03-10-2011 05:58 AM
Hello everybody
First I must say I have configured site-to-site VPNs a million times before. Got stuck with this one. First of all, I cannot ping the outside interface of my remote ASA. Secondly, the VPN is up, but there is no connectivity between the LANs.
Local ASA:
hostname gyd-asa
domain-name bct.az
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
shutdown
nameif vpnswc
security-level 0
ip address 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
description vpn-turan-baku
nameif outside-Baku
security-level 0
ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
description vpn-ganja
nameif outside-Ganja
security-level 0
ip address 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
description Remote Access
vlan 30
nameif remote-access
security-level 0
ip address 85.*.*.* 255.255.255.0
!
interface GigabitEthernet0/3
description BCT_Inside
nameif inside-Bct
security-level 100
ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.251.1 255.255.255.0
management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
name-server 192.168.1.3
domain-name bct.az
same-security-traffic permit intra-interface
object-group network obj-192.168.121.0
object-group network obj-10.40.60.0
object-group network obj-10.40.50.0
object-group network obj-192.168.0.0
object-group network obj-172.26.0.0
object-group network obj-10.254.17.0
object-group network obj-192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj-10.254.17.18
object-group network obj-10.254.17.10
object-group network obj-10.254.17.26
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list icmp_inside extended permit icmp any any
access-list icmp_inside extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list rdp extended permit tcp any host 192.168.45.3 eq 3389
access-list rdp extended permit ip any any
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list nat-vpn-internet extended permit ip 192.168.121.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 172.26.0.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 192.168.122.0 255.255.255.0 any
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.40.60.0 255.255.255.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 172.26.0.0 255.255.255.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.254.17.0 255.255.255.0
access-list ghc-ganja-internet extended permit ip 192.168.45.0 255.255.255.0 any
access-list Split_Tunnel_List standard permit 192.168.16.0 255.255.255.0
access-list azans extended permit ip 192.168.69.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
logging enable
logging emblem
logging console debugging
logging trap debugging
logging asdm informational
logging host inside-Bct 192.168.1.27
flow-export destination inside-Bct 192.168.1.27 9996
mtu vpnswc 1500
mtu outside-Baku 1500
mtu outside-Ganja 1500
mtu remote-access 1500
mtu inside-Bct 1500
mtu management 1500
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
ip local pool ssl 192.168.121.130-192.168.121.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside-Baku
icmp permit any remote-access
icmp permit any inside-Bct
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
global (remote-access) 3 interface
nat (outside-Ganja) 3 access-list azans
nat (remote-access) 0 access-list nonat-vpn-city
nat (remote-access) 3 access-list nat-vpn-internet
nat (inside-Bct) 0 access-list inside_nat0_outbound
nat (inside-Bct) 2 access-list nat-ganja
nat (inside-Bct) 1 access-list nat
access-group rdp out interface outside-Ganja
!
router eigrp 2008
no auto-summary
neighbor 10.254.17.10 interface outside-Baku
neighbor 10.40.50.66 interface inside-Bct
network 10.40.50.64 255.255.255.252
network 10.250.25.0 255.255.255.0
network 10.254.17.8 255.255.255.248
network 10.254.17.16 255.255.255.248
redistribute static
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.* 1
route outside-Baku 10.0.11.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.33.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.150.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.170.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.27.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.80.0 255.255.255.0 10.254.17.11 1
route remote-access 192.168.121.0 255.255.255.0 85.132.43.1 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside-Bct) host 192.168.1.8
key *****
aaa-server TACACS (inside-Bct) host 192.168.22.46
key *****
aaa-server TACACS1 protocol radius
aaa-server TACACS1 (inside-Bct) host 192.168.1.8
key *****
aaa-server TACACS1 (inside-Bct) host 192.168.22.46
key *****
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside-Bct
http 192.168.139.0 255.255.255.0 inside-Bct
http 192.168.0.0 255.255.255.0 inside-Bct
snmp-server host inside-Bct 192.168.1.27 poll community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside-Baku
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set myset
crypto map ganja interface outside-Ganja
crypto map vpntest 20 match address 110
crypto map vpntest 20 set peer 10.250.25.1
crypto map vpntest 20 set transform-set newset
crypto map vpntest interface vpnswc
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=gyd-asa.bct.az
keypair sslvpnkeypair
crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp identity address
crypto isakmp enable vpnswc
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside-Bct
ssh timeout 35
console timeout 0
priority-queue outside-Baku
queue-limit 2046
tx-ring-limit 254
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.3
ssl encryption 3des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0 remote-access vpnlb-ip
ssl trust-point ASDM_TrustPoint0 remote-access
webvpn
enable remote-access
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ssl internal
group-policy ssl attributes
banner value Welcome to SW
dns-server value 192.168.1.3
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value SSL
webvpn
url-list value SPS
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1.3
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs disable
default-domain value bct.az
vpn-group-policy ssl
webvpn
url-list value SPS
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 5
tunnel-group DefaultRAGroup general-attributes
address-pool raccess
authentication-server-group TACACS
default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 5
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 5
tunnel-group 10.254.17.10 type ipsec-l2l
tunnel-group 10.254.17.10 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 5
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
address-pool ssl
authentication-server-group (remote-access) LOCAL
default-group-policy ssl
username-from-certificate use-entire-name
tunnel-group SSL webvpn-attributes
group-alias SSL enable
group-url https://85.*.*.*/ enable
tunnel-group 10.254.17.18 type ipsec-l2l
tunnel-group 10.254.17.18 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 5
tunnel-group 10.254.17.11 type ipsec-l2l
tunnel-group 10.254.17.11 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 5
tunnel-group DefaultSWITGroup type remote-access
tunnel-group DefaultSWITGroup general-attributes
address-pool raccess
authentication-server-group TACACS
default-group-policy vpn
tunnel-group DefaultSWITGroup ipsec-attributes
pre-shared-key *****
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect ip-options
class flow_export_cl
flow-export event-type all destination 192.168.1.27
class class-default
flow-export event-type all destination 192.168.1.27
policy-map Voicepolicy
class Voice
priority
class Data
police output 80000000
!
service-policy global_policy global
service-policy Voicepolicy interface outside-Baku
prompt hostname context
Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
gyd-asa#
Remote ASA:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password XeY1QWHKPK75Y48j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nonat extended permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset2
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa# $
Once again, I cannot ping the remote ASA's outside interface from the local ASA's outside. And there is no connectivity between the remote 192.168.80.0 and, let's say, the local 192.168.1.0. I have run out of ideas.
Would appreciate any help. Thank you very much in advance.
03-10-2011 06:53 AM
Hi,
Is this a private setup (not going through the internet)? I'm asking because of the private IPs on the ASAs' outside interfaces.
Either way... if you cannot PING the remote ASA's outside, the VPN will not establish.
What devices do you have in between both ASAs, or what could be preventing a PING between them from succeeding according to your setup?
Federico.
03-10-2011 08:04 AM
No, it is not going through the internet.
The thing is that I can see the VPN established both from sh crypto isakmp sa and from debug crypto isakmp.
There is a switch between the 2 ASAs with no access lists or any other technique that can prevent pings.
03-10-2011 09:39 AM
If the tunnel is up (phase 1) but no traffic is passing, the best test is the following:
Add the command management-access inside and then try to PING the peer ASA's inside IP.
ping inside x.x.x.x --> x.x.x.x is the inside IP of the peer ASA
The above test will show if traffic flows through the tunnel (check packets encrypted/decrypted from sh cry ips sa).
Do the test on both directions.
Please post the results.
Federico.
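As an added illustration of the counter check Federico describes (this is not part of the thread and not Cisco's code): a small Python parser that reads `show crypto ipsec sa` output and classifies each SA by its encrypt/decrypt counters. The sample output is constructed; its peers and seq numbers mirror the posted crypto map, but the packet counts are invented.

```python
import re

# Constructed sample of `show crypto ipsec sa` output in ASA 8.2 style. The
# field names follow the real command; peers/seq numbers copy the thread's
# crypto map, the counters are made up: one SA carries traffic, one is idle.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside-Baku
    Crypto map tag: mymap, seq num: 10, local addr: 10.254.17.9

      access-list 110 extended permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.254.17.10

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

    Crypto map tag: mymap, seq num: 20, local addr: 10.254.17.9

      access-list 110 extended permit ip any any
      current_peer: 10.254.17.11

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ENTRY_RE = re.compile(r"Crypto map tag: (?P<map>\S+), seq num: (?P<seq>\d+)")
PEER_RE = re.compile(r"current_peer: (?P<peer>\S+)")
ENC_RE = re.compile(r"#pkts encrypt: (?P<n>\d+)")
DEC_RE = re.compile(r"#pkts decrypt: (?P<n>\d+)")


def parse_ipsec_sa(text):
    """Split the output into one record per crypto map entry (SA)."""
    matches = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end]
        peer = PEER_RE.search(body)
        enc = ENC_RE.search(body)
        dec = DEC_RE.search(body)
        entries.append({
            "map": m.group("map"),
            "seq": int(m.group("seq")),
            "peer": peer.group("peer") if peer else None,
            "encrypt": int(enc.group("n")) if enc else 0,
            "decrypt": int(dec.group("n")) if dec else 0,
        })
    return entries


def diagnose(entry):
    """Classify an SA from its counters; run the same check on both ASAs."""
    enc, dec = entry["encrypt"], entry["decrypt"]
    if enc and dec:
        return "bidirectional"          # tunnel carries traffic both ways
    if enc and not dec:
        return "no-return-traffic"      # we send, the peer never answers:
                                        # check the peer's crypto ACL/NAT/routes
    if dec and not enc:
        return "not-encrypting-locally" # peer sends, we never encrypt:
                                        # check local NAT exemption and routes
    return "no-interesting-traffic"     # nothing ever hit this SA: traffic is
                                        # routed elsewhere, NATed, or caught by
                                        # another crypto map entry first


def report(text):
    """One human-readable line per SA."""
    return [
        f"{e['map']} seq {e['seq']} peer {e['peer']}: "
        f"encrypt={e['encrypt']} decrypt={e['decrypt']} -> {diagnose(e)}"
        for e in parse_ipsec_sa(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(line)
```

Paste the real output of `show crypto ipsec sa` from each ASA in place of the sample; an SA that reads `no-interesting-traffic` on both sides, as in this thread, points at packets never reaching that crypto map entry rather than at the tunnel itself.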
03-10-2011 10:05 AM
The issue is solved. The encrypted packets count helped me a lot. I changed the crypto map reference number from 20 to 5, lower than the current 10, and everything is working now!
Thank you!
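The root cause here is that crypto map entries are evaluated in sequence-number order and the first entry whose crypto ACL matches wins: on the local ASA, `mymap 10` (peer 10.254.17.10) and `mymap 20` (peer 10.254.17.11) both match access-list 110 (`permit ip any any`), so entry 20 never sees any traffic. The following added Python lint (not from the thread, not Cisco tooling) parses the crypto map and ACL lines of an ASA config and reports entries shadowed by an earlier one; the excerpt it runs on is copied from the posted local config, and the remediated variant with a per-peer ACL is constructed.

```python
import re
from collections import defaultdict

# Crypto map and ACL lines copied from the local ASA config posted above.
LOCAL_ASA_EXCERPT = """\
access-list 110 extended permit ip any any
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside-Baku
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set myset
crypto map ganja interface outside-Ganja
"""

# Constructed remediation: the 10.254.17.11 peer gets its own crypto ACL that
# names only the networks behind it, ordered before the catch-all entry.
REMEDIATED_EXCERPT = """\
access-list 110 extended permit ip any any
access-list vpn-to-80 extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
crypto map mymap 5 match address vpn-to-80
crypto map mymap 5 set peer 10.254.17.11
crypto map mymap 5 set transform-set myset2
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside-Baku
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def parse_crypto_maps(cfg):
    """Return ({map name: {interface, entries{seq: {acl, peer}}}}, {acl: [rules]})."""
    maps = defaultdict(lambda: {"interface": None, "entries": {}})
    acls = defaultdict(list)
    for line in cfg.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            name, seq, kind, value = m.groups()
            entry = maps[name]["entries"].setdefault(int(seq), {"acl": None, "peer": None})
            entry["acl" if kind == "match address" else "peer"] = value
            continue
        m = IFACE_RE.match(line)
        if m:
            maps[m.group(1)]["interface"] = m.group(2)
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2).strip())
    return dict(maps), dict(acls)


def find_shadowed(cfg):
    """Walk each crypto map in sequence order and flag entries that can never match."""
    maps, acls = parse_crypto_maps(cfg)
    findings = []
    for name, data in maps.items():
        first_seq_for_acl = {}   # crypto ACL -> lowest seq that uses it
        first_catch_all = None   # lowest seq whose ACL permits ip any any
        for seq in sorted(data["entries"]):
            entry = data["entries"][seq]
            acl = entry["acl"]
            if acl is None:
                continue
            catch_all = "any any" in acls.get(acl, [])
            shadowed_by, reason = None, None
            if acl in first_seq_for_acl:
                shadowed_by, reason = first_seq_for_acl[acl], "same crypto ACL as earlier entry"
            elif first_catch_all is not None:
                shadowed_by, reason = first_catch_all, "earlier entry matches ip any any"
            if shadowed_by is not None:
                findings.append({"map": name, "interface": data["interface"], "seq": seq,
                                 "peer": entry["peer"], "acl": acl,
                                 "shadowed_by": shadowed_by, "reason": reason})
            first_seq_for_acl.setdefault(acl, seq)
            if catch_all and first_catch_all is None:
                first_catch_all = seq
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", LOCAL_ASA_EXCERPT), ("remediated", REMEDIATED_EXCERPT)):
        print(label, find_shadowed(cfg) or "no shadowed crypto map entries")
```

Run against the posted config the lint flags `mymap 20` (peer 10.254.17.11) as shadowed by `mymap 10`. Renumbering 20 to 5, as done in the thread, makes the lint flag `mymap 10` instead, because both entries still match any/any and only one can ever be selected; giving each peer its own crypto ACL, as in the constructed remediated excerpt, is what clears the finding.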
03-10-2011 10:36 AM
Glad I could help!
Please consider rating the thread and mark it as answered if you find it helpful :-)
Cheers!
Federico.