Solved: I tried. The echo gets to

david.torreggiani · ‎04-25-2017

Hello everyone,

i am trying to setup a Site to Site VPN between a branch site and the main campus. i am using the latest cisco packet tracer version since i do not physically have the ASA. Here below my network topology.

i have configured the VPN, but i cannot understand why the tunnel does not come up. Also i do not have most of the tools (like packet-tracer) from this cli version.

Can you help me ?

i am attaching the configuration of the 3 routers and the ASAs.

singhkulbir29881 · ‎04-25-2017

Yes you need to add the following commands

On Router 1:-

ip access-list extented NAT

deny ip 192.168.50.0 0.0.0.255 192.168.25.0 0.0.0.255

permit ip 192.168.50.0 0.0.0.255 any

!

no ip nat inside source list 1 interface GigabitEthernet0/2 overload

ip nat inside source list NAT interface GigabitEthernet0/2 overload

!

On Router 2,

ip access-list extented NAT

deny ip 192.168.25.0 0.0.0.255 192.168.50.0 0.0.0.255

permit ip 192.168.25.0 0.0.0.255 any

!

no ip nat inside source list 1 interface GigabitEthernet0/2 overload

ip nat inside source list NAT interface GigabitEthernet0/2 overload

and check that VPN tunnel is working after changes or not.

Please rate this if it is helpful or marked as correct if you get you answer.

View solution in original post

singhkulbir29881 · ‎04-25-2017

Hi David,

Are you able to ping ASA1 outside interface from ASA0 ?

david.torreggiani · ‎04-25-2017

Yes sir, i can. Both ways.

singhkulbir29881 · ‎04-25-2017

Try continuous ping from any device in 192.168.50.x to any device in 192.168.25.x subnet and on ASA0 enter the command "debug crypto ikev1 25" and check are you see any output in console.

david.torreggiani · ‎04-25-2017

I tried. The echo gets to destination, but the icmp reply gets dropped when entering ASA0:

1. The receiving port has an inbound traffic access-list with an ID of permit_icmp. The device checks the packet against the access-list.

2. The packet matches the criteria of the following statement: permit icmp any any. The packet is permitted.

3. The packet is coming from an outside network. The device looks up its NAT table for necessary translations.

4. The NAT table does not have a matched entry for this packet. It passes the packet through without translations.

5. The device looks up the destination IP address in the CEF table.

6. The CEF table has an entry for the device to receive this packet. The device dispatches the packet to the upper layer.

7. The packet is an ICMP packet. The ICMP process processes it.

8. The ICMP process received an Echo Reply message.

9. The ICMP process has not sent an ICMP message with this identification recently. It drops the message.

Im not really sure what this means. Also "debug crypto ikev1 25" is not available on Packet tracer.

singhkulbir29881 · ‎04-25-2017

Can you please post the "show crypto ikev1 sa" and "show crypto ipsec sa" outputs.

david.torreggiani · ‎04-25-2017

Ok so i understood the ping error i was getting. It was 2 to the router natting the packet before reaching the ASA.

Basically the ASA was not seeing meaningful traffic in order to create the tunnel.

singhkulbir29881 · ‎04-25-2017

Yes you need to add the following commands

On Router 1:-

ip access-list extented NAT

deny ip 192.168.50.0 0.0.0.255 192.168.25.0 0.0.0.255

permit ip 192.168.50.0 0.0.0.255 any

!

no ip nat inside source list 1 interface GigabitEthernet0/2 overload

ip nat inside source list NAT interface GigabitEthernet0/2 overload

!

On Router 2,

ip access-list extented NAT

deny ip 192.168.25.0 0.0.0.255 192.168.50.0 0.0.0.255

permit ip 192.168.25.0 0.0.0.255 any

!

no ip nat inside source list 1 interface GigabitEthernet0/2 overload

ip nat inside source list NAT interface GigabitEthernet0/2 overload

and check that VPN tunnel is working after changes or not.

Please rate this if it is helpful or marked as correct if you get you answer.

david.torreggiani · ‎04-25-2017

First of all thanks, i forgot to remove certain destination from being NATted.

The tunnel still doest not come up.

I see the ISAKMP and IPsec packets between the ASAs, but when i try to ping i get:

1. The routing table finds a routing entry to the destination IP address.

2. The destination network can be reached via 192.168.50.50.

3. The device decrements the TTL on the packet.

4. The packet is going from an inside to an outside network. The device looks up its NAT table for necessary translations.

5. The NAT table does not have a matched entry for this packet. It passes the packet through without translations.

6. The traffic is interesting traffic and needs to be encrypted and encapsulated in IPSec PDUs.

7. The insteresting traffic can not be encrypted, IKE (ISAKMP) needs to negotatiate IPSec SAs.

on ASA 1 i show:

There are no IKEv1 SAs

There are no IKEv2 SAs

On ASA0 i show:

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 80.19.96.98

Type : L2L Role : responder

Rekey : no State : MM_SA_SETUP

There are no IKEv2 SAs

david.torreggiani · ‎04-25-2017

Working!

Thanks for your support!

singhkulbir29881 · ‎04-26-2017

Glad to hear :-). Thanks for rating

emina93 · ‎07-12-2018

Can you send me the .pkt file?

Cisco Packet tracer - Site to Site VPN LAB ASA 5505