09-15-2011 07:13 PM
Hello,
I configured ASA5520 and RV042 for site-to-site IPSec VPN tunnel.
Tunnel gets connected, but no ping and no traffic between the networks at both ends.
Network:
=======
192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet
192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet
ASA5520 config:
----------------------
name 192.168.10.0 VPN
!
interface GigabitEthernet0/1
nameif NET
security-level 100
ip address 192.168.113.6 255.255.255.0
!
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map com_map0 1 set phase1-mode aggressive
crypto map com_map0 interface com
crypto isakmp enable com
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
RV042 config is very simple.
Any particular reason, or is some config missing?
09-15-2011 07:18 PM
Crypto ACL on the ASA has been configured the other way round.
Currently, it's:
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
It should be:
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
Clear the tunnel after the changes, and let us know how it goes.
Please share the output of the following if it still doesn't work:
show cry isa sa
show cry ipsec sa
09-15-2011 07:51 PM
I tried the access-list on the ASA same as above; after clearing, the tunnel goes down...
Please find below my ASA information.
---------------------------------
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 20 days 15 hours
Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 001a.6de9.32a8, irq 9
1: Ext: GigabitEthernet0/1 : address is 001a.6de9.32a9, irq 9
2: Ext: GigabitEthernet0/2 : address is 001a.6de9.32aa, irq 9
3: Ext: GigabitEthernet0/3 : address is 001a.6de9.32ab, irq 9
4: Ext: Management0/0 : address is 001a.6de9.32ac, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Below is the show command output before clearing the tunnel.
ciscoasa# sh crypto isa sa
=====================
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.x.x.x
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
ciscoasa#
ciscoasa# sh crypto ipsec sa
======================
interface: com
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.113.0 255.255.255.0
local ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE17F
current inbound spi : E9E70AD0
inbound esp sas:
spi: 0xE9E70AD0 (3924232912)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 864256, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 2320
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x429AE17F (1117446527)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 864256, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 2320
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
09-15-2011 07:56 PM
It is still referring to the incorrect access-list based on the output above:
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.113.0 255.255.255.0
local ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
current_peer: 202.x.x.x
The ACL is the other way round.
Can you clear the tunnel with the following commands:
clear cry ipsec sa
clear cry isa sa
Then try to establish the tunnel again by accessing between the 2 LANs.
09-15-2011 08:29 PM
I understand that if I configure the below access-list on the ASA,
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
then on the RV042 it will be?
Local Secure Group: 192.168.113.0/255.255.255.0
Remote Secure Group: 192.168.10.0/255.255.255.0
Remote Secure Gateway: 202.x.x.y
Yes, I did clear cry ipsec sa and clear cry isa sa.
09-15-2011 09:01 PM
I configured the access-list on the ASA,
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
and on the RV042,
Local Secure Group: 192.168.10.0/255.255.255.0
Remote Secure Group: 192.168.113.0/255.255.255.0
Remote Secure Gateway: 202.x.x.y
Now the tunnel gets connected.
ciscoasa# sh cry isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.x.x.x
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
ciscoasa#
ciscoasa# sh cry ipsec sa
interface: mcscom
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE187
current inbound spi : 95B9E556
inbound esp sas:
spi: 0x95B9E556 (2511988054)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 897024, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3418
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x429AE187 (1117446535)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 897024, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3418
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
But I can't ping from the RV042, or from a PC connected to the RV042, to the 192.168.113.0 network, and it is the same in the other direction.
If I do a traceroute from the ASA, it goes to the Internet via the outside interface of the ASA...
Same problem on the RV042...
09-15-2011 09:04 PM
OK, that is good progress... The VPN part is now correct.
On RV042, have you configured NAT exemption so traffic from RV042 LAN does not get NATed when it is destined for the ASA LAN network?
09-15-2011 09:48 PM
I enabled the advanced setting NAT-T traversal on the RV042.
Are you asking about this config?
BTW, I can see the ASA receiving ping packets from the RV042 if I ping from the RV042 diagnostic menu,
but from an ASA ping to the RV042 no transmitted packets increase.
BTW, I uploaded the complete configs of both sides to my forum Documents folder; you can download them.
09-15-2011 11:36 PM
Can you enable "management-access NET" on your ASA, and see if you can ping 192.168.113.6 from behind RV042?
Also, if you try to ping from the ASA, you would need to originate the ping from the NET interface because the interesting traffic is only between 192.168.113.0/24 and 192.168.10.0/24 subnets.
From ASA, you can issue: ping NET 192.168.10.x
09-16-2011 02:42 PM
After enabling management-access on NET, I can ping from the RV042 to the ASA's NET interface address 192.168.113.6 only.
The ASA "ping NET 192.168.10.1" also works, which is the RV042 LAN interface address only.
Hosts beyond both interfaces are unreachable for ping.
For example:
- PC with address 192.168.10.101 unreachable from the ASA
- PCs with addresses 192.168.113.247, 192.168.113.251 unreachable from the RV042
From ASA:
========
ciscoasa# ping NET 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping NET 192.168.10.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
From RV042:
==========
Ping host or IP address: | |
Status: | Test Succeeded |
Packets: | 4/4 transmitted, 4/4 received, 0% loss |
Round Trip Time: | Minimun = 2 ms Maximun = 2 ms Average = 2 ms |
Ping host or IP address: | |
Status: | Test Failed |
Packets: | 4/4 transmitted, 0/4 received, 100% loss |
Round Trip Time: | Minimun = 2147483647 ms Maximun = 0 ms Average = 0 ms |
Any suggestion?
09-16-2011 07:06 PM
A few things to check and to pinpoint where the issue is:
1) When you are pinging from 192.168.10.x host, where is the packet failing? You can check "sh cry ipsec sa" and see if the encrypts/decrypts packet increase as you perform the ping. This will give you an indication on where it could possibly be failing.
2) When you are pinging from a 192.168.113.x host, where is the packet failing? Same as above: for each scenario, check the "sh cry ipsec sa" and see which counter increases and which stays the same.
Also, check if "inspect icmp" is enabled on your ASA. If it hasn't, please kindly enable it.
From the latest result that you have, the VPN is now working just fine, so anything that we investigate now has to be another feature that is failing, i.e.: NAT, firewall rules, etc.
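As an added illustration of the counter check described above (not code from the thread or from Cisco), this Python snippet diffs two "sh cry ipsec sa" snapshots and names which side to look at; the counter excerpts are constructed, modelled on the values posted later in this thread.

```python
import re

# Constructed "sh cry ipsec sa" counter excerpts, modelled on the values posted
# in this thread (the rest of the output is irrelevant to the check).
BEFORE = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""
# Host behind the RV042 pinged the ASA LAN: only decaps moved.
AFTER_REMOTE_PING = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #send errors: 0, #recv errors: 0
"""
# "ping NET 192.168.10.101" issued on the ASA itself: only encaps moved.
AFTER_ASA_PING = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""

# Only the four counters that localise a forwarding problem are parsed.
COUNTER_RE = re.compile(r"#(pkts (?:en|de)caps|send errors|recv errors):\s*(\d+)")


def parse_counters(text):
    """Map counter name -> value for one snapshot of the SA."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """How much each counter grew between two snapshots of the same SA."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a.get(k, 0) - b.get(k, 0) for k in a}


def diagnose(before, after, ping_from):
    """Localise where an ICMP test through the tunnel stops, from the ASA's view.

    ping_from: "remote" = echo requests originate behind the RV042,
               "asa"    = echo requests originate on the ASA side.
    Returns (verdict, explanation)."""
    d = counter_delta(before, after)
    enc, dec = d.get("pkts encaps", 0), d.get("pkts decaps", 0)
    if d.get("send errors", 0) or d.get("recv errors", 0):
        return ("sa-errors", "send/recv errors grew: inspect the SA itself before anything else")
    if ping_from == "remote":
        if dec == 0:
            return ("nothing-received",
                    "no decaps: the requests never arrived in the tunnel; check the RV042 side")
        if enc == 0:
            return ("asa-return-path",
                    "decaps grew but encaps did not: the ASA decrypted the requests but the replies "
                    "were not put back into the tunnel; check ASA NAT exemption, routing and ACLs")
        return ("tunnel-ok", "both directions moved: the tunnel forwards; look at the end hosts")
    if enc == 0:
        return ("not-sent", "no encaps: the test traffic did not match the crypto ACL "
                            "(wrong source interface or subnet?)")
    if dec == 0:
        return ("peer-return-path",
                "encaps grew but decaps did not: no reply came back through the tunnel; "
                "check NAT and return routing on the RV042 side")
    return ("tunnel-ok", "both directions moved: the tunnel forwards; look at the end hosts")


if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER_REMOTE_PING, "remote"))
    print(diagnose(BEFORE, AFTER_ASA_PING, "asa"))
```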
09-17-2011 01:03 AM
1. 192.168.10.x before ping
=====================
ciscoasa# sh cry ipsec sa
interface: com
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE1D3
current inbound spi : EB45F2AC
inbound esp sas:
spi: 0xEB45F2AC (3947229868)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1171456, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3518
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x429AE1D3 (1117446611)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1171456, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3518
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
after ping
=======
ciscoasa# sh cry ipsec sa
interface: com
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE1D3
current inbound spi : EB45F2AC
inbound esp sas:
spi: 0xEB45F2AC (3947229868)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1171456, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3436
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0x429AE1D3 (1117446611)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1171456, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3436
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
2. 192.168.113.x before ping
=====================
ciscoasa# sh cry ipsec sa
interface: com
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE1D4
current inbound spi : 0EF1CBF2
inbound esp sas:
spi: 0x0EF1CBF2 (250727410)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1175552, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3589
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x429AE1D4 (1117446612)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1175552, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3589
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
after ping
========
ciscoasa# sh cry ipsec sa
interface: com
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE1D4
current inbound spi : 0EF1CBF2
inbound esp sas:
spi: 0x0EF1CBF2 (250727410)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1175552, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3428
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x429AE1D4 (1117446612)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1175552, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3428
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
after ping from ASA
===============
ciscoasa# ping NET 192.168.10.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# sh cry ipsec sa
interface: com
Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
current_peer: 202.x.x.x
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 429AE1D4
current inbound spi : 0EF1CBF2
inbound esp sas:
spi: 0x0EF1CBF2 (250727410)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1175552, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3300
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x429AE1D4 (1117446612)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1175552, crypto-map: com_map0
sa timing: remaining key lifetime (sec): 3300
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Seems from the ASA it shows packets being processed, but not from 192.168.113.x hosts.
ASA config:
=========
ciscoasa# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name mydomain.mn
enable password removed encrypted
passwd removed encrypted
names
name 192.168.253.0 linfo description linfo
name 172.16.0.8 linfo1 description linfo1
name 172.16.0.24 linfo2 description linfo2
name 122.x.x.0 gix-support description contract service remote access
name 202.x.0.0 branch-access-adsl description ISP network
name 180.x.x.0 gix-support2 description contract service remote access
name 192.168.10.0 VPN
name 10.0.1.0 VPN2
name 202.x.x.192 com-network2 description Public IP address
!
interface GigabitEthernet0/0
description Interface connected to Cisco 2621XM - to COM Internet provider
nameif com
security-level 0
ip address 202.x.x.202 255.255.255.248
!
interface GigabitEthernet0/1
nameif NET
security-level 100
ip address 192.168.113.6 255.255.255.0
!
interface GigabitEthernet0/2
nameif Servers
security-level 0
ip address 192.168.130.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif Servers2
security-level 0
ip address 192.168.131.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
banner exec Please make sure what you are doing here...
banner login This ..... Department's network system.
banner login
banner login Please disconnect immediately or all your activities will be logged into system.
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone ULAST 8
dns domain-lookup com
dns domain-lookup NET
dns domain-lookup Servers
dns domain-lookup Servers2
dns domain-lookup management
dns server-group DefaultDNS
name-server 202.x.x.x
name-server 122.x.x.x
name-server 180.x.x.x
domain-name mydomain.mn
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 202.x.x.205
network-object host 202.x.x.206
access-list management_access_in remark network team have all access to security system
access-list management_access_in extended permit ip any any
access-list com_access_in extended permit tcp any host 202.x.x.206 eq ssh
access-list com_access_in extended permit icmp any host 202.x.x.206
access-list com_access_in extended permit tcp any host 202.x.x.206 eq www
access-list com_access_in extended permit tcp any host 202.x.x.205 eq ssh
access-list com_access_in extended permit icmp any host 202.x.x.205
access-list com_access_in extended permit tcp any host 202.x.x.206 eq 8080
access-list com_access_in extended permit tcp any host 202.x.x.206 eq 5432
access-list com_access_in extended permit ip gix-support 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list com_access_in extended permit ip gix-support 255.255.255.0 202.x.x.200 255.255.255.248
access-list NET_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 linfo 255.255.255.248
access-list NET_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 linfo1 255.255.255.248
access-list NET_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 linfo2 255.255.255.248
access-list Servers_access_in extended permit ip any any
access-list NET_nat_outbound_1 extended permit ip 192.168.113.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list Servers2_access_in extended permit ip any any
access-list management_access_in_1 extended permit ip any any
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
access-list NET_access_in extended permit ip any any
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
pager lines 24
logging timestamp
logging asdm informational
mtu com 1500
mtu NET 1500
mtu Servers 1500
mtu Servers2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (com) 1 interface
global (NET) 2 interface
global (Servers) 3 interface
nat (com) 1 access-list com_nat_outbound dns
nat (NET) 2 access-list NET_nat_outbound
nat (NET) 3 access-list NET_nat_outbound_1
nat (NET) 1 192.168.113.0 255.255.255.0 dns
static (NET,com) 202.x.x.206 192.168.113.254 netmask 255.255.255.255 dns
static (NET,com) 202.x.x.205 192.168.113.253 netmask 255.255.255.255 dns
access-group com_access_in in interface com
access-group NET_access_in in interface NET
access-group Servers_access_in in interface Servers
access-group Servers2_access_in in interface Servers2
access-group management_access_in in interface management control-plane
access-group management_access_in_1 in interface management
route com 0.0.0.0 0.0.0.0 202.x.x.201 1
route NET linfo1 255.255.255.248 192.168.113.251 1
route NET linfo2 255.255.255.248 192.168.113.251 1
route NET linfo 255.255.255.248 192.168.113.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.113.0 255.255.255.0 NET
http gix-support 255.255.255.0 com
snmp-server location ... Department
snmp-server contact Me
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer 202.x.x.196
crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map com_map0 1 set phase1-mode aggressive
crypto map com_map0 1 set reverse-route
crypto map com_map0 interface com
crypto isakmp enable com
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet gix-support2 255.255.255.0 com
telnet gix-support 255.255.255.0 com
telnet 202.x.x.201 255.255.255.255 com
telnet 192.168.113.0 255.255.255.0 NET
telnet 192.168.113.0 255.255.255.0 Servers
telnet 192.168.113.0 255.255.255.0 Servers2
telnet timeout 5
ssh gix-support 255.255.255.0 com
ssh gix-support2 255.255.255.0 com
ssh timeout 5
console timeout 0
management-access NET
dhcpd address 192.168.113.10-192.168.113.200 NET
dhcpd dns 202.x.x.11 122.x.x.5 interface NET
dhcpd domain mydomain.mn interface NET
dhcpd enable NET
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group 202.x.x.196 type ipsec-l2l
tunnel-group 202.x.x.196 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:35b6b4146c7f403149be3d91e0845382
: end
09-17-2011 01:21 AM
NAT exemption has not been configured on the ASA, hence it doesn't work.
Here is what needs to be configured on the ASA:
access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
nat (NET) 0 access-list nonat-NET
Then "clear xlate" after the changes.
This should resolve the issue.
09-17-2011 01:27 AM
Thank you very much Jennifer for your time.
What is the purpose of this exempt rule?
Because I have never used it.
Is it possible to use exempt between the server1, server2 and NET interfaces?
09-17-2011 01:36 AM
The NAT exempt rule is to allow communication between subnets with their real IP addresses, i.e.: no NATing (no translation) happens when you configure the access-list to match between the 2 subnets.
And yes, you can definitely configure NAT exemption between server1, server2 and net interfaces.
The trick is to configure the NAT exemption in only 1 direction, because it works bi-directionally, and to configure it on the higher security level interface.
Example:
If you would like to configure NAT exemption between Server2 subnet and NET subnet, then you configure the NAT on NET interface because NET (sec level: 100) has higher security level than Server2 (sec level: 0).
And since you already have a "nat (NET) 0 access-list" configured, all you need to do is add to the existing access-list:
access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 192.168.131.0 255.255.255.0
Hope this makes sense.
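An added audit script (not code from the thread or from Cisco) covering both fixes in this thread: it reads an ASA 8.2-style config, resolves "name" aliases, checks whether every crypto-ACL pair is covered by a "nat (if) 0 access-list" exemption, and derives the mirror-image Local/Remote Secure Groups the RV042 must hold. The config excerpt is constructed from the lines posted above, with the nonat-NET fix present only in CONFIG_AFTER; it assumes "name" lines precede the ACLs that use them, as they do in a running config.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt of the ASA 8.2 config from this thread, reduced to the
# lines the check needs. CONFIG_BEFORE has no NAT exemption; CONFIG_AFTER adds
# the nonat-NET lines from the final answer.
CONFIG_BEFORE = """\
name 192.168.10.0 VPN
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
access-list NET_nat_outbound_1 extended permit ip 192.168.113.0 255.255.255.0 192.168.130.0 255.255.255.0
nat-control
nat (NET) 1 192.168.113.0 255.255.255.0 dns
crypto map com_map0 1 match address com_cryptomap
"""
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
nat (NET) 0 access-list nonat-NET
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def _net(addr, mask, names):
    # Resolve "name" aliases (VPN -> 192.168.10.0) before building the network.
    return IPv4Network((names.get(addr, addr), mask))


def parse_config(config):
    """Extract name aliases, ip ACEs, nat 0 bindings and crypto-map ACL names."""
    names, acls, nat0, crypto_acls = {}, {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif m := ACE_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            acls.setdefault(acl, []).append((_net(src, smask, names), _net(dst, dmask, names)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(2)] = m.group(1)        # nonat ACL name -> interface it is bound to
        elif m := CMAP_RE.match(line):
            crypto_acls.append(m.group(1))
    return names, acls, nat0, crypto_acls


def nat_exemption_report(config):
    """For each crypto-ACL entry (local -> remote), name the nat 0 ACL whose
    entry covers that pair (same or wider subnets), or None when nothing does."""
    _, acls, nat0, crypto_acls = parse_config(config)
    report = []
    for cacl in crypto_acls:
        for local, remote in acls.get(cacl, []):
            exempt = None
            for nacl, iface in nat0.items():
                if any(local.subnet_of(s) and remote.subnet_of(d) for s, d in acls.get(nacl, [])):
                    exempt = f"{nacl} ({iface})"
            report.append((cacl, str(local), str(remote), exempt))
    return report


def expected_peer_groups(config):
    """The peer must hold the mirror image of the ASA crypto ACL: the ASA's
    destination becomes the RV042's Local Secure Group and vice versa."""
    _, acls, _, crypto_acls = parse_config(config)
    return [{"Local Secure Group": str(remote), "Remote Secure Group": str(local)}
            for cacl in crypto_acls for local, remote in acls.get(cacl, [])]


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for cacl, local, remote, exempt in nat_exemption_report(cfg):
            print(f"{label}: {cacl} {local} -> {remote}: exempted by {exempt}")
    print(expected_peer_groups(CONFIG_AFTER))
```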