
ASA VPN Configuration

Mokhalil82
Enthusiast

Hi

I have configured a site-to-site VPN on an ASA. At the other site there is a WatchGuard firewall. The VPN has not established; I have no ISAKMP or IPsec sessions established. Here is the config I am using. Can anyone see if I am missing something? It's my first VPN using the command line.

object-group network SITEA
 network-object 10.57.254.0 255.255.255.0

object-group network SITEB
 network-object 10.254.10.0 255.255.255.0

crypto ikev1 enable outside

access-list VPN_TRAFFIC_ALLOWED extended permit ip object-group SITEA object-group SITEB

nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key X.X.X.X
exit

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 lifetime 28800

crypto ipsec ikev1 transform-set TS-ESP-AES-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address VPN_TRAFFIC_ALLOWED
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set TS-ESP-AES-SHA
crypto map outside_map interface outside


Accepted Solution

Fabian Ortega
Beginner

Hello.

Please correct the NAT-0 with this line:

nat (inside,outside) source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup

If you still experience issues send me the output from:

packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.10 detailed

Regards,


Hi

I have applied the no-proxy-arp option, but it does not let me apply route-lookup; I get the following error: "ERROR: Option route-lookup is only allowed for static identity case"

Below is the output of the packet trace

ciscoasa(config)# packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.1$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd59e2c50, priority=1, domain=permit, deny=false
        hits=109880, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc  outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_Subnet
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.57.254.10/0 to X.X.X.X/14998
 Forward Flow based lookup yields rule:
 in  id=0x7fffd59f90d0, priority=6, domain=nat, deny=false
        hits=33352, user_data=0x7fffd5ba4270, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
        hits=36976, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
        hits=33358, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34449, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hello,

Please share with me the NAT rule you are trying to apply so I can review it.

Also, share with me the output from "show run nat". From the packet-tracer, I can see the VPN traffic is not hitting the NAT-0 statement yet.

The traffic is hitting this NAT rule, "nat (inside,outside) dynamic interface", which is the default rule for going out to the internet (PAT).

Try placing this statement at the very top of your NAT rules:

nat (inside,outside) 1 source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup

Please note that source and destination are static. Make sure you are applying the right statement, and note this part of the statement:

source static SITEA SITEA (you are translating SITEA to itself in order to make the NAT-0). In the original statement you are trying to translate SITEA to SITEB, which is incorrect and therefore will give you the error "Option route-lookup is only allowed for static identity case".
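As an added illustration (not code from this thread or from Cisco), the Python model below of the ASA's forward NAT lookup shows why the original twice-NAT line falls through to the interface PAT seen in the packet-tracer above while the corrected identity line matches: in ASA twice-NAT syntax the destination pair is written mapped-then-real, so "destination static SITEA SITEB" only matches traffic whose destination is in SITEA. The Inside_Subnet prefix and the simplified two-section evaluation order (manual NAT before object NAT) are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample objects. SITEA/SITEB come from the thread's config;
# Inside_Subnet appears only in the packet-tracer output, so its prefix
# is an assumption made for this example.
OBJECTS = {
    "SITEA": ipaddress.ip_network("10.57.254.0/24"),
    "SITEB": ipaddress.ip_network("10.254.10.0/24"),
    "Inside_Subnet": ipaddress.ip_network("10.57.254.0/24"),
}

# Optional line number ("nat (inside,outside) 1 source ...") is accepted.
MANUAL_RE = re.compile(
    r"nat \((\w+),(\w+)\)(?: \d+)? source static (\S+) (\S+) "
    r"destination static (\S+) (\S+)"
)

def parse_manual_nat(line):
    """Return (real_src, mapped_src, mapped_dst, real_dst) from a twice-NAT
    line. ASA syntax: source static <real> <mapped> destination static
    <mapped> <real>."""
    m = MANUAL_RE.match(line.strip())
    if not m:
        raise ValueError("not a twice-NAT line: " + line)
    return m.group(3), m.group(4), m.group(5), m.group(6)

def lookup(src, dst, manual_rules, object_pat_obj):
    """Simplified inside->outside forward lookup: section 1 (manual NAT)
    rules in order, matched on real source and MAPPED destination; then
    section 2 (object NAT), here the interface PAT rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in manual_rules:
        real_src, mapped_src, mapped_dst, real_dst = parse_manual_nat(line)
        if s in OBJECTS[real_src] and d in OBJECTS[mapped_dst]:
            if real_src == mapped_src and mapped_dst == real_dst:
                return "identity (NAT-0): " + line
            return "twice NAT: " + line
    if s in OBJECTS[object_pat_obj]:
        return "object NAT: dynamic interface PAT via " + object_pat_obj
    return "no translation"

ORIGINAL = "nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB"
CORRECTED = ("nat (inside,outside) 1 source static SITEA SITEA "
             "destination static SITEB SITEB no-proxy-arp route-lookup")

if __name__ == "__main__":
    # Same flow as the thread's packet-tracer: 10.57.254.10 -> 10.254.10.10
    print(lookup("10.57.254.10", "10.254.10.10", [ORIGINAL], "Inside_Subnet"))
    print(lookup("10.57.254.10", "10.254.10.10", [CORRECTED], "Inside_Subnet"))
```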