10-21-2014 03:52 AM - edited 02-21-2020 07:53 PM
Hi Guys
I am trying to set up a new IPsec VPN connection between a Cisco ASA 5520 (version 8.4(4)) and a Checkpoint firewall. I have successfully established the IKE and IPsec phases and I can see the tunnel is UP, but I can't see any traffic going through the tunnel. I have verified the crypto map on both ends and am trying to test using a continuous ping from the inside network of the ASA.
I have done a capture for ICMP packets but cannot see them on the ASA. I have allowed ICMP on the inside interface of the ASA.
I have done a packet tracer and it ends with the vpn-filter dropping packets, but I cannot see any filter configured...
Your help is much appreciated..
Thanks
10-21-2014 06:18 AM
You will probably need to add the negate NAT statements, something like:
! Identity (NAT-exemption) rule so the VPN traffic keeps its real addresses
object-group network OBJ-LOCAL
 network-object 10.155.176.0 255.255.255.0
object-group network OBJ-REMOTE
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp
As you are running 8.4, nat 0 has been deprecated.
10-21-2014 04:13 AM
Try to configure an ACL with "permit ip any any" and attach that as a VPN-filter into the used group-policy. That typically solves the problem when packet-tracer shows "dropping" in VPN-filter.
10-21-2014 05:38 AM
Hi, many thanks for your reply... below is the last output when I do the packet tracer from the CLI.
I believe that the packets are not being encrypted or hitting the crypto access lists... is that because there is no NAT 0 configuration? Doesn't the ASA automatically create one? Or am I looking in the wrong area of troubleshooting?
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7c603ce8, priority=70, domain=encrypt, deny=false
hits=6, user_data=0x0, cs_id=0x87a97aa8, reverse, flags=0x0, protocol=1
src ip/id=10.155.176.0, mask=255.255.255.0, icmp-type=0
dst ip/id=192.168.101.0, mask=255.255.255.0, icmp-code=0, dscp=0x0
input_ifc=any, output_ifc=outside
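An added example (not code from the thread) that parses packet-tracer output like the excerpt above and reports the phase in which the flow was dropped, together with the rule fields the ASA printed for it. The sample is the posted Phase 6 plus a constructed ALLOW phase so the parser walks more than one block:

```python
import re

# Constructed sample: Phase 6 is the packet-tracer excerpt posted above; Phase 5 is a
# made-up ALLOW phase so the parser walks more than one block.
SAMPLE_TRACE = """\
Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x7c603ce8, priority=70, domain=encrypt, deny=false
        hits=6, user_data=0x0, cs_id=0x87a97aa8, reverse, flags=0x0, protocol=1
        src ip/id=10.155.176.0, mask=255.255.255.0, icmp-type=0
        dst ip/id=192.168.101.0, mask=255.255.255.0, icmp-code=0, dscp=0x0
        input_ifc=any, output_ifc=outside
"""

def parse_packet_tracer(text):
    """One dict per 'Phase:' block: number, type/subtype/result, and the rule's key=value pairs."""
    phases, cur, in_rule = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase: (\d+)$", line)
        if m:
            cur, in_rule = {"phase": int(m.group(1)), "rule": {}}, False
            phases.append(cur)
        elif cur is None or not line:
            continue
        elif line.endswith("yields rule:"):
            in_rule = True
        elif in_rule:
            for tok in line.split(","):
                k, _, v = tok.partition("=")
                cur["rule"][k.strip()] = v.strip()  # flag-only tokens such as 'reverse' map to ''
        elif ":" in line:
            k, _, v = line.partition(":")
            cur[k.strip().lower()] = v.strip()
    return phases

def first_drop(phases):
    """The first phase whose Result is DROP, i.e. where the flow died."""
    return next((p for p in phases if p.get("result") == "DROP"), None)
```

Feeding the full packet-tracer output to parse_packet_tracer() and reading first_drop()'s "domain" and "deny" fields tells you which feature (encrypt, vpn-user, nat, ...) killed the flow before you start changing configuration.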
10-21-2014 05:55 AM
No, the ASA won't "automatically" create a NAT negate rule; you might want to NAT.
Have you looked at the output of sh crypto ipsec sa to see if packets are being encrypted/decrypted?
10-21-2014 06:07 AM
Hi
I have looked into the IPsec SA and the output is as below... but I cannot see any traffic being encrypted or decrypted...
internetasa# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 194.168.166.1
access-list outside_cryptomap extended permit tcp 10.155.176.0 255.255.255.0 192.168.101.0 255.255.255.0 range 9005 9015
local ident (addr/mask/prot/port): (10.155.176.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/6/9010)
current_peer: 94.199.235.225
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 194.168.166.1/0, remote crypto endpt.: 94.199.235.225/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: F94D0033
current inbound spi : 1BB937BF
inbound esp sas:
spi: 0x1BB937BF (465123263)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 242356224, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (4374000/27493)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF94D0033 (4182573107)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 242356224, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (4374000/27493)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
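An added example, not part of the thread, that parses sh crypto ipsec sa output like the one above and classifies each SA from its encaps/decaps counters and its proxy identity. The sample is trimmed from the posted output; the verdict strings and the test_proto check (the posted identity is protocol 6, so an ICMP test flow can never match it) are mine:

```python
import re
# Constructed sample: trimmed from the 'sh crypto ipsec sa' output posted above
# (SPI and lifetime lines dropped; idents, peer and counters kept exactly as posted).
SAMPLE_SA = """\
    Crypto map tag: outside_map1, seq num: 1, local addr: 194.168.166.1
      local ident (addr/mask/prot/port): (10.155.176.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/6/9010)
      current_peer: 94.199.235.225
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: ([\d.]+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """One dict per crypto map entry: local/remote idents, peer, and the encaps/decaps counters."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "encaps": 0, "decaps": 0}
            entries.append(cur)
        elif cur is None:
            continue
        elif IDENT_RE.match(line):
            side, net, mask, proto, port = IDENT_RE.match(line).groups()
            cur[side] = {"net": net, "mask": mask, "proto": int(proto), "port": int(port)}
        elif line.startswith("current_peer:"):
            cur["peer"] = line.split()[1]
        else:
            for pm in PKTS_RE.finditer(line):
                cur[pm.group(1)] = int(pm.group(2))
    return entries

def diagnose(entry, test_proto):
    """Verdict for one SA; test_proto is the IP protocol of the test flow (1 = ICMP, 6 = TCP)."""
    ident_proto = entry["local"]["proto"]  # 0 in the ident means 'any protocol'
    if ident_proto not in (0, test_proto):
        return "mismatch: test traffic is proto %d but the SA identity is proto %d" % (test_proto, ident_proto)
    verdicts = {(False, False): "idle: nothing encapsulated or decapsulated (check NAT exemption / crypto ACL)",
                (True, False): "one-way: encrypting but nothing returns (check the remote side's ACL / routing)",
                (False, True): "one-way: decrypting only (check the local crypto ACL / NAT)",
                (True, True): "ok: traffic in both directions"}
    return verdicts[(entry["encaps"] > 0, entry["decaps"] > 0)]
```

Run it against two captures a few pings apart: a counter that stays at 0 in one direction points at the side that never matched the flow, which is the pattern behind the "encrypted but not decrypted" step later in the thread.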
10-21-2014 06:34 AM
Hi
Adding the NAT exemption did have an impact, and it now checks the NAT and allows it in packet tracer... but it is still dropped by the VPN-user access list... any ideas?
Thanks
10-21-2014 07:19 AM
Hi
What's the VPN-user ACL? An outbound ACL on the inside interface or something else?
If possible, could you post a sanitized config?
10-21-2014 08:56 AM
Hi
I got it working and it was quite unusual.
1. I changed the crypto access list to a /19 rather than a /24 and tested it, and started seeing encrypted packets but not decrypted packets... - problem existed.
2. Confirmed with the other end and enabled PFS (group 5) and tested again... this time packets were not encrypted/decrypted... - problem existed.
3. Removed PFS on both ends and tested again... packets got encrypted and decrypted... - problem resolved.
4. Turned on PFS on both ends and tested again... packets got encrypted and decrypted... - problem resolved.
For some reason this has happened and I cannot say why it has happened... Maybe the remote site access list wasn't configured properly??? and they haven't realised it??
Thanks for all your input in this regard...
10-21-2014 09:02 AM
Great news, vinovinom.
The debug crypto isakmp 255 and debug crypto ipsec 255 commands can help in determining phase 1 and phase 2 problems. There can be a lot of output in the debugs, but a good root around usually helps in diagnosing the issue.
Glad I could give some input.
10-22-2014 02:17 AM
Hi
I would like to get advice on static NAT. A customer would like to NAT around 60 IP addresses one-to-one and they want this to be implemented on the ASA. Is this an efficient way of doing it, or are there any other options?
Thanks
10-22-2014 02:56 AM
Have a look at :-
but I would suggest creating a new thread so that it has more visibility.
05-01-2019 01:29 PM
Hi Vinovinom,
I have the same problem, but can you send me some screenshots to understand more about the solution you have provided? Thanks
10-21-2014 05:52 AM
Also, I have added "any" as you suggested into the group policy, and now it's denied differently, as below...
Phase: 6
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x731b7b38, priority=12, domain=vpn-user, deny=true
hits=19011, user_data=0x6f6ed740, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Thanks