03-26-2019 08:21 AM
Hi Experts,
We have a site-to-site tunnel between 2 ASA firewalls, and Site A is not doing encryption from source 10.255.220.0 to destination 192.168.177.0; everything else is fine.
Site A -------S T S----------Site B
ASA 5512 ASA5525
10.255.220.0 192.168.177.0
10.255.204.0 192.168.173.0
10.255.228.0
The VPN is up and all subnets are able to ping each other, but one subnet, 10.255.220.0 on Site A, is not pinging subnet 192.168.177.0 on Site B, and vice versa.
There is no connectivity between 10.255.220.0 and 192.168.177.0; everything else is working.
On Site A it shows that the firewall is not encrypting packets for 192.168.177.0 from the 10.255.220.0 subnet, but it is decrypting packets (which means it is receiving packets from 192.168.177.0 and decrypting them, but it is not doing any encryption for the outgoing packets).
I have tried the following so far but have not succeeded:
1- I checked ESP on both sides and it seems OK to me.
2- I issued these 2 commands, clear crypto isakmp sa and clear crypto ipsec sa, but no success.
3- I put the NAT statement on top, but no success.
4- In packet-tracer it shows the traffic is going to the tunnel and there is no issue in the packet-tracer output.
Below are the packet-tracer output and the IPsec SA output.
Site A firewall
SITE-A-FW# show crypto ipsec sa
access-list VPN-INTERSTING-TRAFIIC-TO-OSS extended permit ip 10.255.0.0 255.255.0.0 192.168.177.0 255.255.255.0
local ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)
current_peer: 2.2.2.2 (I changed the public IP)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 8C833372
current inbound spi : D4156C75
inbound esp sas:
spi: 0xD4156C75 (3558173813)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 221184, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4101117/28717)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x000007FF 0xFFFFFFFF
outbound esp sas:
spi: 0x8C833372 (2357408626)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 221184, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055040/28717)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 5, local addr: 192.168.255.2
SITE B
SITE-B-FW # sh crypto ipsec sa
access-list crypto-Toyota-Marketing extended permit ip 192.168.177.0 255.255.255.0 10.255.220.0 255.255.252.0
local ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)
current_peer: 1.1.1.1 (I changed the public IP)
#pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 106, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D4156C75
current inbound spi : 8C833372
inbound esp sas:
spi: 0x8C833372 (2357408626)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 80916480, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4147200/28597)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xD4156C75 (3558173813)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 80916480, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4101113/28595)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
NAT Statement on SITE A Firewall
TMS-FW# show nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
translate_hits = 4468, untranslate_hits = 4470
Packet-Tracer output on Firewall A Site A
SITE-A-FW# packet-tracer input inside icmp 10.255.220.20 8 0 192.168.77.30 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa301ca00, priority=13, domain=capture, deny=false
hits=6061879, user_data=0x7fffa5a407f0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Inside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1d8cab0, priority=1, domain=permit, deny=false
hits=375243922, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Inside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.177.0 255.255.255.0 via 192.168.255.1, Outside
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 192.168.177.30/0 to 192.168.177.30/0
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_OUT in interface Inside
access-list INSIDE_OUT extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1eb03d0, priority=13, domain=permit, deny=false
hits=5968890, user_data=0x7fff9e08a380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
Additional Information:
Static translate 10.255.220.20/0 to 10.255.220.20/0
Forward Flow based lookup yields rule:
in id=0x7fffa3434200, priority=6, domain=nat, deny=false
hits=2181, user_data=0x7fffa3434810, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa13bae20, priority=0, domain=nat-per-session, deny=true
hits=6703064, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1d947a0, priority=0, domain=inspect-ip-options, deny=true
hits=7796434, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa37ec060, priority=70, domain=inspect-icmp, deny=false
hits=21715, user_data=0x7fffa2c269b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1d94030, priority=66, domain=inspect-icmp-error, deny=false
hits=84425, user_data=0x7fffa1d935a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa2d67750, priority=70, domain=encrypt, deny=false
hits=138117, user_data=0x3174, cs_id=0x7fffa2709690, reverse, flags=0x0, protocol=0
src ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=Outside
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa2c29040, priority=6, domain=nat-reverse, deny=false
hits=2206, user_data=0x7fffa1a24430, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside
Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9b3f7ee0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=370621, user_data=0x4d94, cs_id=0x7fffa2709690, reverse, flags=0x0, protocol=0
src ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa13bae20, priority=0, domain=nat-per-session, deny=true
hits=6703066, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa1deeda0, priority=0, domain=inspect-ip-options, deny=true
hits=7871295, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7770088, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
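An added check, not from the original post, that cross-reads the two show crypto ipsec sa excerpts above: it confirms the proxy identities mirror each other and flags the one-way counter pattern (one peer decrypting but never encrypting). The excerpts are constructed from the figures in the post; the diagnosis strings are my own wording.

```python
import re

# Constructed excerpts of "show crypto ipsec sa", using the counters reported in the post.
SITE_A = """
local ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
"""
SITE_B = """
local ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)
#pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Return the proxy identities ('local'/'remote' as (net, mask)) and encaps/decaps counters."""
    sa = {}
    for side, net, mask in IDENT_RE.findall(text):
        sa[side] = (net, mask)
    for name, val in CNT_RE.findall(text):
        sa[name] = int(val)
    return sa

def diagnose(a, b):
    """Compare both peers' views of the same SA and return a list of findings."""
    findings = []
    # Each side's local selector must equal the other side's remote selector.
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities do not mirror each other")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        # Decrypting replies while never encrypting: outbound packets are dropped
        # or diverted (NAT, routing, ACL) before they reach this side's crypto map.
        if me["encaps"] == 0 and me["decaps"] > 0:
            findings.append(f"{name} decrypts but never encrypts: check {name}'s outbound path before the crypto map")
        # Encrypting while the peer decrypts nothing: ESP/NAT-T is not arriving at the peer.
        if me["encaps"] > 0 and peer["decaps"] == 0:
            findings.append(f"{name} encrypts {me['encaps']} pkts the peer never decrypts: check transit between endpoints")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_sa(SITE_A), parse_sa(SITE_B)):
        print(f)
```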
03-26-2019 09:51 AM