11-22-2012 01:54 PM - edited 02-21-2020 06:30 PM
Hello,
I have an ASA (8.2) in the headquarters as hub and Cisco 18xx routers in the branches as spokes. I need to set up routing between the remote LANs. On one side I have 192.168.211.0/24, on the other 192.168.212.0/24. IPsec phase 1 and phase 2 are OK, but I can't ping from 192.168.211.0/24 to 192.168.212.0/24 and vice versa. Packet tracer says:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd83fd240, priority=70, domain=encrypt, deny=false
hits=53, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
src ip=192.168.211.0, mask=255.255.255.0, port=0
dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0
Drop-reason: (acl-drop) Flow is denied by configured rule
My config on asa:
crypto acl:
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list test-p2-p1 line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0 (hitcnt=0)
access-list nonat line 41 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0 (hitcnt=0)
#outside interface
access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list outside line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
routing between remote lan:
route outside 192.168.211.0 255.255.255.0 194.146.123.1 1
route outside 192.168.212.0 255.255.255.0 194.146.123.1 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
What am I doing wrong, or what am I missing?
Thanks for the help
Peter
11-22-2012 06:13 PM
Peter,
Why do you have the ACL in both directions?
May I know the LAN of the ASA?
It should be something like:
crypto acl:
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0 (hitcnt=0)
No need to add an outside interface
access-list outside line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
routing between remote lan:
route outside 192.168.211.0 255.255.255.0 194.146.123.1 1 --> remove it, since it is on the inside.
route outside 192.168.212.0 255.255.255.0 194.146.123.1 1
Thanks.
Portu.
Thanks in advance.
11-23-2012 05:10 AM
The LAN behind the ASA is 192.168.50.0/24, but I need to have communication between
192.168.211.0/24 and 192.168.212.0/24
I have the ACL in both directions because I need to initialize connections from both sides:
192.168.211.0/24 <-> 192.168.212.0/24
I have both ACLs because I have two peers:
crypto map SDM_CMAP_1 211 match address test-p1-p2
crypto map SDM_CMAP_1 211 set peer 8.8.8.8
crypto map SDM_CMAP_1 212 match address test-p2-p1
crypto map SDM_CMAP_1 212 set peer 8.8.4.4
I removed:
route outside 192.168.211.0 255.255.255.0 194.146.123.1 1
but it didn't help.
packet-tracer input outside icmp 192.168.211.1 0 3 192.168.212.1
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd83fd240, priority=70, domain=encrypt, deny=false
hits=81, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
src ip=192.168.211.0, mask=255.255.255.0, port=0
dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0
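An added example, not from the thread and not Cisco's code, that models how the hub picks a crypto map entry for a hairpinned spoke-to-spoke flow. It parses the access-list and crypto map lines quoted above (embedded as constructed sample text) and, for a given src/dst pair, reports which entry's ACL matches the flow reversed (the entry that decrypts it on arrival) and which matches it forward (the entry that re-encrypts it on the way out). Because an ASA crypto ACE lists the locally protected network as source and the network behind the peer as destination, the script also derives the network each peer is implied to host, so the implied mapping can be compared with the real topology and with the tunnel-group addresses. The function names (`parse_config`, `select_entries`, `implied_remote_networks`, `hairpin_report`) are mine; first-match by ascending sequence number is the assumption used for ordering.

```python
"""Model ASA crypto-map selection for a hairpinned spoke-to-spoke flow.

Added example, not from the thread. Parses access-list / crypto map lines
and reports which entry would decrypt an inbound flow (reverse ACL match)
and which would encrypt it outbound (forward ACL match).
"""
import ipaddress
import re

# Constructed sample: the hub's lines as quoted in the thread.
SAMPLE_CONFIG = """
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list test-p2-p1 line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
crypto map SDM_CMAP_1 211 match address test-p1-p2
crypto map SDM_CMAP_1 211 set peer 8.8.8.8
crypto map SDM_CMAP_1 212 match address test-p2-p1
crypto map SDM_CMAP_1 212 set peer 8.8.4.4
"""

ACE_RE = re.compile(
    r"access-list (\S+) (?:line \d+ )?extended permit ip "
    r"(\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)")


def parse_config(text):
    """Return (acls, entries): acl name -> [(src_net, dst_net)] and
    crypto map sequence -> {'acl': name, 'peer': ip}."""
    acls, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"),
                 ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = MAP_RE.match(line)
        if m:
            _name, seq, kind, value = m.groups()
            entry = entries.setdefault(int(seq), {})
            entry["acl" if kind == "match address" else "peer"] = value
    return acls, entries


def _matches(acl, src, dst):
    """True if any ACE in the list covers src -> dst."""
    return any(src in s and dst in d for s, d in acl)


def select_entries(acls, entries, src, dst):
    """First entry (ascending sequence, an assumption) whose ACL matches the
    flow forward (encrypt side) and first whose ACL matches it reversed
    (decrypt side). Values are the peer IPs, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = {"encrypt_to": None, "decrypt_from": None}
    for seq in sorted(entries):
        acl = acls.get(entries[seq].get("acl"), [])
        peer = entries[seq].get("peer")
        if result["encrypt_to"] is None and _matches(acl, src, dst):
            result["encrypt_to"] = peer
        if result["decrypt_from"] is None and _matches(acl, dst, src):
            result["decrypt_from"] = peer
    return result


def implied_remote_networks(acls, entries):
    """Network(s) each peer must host for the config to work: the
    destination side of every ACE in that peer's crypto map entry."""
    out = {}
    for entry in entries.values():
        for _src, dst in acls.get(entry.get("acl"), []):
            out.setdefault(entry.get("peer"), set()).add(str(dst))
    return out


def hairpin_report(text, src, dst):
    """Combine the two checks for one flow; same_peer flags a config in
    which the flow would be sent back to the peer it arrived from."""
    acls, entries = parse_config(text)
    sel = select_entries(acls, entries, src, dst)
    sel["same_peer"] = sel["encrypt_to"] == sel["decrypt_from"]
    sel["implied"] = implied_remote_networks(acls, entries)
    return sel


if __name__ == "__main__":
    r = hairpin_report(SAMPLE_CONFIG, "192.168.211.1", "192.168.212.1")
    print(f"decrypted from {r['decrypt_from']}, re-encrypted to {r['encrypt_to']}")
    for peer, nets in r["implied"].items():
        print(f"config implies peer {peer} hosts {sorted(nets)}")
```

Run against the quoted lines, the report says a 192.168.211.1 to 192.168.212.1 packet is accepted as decrypted traffic from 8.8.4.4 and re-encrypted toward 8.8.8.8, i.e. the config only works if 8.8.4.4 is the site that actually hosts 192.168.211.0/24 and 8.8.8.8 hosts 192.168.212.0/24. Whether that matches the real spokes is what to verify next.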
11-23-2012 08:24 PM
++++++++++++++++++ ASA-P1. +++++++++++++++
crypto acl:
access-list test-p1-p2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list nonat line 40 extended permit ip 192.168.211.0 255.255.255.0 192.168.212.0 255.255.255.0
Tunnel group 8.8.8.8
crypto map SDM_CMAP_1 211 match address test-p1-p2
crypto map SDM_CMAP_1 211 set peer 8.8.8.8
++++++++++++++ ASA-P2. +++++++++++++++
access-list test-p2-p1 line 2 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list nonat line 41 extended permit ip 192.168.212.0 255.255.255.0 192.168.211.0 255.255.255.0
Tunnel group 8.8.4.4
crypto map SDM_CMAP_1 212 match address test-p2-p1
crypto map SDM_CMAP_1 212 set peer 8.8.4.4
11-24-2012 04:15 AM
I have already configured it this way and I still have a problem with encryption.
11-25-2012 06:32 AM
Then IKE and IPsec on both sides are not matching. Set or add the options so that they match on both sides.