128.41
access-list 23 remark : NCR internal Admin VPN
access-list 23 permit 172.30.16.0 0.0.0.255
access-list 23 remark : NCR internal
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 deny any log
access-list 133 remark : trap bad IPs
access-list 133 deny ip 169.254.0.0 0.0.255.255 any
access-list 133 permit ip any any
access-list 155 remark : Newark
access-list 155 permit ip any 192.168.140.0 0.0.3.255
access-list 155 permit ip any 192.168.254.72 0.0.0.7
access-list 156 remark : Minneapolis
access-list 156 permit ip any 192.168.148.0 0.0.3.255
access-list 156 permit ip any 192.168.254.32 0.0.0.7
access-list 156 permit ip any 192.168.152.0 0.0.3.255
access-list 157 remark : Charlotte
access-list 157 permit ip any 192.168.180.0 0.0.3.255
access-list 157 permit ip any 192.168.254.8 0.0.0.7
access-list 158 remark : Chicago
access-list 158 permit ip any 192.168.120.0 0.0.3.255
access-list 158 permit ip any 192.168.254.104 0.0.0.7
access-list 159 remark : Springfield
access-list 159 permit ip any 192.168.160.0 0.0.3.255
access-list 159 permit ip any 192.168.254.64 0.0.0.7
access-list 160 remark : WashDC
access-list 160 permit ip any 192.168.80.0 0.0.3.255
access-list 160 permit ip any 192.168.254.56 0.0.0.7
access-list 161 remark : Dover
access-list 161 permit ip any 192.168.8.0 0.0.3.255
access-list 161 permit ip any 192.168.254.48 0.0.0.7
access-list 162 remark : NyCity
access-list 162 permit ip any 192.168.4.0 0.0.3.255
access-list 162 permit ip any 192.168.254.24 0.0.0.7
access-list 162 permit ip 172.20.43.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 163 remark : LosAngeles
access-list 163 permit ip any 192.168.40.0 0.0.3.255
access-list 163 permit ip any 192.168.254.88 0.0.0.7
access-list 164 remark : Sacramento
access-list 164 permit ip any 192.168.48.0 0.0.3.255
access-list 164 permit ip any 192.168.254.40 0.0.0.7
access-list 165 remark : Dungeon
access-list 165 permit ip any 192.168.28.0 0.0.3.255
access-list 165 permit ip any 192.168.254.80 0.0.0.7
access-list 165 permit ip 172.20.43.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 166 remark : Albany
access-list 166 permit ip any 192.168.20.0 0.0.3.255
access-list 166 permit ip any 192.168.254.16 0.0.0.7
access-list 169 remark : Tallahassee
access-list 169 permit ip any 192.168.60.0 0.0.3.255
access-list 169 permit ip any 192.168.254.96 0.0.0.7
access-list 171 remark : Dallas-VPN
access-list 171 permit ip any 192.168.132.0 0.0.3.255
access-list 171 permit ip any 192.168.254.112 0.0.0.7
access-list 173 remark : Boston-VPN
access-list 173 permit ip any 172.20.43.0 0.0.0.255
access-list 173 permit ip any 192.168.100.0 0.0.3.255
access-list 173 permit ip any 192.168.254.120 0.0.0.7
access-list 199 remark TEMP-PBR-ACL-DOV
access-list 199 permit ip host 192.168.170.190 host 192.168.10.52
access-list 199 permit ip host 192.168.170.225 host 192.168.10.52
!
!
!
!
route-map TEMP-PBR-RM-DOV permit 10
match ip address 199
set ip next-hop 66.195.78.17
!
route-map Set-Metric permit 10
match ip address prefix-list Set-Metric
set metric 100
!
!
snmp-server community xxxx RW
snmp-server ifindex persist
snmp-server location CoLo
radius-server host 192.168.170.203 key 7 xxxxx
!
!
!
control-plane
!
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
banner exec ^CC
NOTICE!!! NOTICE!!! NOTICE!!! NOTICE!!! NOTICE!!!
This system is solely for the use of authorized users performing
official duties. You have no expectation of privacy in its use
and to ensure that the system is functioning properly individuals
using this system are subject to having all of their activities
monitored and recorded. Use of this system evidences an express
consent to such monitoring and agreement that if such monitoring
reveals evidence of possible abuse or criminal activity the results
of such monitoring may be provided to the appropriate officials.
^C
banner login ^CC
WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!
This system is solely for the use of authorized users performing
official duties. You have no expectation of privacy in its use
and to ensure that the system is functioning properly individuals
using this system are subject to having all of their activities
monitored and recorded. Use of this system evidences an express
consent to such monitoring and agreement that if such monitoring
reveals evidence of possible abuse or criminal activity the results
of such monitoring may be provided to the appropriate officials.
^C
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp server 192.168.170.243
end
ASA Config:
ASA Version 9.8(2) ! hostname BOSTON-ASA enable password xxxxx xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names ! interface GigabitEthernet1/1 description Comcast nameif outside security-level 0 ip address 50.195.44.107 255.255.255.248 ! interface GigabitEthernet1/2 description MPLS shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/3 nameif inside security-level 100 ip address 192.168.254.123 255.255.255.248 ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface Management1/1 management-only no nameif no security-level no ip address ! ftp mode passive clock timezone EST -5 clock summer-time EDT recurring object-group network local-network network-object 192.168.100.0 255.255.252.0 network-object 192.168.254.120 255.255.255.248 object-group network remote-network network-object 192.168.170.0 255.255.255.0 network-object 172.20.43.0 255.255.255.0 access-list outside_access_in extended deny udp any4 any4 eq netbios-ns access-list outside_access_in extended deny udp any4 any4 eq netbios-dgm access-list outside_access_in extended deny tcp any4 any4 eq netbios-ssn access-list outside_access_in extended deny tcp any4 any4 eq 445 access-list outside_access_in extended permit icmp any4 any4 log disable access-list inside_access_in extended permit ospf any4 any4 access-list inside_access_in extended permit ip any any access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network access-list inside_nat0_outobund extended permit ip object-group local-network object-group remote-network pager lines 24 mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any echo-reply outside icmp permit any outside icmp permit any inside no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup ! nat (inside,outside) after-auto source dynamic any interface access-group outside_access_in in interface outside access-group inside_access_in in interface inside ! route outside 0.0.0.0 0.0.0.0 50.195.44.110 1 route inside 192.168.100.0 255.255.252.0 192.168.254.121 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa authentication login-history http server enable http 192.168.1.0 255.255.255.0 inside http 64.128.232.96 255.255.255.224 outside http 192.168.0.0 255.255.0.0 inside no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec security-association pmtu-aging infinite crypto map outside_map 10 match address asa-router-vpn crypto map outside_map 10 set peer 173.226.250.250 crypto map outside_map 10 set ikev1 transform-set ESP-3DES-MD5 crypto map outside_map interface outside crypto ca trustpool policy crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 telnet timeout 5 ssh stricthostkeycheck ssh 64.128.232.96 255.255.255.224 outside ssh 192.168.0.0 255.255.0.0 inside ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless dynamic-access-policy-record DfltAccessPolicy username xxxxx tunnel-group 173.226.250.250 type ipsec-l2l tunnel-group 173.226.250.250 ipsec-attributes ikev1 pre-shared-key xxxxx ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect dns preset_dns_map inspect icmp policy-map type inspect dns migrated_dns_map_2 parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 no tcp-inspection ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:91bc890529fddd925570c35b4baa1d1a : end
Labels:
- Labels:
-
VPN
3 REPLIES 3
.jpg "VIP Advisor"){kind=icon}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
12-22-2018
01:07 PM
12-22-2018
01:07 PM
Hi GreekTechnica,
From the ASA packet tracer output your configuration looks okay as its show packet is passing. in that case you can rule out if ASA is the issue. it would be great if you could provide a logical diagram of your network it would help me to understand and pin point the issue with your network. as you have put over information. which is good but also very easy for us to destruct. you need to proved the public ip address (fake the ip addresses) from the ISR to ASA.
to my understanding
BOSTON-SW01 is connected to BOSTON- ASA.
if this is correct, and you also did a packet-tracer on ASA to remote ip address, which ASA confirm it is allowed. here i would strongly suggest you to check if the switch had an route 192.168.170.0/24 as its next hope to ASA.
BOSTON-SW01
!
ip route 192.168.170.0 255.255.255.0 192.168.254.123
!
if the switch is a layer 2 than could you check your layer3 switch has a route.
when you ping from BOSTON-SW01 could you issue the command on ISR
show crypto isakmp sa peer x.x.x.x (your ASA public IP) what output it show you?
please do not forget to rate.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
12-22-2018
01:10 PM
12-22-2018
01:10 PM
From your ASA your configuration look good. as packet tracer confirm the traffic is allowed and the process of VPN encryption is happening.
it would be great if you could provide a logical diagram of your network with Public ip address (Fake the Public IP). as you have put too much information but is very easy for us to get us lost. for example you have not mention what is the public ip address at your ISR pointing to ASA. just curious as per my understanding in between ASA there is a BOSTON-SW and you pinging from BOSTON SW to your remote network. if this is correct can you confirm the routing is placed accordingly. for example does your switch have a static route to your ASA.
BOSTON-SW
!
ip route 192.168.170.0 255.255.255.0 192.168.254.123
!
or if there is a layer 3 switch make sure you have a static route. it could be ASA know how to encrypt an decrypt (vpn configuration are correct) but he do not see the packet coming from inside going to remote side.
could you show these command while you in BOSTON-SW ping to remote network.
on ISR show crypto ipsec peer X.X.X.X X=ASA public ip address.
please do not forget to rate.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
12-23-2018
12:49 AM
12-23-2018
12:49 AM
Hi,
Since the traffic flow you are chasing is from the branch office where the ASA is located to the Colo side where the router is installed and the packet tracer looks fine on the ASA i suggest you proceed with the following for now:
1- share the output of show cry ipsec sa from both the ASA and the router to ensure that we have ESP packets leaving the ASA and received at the router. We should see encaps on the ASA and decaps on the router.
2- after that and if we see encaps and decaps we will try to ping the router interface itself. From the devices behind the ASA try to ping the Router inside address and see if this one works.
3- we should have a route on the router that sends back to the outside interface when the destination is the inside interface of the ASA.
4- if the ping to the router works but to the inside network it fails then we need to check the network on the inside of the router, does it have a correct route back to the router when trying to reach the subnet behind the ASA.
5- depending on what you find on point number 4 we may troubleshoot further data path issues on the router.
HTH.
Moh,
Latest Contents
Created by S Nath
on 06-27-2022
01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?
If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ...
view more
Created by Sohaib Ahmed
on 06-23-2022
05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari...
view more
Created by betswang
on 06-23-2022
03:05 PM
0
15
0
15
Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ...
view more
Created by Meddane
on 06-23-2022
06:59 AM
0
0
0
0
A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se...
view more
Created by ahollifield
on 06-22-2022
06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless
Authors: Adam Hollifield, Brad Johnson
IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi...
view more
Find more resources
Related support document topics
Recognize Your Peers
Content for Community-Ad
