ASA5505 L2L static-dynamic problem

ohenttonen
Level 1

Both ASA5505s are running version 9.2.3. I have tried IKEv1 and IKEv2; this was working before, but I'm not sure what is wrong now.

I can get the tunnel up from the dynamic-end ASA (default behaviour); I mean I have to ping from the ASA itself (DynASA(config)# ping inside 172.22.82.5).

When I try to ping or access resources from any client behind DynamicASA to StaticASA, this shows up in the log:

6  Jun 25 2015  21:40:50  302020  192.168.11.7  1  172.22.22.21  0  Built outbound ICMP connection for faddr 172.22.82.21/0 gaddr 88.114.6.163/1 laddr 192.168.11.7/1


After the tunnel is up I can connect from clients behind StaticASA to resources behind DynamicASA, but not vice versa (from clients behind DynamicASA to resources behind StaticASA). So bidirectional traffic is not working?

I have tried with both the DefaultL2L and DYNL2L policies, and both work in one direction only...


Config from StaticASA

interface Vlan1
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.22.22.1 255.255.255.0
!

object network ASA2_LAN
 subnet 192.168.11.0 255.255.255.0
object network ASA1_LAN
 subnet 172.22.22.0 255.255.255.0

access-list tunneli-ASA2 extended permit ip object ASA1_LAN object ASA2_LAN
nat (inside,outside) source static ASA1_LAN ASA1_LAN destination static ASA2_LAN ASA2_LAN no-proxy-arp route-lookup

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set trans1 ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map DYNL2L-ASA2 4 match address tunneli-ASA2
crypto dynamic-map DYNL2L-ASA2 4 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNL2L-ASA2 4 set ikev2 ipsec-proposal DYNL2L-VPN
crypto dynamic-map DYNL2L-ASA2 4 set reverse-route
crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic DYNL2L-ASA2
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

group-policy GroupPolicy_ASA2 internal
group-policy GroupPolicy_ASA2 attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

tunnel-group DYNL2L-ASA2 type ipsec-l2l
tunnel-group DYNL2L-ASA2 general-attributes
 default-group-policy GroupPolicy_ASA2
tunnel-group DYNL2L-ASA2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


Config from DynamicASA

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

object network ASA1_LAN
 subnet 172.22.22.0 255.255.255.0
object network ASA2_LAN
 subnet 192.168.11.0 255.255.255.0

access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

crypto map mymap 10 match address tunneli-ASA1
crypto map mymap 10 set peer 1.2.3.4
crypto map mymap 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES DYNL2L-VPN
crypto map mymap 10 set reverse-route

group-policy GroupPolicy_1.2.3.4 internal
group-policy GroupPolicy_1.2.3.4 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy_1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!


Wbr,

Mr.O

Accepted Solution

Abaji Rawool
Level 3

Hi,

Looks like you have the dynamic NAT above the static NAT exemption on the dynamic-IP-side ASA:


nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

Change the order to move the static NAT above the dynamic NAT:

no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup


nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

HTH

Abaji.

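As an added illustration (not from the thread, Cisco, or the ASA itself), a small Python model of how the ASA walks manual NAT rules top-down with first match winning, built from the two nat lines quoted above. In the posted order the "source dynamic any interface" rule matches first and the client's source is translated to the outside interface address, which is exactly what the posted log shows (gaddr 88.114.6.163 instead of laddr 192.168.11.7), so the crypto ACL never sees a 192.168.11.0/24 source; with the identity NAT first, the address is kept and the flow qualifies for the tunnel, while Internet-bound traffic is still PATed. The hosts 172.22.22.10 and 198.51.100.1 are constructed sample values; 88.114.6.163 is taken from the posted log line.

```python
# Added example, not from the thread: a toy model of how the ASA evaluates
# manual (Section 1) NAT rules top-down, first match wins, and why the
# posted rule order on DynamicASA broke traffic from its clients.
from ipaddress import ip_address, ip_network

ASA2_LAN = ip_network("192.168.11.0/24")   # LAN behind DynamicASA
ASA1_LAN = ip_network("172.22.22.0/24")    # LAN behind StaticASA
ANY = ip_network("0.0.0.0/0")
OUTSIDE_IF = ip_address("88.114.6.163")    # gaddr seen in the posted log line

# A rule is (source match, destination match, translated source);
# None as the translated source means identity NAT (address unchanged).
PAT_TO_INTERFACE = (ANY, ANY, OUTSIDE_IF)  # nat ... source dynamic any interface
IDENTITY_NAT = (ASA2_LAN, ASA1_LAN, None)  # nat ... source static ASA2_LAN ASA2_LAN
                                           #   destination static ASA1_LAN ASA1_LAN

def translate(rules, src, dst):
    """Translated source address for a src->dst flow: first matching rule wins."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, xlated in rules:
        if src in src_net and dst in dst_net:
            return src if xlated is None else xlated
    return src  # no rule matched: leave the address untranslated

def matches_crypto_acl(xlated_src, dst):
    """Crypto ACL tunneli-ASA1 is checked after NAT, against the translated source."""
    return ip_address(xlated_src) in ASA2_LAN and ip_address(dst) in ASA1_LAN

def tunnel_eligible(rules, src, dst):
    """True if the flow would be selected for the L2L tunnel under this NAT order."""
    return matches_crypto_acl(translate(rules, src, dst), dst)

POSTED_ORDER = [PAT_TO_INTERFACE, IDENTITY_NAT]  # order in the question
FIXED_ORDER = [IDENTITY_NAT, PAT_TO_INTERFACE]   # order from the accepted answer

if __name__ == "__main__":
    # constructed sample hosts: a client behind DynamicASA, a server behind
    # StaticASA, and an Internet address that should still be PATed
    client, server, internet = "192.168.11.7", "172.22.22.10", "198.51.100.1"
    for name, rules in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "gaddr:", translate(rules, client, server),
              "tunnel:", tunnel_eligible(rules, client, server),
              "internet PATed:", translate(rules, client, internet) == OUTSIDE_IF)
```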

2 Replies


ohenttonen
Level 1

Thanks, I just needed another pair of eyes to see the basic problem.