Cisco Community
English
Register
ANNOUNCEMENT - Security Restructure has finished!. Email and Web Notifications are ON now - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
214
Views
0
Helpful
2
Replies
Highlighted
ohenttonen
ohenttonen Beginner
Beginner
‎06-25-2015 11:48 AM
‎06-25-2015 11:48 AM

ASA5505 L2L static-dynamic problem

Both ASA5505 using version 9.2.3, i have tried ikev1 and ikev2, this was working before, but i'm not sure what is wrong now..

I can get tunnel up from dynamic end ASA (default behaviour), i mean i have to ping from asa (DynASA(config)# ping inside 172.22.82.5).

When i try to ping or access resources from any clients behind DynamicASA to StaticASA it shows up in log:

6Jun 25 201521:40:50302020192.168.11.71172.22.22.210Built outbound ICMP connection for faddr 172.22.82.21/0 gaddr 88.114.6.163/1 laddr 192.168.11.7/1

 

After tunnel is up i can connect from clients behind StaticASA to resources behind DynamicASA, but not vice versa (from clients behind DynamicASA to recourses behind StaticASA, kinda bidirectional is not working?

I have tried with both DefaultL2L and DYNL2L-policies and both work in one direction...

 

Config from StaticASA

interface Vlan1
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.22.22.1 255.255.255.0
!

object network ASA2_LAN
 subnet 192.168.11.0 255.255.255.0
object network ASA1_LAN
 subnet 172.22.22.0 255.255.255.0

access-list tunneli-ASA2 extended permit ip object ASA1_LAN object ASA2_LAN
nat (inside,outside) source static ASA1_LAN ASA1_LAN destination static ASA2_LAN ASA2_LAN no-proxy-arp route-lookup

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set trans1 ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map DYNL2L-ASA2 4 match address tunneli-ASA2
crypto dynamic-map DYNL2L-ASA2 4 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNL2L-ASA2 4 set ikev2 ipsec-proposal DYNL2L-VPN
crypto dynamic-map DYNL2L-ASA2 4 set reverse-route
crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic DYNL2L-ASA2
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

group-policy GroupPolicy_ASA2 internal
group-policy GroupPolicy_ASA2 attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

tunnel-group DYNL2L-ASA2 type ipsec-l2l
tunnel-group DYNL2L-ASA2 general-attributes
 default-group-policy GroupPolicy_ASA2
tunnel-group DYNL2L-ASA2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

 

Config from DynamicASA

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

object network ASA1_LAN
 subnet 172.22.22.0 255.255.255.0
object network ASA2_LAN
 subnet 192.168.11.0 255.255.255.0

access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

crypto map mymap 10 match address tunneli-ASA1
crypto map mymap 10 set peer 1.2.3.4
crypto map mymap 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES DYNL2L-VPN
crypto map mymap 10 set reverse-route

group-policy GroupPolicy_1.2.3.4 internal
group-policy GroupPolicy_1.2.3.4 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy_1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

 

Wbr,

Mr.O

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Abaji Rawool
Abaji Rawool Participant
Participant
‎06-29-2015 01:07 AM
‎06-29-2015 01:07 AM

Hi,Looks like you have

Hi,

Looks like you have dynamic nat above static nat exempt on dynamic IP side ASA

 

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

change the order to move the static nat above the dynamic nat

no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup


nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

HTH

Abaji.

 

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Highlighted
Abaji Rawool
Abaji Rawool Participant
Participant
‎06-29-2015 01:07 AM
‎06-29-2015 01:07 AM

Hi,Looks like you have

Hi,

Looks like you have dynamic nat above static nat exempt on dynamic IP side ASA

 

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

change the order to move the static nat above the dynamic nat

no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup


nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

HTH

Abaji.

 

View solution in original post

0 Helpful
Reply
Highlighted
ohenttonen
ohenttonen Beginner
Beginner
‎06-29-2015 02:08 AM
‎06-29-2015 02:08 AM

Thanks, just needed another

Thanks, just needed another eyes to see basic problem..

0 Helpful
Reply
Latest Contents
NGFW
Created by starsulaiman21266 on 02-25-2020 01:58 AM
1
0
1
0
Hello All, i have two vm firepower as HA and they are working fine as HA the traffics going through fin but there is a red mark shows on the HA, can someone tell me what does that mean please? This only appears on the HA not in individual device... view more
Meet the Authors FAQ´s - A Cybersecurity Deep Dive with Omar...
Created by ciscomoderator on 02-24-2020 05:28 PM
0
0
0
0
  This event had place on Thursday 23rd, January at 10hrs PDT  Introduction   Featured Author Omar Santos is an active member of the cyber security community, where he leads several industry-wide initiatives and standards bodies. H... view more
Get the Cisco 2020 CISO Benchmark Report
Created by Kelli Glass on 02-24-2020 08:16 AM
0
0
0
0
Securing What's Now and What's Next. With our annual global survey of 2,800 security leaders, we dove deep to compile key benchmark statistics. The 2020 CISO Benchmark Report provides valuable takeaways and data on the most pressing cybersecurity to... view more
Malware Policy
Created by Manu Shankar on 02-24-2020 02:40 AM
0
0
0
0
I have 2 Firepower module (ASA 5525) with Malware and IPS licence. Recently i changed the Malware policy action set to "Block Malware" and "Reset Connection". How to log the event if my policy blocked any files? Please find the attached screen shot f... view more
AnyConnect client statistic from ISE
Created by s.rashid on 02-24-2020 12:04 AM
0
0
0
0
Hi, We have ISE v2.4 installed in production for only 2 month now. we are integrating anyconnect for posturing on all end users machine. I want to get the report or statistics of all the machines on which anyconnect client is installed.
CreatePlease to create content
Discussion
Blog
Document
Video