01-30-2019 02:20 AM
Hello!
I have a new Cisco ASA VPN configuration; it's different from what I did before: it's behind NAT, and I need some advice on whether it is possible.
So, I have the following structure:
Site A:
ASAv (192.168.100.2) -> 1to1 NAT -> VMware Edge Gateway Services -> 1to1 NAT -> Fortigate -> Public address (PUB1)
Site B:
ASA (PUB2) - it's OK.
And I can't create an IPsec tunnel between these two sites; the ASAv doesn't want to create Phase 1 (no messages in debug, PT gets an error on the VPN phase, and I also have some strange asp drops).
ASAv VPN configuration:
crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
ikev1 pre-shared-key *****
access-list vpn-acl extended permit ip object-group local object-group remote log disable
packet-tracer input inside tcp (ip from local object-group) 5555 (ip from remote object-group) 4444
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.100.1 using egress ifc outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate (ip from local object-group)/5555 to (ip from local object-group)/5555
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
Additional Information:
Static translate (ip from remote object-group)/5555 to (ip from remote object-group)/5555
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 21
IKE new SA limit exceeded (ike-sa-rate-limit) 12
Last clearing: 09:31:40 UTC Jan 30 2019 by enable_15
Flow drop:
Need to start IKE negotiation (need-ike) 42
NAT-T is enabled. Ping is OK: site A can ping site B, and src & dst are correct.
I'm confused because I have no messages in the debug log and I have strange asp drops.
Please help me to resolve this.
01-30-2019 02:31 AM - edited 01-30-2019 02:38 AM
NAT-T is globally enabled on the security appliance by default; it automatically detects NAT and changes the phase 1 port from UDP 500 to 4500.
But please post the config of the firewall.
01-30-2019 03:25 AM
sh run
: Saved
:
: Serial Number:
: Hardware: ASAv, 1536 MB RAM, CPU Xeon E5 series 2600 MHz
:
ASA Version 9.10(1)
!
hostname smartcloud
enable password ***** pbkdf2
names
no mac-address auto
!
interface GigabitEthernet0/0
 description
 nameif outside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address %local_addr% 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object-group network local
 network-object %local_subnet% 255.255.255.0
object-group network remote
 network-object %remote_subnet% 255.255.255.0
access-list outside_in extended permit ip any any
access-list vpn-acl extended permit ip object-group local object-group remote log disable
access-list inside_in extended permit ip any any
access-list inside_out extended permit ip any any
access-list outside_out extended permit ip any any
pager lines 23
logging enable
logging timestamp
logging buffer-size 52428800
logging buffered debugging
logging trap debugging
logging facility 23
logging debug-trace
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
access-group outside_in in interface outside
access-group outside_out out interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
crypto ca trustpool policy
 auto-import
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh %IP_ADDR% 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username %USERNAME% password ***** pbkdf2
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:eba89603857917c74cbbe89e3b0cae96
: end
01-30-2019 04:23 AM
The configuration looks OK to me.
When you do a packet tracer, after giving the command, can you show us the output of these commands:
show crypto ikev1 sa / show crypto isakmp sa
show crypto ipsec
!
Also ask the other side to send a packet that matches its interesting-traffic ACL.
01-30-2019 05:23 AM
Fixed.
IKEv1 needs to be enabled:
crypto ikev1 enable outside
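As an added example (not code from the thread or from Cisco), a small Python linter for the class of mistake this thread ends on: a crypto map applied to an interface on which IKEv1 was never enabled, which produces exactly the silent "need-ike" flow drops and empty debug shown above. It also checks the neighbouring things the replies asked about (peer has an ipsec-l2l tunnel-group, transform-set is defined). The sample config is constructed from the thread's config, with 203.0.113.10 standing in for %PUB2%.

```python
import re

# Constructed sample modelled on the thread's ASAv config, with the missing line
# ("crypto ikev1 enable outside") left out; 203.0.113.10 stands in for %PUB2%.
BROKEN_CONFIG = """\
crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac
crypto map outside 1 match address vpn-acl
crypto map outside 1 set peer 203.0.113.10
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
"""
FIXED_CONFIG = BROKEN_CONFIG + "crypto ikev1 enable outside\n"

def lint_asa_ikev1(config):
    """Return findings for IKEv1 L2L crypto maps in an ASA config (empty list = clean)."""
    bound, ikev1_on, peers = {}, set(), {}          # map->iface, ifaces, (map,seq)->peer
    ts_used, ts_defined, l2l_groups = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            bound[m[1]] = m[2]
        elif m := re.fullmatch(r"crypto ikev1 enable (\S+)", line):
            ikev1_on.add(m[1])
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            peers[(m[1], int(m[2]))] = m[3]
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) set ikev1 transform-set (\S+)", line):
            ts_used[(m[1], int(m[2]))] = m[3]
        elif m := re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) .*", line):
            ts_defined.add(m[1])
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_groups.add(m[1])
    findings = []
    for (name, seq), ts in ts_used.items():
        iface = bound.get(name)
        if iface is None:
            findings.append(f"crypto map {name} is never applied to an interface")
        elif iface not in ikev1_on:            # the thread's actual problem
            findings.append(f"map {name} seq {seq} uses IKEv1 but '{iface}' lacks "
                            f"'crypto ikev1 enable {iface}': Phase 1 can never start")
        if ts not in ts_defined:
            findings.append(f"map {name} seq {seq} references undefined transform-set {ts}")
        peer = peers.get((name, seq))
        if peer is None:
            findings.append(f"map {name} seq {seq} has no 'set peer'")
        elif peer not in l2l_groups:
            findings.append(f"no 'tunnel-group {peer} type ipsec-l2l' for map {name} seq {seq}")
    return findings
```

Run it over the output of `show running-config` pulled from the box; the broken sample yields one finding naming the missing `crypto ikev1 enable outside`, and the fixed sample yields none.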