Can't pass L2L traffic over ASA 5505 Site-to-Site VPN

Juan Murillo
Level 1

Having problems passing L2L traffic over an ASA 5505 Site-to-Site VPN. The config should be pretty straightforward: two identical ASA 5505s, static public IPs from the same ISP on each end, single private subnets on each end (192.168.10.x and 192.168.11.x). The tunnel comes up without error, and after adding "same-security-traffic permit intra-interface" to both configs I can now ping the inside interface of the corresponding ASA (e.g. ping from Site A host 192.168.10.10 to 192.168.11.1 = success and vice versa), but I still can't ping host to host (ping 192.168.10.10 to 192.168.11.10 = failure) and cannot browse shares on remote hosts. I need to ensure that all L2L traffic flows over the VPN seamlessly to support TCP/IP, NetBIOS, NBT, SMB, CIFS, UDP, SSH, Telnet, DNS, DHCP (future), Active Directory and QuickBooks traffic (which I believe is all TCP). I've pored over and over the configs but I must be missing something. Any suggestions would be greatly appreciated. I've posted both configs below; I just changed the public IPs to protect the client's identity. I've also attached a screenshot of a packet trace from host to host which seems to indicate that it's a NAT issue which is being denied by an implicit ACL rule.

Site A config:

: Saved
:
ASA Version 8.2(5) 
!
names
name 192.168.10.0 Oakland-Subnet
name 192.168.11.0 Richmond-Subnet
name 45.129.65.123 Richmond-Firewall
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 142.18.121.16 255.255.255.252 
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip Oakland-Subnet 255.255.255.0 Richmond-Subnet 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Oakland-Subnet 255.255.255.0 Richmond-Subnet 255.255.255.0 
access-list NONAT extended permit ip Oakland-Subnet 255.255.255.0 Richmond-Subnet 255.255.255.0 
access-list outside_nat0_outbound extended permit ip Oakland-Subnet 255.255.255.0 Richmond-Subnet 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 173.13.151.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 142.18.121.0 255.255.255.0 outside
http Oakland-Subnet 255.255.255.0 inside
http Richmond-Subnet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Richmond-Firewall 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.10-192.168.10.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group Richmond-Firewall type ipsec-l2l
tunnel-group Richmond-Firewall ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect rsh 
inspect rtsp 
inspect esmtp 
inspect sqlnet 
inspect skinny 
inspect sunrpc 
inspect xdmcp 
inspect sip 
inspect netbios 
inspect tftp 
inspect ip-options 
inspect icmp 
inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
: end

 

Site B Config:

: Saved
:
ASA Version 8.2(5) 
!
names
name 192.168.10.0 Oakland-Subnet
name 192.168.11.0 Richmond-Subnet
name 142.18.121.16 Oakland-Firewall
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 45.129.65.123 255.255.255.252 
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip Richmond-Subnet 255.255.255.0 Oakland-Subnet 255.255.255.0 
access-list outside_1_cryptomap extended permit ip Richmond-Subnet 255.255.255.0 Oakland-Subnet 255.255.255.0 
access-list NONAT extended permit ip Richmond-Subnet 255.255.255.0 Oakland-Subnet 255.255.255.0 
access-list outside_nat0_outbound extended permit ip Richmond-Subnet 255.255.255.0 Oakland-Subnet 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 75.149.45.174 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http Richmond-Subnet 255.255.255.0 inside
http Oakland-Subnet 255.255.255.0 inside
http 45.129.65.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Oakland-Firewall 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.11.10-192.168.11.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group Oakland-Firewall type ipsec-l2l
tunnel-group Oakland-Firewall ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect rsh 
inspect rtsp 
inspect esmtp 
inspect sqlnet 
inspect skinny 
inspect sunrpc 
inspect xdmcp 
inspect sip 
inspect netbios 
inspect tftp 
inspect ip-options 
inspect icmp 
inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
: end

1 Reply

pjain2
Cisco Employee

Hey Juan,

The packet tracer output you attached to the case has an incorrect IP, 192.165.11.x instead of 192.168.11.x.

Also, apply captures on the inside interfaces of the firewalls, initiate traffic from the host behind one of the firewalls, and attach the packet capture:

capture <name> interface inside match ip host <ip> host <ip>

capture asp type asp all
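An added example, not code from the thread or from Cisco: a Python script that pulls the handful of lines that matter for an ASA 8.2 L2L tunnel out of both configs (object names, outside address, crypto ACL, nat 0 ACL, crypto map peer, tunnel-group), checks that the two sides mirror each other, and then tests whether a given host pair is matched by the crypto ACL at all. That second check is the point behind the reply above: a packet-tracer run against 192.165.11.x instead of 192.168.11.x never selects the tunnel, so its NAT verdict says nothing about the NAT exemption for 192.168.11.x. The config excerpts are constructed from the two configs posted above; the checks assume the 8.2 syntax shown there (nat (inside) 0 access-list, crypto map ... match address / set peer) and do not cover ISAKMP policy or transform-set mismatches.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted above, reduced to the lines that
# decide tunnel selection (crypto ACL, peer, tunnel-group) and NAT exemption.
SITE_A = """
name 192.168.10.0 Oakland-Subnet
name 192.168.11.0 Richmond-Subnet
name 45.129.65.123 Richmond-Firewall
 nameif outside
 ip address 142.18.121.16 255.255.255.252
access-list outside_1_cryptomap extended permit ip Oakland-Subnet 255.255.255.0 Richmond-Subnet 255.255.255.0
access-list NONAT extended permit ip Oakland-Subnet 255.255.255.0 Richmond-Subnet 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Richmond-Firewall
tunnel-group Richmond-Firewall type ipsec-l2l
"""
SITE_B = """
name 192.168.10.0 Oakland-Subnet
name 192.168.11.0 Richmond-Subnet
name 142.18.121.16 Oakland-Firewall
 nameif outside
 ip address 45.129.65.123 255.255.255.252
access-list outside_1_cryptomap extended permit ip Richmond-Subnet 255.255.255.0 Oakland-Subnet 255.255.255.0
access-list NONAT extended permit ip Richmond-Subnet 255.255.255.0 Oakland-Subnet 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Oakland-Firewall
tunnel-group Oakland-Firewall type ipsec-l2l
"""
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_config(text):
    """Extract outside address, ACLs as network pairs, nat-0 bindings, crypto map entries and L2L tunnel-groups."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    names = {m[2]: m[1] for ln in lines if (m := NAME_RE.match(ln))}
    resolve = names.get  # called as resolve(token, token): alias -> address, else the literal

    def net(addr, mask):  # ASA writes 'address netmask'; ipaddress accepts 'addr/netmask'
        return ipaddress.ip_network(f"{resolve(addr, addr)}/{mask}", strict=False)
    cfg = {"outside_ip": None, "acls": {}, "nat0": {}, "crypto": {}, "tunnel_groups": set()}
    nameif = None  # nameif always precedes the ip address line of the same interface block
    for ln in lines:
        if ln.startswith("nameif "):
            nameif = ln.split()[1]
        elif ln.startswith("ip address ") and nameif == "outside":
            cfg["outside_ip"] = ipaddress.ip_address(ln.split()[2])
        elif m := ACL_RE.match(ln):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(ln):
            cfg["nat0"][m[1]] = m[2]
        elif m := MATCH_RE.match(ln):
            cfg["crypto"].setdefault((m[1], m[2]), {})["acl"] = m[3]
        elif m := PEER_RE.match(ln):
            cfg["crypto"].setdefault((m[1], m[2]), {})["peer"] = ipaddress.ip_address(resolve(m[3], m[3]))
        elif m := TG_RE.match(ln):
            cfg["tunnel_groups"].add(ipaddress.ip_address(resolve(m[1], m[1])))
    return cfg


def _check_side(local, remote, label):
    """Findings for one direction: peer address, tunnel-group, crypto ACL mirror and NAT exemption."""
    findings = []
    remote_pairs = {(d, s)  # what the remote side protects toward us, seen from our side
                    for e in remote["crypto"].values() if e.get("peer") == local["outside_ip"]
                    for s, d in remote["acls"].get(e.get("acl"), [])}
    nat0_acl = local["acls"].get(local["nat0"].get("inside"), [])
    for (cmap, seq), e in local["crypto"].items():
        where = f"{label}: crypto map {cmap} {seq}"
        peer, acl = e.get("peer"), local["acls"].get(e.get("acl"), [])
        if peer != remote["outside_ip"]:
            findings.append(f"{where} peers with {peer}, but the remote outside address is {remote['outside_ip']}")
        if peer not in local["tunnel_groups"]:
            findings.append(f"{where} has no ipsec-l2l tunnel-group for peer {peer}")
        for s, d in acl:
            if (s, d) not in remote_pairs:
                findings.append(f"{where} entry {s} -> {d} has no mirrored entry on the remote side")
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0_acl):
                findings.append(f"{where} entry {s} -> {d} is not exempted from NAT by nat (inside) 0")
    return findings


def check_pair(site_a, site_b):
    """All findings for both directions; an empty list means the two sides mirror each other."""
    return _check_side(site_a, site_b, "site A") + _check_side(site_b, site_a, "site B")


def interesting_traffic(cfg, src, dst):
    """True when a src -> dst packet matches a crypto ACL entry and so would be sent into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for e in cfg["crypto"].values()
               for sn, dn in cfg["acls"].get(e.get("acl"), []))


if __name__ == "__main__":
    a, b = parse_config(SITE_A), parse_config(SITE_B)
    print("\n".join(check_pair(a, b)) or "both sides mirror each other")
    for dst in ("192.168.11.10", "192.165.11.10"):  # second is the mistyped address from the reply
        print(f"192.168.10.10 -> {dst} selected for the tunnel: {interesting_traffic(a, '192.168.10.10', dst)}")
```

Run against the two excerpts it reports no findings, because the posted configs really are mirror images; it only flags the 192.165.11.10 destination as not matching the crypto ACL. Deleting the nat (inside) 0 line from one side, or changing one outside address, produces a finding naming the entry, which is the kind of mismatch worth ruling out before reading packet-tracer output.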