04-22-2014 12:25 PM
This is my first try at setting up a site-to-site VPN on ASA 5505s. Thankfully I'm able to do so on the bench and not at the actual sites. Once I can confirm connectivity, I'll move them to the physical sites.
Both ASAs are running 8.3(1). I've tried with ASDM and I've tried via CLI. I don't seem to be able to get it done either way.
One ASA is set up with WAN address 10.1.52.1/24, LAN address 192.168.52.1. The other ASA is set up WAN 10.1.200.1/24, LAN 192.168.200.1. Since they're on the bench (lab/whatever) there's a single cable connecting both WAN ports. I have a single workstation on each LAN to test connectivity. I AM able to successfully ping the ASA WAN (10.1.52.1) from the workstation on 192.168.200.1 and vice versa. I'm NOT able to ping the LAN (192.168.52.1) from the workstation on 192.168.200.1 or from the 10.1.200.1 ASA, and vice versa.
Here are the configs for both, and some output from the debug logging:
ASA Version 8.3(1)
!
hostname MAIN
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
object network INSIDE
subnet 192.168.200.0 255.255.255.0
object network CATC
subnet 192.168.52.0 255.255.255.0
object-group icmp-type ICMP_ALLOWED
description allow pings
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
access-list INBOUND extended permit icmp any any object-group ICMP_ALLOWED log debugging
access-list VPN-2-CATC extended permit ip 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0 log debugging
access-list VPN-2-CATC extended permit icmp 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object CATC object INSIDE log debugging
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static CATC CATC
!
object network INSIDE
nat (inside,outside) dynamic interface
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.52.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-2-CATC 1 match address outside_cryptomap_1
crypto map VPN-2-CATC 1 set pfs
crypto map VPN-2-CATC 1 set peer 10.1.52.1
crypto map VPN-2-CATC 1 set transform-set ESP-3DES-MD5
crypto map VPN-2-CATC interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.200.5-192.168.200.99 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value VPN-2-CATC
tunnel-group 10.1.52.1 type ipsec-l2l
tunnel-group 10.1.52.1 ipsec-attributes
pre-shared-key VPN2VPN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:53060156da27a8404adc45a01ff7324a
: end
==================
ASA Version 8.3(1)
!
hostname CATC
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.52.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.52.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network INSIDE
subnet 192.168.52.0 255.255.255.0
object network MAIN
subnet 192.168.200.0 255.255.255.0
object-group icmp-type ICMP_ALLOWED
description Allow pings for testing
icmp-object echo
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
icmp-object echo-reply
access-list INBOUND extended permit icmp any any object-group ICMP_ALLOWED
access-list VPN_TO_MAIN extended permit ip 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list VPN_TO_MAIN extended permit icmp 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object MAIN object INSIDE
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static MAIN MAIN
!
object network INSIDE
nat (inside,outside) dynamic interface
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.52.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_TO_MAIN 1 match address outside_cryptomap_1
crypto map VPN_TO_MAIN 1 set pfs
crypto map VPN_TO_MAIN 1 set peer 10.1.200.1
crypto map VPN_TO_MAIN 1 set transform-set ESP-3DES-MD5
crypto map VPN_TO_MAIN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.52.5-192.168.52.99 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value VPN_TO_MAIN
tunnel-group 10.1.200.1 type ipsec-l2l
tunnel-group 10.1.200.1 ipsec-attributes
pre-shared-key VPN2VPN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fb0bfb4b67a8bfb2360a0d4499ce7f3d
: end
===================
When I try pinging from CATC's internal network, 192.168.52.0/24 to the ASA MAIN internal interface, 192.168.200.1, I get...
Built outbound ICMP connection for faddr 192.168.200.1/0 gaddr 192.168.52.7/1 laddr 192.168.52.7/1
Teardown ICMP connection for faddr 192.168.200.1/0 gaddr 192.168.52.7/1 laddr 192.168.52.7/1
Built inbound UDP connection 6669 for inside:192.168.52.7/68 (192.168.52.7/68) to identity:255.255.255.255/67 (255.255.255.255/67)
---
I also try to hit a web server address: 192.168.200.5
Built outbound TCP connection 6674 for outside:192.168.200.5/80 (192.168.200.5/80) to inside:192.168.52.7/50956 (192.168.52.7/50956)
Teardown TCP connection 6674 for outside:192.168.200.5/80 to inside:192.168.52.7/50956 duration 0:00:30 bytes 0 SYN Timeout
Deny tcp src outside:192.168.200.5/1632 dst inside:192.168.52.7/80 by access-group "INBOUND" [0x0, 0x0]
I don't get the deny due to INBOUND access-group. I thought with a VPN, the traffic bypasses the standard Access Rules.
No sessions show up in the ASDM's Monitoring>VPN window.
Show ipsec sa AND show isakmp sa both result in "There are no ipsec/isakmp sas".
Also,
In P2 Exchanges: 1997
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 1997
In P2 Sa Delete Requests: 0
Out P2 Exchanges: 360
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 360
=========================
I hope to eventually run occasional http traffic over this VPN, but it will mainly serve to connect our two IP phone systems
Thanks everyone,
Laner
04-22-2014 01:28 PM
Hi Laner,
I have created a configuration according to your setup: please review:
SITE 1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 10.1.52.1 type ipsec-l2l
tunnel-group 10.1.52.1 ipsec-attributes
pre-shared-key VPN2VPN
object network INSIDE
subnet 192.168.200.0 255.255.255.0
object network CATC
subnet 192.168.52.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object INSIDE object CATC
nat (inside,outside) source static INSIDE INSIDE destination static CATC CATC no-proxy-arp route-lookup
crypto map VPN-2-CATC 1 match address outside_cryptomap_1
crypto map VPN-2-CATC 1 set pfs
crypto map VPN-2-CATC 1 set peer 10.1.52.1
crypto map VPN-2-CATC 1 set transform-set ESP-3DES-MD5
//This configuration is not required because you are specifying IP as a protocol and it is going to permit everything through the tunnel
access-list VPN-2-CATC extended permit ip 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0
group-policy DfltGrpPolicy attributes
vpn-filter value VPN-2-CATC
//
SITE 2
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 10.1.200.1 type ipsec-l2l
tunnel-group 10.1.200.1 ipsec-attributes
pre-shared-key VPN2VPN
object network INSIDE
subnet 192.168.52.0 255.255.255.0
object network MAIN
subnet 192.168.200.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object INSIDE object MAIN
nat (inside,outside) source static INSIDE INSIDE destination static MAIN MAIN no-proxy-arp route-lookup
crypto map VPN_TO_MAIN 1 match address outside_cryptomap_1
crypto map VPN_TO_MAIN 1 set pfs
crypto map VPN_TO_MAIN 1 set peer 10.1.200.1
crypto map VPN_TO_MAIN 1 set transform-set ESP-3DES-MD5
//This configuration is not required because you are specifying IP as a protocol and it is going to permit everything through the tunnel
access-list VPN_TO_MAIN extended permit ip 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list VPN_TO_MAIN extended permit icmp 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
group-policy DfltGrpPolicy attributes
vpn-filter value VPN_TO_MAIN
//
Match your configuration with my configuration and make changes. VPN filters are not allowed because you are not filtering anything. Remove the VPN filter from both ends and then try pinging across the VPN. Also if you are pinging from inside interface to inside interface of the other device then make sure management access is enabled on both the interfaces else it will not respond to the ping requests.
How to check if management access is enabled or not is by running command:
show run man
If you don't get anything then enter command "man inside" and then initiate ping.
Let me know if this helps.
Vishnu
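As an added example (not code from the thread and not Cisco's), the following Python script parses the L2L-relevant lines of the two configs posted above and reports the differences between them and the corrected configuration in the reply: a crypto ACL whose source is not the local LAN, a vpn-filter on the default group policy, and an identity NAT without no-proxy-arp route-lookup. MAIN_CFG and CATC_CFG are constructed excerpts of the posted configs; the finding codes are my own names.

```python
"""Added example (not from the thread and not Cisco code): pairwise consistency
check of two ASA 8.3 LAN-to-LAN configs, limited to the statements this thread
turns on: object/subnet, crypto ACL, twice-NAT exemption and vpn-filter."""
import ipaddress
import re
# Constructed excerpts of the thread's MAIN and CATC configs (values from the post).
MAIN_CFG = """
nameif inside
ip address 192.168.200.1 255.255.255.0
object network INSIDE
subnet 192.168.200.0 255.255.255.0
object network CATC
subnet 192.168.52.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object CATC object INSIDE
nat (inside,outside) source static INSIDE INSIDE destination static CATC CATC
crypto map VPN-2-CATC 1 match address outside_cryptomap_1
vpn-filter value VPN-2-CATC
"""
CATC_CFG = """
nameif inside
ip address 192.168.52.1 255.255.255.0
object network INSIDE
subnet 192.168.52.0 255.255.255.0
object network MAIN
subnet 192.168.200.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object MAIN object INSIDE
nat (inside,outside) source static INSIDE INSIDE destination static MAIN MAIN
crypto map VPN_TO_MAIN 1 match address outside_cryptomap_1
vpn-filter value VPN_TO_MAIN
"""

def parse(text):
    """Pull the L2L-relevant statements out of a config dump."""
    c = {"lan": None, "obj": {}, "acl": {}, "nat": [], "match": None, "vpn_filter": None}
    ctx = None  # name of the interface or object whose sub-commands follow
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"(nameif|object network) (\S+)$", line):
            ctx = m[2]
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and ctx == "inside":
            c["lan"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            c["obj"][ctx] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", line):
            c["acl"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"nat \(\S+\) source static (\S+) \S+ destination static (\S+) \S+(.*)", line):
            c["nat"].append((m[1], m[2], m[3].split()))  # (src obj, dst obj, options)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            c["match"] = m[1]
        elif m := re.match(r"vpn-filter value (\S+)", line):
            c["vpn_filter"] = m[1]
    return c

def acl_pairs(c):
    return [(c["obj"][s], c["obj"][d]) for s, d in c["acl"].get(c["match"], [])]

def check(local, remote):
    """(code, detail) findings for `local` against `remote`; run it both ways."""
    lan, rlan, found = local["lan"], remote["lan"], []
    for src, dst in acl_pairs(local):
        if src != lan:  # proxy IDs point the wrong way: local LAN traffic never matches
            found.append(("ACL_SRC_NOT_LOCAL", f"crypto ACL source {src} is not the local LAN {lan}"))
        if (dst, src) not in acl_pairs(remote):
            found.append(("ACL_NOT_MIRRORED", f"{src}->{dst} has no mirror entry on the peer"))
    if local["vpn_filter"]:
        found.append(("VPN_FILTER", f"vpn-filter {local['vpn_filter']} restricts the tunnel"))
    exempt = [o for s, d, o in local["nat"] if local["obj"][s] == lan and local["obj"][d] == rlan]
    if not exempt:
        found.append(("NAT_EXEMPT_MISSING", f"no identity NAT for {lan} -> {rlan}"))
    elif not {"no-proxy-arp", "route-lookup"} <= set(exempt[0]):
        found.append(("NAT_OPTS_MISSING", "identity NAT lacks no-proxy-arp route-lookup"))
    return found

if __name__ == "__main__":
    main, catc = parse(MAIN_CFG), parse(CATC_CFG)
    for name, a, b in (("MAIN", main, catc), ("CATC", catc, main)):
        for code, detail in check(a, b):
            print(f"{name}: {code}: {detail}")
```

Both posted configs are reversed in the same way, so they still mirror each other; the checker flags them because the crypto ACL source is not the local LAN, which is why local traffic never matched the crypto map.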
04-23-2014 07:16 AM
Vishnu, thank you profusely for your reply.
I have a couple of questions:
When I try to enter the nat statement with no-proxy-arp route-lookup on the end, it is unrecognized. The only options after destination static MAIN MAIN are: description, inactive, service, & unidirectional.
If I try to remove the access-list VPN-2-CATC or VPN_TO_MAIN, I'm warned: "access-list VPN_TO_MAIN is attached to class-map, route-map, username, group-policy...Please remove the relevant configuration before removing the access-list".
Since the VPN_TO_MAIN ACL is referenced in the crypto map, I suppose it won't let me remove it?
I did not have management access enabled, I do now, thanks.
---
Regards,
Laner
04-23-2014 07:54 AM
OK, I found a workaround, but I need more information. The global configuration command sysopt noproxyarp needs to be applied to an interface. I'd say it should be outside, but I'd be guessing.
Not sure what to do about the other command, route-lookup.
Thanks,
Laner
04-23-2014 11:54 AM
Update: after applying the sysopt noproxyarp command to the outside interfaces, I tried pinging both the CATC ASA and internal workstation to the MAIN ASA LAN port (192.168.200.1). I received replies!! And, the VPN monitoring shows an open tunnel.
I tried to hit the inside website, 192.168.200.5, but was not successful. The log on the MAIN ASA says:
Group=10.1.52.1, IP=10.1.52.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device. This end is NOT behind a NAT device.
AAA retrieved default group policy (DfltGrpPolicy) for user=10.1.52.1
Group=10.1.52.1, IP=10.1.52.1, PHASE 1 COMPLETED
IPSEC: An outbound LAN-to-LAN SA between 10.1.200.1 and 10.1.52.1 has been created
Group=10.1.52.1, IP=10.1.52.1, PHASE 2 COMPLETED
At this point, the ICMP connections are built and torn down. When I get to the www request, a notification shows:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside 192.168.52.8 (my workstation) dst inside 192.168.200.5/80 denied due to NAT reverse path failure.
What's up?
Thanks,
Laner
04-23-2014 12:58 PM
Hi,
I see that the tunnel is now completing both the phases. Could you please send me output of this command from both the ASA's: show run nat.
Also let me know the ip from which you are initiating the traffic and the ip that you are trying to access i.e. the source and destination ip address.
Vishnu
04-23-2014 01:38 PM
Here are the results of sh run nat:
MAIN
nat (inside,outside) source static INSIDE INSIDE destination static CATC CATC
!
object network INSIDE
nat (inside,outside) dynamic interface
---
CATC
nat (inside,outside) source static INSIDE INSIDE destination MAIN MAIN
!
object network INSIDE
nat (inside,outside) dynamic interface
I am on workstation 192.168.52.8, accessing website on 192.168.200.5 (port 80). The log showed the Asymmetric NAT rules match for forward and reverse flows... that I mentioned before.
04-23-2014 02:28 PM
Run this command on ASA where 192.168.52.x is the local network.
packet-tracer input inside icmp 192.168.52.8 8 0 192.168.200.5 detail
Paste the output of this command here. Also, paste the output of show crypto ipsec sa
04-23-2014 04:11 PM
Success!!
Here's the output:
CATC(config)# packet-tracer input inside icmp 192.168.52.8 0 0 192.168.200.5 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9ddd8c8, priority=1, domain=permit, deny=false
hits=3368, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9de00c0, priority=0, domain=inspect-ip-options, deny=true
hits=583, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca46d918, priority=70, domain=inspect-icmp, deny=false
hits=21, user_data=0xca46d710, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9ddfd28, priority=66, domain=inspect-icmp-error, deny=false
hits=21, user_data=0xc9ddfc10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static INSIDE INSIDE destination static MAIN MAIN
Additional Information:
Static translate 192.168.52.8/0 to 192.168.52.8/0
Forward Flow based lookup yields rule:
in id=0xc9ad7118, priority=6, domain=nat, deny=false
hits=14, user_data=0xc9ad6ba8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.52.0, mask=255.255.255.0, port=0
dst ip/id=192.168.200.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca42e0a8, priority=70, domain=encrypt, deny=false
hits=9, user_data=0x8584, cs_id=0xc9de75a8, reverse, flags=0x0, protocol=0
src ip/id=192.168.52.0, mask=255.255.255.0, port=0
dst ip/id=192.168.200.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 229, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
And...
CATC(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: VPN_TO_MAIN, seq num: 1, local addr: 10.1.52.1
access-list outside_cryptomap_1 extended permit ip 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 10.1.200.1
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.1.52.1/0, remote crypto endpt.: 10.1.200.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E24998D5
current inbound spi : DCCED505
inbound esp sas:
spi: 0xDCCED505 (3704542469)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: VPN_TO_MAIN
sa timing: remaining key lifetime (kB/sec): (3914998/28651)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00003FFF
outbound esp sas:
spi: 0xE24998D5 (3796474069)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: VPN_TO_MAIN
sa timing: remaining key lifetime (kB/sec): (3914998/28651)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I was able to hit the website at 192.168.200.5. This worked when I applied sysopt noproxyarp to the outside interface.
Vishnu, thank you so much for helping me! The only thing I have left now is to drop in the public IPs where they exist, fix telnet access and passwords. I appreciate your troubleshooting!!
Regards,
Laner