10-27-2018 03:03 AM - edited 10-27-2018 03:04 AM
Hi,
I am trying to establish a site-to-site VPN but cannot ping or connect to the network at the other end.
Can you let me know which configuration I should verify and what further troubleshooting steps I could take?
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
xx.xx.xx.xx     xx.xx.xx.xx     QM_IDLE           2002    0 ACTIVE
The ASA is connected to a DSL modem, so the design is as follows:
10-27-2018 03:06 AM
10-27-2018 03:08 AM
Can you clarify which command I should run on the respective devices to show you just the relevant configuration?
Thanks
10-27-2018 06:41 AM
show run is the command to post the configuration of both the ASA and the router.
10-27-2018 07:05 AM
In addition to the config it would be helpful to see the output of show crypto ipsec sa.
HTH
Rick
10-28-2018 03:13 PM - edited 10-28-2018 03:19 PM
rout01#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: remotemap, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer xx.xx.xx.xx port 500
     PERMIT, flags={}
    #pkts encaps: 1892, #pkts encrypt: 1892, #pkts digest: 1892
    #pkts decaps: 1510, #pkts decrypt: 1510, #pkts verify: 1510
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x27A2677E(664954750)

     inbound esp sas:
      spi: 0xE19FACFF(3785338111)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 119, flow_id: Motorola SEC 2.0:119, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4505914/2948)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x27A2677E(664954750)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 120, flow_id: Motorola SEC 2.0:120, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4505761/2947)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
ciscoasa# show crypto ipsec sa

interface: outside
    Crypto map tag: outside_map0, seq num: 1, local addr: xx.xx.xx.xx

      access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: xx.xx.xx.xx

      #pkts encaps: 1897, #pkts encrypt: 1897, #pkts digest: 1897
      #pkts decaps: 2325, #pkts decrypt: 2325, #pkts verify: 2325
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1897, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.11.254/0, remote crypto endpt.: xx.xx.xx.xx

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E19FACFF
      current inbound spi : 27A2677E

    inbound esp sas:
      spi: 0x27A2677E (664954750)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 131072, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373656/2764)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE19FACFF (3785338111)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 131072, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373796/2764)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Managed to get this partly working by adding the source (192.168.11.0/24) and destination (192.168.4.0/24) to the crypto map access list on the ASA. I say partly working because I want this site-to-site VPN to work (connect) both ways and need to figure out why it's not connecting from the other side (router --> ASA).
Let me know if you want to see specific access lists or other config related to the VPN settings
Thanks
10-29-2018 02:18 AM
10-30-2018 01:01 AM
I will do further tests. Since I am dual NATing on one side, how will this impact the configuration needed to allow bi-directional communication?
11-02-2018 02:48 PM
The original post has this statement explaining the problem
but cannot ping or connect to other end network
The follow-up post has output of show crypto ipsec sa which does demonstrate that there is two-way traffic on the VPN, and has this statement
Managed to get this partly working by adding the source (192.168.11.0/24) and destination (192.168.4.0/24) to the crypto map access list on the ASA
The follow-up post then has this statement of a new aspect of the issue
need to figure out why its not connecting from the other side (router --> ASA)
Am I correct in understanding that the VPN does come up and does pass traffic if the ASA initiates the VPN to the router, but that the router is not able to initiate the VPN to the ASA? If that is the case, then we need to know some things about both peers. Do the router and the ASA have permanently assigned IP addresses, or does one of the devices have a dynamic IP address (DHCP or PPPoE, or something)? We also need to see the configuration of the crypto map from both devices.
HTH
Rick
11-06-2018 11:33 PM - edited 11-06-2018 11:46 PM
Hi,
The DSL modem connected to the ASA has a dynamic IP whilst the 1801 has a static IP.
I can reach 192.168.4.0 from 192.168.10.0 (RDP), although the RDP session disconnects and re-establishes automatically every few minutes.
I also confirm that the remote 1801 router can ping the VLAN11 interface of the ASA which is good news.
In the configuration what determines which IP/subnet I can reach on either side via the IPSec VPN?
From the 1801 I want to reach both 192.168.11.0/24 and 192.168.10.0/24 (SMB).
The DSL modem will see these packets as originating from the 1801 WAN address, right? (as these packets are encapsulated)
I think I will also need to make firewall changes on the DSL and ASA to allow such traffic IN.
As I understand it, what this configuration does is that if the originating router sees that the traffic matches the site-to-site VPN's interesting traffic, it will encrypt/encapsulate it and send it to the address of the VPN peer.
Thanks
11-07-2018 08:59 AM
There are several parts of this response that I want to discuss.
It is quite possible for a device with a dynamically assigned IP to establish a site-to-site VPN with a device with a static IP (which seems to be the case here). But one restriction is that the VPN must be initiated from the device with the dynamic IP. In your case it appears that your router has a static IP and the ASA has a dynamic IP, so the ASA must initiate the VPN, and then traffic will flow in both directions. If you think about it, the ASA knows who its remote peer is (static IP), but the router does not know who its peer is (dynamic IP) until it has received an IP packet from the peer (what IP the ASA is using is not known until it has sent a packet to the router).
You ask this question
In the configuration what determines which IP/subnet I can reach on either side via the IPSec VPN?
and the answer is that the crypto map uses an access list to identify the traffic to be encrypted for the VPN. So if you want to reach both 192.168.10.0 and 192.168.11.0, then you put entries into the access list permitting them to communicate with 192.168.4.0.
You also mention the possibility that you need to make changes on the DSL modem or the ASA to allow the traffic in. I would say that if the VPN does come up and if traffic does flow in both directions, then there are no changes needed on the DSL modem or the ASA. I would also point out that there is a default rule on the ASA that permits traffic received on a site-to-site VPN to access the inside network of the ASA (which is why no changes are needed on the ASA).
HTH
Rick
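The configuration that Rick's two answers describe, written out as an added example (it is not the poster's configuration and not anything posted in this thread). It puts the dynamic-peer logic on the router side (a dynamic crypto map with a wildcard pre-shared key, so the router accepts the ASA from whatever address the DSL modem NATs it to but can never initiate), a static crypto map on the ASA side (the ASA knows the router's fixed address and is the only initiator), a mirrored crypto ACL on each side covering both 192.168.10.0/24 and 192.168.11.0/24, and the NAT exemptions that a NATed site needs so the real source addresses reach the crypto ACL. Everything not visible in the thread is an assumption: the router's static address 203.0.113.1 (a documentation-range placeholder), the pre-shared key placeholder, the names TS, VPN-TRAFFIC, NAT-ACL, DYN-ASA, LAN-10, LAN-11, LOCAL-LANS and REMOTE-LAN, ASA 8.4+ command syntax, the nameif "inside", and the choice of AES-256 with DH group 14 for IKE (the ESP transform is the esp-aes esp-sha-hmac the posted SAs show).

```cisco
!=== Router (Cisco 1801, static WAN address on Dialer1) ===
! 203.0.113.1 and the PSK below are placeholders, not values from the thread.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard peer address: the ASA's address is not known in advance
! (dynamic, and rewritten by the DSL modem). Any host holding this PSK
! can now open an IKE negotiation with the router, so use a long random key.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
! Dead peer detection tears down a stale SA left by an old ASA address.
crypto isakmp keepalive 10 periodic
!
! Same ESP transform the posted show crypto ipsec sa output reports.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! Interesting traffic: the exact mirror image of the ASA's crypto ACL.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! Keep VPN-bound packets out of PAT on Dialer1 (ACL name assumed).
ip access-list extended NAT-ACL
 deny   ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface Dialer1 overload
!
! Dynamic map: there is no "set peer", so the router can only respond.
crypto dynamic-map DYN-ASA 10
 set transform-set TS
 match address VPN-TRAFFIC
crypto map remotemap 65535 ipsec-isakmp dynamic DYN-ASA
!
interface Dialer1
 crypto map remotemap

!=== ASA (dynamic address behind the DSL modem's NAT; must initiate) ===
! ASA 8.4+ syntax assumed; "inside" is assumed to be the nameif carrying
! 192.168.10.0/24 and 192.168.11.0/24.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
! The modem rewrites the ASA's source address, so IKE/ESP must be able
! to fall back to UDP 4500 (NAT-T).
crypto isakmp nat-traversal 20
!
crypto ipsec ikev1 transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: one line per local subnet that should reach 192.168.4.0/24.
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
!
! Identity NAT so VPN-bound packets keep their real source address and
! therefore match the crypto ACL above.
object network LAN-10
 subnet 192.168.10.0 255.255.255.0
object network LAN-11
 subnet 192.168.11.0 255.255.255.0
object-group network LOCAL-LANS
 network-object object LAN-10
 network-object object LAN-11
object network REMOTE-LAN
 subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source static LOCAL-LANS LOCAL-LANS destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Static map pointing at the router's fixed address: the ASA initiates.
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 203.0.113.1
crypto map outside_map0 1 set ikev1 transform-set TS
crypto map outside_map0 interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2
!
! ASA default: decrypted site-to-site traffic bypasses the interface ACLs,
! which is the rule Rick refers to above.
sysopt connection permit-vpn
```

Two things to keep in mind when adapting this. First, because the router side is a dynamic map, packets from 192.168.4.0/24 can only cross once the ASA has brought the tunnel up; something behind the ASA has to send interesting traffic first. Second, if 192.168.10.0/24 sits on a different nameif than 192.168.11.0/24, the ASA needs a second nat statement for that interface, and any router image that does not offer DH group 14 needs the same (lower) group configured on both peers, since the IKE policies must match. To verify, check that show crypto isakmp sa reports QM_IDLE, that show crypto ipsec sa on both peers shows both #pkts encaps and #pkts decaps increasing for each of the two proxy-identity pairs, and on the router that show crypto session shows the ASA's current NATed address as the peer.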