ASAv5 <> Zywall 310 VPN not passing traffic & policy routing

swilmerism · ‎01-24-2018

Afternoon,

Im after help on a VPN between 2 devices.

Cisco ASAv5

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Zyxel Zywall 310 4.30(AAAB.0)

The Zywall is the core router with VPN's out to other sites (other zywall routers) with poilcy routing workign fine. - I can set these up all day long no probs..

Ive setup this new VPN to cisco ASAv . Currently the VPN is up but not passing traffic.

VPN made using the Site-to-Site VPN Wizard in the ASDM. ALl good. but a trace route out from the ASA ges out of the WAN Id expect it to go down some VPN interface but cannot see one. >

Firewall-ASA-xxx# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         xx.xx.xx.xx YES CONFIG up                    up
GigabitEthernet0/1         192.168.202.2   YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset administratively down down
Management0/0              unassigned      YES unset administratively down down
Firewall-ASA-xxx# show ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: xx.xx.xx.xx

      access-list outside_cryptomap extended permit ip 192.168.202.0 255.255.255.0 172.16.100.0 255.255.252.0
      local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      current_peer: xx.xx.xx.xx

Any pointers please?

Bogdan Nita · ‎01-24-2018

The wizard is creating a policy based VPN, so no VPN tunnel interface will be created.

Also a traceroute initiated form the ASA will not be sent over the VPN tunnel.

For testing the VPN tunnel on ASA you can use packet-tracer. It will not actually send a packet through the tunnel, but it should bring it up and you should be able to see that the packet would be encrypted.

Otherwise you will need a device sitting behind the ASA to test.

HTH

Bogdan

swilmerism · ‎01-24-2018

I am doing my test pings from the LAN interfaces of each device so was expecting pings to go through tunnel.

Thanks for the packet-tracer suggestion, ive done it and results below.

Still struggling...

Firewall-ASA-xxxe# packet-tracer input inside icmp 192.168.202.2 8 0 172.16.100.12 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop xxxWAN IP ADDRESSxxx using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_172.16.100.0_24 NETWORK_OBJ_172.16.100.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 172.16.100.12/0 to 172.16.100.12/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f87e10f2110, priority=501, domain=permit, deny=true
        hits=2, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.202.2, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Firewall-ASA-xxxx#

Bogdan Nita · ‎01-24-2018

It looks like you have a ACL rule on the inside acl that is denying traffic from 192.168.202.2 to any.

swilmerism · ‎01-25-2018

Hi,

thanks for the advice,

still struggling. I see its "implicit rule" thats stopping this.

Yet i have added many permit's the only deny is the implicit rule. Ive even added ACL for the hosts im testing too & from

I have followed this and made changes but still having issue > https://www.petenetlive.com/KB/Article/0001108

Packet traces in both directions attatched.

swilmerism · ‎01-25-2018

HAve now factory defaulted the ASA

I only gave it a inside + outside ip addresses then ran the VPN wizzard

Same again

VPN is up ok but not passing pings.

heres my config >>

**********
: Hardware: ASAv, 1024 MB RAM, CPU Xeon E5 series 2600 MHz
:
ASA Version 9.8(1)
!
**********

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 185.********** 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.202.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.200.2 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 9.9.9.9
object network VTS-LEAM
subnet 172.16.100.0 255.255.252.0
description VTS-LEAM
object network Inside-NAT
subnet 192.168.202.0 255.255.255.0
object network NETWORK_OBJ_192.168.202.0_24
subnet 192.168.202.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.202.0 255.255.255.0 object VTS-LEAM
pager lines 23
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static VTS-LEAM VTS-LEAM no-proxy-arp route-lookup
!
object network Inside-NAT
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 185.********** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.200.0 255.255.255.0 management
http 85********** 255.255.255.255 management
http 85********** 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 51.**********
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 85********** 255.255.255.255 outside
ssh 85********** 255.255.255.255 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.200.3-192.168.200.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_********** internal
group-policy GroupPolicy_********** attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
**********
tunnel-group ********** type ipsec-l2l
tunnel-group ********** general-attributes
default-group-policy GroupPolicy_**********
tunnel-group ********** ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context