06-25-2015 11:48 AM
Both ASA5505s are running version 9.2.3. I have tried IKEv1 and IKEv2; this was working before, but I'm not sure what is wrong now.
I can get the tunnel up from the dynamic-end ASA (default behaviour), i.e. I have to ping from the ASA itself (DynASA(config)# ping inside 172.22.82.5).
When I try to ping or access resources from any client behind DynamicASA to StaticASA, this shows up in the log:
6 | Jun 25 2015 | 21:40:50 | 302020 | 192.168.11.7 | 1 | 172.22.22.21 | 0 | Built outbound ICMP connection for faddr 172.22.82.21/0 gaddr 88.114.6.163/1 laddr 192.168.11.7/1 |
After the tunnel is up I can connect from clients behind StaticASA to resources behind DynamicASA, but not vice versa (from clients behind DynamicASA to resources behind StaticASA); so bidirectional traffic is not working?
I have tried with both the DefaultL2L and DYNL2L policies and both work in one direction only...
Config from StaticASA
interface Vlan1
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 172.22.22.1 255.255.255.0
!
object network ASA2_LAN
subnet 192.168.11.0 255.255.255.0
object network ASA1_LAN
subnet 172.22.22.0 255.255.255.0
access-list tunneli-ASA2 extended permit ip object ASA1_LAN object ASA2_LAN
nat (inside,outside) source static ASA1_LAN ASA1_LAN destination static ASA2_LAN ASA2_LAN no-proxy-arp route-lookup
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set trans1 ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map DYNL2L-ASA2 4 match address tunneli-ASA2
crypto dynamic-map DYNL2L-ASA2 4 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNL2L-ASA2 4 set ikev2 ipsec-proposal DYNL2L-VPN
crypto dynamic-map DYNL2L-ASA2 4 set reverse-route
crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic DYNL2L-ASA2
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
group-policy GroupPolicy_ASA2 internal
group-policy GroupPolicy_ASA2 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group DYNL2L-ASA2 type ipsec-l2l
tunnel-group DYNL2L-ASA2 general-attributes
default-group-policy GroupPolicy_ASA2
tunnel-group DYNL2L-ASA2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Config from DynamicASA
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
object network ASA1_LAN
subnet 172.22.22.0 255.255.255.0
object network ASA2_LAN
subnet 192.168.11.0 255.255.255.0
access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
crypto map mymap 10 match address tunneli-ASA1
crypto map mymap 10 set peer 1.2.3.4
crypto map mymap 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES DYNL2L-VPN
crypto map mymap 10 set reverse-route
group-policy GroupPolicy_1.2.3.4 internal
group-policy GroupPolicy_1.2.3.4 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy GroupPolicy_1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
Wbr,
Mr.O
06-29-2015 01:07 AM
Hi,
Looks like you have the dynamic NAT above the static NAT exemption on the dynamic-IP side ASA:
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
Change the order to move the static NAT above the dynamic NAT:
no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
HTH
Abaji.
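The ordering problem Abaji points at, as an added example that is not part of the thread: a small Python model of ASA section 1 (manual NAT) first-match evaluation using the addresses from the posted DynamicASA config. The rule model is an assumption-level simplification (source and destination subnet matching only), and the PAT address is taken from the gaddr in the posted log line.

```python
"""Model why 'source dynamic any interface' placed above the identity
(exemption) rule breaks the tunnel from the dynamic-IP side.

Added example, not the thread's own code. ASA evaluates section 1
(manual NAT) top-down and the first matching rule wins; the crypto ACL
is then checked against the post-NAT source address."""
import ipaddress

ASA2_LAN = "192.168.11.0/24"      # behind DynamicASA (object ASA2_LAN)
ASA1_LAN = "172.22.22.0/24"       # behind StaticASA (object ASA1_LAN)
OUTSIDE_IP = "88.114.6.163"       # interface PAT address, gaddr in the posted log


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def nat_rule(kind, src, dst, xlate):
    """xlate=None means identity (keep the original source address)."""
    return {"kind": kind, "src": src, "dst": dst, "xlate": xlate}


# nat (inside,outside) source dynamic any interface
DYNAMIC_PAT = nat_rule("dynamic", "0.0.0.0/0", "0.0.0.0/0", OUTSIDE_IP)
# nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN
EXEMPT = nat_rule("static", ASA2_LAN, ASA1_LAN, None)

POSTED_ORDER = [DYNAMIC_PAT, EXEMPT]   # as in the original config
FIXED_ORDER = [EXEMPT, DYNAMIC_PAT]    # after 'nat (inside,outside) 1 source static ...'


def translate(rules, src, dst):
    """Return the source address after the first matching section-1 rule."""
    for r in rules:
        if in_net(src, r["src"]) and in_net(dst, r["dst"]):
            return src if r["xlate"] is None else r["xlate"]
    return src  # no manual rule matched; untranslated


def matches_crypto_acl(src, dst):
    # access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN
    return in_net(src, ASA2_LAN) and in_net(dst, ASA1_LAN)


def goes_through_tunnel(rules, src, dst):
    """True when the post-NAT packet still matches the crypto ACL."""
    return matches_crypto_acl(translate(rules, src, dst), dst)


if __name__ == "__main__":
    host, server = "192.168.11.7", "172.22.22.21"   # hosts from the posted log line
    for name, rules in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, translate(rules, host, server), goes_through_tunnel(rules, host, server))
```

With the posted order the packet leaves as 88.114.6.163 and never matches tunneli-ASA1, which is exactly the gaddr the log shows; with the exemption first it keeps 192.168.11.7 and is encrypted, while Internet-bound traffic is still PATed.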
06-29-2015 02:08 AM
Thanks, I just needed another pair of eyes to see the basic problem.