06-25-2015 11:48 AM
Both ASA5505s are running version 9.2.3. I have tried IKEv1 and IKEv2; this was working before, but I'm not sure what is wrong now.
I can get the tunnel up from the dynamic-end ASA (default behaviour), I mean I have to ping from the ASA (DynASA(config)# ping inside 172.22.82.5).
When I try to ping or access resources from any client behind DynamicASA to StaticASA, this shows up in the log:
6 | Jun 25 2015 | 21:40:50 | 302020 | 192.168.11.7 | 1 | 172.22.22.21 | 0 | Built outbound ICMP connection for faddr 172.22.82.21/0 gaddr 88.114.6.163/1 laddr 192.168.11.7/1 |
After the tunnel is up I can connect from clients behind StaticASA to resources behind DynamicASA, but not vice versa (from clients behind DynamicASA to resources behind StaticASA), so it's kind of not working bidirectionally?
I have tried with both the DefaultL2L and DYNL2L policies and both work in one direction...
Config from StaticASA:
interface Vlan1
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 172.22.22.1 255.255.255.0
!
object network ASA2_LAN
subnet 192.168.11.0 255.255.255.0
object network ASA1_LAN
subnet 172.22.22.0 255.255.255.0
access-list tunneli-ASA2 extended permit ip object ASA1_LAN object ASA2_LAN
nat (inside,outside) source static ASA1_LAN ASA1_LAN destination static ASA2_LAN ASA2_LAN no-proxy-arp route-lookup
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set trans1 ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map DYNL2L-ASA2 4 match address tunneli-ASA2
crypto dynamic-map DYNL2L-ASA2 4 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNL2L-ASA2 4 set ikev2 ipsec-proposal DYNL2L-VPN
crypto dynamic-map DYNL2L-ASA2 4 set reverse-route
crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic DYNL2L-ASA2
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
group-policy GroupPolicy_ASA2 internal
group-policy GroupPolicy_ASA2 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group DYNL2L-ASA2 type ipsec-l2l
tunnel-group DYNL2L-ASA2 general-attributes
default-group-policy GroupPolicy_ASA2
tunnel-group DYNL2L-ASA2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Config from DynamicASA:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
object network ASA1_LAN
subnet 172.22.22.0 255.255.255.0
object network ASA2_LAN
subnet 192.168.11.0 255.255.255.0
access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
crypto map mymap 10 match address tunneli-ASA1
crypto map mymap 10 set peer 1.2.3.4
crypto map mymap 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES DYNL2L-VPN
crypto map mymap 10 set reverse-route
group-policy GroupPolicy_1.2.3.4 internal
group-policy GroupPolicy_1.2.3.4 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy GroupPolicy_1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
Wbr,
Mr.O
06-29-2015 01:07 AM
Hi,
Looks like you have the dynamic NAT above the static NAT exemption on the dynamic-IP-side ASA:
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
Change the order to move the static NAT above the dynamic NAT:
no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
HTH
Abaji.
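To make the ordering point concrete, here is an added example (not code from the thread or from Cisco) that models the ASA's top-down, first-match evaluation of manual NAT rules and checks a 302020 connection line for the symptom. The object names and subnets are taken from the posted configs; the outside address 88.114.6.163 is assumed from the gaddr in the quoted log line, and the rule tuples and function names are this example's own.

```python
import ipaddress
import re

# Added example: a first-match model of the ASA manual (twice) NAT section,
# showing why rule order decides whether VPN-bound traffic is PATed to the
# outside address or left untranslated so it can match the crypto ACL.

# Object networks copied from the configs in the question.
OBJECTS = {
    "ASA2_LAN": ipaddress.ip_network("192.168.11.0/24"),
    "ASA1_LAN": ipaddress.ip_network("172.22.22.0/24"),
}

# Assumed outside (DHCP) address of DynamicASA, taken from gaddr in the log line.
OUTSIDE_IP = "88.114.6.163"

# A rule is (label, source object or "any", destination object or "any", action).
# "identity" models "static X X destination static Y Y" (no translation);
# "pat" models "source dynamic any interface".
PAT_RULE = ("source dynamic any interface", "any", "any", "pat")
EXEMPT_RULE = ("source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN",
               "ASA2_LAN", "ASA1_LAN", "identity")

ORIGINAL_ORDER = [PAT_RULE, EXEMPT_RULE]   # as posted: catch-all PAT first
FIXED_ORDER = [EXEMPT_RULE, PAT_RULE]      # after "nat ... 1 source static ...": exemption first


def _in_scope(obj_name, addr):
    return obj_name == "any" or addr in OBJECTS[obj_name]


def translate_source(rules, src, dst):
    """Return (matched rule label, translated source) for a packet src -> dst.

    Manual NAT rules are evaluated top-down and the first match wins, so a
    catch-all PAT rule placed above the exemption shadows it completely.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for label, src_obj, dst_obj, action in rules:
        if _in_scope(src_obj, s) and _in_scope(dst_obj, d):
            return label, (OUTSIDE_IP if action == "pat" else src)
    return "no match", src


# Syslog 302020 carries faddr (foreign), gaddr (global/translated) and
# laddr (local/real). Traffic meant to ride the tunnel untranslated must show
# gaddr == laddr; a differing gaddr is the fingerprint of the misordered NAT.
LOG_RE = re.compile(r"faddr (\S+?)/\d+ gaddr (\S+?)/\d+ laddr (\S+?)/\d+")


def source_was_translated(log_line):
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 302020 connection line")
    _faddr, gaddr, laddr = m.groups()
    return gaddr != laddr


if __name__ == "__main__":
    pkt = ("192.168.11.7", "172.22.22.21")
    print("original order:", translate_source(ORIGINAL_ORDER, *pkt))
    print("fixed order:   ", translate_source(FIXED_ORDER, *pkt))
    # Constructed line in the same format as the one quoted in the question.
    sample = ("Built outbound ICMP connection for faddr 172.22.82.21/0 "
              "gaddr 88.114.6.163/1 laddr 192.168.11.7/1")
    print("log shows PAT applied:", source_was_translated(sample))
```

With the posted order, a packet from 192.168.11.7 to 172.22.22.21 hits the PAT rule and leaves with the outside address as its source, which no longer matches the crypto ACL tunneli-ASA1; with the exemption moved to position 1 the same packet keeps its real source, while Internet-bound traffic still falls through to the PAT rule. Checking gaddr against laddr in 302020 lines is a quick way to confirm the diagnosis from the log alone.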
06-29-2015 02:08 AM
Thanks, I just needed another pair of eyes to see the basic problem.