cisco asa ipsec s2s - routing between remote sides

Peter Handke
Level 1

Hello,

I have an ASA (8.2) in the headquarters as hub and Cisco 18xx routers in the branches as spokes. I need to make routing between the remote LANs work. On one side I have 192.168.211.0/24, on the other 192.168.212.0/24. IPsec phase 1 and phase 2 are OK, but I can't ping from 192.168.211.0/24 to 192.168.212.0/24 and vice versa. Packet tracer says:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd83fd240, priority=70, domain=encrypt, deny=false
        hits=53, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
        src ip=192.168.211.0, mask=255.255.255.0, port=0
        dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0
Drop-reason: (acl-drop) Flow is denied by configured rule

My config on the ASA:

crypto acl:
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list test-p2-p1 line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0 (hitcnt=0)
access-list nonat line 41 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0 (hitcnt=0)

#outside interface
access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list outside line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0

routing between the remote LANs:
route outside 192.168.211.0 255.255.255.0 194.146.123.1 1
route outside 192.168.212.0 255.255.255.0 194.146.123.1 1

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

What am I doing wrong, or what am I missing?

Thanks for the help

Peter
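The packet-tracer output quoted above is the thing to read first when a tunnel is "up" but traffic never leaves: the first phase with Result: DROP names the domain (here "encrypt") and the rule that matched. The parser below is an added example, not code from the thread or from Cisco; it turns a pasted trace into structured records and returns the first dropping phase with the rule's src/dst and the drop reason. The sample trace is constructed from the lines in the post, with one extra ALLOW phase added so the "first drop" logic has something to skip.

```python
"""Pull the first dropping phase out of ASA 'packet-tracer' output.

Added example (not from the thread or from Cisco). SAMPLE_TRACE is constructed
from the lines quoted in the post; the leading ROUTE-LOOKUP phase is made up.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Drop-reason):\s*(.*)$")
ENDPOINT_RE = re.compile(r"\b(src|dst) ip=([\d.]+), mask=([\d.]+)")
DOMAIN_RE = re.compile(r"\bdomain=(\w+)")

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd83fd240, priority=70, domain=encrypt, deny=false
        hits=53, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
        src ip=192.168.211.0, mask=255.255.255.0, port=0
        dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0

Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return the phases in order; rule endpoints are stored as 'ip/mask'."""
    phases = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "rule": {}}
            phases.append(cur)
            continue
        if cur is None:
            continue                       # banner text before the first phase
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if value:                      # the trailing summary has a bare "Result:"; keep the phase's value
                cur[key] = value
            continue
        for side, ip, mask in ENDPOINT_RE.findall(line):
            cur["rule"][side] = f"{ip}/{mask}"
        m = DOMAIN_RE.search(line)
        if m:
            cur["rule"]["domain"] = m.group(1)
    return phases


def first_drop(text):
    """Return the first phase whose Result is DROP, or None if every phase allowed the packet."""
    for phase in parse_packet_tracer(text):
        if phase.get("result") == "DROP":
            return phase
    return None


if __name__ == "__main__":
    drop = first_drop(SAMPLE_TRACE)
    if drop is None:
        print("packet allowed")
    else:
        print(f"phase {drop['phase']} {drop['type']}/{drop['subtype']} dropped it: "
              f"{drop['rule']} reason={drop.get('drop-reason')}")
```

Run it against a trace taken with packet-tracer in both directions (outside to outside for the hairpinned spoke-to-spoke flow, as in the thread); comparing the src/dst of the matched rule with the crypto ACL bound to the peer you expected the packet to be encrypted toward is usually where the mismatch shows up.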

5 Replies

Peter,

Why do you have the ACL in both directions?

May I know the LAN of the ASA?

It should be something like:

crypto acl:
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0 (hitcnt=0)

No need to add an outside interface
access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0

routing between remote lan:
route outside 192.168.211.0 255.255.255.0 194.146.123.1 1 --> remove it, since it is on the inside.
route outside 192.168.212.0 255.255.255.0 194.146.123.1 1

Thanks.

Portu.

Thanks in advance.

The LAN behind the ASA is 192.168.50.0/24, but I need to have communication between

192.168.211.0/24 and 192.168.212.0/24

I have the ACL in both directions because I need to initialize connections from both sides:

192.168.211.0/24 <-> 192.168.212.0/24

I have both ACLs because I have two peers:

crypto map SDM_CMAP_1 211 match address test-p1-p2
crypto map SDM_CMAP_1 211 set peer 8.8.8.8
crypto map SDM_CMAP_1 212 match address test-p2-p1
crypto map SDM_CMAP_1 212 set peer 8.8.4.4

I removed:

route outside 192.168.211.0 255.255.255.0 194.146.123.1 1

but it didn't help.

packet-tracer input outside icmp 192.168.211.1 0 3 192.168.212.1

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd83fd240, priority=70, domain=encrypt, deny=false
        hits=81, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
        src ip=192.168.211.0, mask=255.255.255.0, port=0
        dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0
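With the crypto map entries and peers now visible, the hub-side requirements for a hairpinned spoke-to-spoke flow can be checked mechanically. The script below is an added example, not code from the thread or from Cisco. It assumes the usual hub-side convention for crypto ACLs: in the ACL bound to a crypto-map entry, the destination networks are the ones behind that entry's peer, and the source networks are whatever the hub may send toward that peer (its own LAN and the other spokes). For spoke A behind peer PA to reach spoke B behind peer PB, the hub must re-encrypt A->B toward PB and B->A toward PA, exempt both directions from NAT, and have same-security-traffic permit intra-interface. HUB_CONFIG is constructed from the lines quoted in the thread (hub LAN lines omitted, spacing normalised); the nonat ACL name is taken from the post.

```python
"""Lint a hub ASA's crypto-map and NAT-exemption lines for spoke-to-spoke reachability.

Added example, not code from the thread or from Cisco. Assumes the hub-side ACL
convention described in the lead-in; HUB_CONFIG is constructed from the thread.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)
MAP_RE = re.compile(
    r"^crypto\s+map\s+(?P<map>\S+)\s+(?P<seq>\d+)\s+(?P<kind>match address|set peer)\s+(?P<arg>\S+)"
)

HUB_CONFIG = """\
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list test-p2-p1 line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0 (hitcnt=0)
access-list nonat line 41 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0 (hitcnt=0)
crypto map SDM_CMAP_1 211 match address test-p1-p2
crypto map SDM_CMAP_1 211 set peer 8.8.8.8
crypto map SDM_CMAP_1 212 match address test-p2-p1
crypto map SDM_CMAP_1 212 set peer 8.8.4.4
same-security-traffic permit intra-interface
"""


def parse_config(text):
    """Return (acls, entries, intra): ACL rules, crypto-map entries, hairpin flag."""
    acls, entries, intra = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
            continue
        m = MAP_RE.match(line)
        if m:
            entry = entries.setdefault((m["map"], int(m["seq"])), {})
            entry["acl" if m["kind"] == "match address" else "peer"] = m["arg"]
            continue
        if line == "same-security-traffic permit intra-interface":
            intra = True
    return acls, entries, intra


def permits(rules, src, dst):
    """True if some (src_net, dst_net) rule covers the whole src -> dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in rules)


def lint_spoke_to_spoke(text, nonat_acl="nonat"):
    """Return findings (strings) for every spoke pair; an empty list means no gap was found."""
    acls, entries, intra = parse_config(text)
    findings = []
    if not intra:
        findings.append("missing: same-security-traffic permit intra-interface "
                        "(a flow entering and leaving the same interface is dropped without it)")
    behind = {}          # peer -> {networks behind that peer} (ACL destination side)
    acls_for_peer = {}   # peer -> [ACL names bound to that peer]
    for (name, seq), entry in entries.items():
        if "acl" not in entry or "peer" not in entry or entry["acl"] not in acls:
            findings.append(f"crypto map {name} {seq}: incomplete entry {entry}")
            continue
        acls_for_peer.setdefault(entry["peer"], []).append(entry["acl"])
        for _, dst in acls[entry["acl"]]:
            behind.setdefault(entry["peer"], set()).add(dst)
    peers = sorted(behind)
    for i, pa in enumerate(peers):
        for pb in peers[i + 1:]:
            for a in sorted(behind[pa]):
                for b in sorted(behind[pb]):
                    # A->B must be re-encrypted toward PB, B->A toward PA.
                    for src, dst, peer in ((a, b, pb), (b, a, pa)):
                        if not any(permits(acls[n], src, dst) for n in acls_for_peer[peer]):
                            findings.append(f"crypto ACL for peer {peer} must permit {src} -> {dst}")
                        if not permits(acls.get(nonat_acl, []), src, dst):
                            findings.append(f"{nonat_acl} must exempt {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for line in lint_spoke_to_spoke(HUB_CONFIG) or ["no spoke-to-spoke gaps found on the hub side"]:
        print(line)
```

On the lines quoted in the thread the lint returns no findings, i.e. under the assumed convention the hub's interesting-traffic and NAT-exemption definitions are internally consistent for both directions; when a check like this comes back clean, the next place to compare is the crypto ACL and transform set on each spoke, since the hub can only encrypt toward a peer whose proposal and proxy identities mirror its own.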

++++++++++++++++++ ASA-P1 +++++++++++++++
crypto acl:
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0

Tunnel group 8.8.8.8

crypto map SDM_CMAP_1 211 match address test-p1-p2
crypto map SDM_CMAP_1 211 set peer 8.8.8.8

++++++++++++++ ASA-P2 +++++++++++++++
access-list test-p2-p1 line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list nonat line 41 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0

Tunnel group 8.8.4.4

crypto map SDM_CMAP_1 212 match address test-p2-p1
crypto map SDM_CMAP_1 212 set peer 8.8.4.4

I have already configured it this way and I still have a problem with encryption.

Then IKE and IPsec on both sides are not matching. Set or add the option that matches on both sides.
