ASA5505 to 1801 Site-to-Site VPN

aconticisco
Level 2

Hi,

I am trying to establish a site-to-site VPN but cannot ping or connect to the network at the other end.

 

Can you let me know which configuration I should verify and further troubleshooting steps I may take?

 

show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xx.xx.xx.xx xx.xx.xx.xx QM_IDLE 2002 0 ACTIVE

 

The ASA is connected to a DSL modem so design is as follows:

image.png

 

10 Replies

Hi,
Can you provide the configuration of both the ASA and Router?

Can you clarify which command I should run on the respective devices to show you just the relevant configuration?

 

Thanks

show run is the command to post the configuration of both ASA and router.

 

BB


In addition to the config it would be helpful to see the output of show crypto ipsec sa.

 

HTH

 

Rick


rout01#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: remotemap, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer xx.xx.xx.xx port 500
     PERMIT, flags={}
    #pkts encaps: 1892, #pkts encrypt: 1892, #pkts digest: 1892
    #pkts decaps: 1510, #pkts decrypt: 1510, #pkts verify: 1510
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x27A2677E(664954750)

     inbound esp sas:
      spi: 0xE19FACFF(3785338111)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 119, flow_id: Motorola SEC 2.0:119, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4505914/2948)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x27A2677E(664954750)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 120, flow_id: Motorola SEC 2.0:120, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4505761/2947)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map0, seq num: 1, local addr: xx.xx.xx.xx

      access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: xx.xx.xx.xx

      #pkts encaps: 1897, #pkts encrypt: 1897, #pkts digest: 1897
      #pkts decaps: 2325, #pkts decrypt: 2325, #pkts verify: 2325
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1897, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.11.254/0, remote crypto endpt.: xx.xx.xx.xx
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E19FACFF
      current inbound spi : 27A2677E

    inbound esp sas:
      spi: 0x27A2677E (664954750)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 131072, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373656/2764)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE19FACFF (3785338111)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 131072, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373796/2764)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

Managed to get this partly working by adding the source (192.168.11.0/24) and destination (192.168.4.0/24) to the cryptomap access list on the ASA. I say partly working as I want this site-to-site to work (connect) both ways and need to figure out why it is not connecting from the other side (router --> ASA).

 

Let me know if you want to see specific access lists or other config related to the VPN settings

 

Thanks

 

So we can tell the tunnel is up and traffic is passing the tunnels in both directions.
What testing have you done, are you just running a ping? By default the ASA does not allow ping.

We still need to see the configuration of the devices to determine where the issue is.

Will do further tests. Since I am double-NATting on one side, how will this impact the configuration to allow for bi-directional communication?

 

The original post has this statement explaining the problem

but cannot ping or connect to other end network

 

The follow up post has output of show crypto ipsec sa which does demonstrate that there is two way traffic on the vpn and has this statement

Managed to get this partly working by adding the source (192.168.11.0/24) and destination (192.168.4.0/24) to the cryptomap access list on the ASA

 

The follow up post then has this statement of a new aspect of the issue

need to figure out why its not connecting from the other side (router --> ASA)

 

Am I correct in understanding that the vpn does come up and does pass traffic if the ASA initiates the vpn to the router, but that the router is not able to initiate the vpn to the ASA? If that is the case then we need to know some things about both peers. Do the router and the ASA have permanently assigned IP addresses, or does one of the devices have an IP address that is dynamic (DHCP or PPPoE, or something)? We also need to see the configuration of the crypto map from both devices.

 

HTH

 

Rick


Hi,

The DSL modem connected to the ASA has a dynamic IP whilst the 1801 has a static IP.

I can reach from 192.168.10.0 to 192.168.4.0 (RDP) - although the RDP session disconnects and re-establishes automatically every few minutes.
I also confirm that the remote 1801 router can ping the VLAN11 interface of the ASA which is good news.
In the configuration what determines which IP/subnet I can reach on either side via the IPSec VPN?
From the 1801 I want to reach both the 192.168.11.0/24 and 192.168.10.0/24 (SMB)
The DSL modem will see these packets originating from the 1801 WAN address right? (as these packets are encapsulated)
I think I will also need to make firewall changes on the DSL and ASA to allow such traffic IN.

As I understand it, what this configuration does is: if the originating router sees that the destination traffic matches the VPN site-to-site interesting traffic, it will encrypt/encapsulate it and send it to the destination address of the VPN peer.

Thanks

There are several parts of this response that I want to discuss.

 

It is quite possible for a device with a dynamically assigned IP to establish a site to site vpn with a device with a static IP (which seems to be the case here). But one restriction is that the vpn must be initiated from the device with the dynamic IP. In your case it appears that your router has a static IP and the ASA has a dynamic IP. So the ASA must initiate the vpn and then traffic will flow in both directions. If you think about it, the ASA knows who its remote peer is (static IP) but the router does not know who its peer is (dynamic IP) until it has received an IP packet from the peer. (What IP the ASA is using is not known until it has sent a packet to the router.)

 

You ask this question

In the configuration what determines which IP/subnet I can reach on either side via the IPSec VPN?

and the answer is that in the crypto map it uses an access list to identify traffic to be encrypted for the vpn. So if you want to reach both 192.168.10.0 and 192.168.11.0 then you put entries into the access list to permit them to communicate with 192.168.4.0.

 

You also mention the possibility that you need to make changes in the DSL modem or the ASA to allow the traffic in. I would say that if the vpn does come up and if traffic does flow in both directions then there are no changes needed on DSL or ASA. I would also point out that there is a default rule on ASA that permits traffic received on a site to site vpn to access the inside network of the ASA (which is why no changes are needed on ASA).

 

HTH

 

Rick

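Rick's answer above says the crypto map's access list decides which subnets are reachable over the tunnel, and the earlier post got things "partly working" only after adding an entry to that ACL on the ASA. The script below is an added example, not something posted in this thread or shipped by Cisco: it parses crypto ACL lines in both IOS (wildcard mask) and ASA (subnet mask) syntax, tells you whether a given flow would be selected for encryption on a peer, and checks that every entry on one peer has its mirror image on the other. The ASA line is the one visible in the `show crypto ipsec sa` output above; the router ACL, its name `VPN-TRAFFIC`, and the sample host addresses are assumptions constructed for the example, and the router list deliberately already contains the 192.168.10.0/24 network the poster wants to add, so the mirror check reports that entry as missing on the ASA.

```python
"""Crypto ACL (interesting-traffic) checker for a site-to-site IPsec pair.

Added example for this thread, not code from the thread or from Cisco.
Assumes the constructed ACLs at the bottom; only 'permit ip' entries with
'any', 'host A.B.C.D', or 'A.B.C.D MASK' fields are handled.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)


def _field_to_net(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address field; return (network, remaining tokens).
    MASK may be an IOS wildcard (0.0.0.255) or an ASA subnet mask
    (255.255.255.0): ipaddress accepts both hostmask and netmask spellings."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_crypto_acl(text: str) -> List[Entry]:
    """Parse IOS ('permit ip ...', 'access-list 101 permit ip ...') and ASA
    ('access-list NAME extended permit ip ...') lines into (src, dst) pairs."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0] == "!":
            continue
        try:  # skip everything before the action keyword
            idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
        except StopIteration:
            continue  # header lines such as 'ip access-list extended NAME'
        tokens = tokens[idx:]
        if tokens[0] != "permit":
            continue  # deny lines never select traffic for encryption
        if tokens[1] != "ip":
            raise ValueError(f"only 'permit ip' entries are handled: {raw}")
        src, rest = _field_to_net(tokens[2:])
        dst, _ = _field_to_net(rest)
        entries.append((src, dst))
    return entries


def interesting(acl: List[Entry], src: str, dst: str) -> Optional[int]:
    """Index of the first entry that selects src->dst for encryption, or
    None when that peer would forward the packet in the clear (or drop it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (sn, dn) in enumerate(acl):
        if s in sn and d in dn:
            return i
    return None


def mirror_problems(local: List[Entry], remote: List[Entry]) -> List[str]:
    """Every local (src, dst) pair must appear on the remote peer as
    (dst, src). An entry without an exact mirror is a proxy-ID mismatch:
    one side encrypts the flow, the other does not accept it, so traffic
    works in at most one direction for that pair."""
    local_set, remote_set = set(local), set(remote)
    problems = []
    for s, d in local:
        if (d, s) not in remote_set:
            problems.append(f"local {s} -> {d} has no mirror entry on remote")
    for s, d in remote:
        if (d, s) not in local_set:
            problems.append(f"remote {s} -> {d} has no mirror entry on local")
    return problems


# Constructed sample ACLs. The ASA line matches the one in the thread's
# 'show crypto ipsec sa' output; the router ACL is an assumed counterpart.
ASA_ACL = parse_crypto_acl("""
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.4.0 255.255.255.0
""")

ROUTER_ACL = parse_crypto_acl("""
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
""")


if __name__ == "__main__":
    for flow in (("192.168.11.5", "192.168.4.7"), ("192.168.10.5", "192.168.4.7")):
        print(f"ASA: {flow[0]} -> {flow[1]} interesting? entry {interesting(ASA_ACL, *flow)}")
    for p in mirror_problems(ASA_ACL, ROUTER_ACL):
        print("MISMATCH:", p)
```

Run it as-is and the mirror check flags the router's 192.168.4.0/24 -> 192.168.10.0/24 entry as having no counterpart on the ASA; add the matching `permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0` line to the ASA list and the report is empty. The same check is worth running whenever `show crypto ipsec sa` shows packets encrypted on one side but not decrypted on the other.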