10-30-2024 03:27 PM
I've created multiple site to site VPNs using FPR-1010s.
Cannot ping through the tunnel. Cannot pass traffic through the tunnel.
Show Crypto IPSEC SA shows endpoints connected
Show ISAKMP SA shows endpoints connected with tunnels between networks.
I think I have Identity Nat Enabled between sites.
packet-tracer input inside rawip 192.168.100.18 1 192.168.99.18 xml
gives the following error:
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
<drop-detail>Drop-location: frame 0x000056393ef26509 flow (NA)/NA</drop-detail>
Show Route does not show virtual static routes between devices
10-30-2024 03:44 PM
Hi,
Do you use crypto-map / policy-based or VTI / route-based VPNs? If the IPsec SA is up/active, you've got to ensure routing is performed as well as NAT exemption (twice NAT in section 1, so called "before"). NAT exemption would mean that if your VPN traffic is between 192.168.10.0/24 and 192.168.20.0/24, you have a "before twice NAT rule" where both real and translated values are the same for both source and destination.
Best,
Cristian.
10-30-2024 06:17 PM
I'm still in an ASA configuration mindset, so I'm using Crypto Map/Policy based VPNs. I still have a few ASAs out there I'm starting to grandfather this year. On those connections, I have one-sided pings working, but that's another issue.
Am I reading it correctly that I'm double NAT exempting traffic? Are you also saying I need to set up separate routing tables (BGP, OSPF, or static) for each site to site connection?
I have six sites to get online quickly and this one is beating me up a little. If I can get one, I can get the rest in short order.
10-31-2024 01:04 AM
Hi,
If you want to stick with crypto-maps (I recommend not for way too many reasons - aka complications and complexity down the road), you would need to do the following, assuming we have this scenario: 192.168.10.0/24(LAN1)---ASA1------WAN------ASA2---192.168.20.0/24(LAN2)
If you want to move to VTI, recommended, it's same steps, with the following changes:
Best,
Cristian.
10-30-2024 09:36 PM
Can I see packet tracer from
Remote LAN to local LAN
And from
Local LAN to remote LAN
MHM
10-31-2024 06:28 AM
Local to Remote
Packet Tracer from Remote to Local
<Phase>
<id>1</id>
<type>INPUT-ROUTE-LOOKUP</type>
<subtype>Resolve Egress Interface</subtype>
<result>ALLOW</result>
<elapsed-time>38595 ns</elapsed-time>
<config>
</config>
<extra>
Found next-hop xxx.xxx.xxx.65 using egress ifc outside(vrfid:0)
</extra>
</Phase>
<Phase>
<id>2</id>
<type>UN-NAT</type>
<subtype>static</subtype>
<result>ALLOW</result>
<elapsed-time>2790 ns</elapsed-time>
<config>
nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup
</config>
<extra>
NAT divert to egress interface outside(vrfid:0)
Untranslate 172.16.128.18/0 to 172.16.128.18/0
</extra>
</Phase>
<Phase>
<id>3</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: DefaultInternet
object-group service |acSvcg-268435457
service-object ip
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>4</id>
<type>NAT</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup
</config>
<extra>
Static translate 172.16.132.18/0 to 172.16.132.18/0
</extra>
</Phase>
<Phase>
<id>5</id>
<type>NAT</type>
<subtype>per-session</subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>6</id>
<type>IP-OPTIONS</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>7</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>25575 ns</elapsed-time>
<config>
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>8</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>3255 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>9</id>
<type>VPN</type>
<subtype>encrypt</subtype>
<result>ALLOW</result>
<elapsed-time>11160 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>10</id>
<type>NAT</type>
<subtype>rpf-check</subtype>
<result>ALLOW</result>
<elapsed-time>2325 ns</elapsed-time>
<config>
nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>11</id>
<type>FLOW-CREATION</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>21390 ns</elapsed-time>
<config>
</config>
<extra>
New flow created with id 94610, packet dispatched to next module
</extra>
</Phase>
<result>
<input-interface>inside(vrfid:0)</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>outside(vrfid:0)</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<time-taken>135314 ns</time-taken>
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
<drop-detail>Drop-location: frame 0x00005582b4531509 flow (NA)/NA</drop-detail>
</result>
<Phase>
<id>1</id>
<type>INPUT-ROUTE-LOOKUP</type>
<subtype>Resolve Egress Interface</subtype>
<result>ALLOW</result>
<elapsed-time>43710 ns</elapsed-time>
<config>
</config>
<extra>
Found next-hop XXX.XXX.XXX.1 using egress ifc outside(vrfid:0)
</extra>
</Phase>
<Phase>
<id>2</id>
<type>UN-NAT</type>
<subtype>static</subtype>
<result>ALLOW</result>
<elapsed-time>3255 ns</elapsed-time>
<config>
nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup
</config>
<extra>
NAT divert to egress interface outside(vrfid:0)
Untranslate 172.16.132.18/0 to 172.16.132.18/0
</extra>
</Phase>
<Phase>
<id>3</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
</config>
<extra>
This packet will be sent to snort for additional processing where a verdict will be reached
</extra>
</Phase>
<Phase>
<id>4</id>
<type>NAT</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup
</config>
<extra>
Static translate 172.16.128.18/0 to 172.16.128.18/0
</extra>
</Phase>
<Phase>
<id>5</id>
<type>NAT</type>
<subtype>per-session</subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>6</id>
<type>IP-OPTIONS</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>7</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>28830 ns</elapsed-time>
<config>
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>8</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>4185 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>9</id>
<type>VPN</type>
<subtype>encrypt</subtype>
<result>ALLOW</result>
<elapsed-time>10230 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>10</id>
<type>NAT</type>
<subtype>rpf-check</subtype>
<result>ALLOW</result>
<elapsed-time>2790 ns</elapsed-time>
<config>
nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup
</config>
<extra>
</extra>
</Phase>
<Phase>
<id>11</id>
<type>FLOW-CREATION</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>28830 ns</elapsed-time>
<config>
</config>
<extra>
New flow created with id 77258, packet dispatched to next module
</extra>
</Phase>
<Phase>
<id>12</id>
<type>EXTERNAL-INSPECT</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>40455 ns</elapsed-time>
<config>
</config>
<extra>
Application: 'SNORT Inspect'
</extra>
</Phase>
<Phase>
<id>13</id>
<type>SNORT</type>
<subtype>appid</subtype>
<result>ALLOW</result>
<elapsed-time>51560 ns</elapsed-time>
<config>
</config>
<extra>
service: ICMP(3501), client: (0), payload: (0), misc: ICMP(3501)
</extra>
</Phase>
<Phase>
<id>14</id>
<type>SNORT</type>
<subtype>firewall</subtype>
<result>ALLOW</result>
<elapsed-time>549326 ns</elapsed-time>
<config>
Network 0, Inspection 0, Detection 0, Rule ID 268435457
</config>
<extra>
Starting rule matching, zone 1 -&gt; 2, geo 0 -&gt; 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268435457 - Allow
</extra>
</Phase>
<result>
<input-interface>inside(vrfid:0)</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>outside(vrfid:0)</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<time-taken>796651 ns</time-taken>
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
<drop-detail>Drop-location: frame 0x000055d6293eb27c flow (NA)/NA</drop-detail>
</result>
Remote to Local
10-31-2024 06:35 AM
Sorry, there is something wrong in the packet tracer.
Can I see screenshots of both packet tracers (local to remote) and (remote to local)? I think you did not enter the interface, or it is not correct.
MHM
10-31-2024 06:39 AM
I'm using the web management directly on the device. I can't find "Packet-Tracer".
10-31-2024 06:48 AM
What did you enter to get the result you shared above?
MHM
10-31-2024 06:50 AM
packet-tracer input inside rawip 172.16.132.18 1 172.16.128.18 xml
10-31-2024 08:40 AM
There are two different NATs:
one inside,outside and the other inside,any.
I think this makes an issue for the VPN.
Remove inside,any and check again.
MHM
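The mismatch MHM points out (one direction matching a `nat (inside,outside)` rule, the other a `nat (inside,any)` rule) is easy to miss in a long trace. The following is an added example, not code from the thread or from Cisco: it parses the root-less packet-tracer XML shown above, lists the distinct NAT interface pairs the NAT/UN-NAT phases matched, and pulls the drop-reason code from each final `<result>`. The SAMPLE string is constructed for the example, trimmed to the phases that matter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the packet-tracer XML posted in the thread:
# one UN-NAT phase from each direction and the trailing <result> block.
# Values are illustrative, not a real device capture.
SAMPLE = """
<Phase><id>2</id><type>UN-NAT</type><subtype>static</subtype><result>ALLOW</result>
<config>nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup</config>
</Phase>
<Phase><id>2</id><type>UN-NAT</type><subtype>static</subtype><result>ALLOW</result>
<config>nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup</config>
</Phase>
<result><action>drop</action>
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
</result>
"""

# Matches the interface pair at the start of a twice-NAT rule, e.g. "nat (inside,outside)".
NAT_IFC = re.compile(r"^nat \((\w+),(\w+)\)")

def parse_trace(xml_text):
    """packet-tracer ... xml has no single root element, so wrap it before parsing."""
    return ET.fromstring("<trace>" + xml_text + "</trace>")

def nat_interface_pairs(root):
    """Distinct (real_ifc, mapped_ifc) pairs seen in the NAT and UN-NAT phase configs."""
    pairs = set()
    for phase in root.iter("Phase"):
        if phase.findtext("type") not in ("NAT", "UN-NAT"):
            continue
        for line in (phase.findtext("config") or "").splitlines():
            m = NAT_IFC.match(line.strip())
            if m:
                pairs.add((m.group(1), m.group(2)))
    return sorted(pairs)

def drop_reasons(root):
    """Drop-reason codes (the part in parentheses) from every <result> with action drop."""
    codes = []
    for res in root.iter("result"):  # per-phase <result>ALLOW</result> has no children and is skipped
        reason = res.findtext("drop-reason")
        if res.findtext("action") == "drop" and reason:
            codes.append(reason.split(")")[0].lstrip("("))
    return codes

def review(xml_text):
    """Human-readable findings: inconsistent NAT interface pairs plus any drop reasons."""
    root = parse_trace(xml_text)
    pairs = nat_interface_pairs(root)
    findings = []
    if len(pairs) > 1:
        findings.append("inconsistent NAT interface pairs: " + ", ".join(f"({a},{b})" for a, b in pairs))
    findings.extend("drop: " + code for code in drop_reasons(root))
    return findings
```

Feed it the two full traces from the thread concatenated into one string and it reports both the `(inside,any)` versus `(inside,outside)` inconsistency and the `inspect-icmp-seq-num-not-matched` drop.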
10-31-2024 08:32 AM
Could you please re-run the packet tracer as follows and share the output for review?
packet-tracer input inside icmp 192.168.100.18 8 0 192.168.99.18