Hairpining VPN clients through a site-to-site tunnel

Ariel Davenport
Level 1

I have an ASA 5510 8.2(5) in Site1 and an ASA 5505 8.2(1) in Site2; they are set up with a site-to-site tunnel.

Each site has VPN clients that connect and I would like to allow clients from both sides access to servers on the other side of the site-to-site tunnel.

I enabled same-security-traffic permit intra-interface. I also added the remote networks to the access-list that is doing the split tunneling.

I think that I'm doing something wrong with NAT, but I'm not sure; any help would be greatly appreciated.

Site1 (172.17.2.0/24) Clients1 (10.0.254.0/24)

ASA Version 8.2(5)

!

hostname site1

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address site1 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.17.2.1 255.255.255.0

!

interface Ethernet0/2

shutdown

nameif DMZ

security-level 0

ip address 10.10.10.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit intra-interface

access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0

access-list inside_nat0_outbound remark US Client to UK Server

access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0

access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0

access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0

access-list Split_Tunnel_List standard permit 192.168.123.0 255.255.255.0

access-list Split_Tunnel_List remark UK VPN Client Pool

access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0

access-list outside-2-inside extended permit tcp any any eq smtp

access-list outside-2-inside extended permit tcp any any eq 82

access-list outside-2-inside extended permit tcp any any eq 81

access-list outside-2-inside extended permit tcp any any eq https

access-list outside-2-inside extended permit tcp any any eq imap4

access-list outside-2-inside extended permit tcp any any eq ldaps

access-list outside-2-inside extended permit tcp any any eq pop3

access-list outside-2-inside extended permit tcp any any eq www

access-list outside-2-inside extended permit tcp any any eq 5963

access-list outside-2-inside extended permit tcp any any eq ftp

access-list outside-2-inside extended permit tcp any any eq ftp-data

access-list outside-2-inside extended permit tcp any any eq 3389

access-list outside-2-inside extended deny tcp any any log

access-list outside-2-inside extended deny ip any any log

access-list outside-2-inside extended deny udp any any log

access-list VPN-CLIENTS extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0

access-list VPN-CLIENTS extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0

access-list VPN-CLIENTS extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0

access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0

access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0

access-list VPNClient_splittunnel standard permit 192.168.123.0 255.255.255.0

access-list VPNClient_splittunnel remark UK VPN Client Pool

access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0

access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list outside_nat0_outbound remark AD 5/1/13

access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (outside) 0 access-list outside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.17.2.0 255.255.255.0

static (inside,outside) tcp interface smtp 172.17.2.200 smtp netmask 255.255.255.255

static (inside,outside) tcp interface 82 172.17.2.253 82 netmask 255.255.255.255

static (inside,outside) tcp interface 81 192.168.123.253 81 netmask 255.255.255.255

static (inside,outside) tcp interface https 172.17.2.10 https netmask 255.255.255.255

static (inside,outside) tcp interface imap4 172.17.2.10 imap4 netmask 255.255.255.255

static (inside,outside) tcp interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255

static (inside,outside) tcp interface pop3 172.17.2.10 pop3 netmask 255.255.255.255

static (inside,outside) tcp interface www 172.17.2.19 www netmask 255.255.255.255

static (inside,outside) tcp interface 5963 172.17.2.108 5963 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 172.17.2.7 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 172.17.2.7 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.29 3389 netmask 255.255.255.255

access-group outside-2-inside in interface outside

route outside 0.0.0.0 0.0.0.0 74.213.51.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server DCSI_Auth protocol radius

aaa-server DCSI_Auth (inside) host 172.17.2.29

key *****

aaa-server AD protocol nt

aaa-server AD (inside) host 172.16.1.211

aaa-server AD (inside) host 172.17.2.29

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set trans_set esp-des esp-sha-hmac

crypto ipsec transform-set VPN-Client esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 20 set reverse-route

crypto dynamic-map outside_dyn_map 20 set transform-set VPN-Client

crypto map outside_map 20 match address VPN-UK

crypto map outside_map 20 set peer site2

crypto map outside_map 20 set transform-set trans_set

crypto map outside_map 30 match address VPN-Northwoods

crypto map outside_map 30 set peer othersite

crypto map outside_map 30 set transform-set trans_set

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 28800

crypto isakmp policy 20

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

telnet timeout 5

ssh timeout 60

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy VPNClients internal

group-policy VPNClients attributes

dns-server value 10.0.1.30

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPNClient_splittunnel

default-domain value domain.local

user-authentication enable

tunnel-group VPNclient type remote-access

tunnel-group VPNclient general-attributes

address-pool VPNUserPool

authentication-server-group DCSI_Auth

default-group-policy VPNClients

tunnel-group VPNclient ipsec-attributes

pre-shared-key *****

tunnel-group othersite type ipsec-l2l

tunnel-group othersite ipsec-attributes

pre-shared-key *****

tunnel-group site2 type ipsec-l2l

tunnel-group site2 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

class-map imblock

match any

class-map p2p

match port tcp eq www

class-map P2P

match port tcp eq www

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect im impolicy

parameters

match protocol msn-im yahoo-im

  drop-connection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

policy-map type inspect http P2P_HTTP

parameters

match request uri regex _default_gator

  drop-connection log

match request uri regex _default_x-kazaa-network

  drop-connection log

policy-map IM_P2P

class imblock

  inspect im impolicy

class P2P

  inspect http P2P_HTTP

!

service-policy global_policy global

service-policy IM_P2P interface inside

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893

: end

Site2 (172.18.2.0/24) Clients1 (172.255.2.0/24)

ASA Version 8.2(1)

!

names

name 172.18.2.2 UKserver

!

interface Vlan1

nameif inside

security-level 100

ip address 172.18.2.1 255.255.255.0

!

interface Vlan2

nameif GuestWiFi

security-level 0

ip address 192.168.2.1 255.255.255.0

!

interface Vlan3

nameif outside

security-level 0

ip address site2 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 3

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport trunk allowed vlan 1-2

switchport trunk native vlan 2

switchport mode trunk

speed 100

duplex full

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

same-security-traffic permit intra-interface

access-list USER_VPN extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0

access-list USER_VPN extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0

access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0

access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0

access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0

access-list Outside_2_Inside extended permit tcp any host otherhost eq smtp

access-list Outside_2_Inside extended permit tcp any host otherhost eq pop3

access-list Outside_2_Inside extended permit tcp any host otherhost eq imap4

access-list Outside_2_Inside extended permit tcp any host otherhost eq www

access-list Outside_2_Inside extended permit tcp any host otherhost eq https

access-list Outside_2_Inside extended permit tcp any host otherhost eq ldap

access-list Outside_2_Inside extended permit tcp any host otherhost eq ldaps

access-list Outside_2_Inside extended permit tcp any host otherhost eq nntp

access-list Outside_2_Inside extended permit tcp any host otherhost eq 135

access-list Outside_2_Inside extended permit tcp any host otherhost eq 102

access-list Outside_2_Inside extended permit tcp any host otherhost eq 390

access-list Outside_2_Inside extended permit tcp any host otherhost eq 3268

access-list Outside_2_Inside extended permit tcp any host otherhost eq 3269

access-list Outside_2_Inside extended permit tcp any host otherhost eq 993

access-list Outside_2_Inside extended permit tcp any host otherhost eq 995

access-list Outside_2_Inside extended permit tcp any host otherhost eq 563

access-list Outside_2_Inside extended permit tcp any host otherhost eq 465

access-list Outside_2_Inside extended permit tcp any host otherhost eq 691

access-list Outside_2_Inside extended permit tcp any host otherhost eq 6667

access-list Outside_2_Inside extended permit tcp any host otherhost eq 994

access-list Outside_2_Inside extended permit icmp any any echo

access-list Outside_2_Inside extended permit icmp any any echo-reply

access-list Outside_2_Inside extended permit tcp any host site2 eq smtp

access-list Outside_2_Inside extended permit tcp any host site2 eq pop3

access-list Outside_2_Inside extended permit tcp any host site2 eq imap4

access-list Outside_2_Inside extended permit tcp any host site2 eq www

access-list Outside_2_Inside extended permit tcp any host site2 eq https

access-list Outside_2_Inside extended permit tcp any host site2 eq ldap

access-list Outside_2_Inside extended permit tcp any host site2 eq ldaps

access-list Outside_2_Inside extended permit tcp any host site2 eq nntp

access-list Outside_2_Inside extended permit tcp any host site2 eq 135

access-list Outside_2_Inside extended permit tcp any host site2 eq 102

access-list Outside_2_Inside extended permit tcp any host site2 eq 390

access-list Outside_2_Inside extended permit tcp any host site2 eq 3268

access-list Outside_2_Inside extended permit tcp any host site2 eq 3269

access-list Outside_2_Inside extended permit tcp any host site2 eq 993

access-list Outside_2_Inside extended permit tcp any host site2 eq 995

access-list Outside_2_Inside extended permit tcp any host site2 eq 563

access-list Outside_2_Inside extended permit tcp any host site2 eq 465

access-list Outside_2_Inside extended permit tcp any host site2 eq 691

access-list Outside_2_Inside extended permit tcp any host site2 eq 6667

access-list Outside_2_Inside extended permit tcp any host site2 eq 994

access-list Outside_2_Inside extended permit tcp any host site2 eq sip

access-list Outside_2_Inside extended permit tcp any host site2 range 8000 8005

access-list Outside_2_Inside extended permit udp any host site2 range 8000 8005

access-list Outside_2_Inside extended permit udp any host site2 eq sip

access-list Outside_2_Inside extended deny tcp any any log

access-list Outside_2_Inside extended deny udp any any log

access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0

access-list Split_Tunnel_List remark Networks to allow over VPN

access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0

access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0

access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0

access-list Split_Tunnel_List standard permit 10.0.254.0 255.255.255.0

pager lines 20

logging enable

logging monitor debugging

logging buffered debugging

logging asdm informational

logging debug-trace

mtu inside 1500

mtu GuestWiFi 1500

mtu outside 1500

ip local pool ClientVPN 172.255.2.100-172.255.2.124

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.18.2.0 255.255.255.0

nat (GuestWiFi) 2 192.168.2.0 255.255.255.0

static (inside,outside) tcp interface smtp UKserver smtp netmask 255.255.255.255

static (inside,outside) tcp interface pop3 UKserver pop3 netmask 255.255.255.255

static (inside,outside) tcp interface imap4 UKserver imap4 netmask 255.255.255.255

static (inside,outside) tcp interface www UKserver www netmask 255.255.255.255

static (inside,outside) tcp interface https UKserver https netmask 255.255.255.255

static (inside,outside) tcp interface ldap UKserver ldap netmask 255.255.255.255

static (inside,outside) tcp interface ldaps UKserver ldaps netmask 255.255.255.255

static (inside,outside) tcp interface nntp UKserver nntp netmask 255.255.255.255

static (inside,outside) tcp interface 135 UKserver 135 netmask 255.255.255.255

static (inside,outside) tcp interface 102 UKserver 102 netmask 255.255.255.255

static (inside,outside) tcp interface 390 UKserver 390 netmask 255.255.255.255

static (inside,outside) tcp interface 3268 UKserver 3268 netmask 255.255.255.255

static (inside,outside) tcp interface 3269 UKserver 3269 netmask 255.255.255.255

static (inside,outside) tcp interface 993 UKserver 993 netmask 255.255.255.255

static (inside,outside) tcp interface 995 UKserver 995 netmask 255.255.255.255

static (inside,outside) tcp interface 563 UKserver 563 netmask 255.255.255.255

static (inside,outside) tcp interface 465 UKserver 465 netmask 255.255.255.255

static (inside,outside) tcp interface 691 UKserver 691 netmask 255.255.255.255

static (inside,outside) tcp interface 6667 UKserver 6667 netmask 255.255.255.255

static (inside,outside) tcp interface 994 UKserver 994 netmask 255.255.255.255

access-group Outside_2_Inside in interface outside

route outside 0.0.0.0 0.0.0.0 87.224.93.53 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server vpn protocol radius

aaa-server vpn (inside) host UKserver

key *****

aaa authentication ssh console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set trans_set esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set trans_set

crypto dynamic-map DYN_MAP 20 set reverse-route

crypto map outside_map 20 match address VPN-USA

crypto map outside_map 20 set peer othersite2 site1

crypto map outside_map 20 set transform-set trans_set

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 28800

crypto isakmp policy 20

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

telnet timeout 5

ssh timeout 25

console timeout 0

dhcpd dns UKserver 8.8.8.8

!

dhcpd address 172.18.2.100-172.18.2.149 inside

dhcpd enable inside

!

dhcpd address 192.168.2.50-192.168.2.74 GuestWiFi

dhcpd enable GuestWiFi

!

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy USER_VPN internal

group-policy USER_VPN attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

user-authentication enable

tunnel-group othersite2 type ipsec-l2l

tunnel-group othersite2 ipsec-attributes

pre-shared-key *

tunnel-group USER_VPN type remote-access

tunnel-group USER_VPN general-attributes

address-pool ClientVPN

authentication-server-group (outside) vpn

default-group-policy USER_VPN

tunnel-group USER_VPN ipsec-attributes

pre-shared-key *

tunnel-group site1 type ipsec-l2l

tunnel-group site1 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d000c75c8864547dfabaf3652d81be71

: end
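As an added example that is not part of the thread, the script below reads the pieces of two ASA 8.2 configs that decide whether a flow is encrypted (crypto-map ACLs, nat 0 exemption lists, client pools) and reports two things: crypto-ACL entries with no mirror on the peer, and flows with no NAT exemption on the interface the packet enters (outside for hairpinned VPN-client sources, inside for LAN sources). The excerpts are constructed from the posted configs, with VPN-UK as it appears in the later show output; it assumes the client pools are carved from a /24.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpts of the two configs posted above: only the lines the checks
# read. VPN-UK is shown as it appears in the later "show crypto ipsec sa" output.
SITE1_CFG = """
ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address VPN-UK
"""
SITE2_CFG = """
ip local pool ClientVPN 172.255.2.100-172.255.2.124
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address VPN-USA
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\d+\.\d+\.\d+\.\d+)-")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

Pair = Tuple[str, str]  # (source subnet, destination subnet) in CIDR form


@dataclass
class SiteConfig:
    acls: Dict[str, List[Pair]] = field(default_factory=dict)
    nat0: Dict[str, str] = field(default_factory=dict)      # interface -> exemption ACL
    pools: List[str] = field(default_factory=list)          # VPN client pool subnets
    crypto_acls: List[str] = field(default_factory=list)    # ACLs referenced by crypto maps

    def crypto_pairs(self) -> List[Pair]:
        return [p for name in self.crypto_acls for p in self.acls.get(name, [])]


def _net(addr: str, mask: str) -> str:
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_config(cfg: str) -> SiteConfig:
    site = SiteConfig()
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            site.acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            site.nat0[m[1]] = m[2]
        elif m := POOL_RE.match(line):
            site.pools.append(_net(m[1], "24"))  # assumption: pools are carved from a /24
        elif m := MATCH_RE.match(line):
            site.crypto_acls.append(m[1])
    return site


def check_mirror(local: SiteConfig, remote: SiteConfig) -> List[str]:
    """Each proxy identity must appear reversed on the peer; otherwise the flow can
    only come up through the peer's dynamic map, and only if this side initiates."""
    remote_pairs = set(remote.crypto_pairs())
    return [f"no mirror on peer for {src} -> {dst}"
            for src, dst in local.crypto_pairs() if (dst, src) not in remote_pairs]


def check_nat_exempt(site: SiteConfig) -> List[str]:
    """With nat-control, an encrypted flow needs a nat 0 exemption on the interface
    the packet enters: inside for LAN sources, outside for VPN-client sources,
    whose hairpinned packets arrive on outside and leave on outside again."""
    exempt = {iface: set(site.acls.get(acl, [])) for iface, acl in site.nat0.items()}
    findings = []
    for src, dst in site.crypto_pairs():
        iface = "outside" if src in site.pools else "inside"
        if (src, dst) not in exempt.get(iface, set()):
            findings.append(f"no nat ({iface}) 0 exemption for {src} -> {dst}")
    return findings


def audit(site1_cfg: str, site2_cfg: str) -> Dict[str, List[str]]:
    s1, s2 = parse_config(site1_cfg), parse_config(site2_cfg)
    return {"site1 mirror": check_mirror(s1, s2), "site2 mirror": check_mirror(s2, s1),
            "site1 nat0": check_nat_exempt(s1), "site2 nat0": check_nat_exempt(s2)}


if __name__ == "__main__":
    for section, findings in audit(SITE1_CFG, SITE2_CFG).items():
        print(section + ":", findings or "ok")
```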

I added access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
like you said and it did not fix it.

Hi,

To me it seems that most if not all of the configurations should be there already.

Can you reconnect with the VPN Client to the Site 2 ASA and generate traffic to the Site 1 network and different hosts on that LAN network?

Then check and share the output of this command from the Site 1 ASA so we can see if there is any traffic coming from Site 2 to Site 1.

show crypto ipsec sa peer

Remember to mask the public IP addresses in the output.

- Jouni

CSI-Corp# show crypto ipsec sa peer site2

peer address: site2

    Crypto map tag: outside_map, seq num: 20, local addr: site1

      access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)

      current_peer: site2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: site1, remote crypto endpt.: site2

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 139A5D52

      current inbound spi : A94C48E7

    inbound esp sas:

      spi: 0xA94C48E7 (2840348903)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/27779)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x139A5D52 (328883538)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/27779)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 20, local addr: site1

      access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)

      current_peer: site2

      #pkts encaps: 5009902, #pkts encrypt: 5009902, #pkts digest: 5009902

      #pkts decaps: 4774224, #pkts decrypt: 4774224, #pkts verify: 4774224

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5009902, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 73468

      #send errors: 0, #recv errors: 0

      local crypto endpt.: site1, remote crypto endpt.: site2

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 8721C911

      current inbound spi : 9CE76A79

    inbound esp sas:

      spi: 0x9CE76A79 (2632411769)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3913274/25051)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x8721C911 (2267138321)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3908143/25051)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 20, local addr: site1

      access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)

      current_peer: site2

      #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221

      #pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 221, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: site1, remote crypto endpt.: site2

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: FC60F15E

      current inbound spi : 443946EE

    inbound esp sas:

      spi: 0x443946EE (1144604398)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914996/25305)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x7FFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xFC60F15E (4234211678)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914987/25305)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

I ran this while I had 2 pings running to different hosts.

Hi,

As you can see, the very first output of that command lists the Site 1 LAN network and the Site 2 VPN Pool.

The SA on the L2L VPN has been formed but there has been no traffic through the L2L VPN from Site 2 to Site 1.

So this would point to a problem on the Site 2 ASA still.

- Jouni
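The reading Jouni does by eye above (an SA whose counters are all zero has never carried traffic; one with encaps but no decaps is being encrypted on this side and never answered) can be automated. The parser below is an added example, not part of the thread: it splits "show crypto ipsec sa" output into per-proxy-identity blocks, classifies each by its counters, and also flags site-to-site identities that came up on a dynamic map rather than a static crypto ACL entry. The samples are constructed from the outputs posted in this thread, with the third Site 1 SA altered to decaps 0 so it shows a pure one-way flow.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed samples modelled on the "show crypto ipsec sa" output in this thread
# (public addresses masked as the poster did). SITE1_SA follows the Site 1 output,
# with the third SA altered to decaps 0; SITE2_SA is the Site 2 block that was
# built on the dynamic map.
SITE1_SA = """
    Crypto map tag: outside_map, seq num: 20, local addr: site1
      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
      current_peer: site2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: outside_map, seq num: 20, local addr: site1
      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
      current_peer: site2
      #pkts encaps: 5009902, #pkts encrypt: 5009902, #pkts digest: 5009902
      #pkts decaps: 4774224, #pkts decrypt: 4774224, #pkts verify: 4774224
    Crypto map tag: outside_map, seq num: 20, local addr: site1
      local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
      current_peer: site2
      #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SITE2_SA = """
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: site2
      local ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
      current_peer: site1
      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
      #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
"""

TAG_RE = re.compile(r"Crypto map tag: (\S+),")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


@dataclass
class SaStat:
    crypto_map: str
    local: str
    remote: str
    encaps: int
    decaps: int

    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps == 0:
            return "idle"          # SA negotiated, but no interesting traffic matched it here
        if self.decaps == 0:
            return "send-only"     # we encrypt, nothing comes back: look at the far side
        if self.encaps == 0:
            return "receive-only"  # we decrypt but never encrypt: local routing or NAT
        return "two-way"


def parse_ipsec_sa(text: str) -> List[SaStat]:
    """Split the output at each 'Crypto map tag:' line and pull the counters out."""
    stats: List[SaStat] = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        tag, enc, dec = TAG_RE.search(block), ENCAPS_RE.search(block), DECAPS_RE.search(block)
        idents = dict(IDENT_RE.findall(block))
        if not (tag and enc and dec and "local" in idents and "remote" in idents):
            continue  # leading whitespace or a truncated block
        stats.append(SaStat(tag[1], idents["local"], idents["remote"], int(enc[1]), int(dec[1])))
    return stats


def troubled_sas(text: str, dynamic_maps: Iterable[str] = ()) -> List[str]:
    """Report SAs that need attention: idle or one-way counters, and proxy identities
    that were only matched by a dynamic map (no static crypto ACL entry on this side)."""
    dyn = set(dynamic_maps)
    notes = []
    for s in parse_ipsec_sa(text):
        flow = f"{s.local} -> {s.remote}"
        if s.verdict() != "two-way":
            notes.append(f"{flow}: {s.verdict()} (encaps {s.encaps}, decaps {s.decaps})")
        if s.crypto_map in dyn:
            notes.append(f"{flow}: built on dynamic map {s.crypto_map}, no static crypto ACL entry")
    return notes
```

The dynamic-map names come from the device's `crypto dynamic-map` lines; both posted configs use outside_dyn_map.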

I guess you could check the following on the Site 2 ASA:

show crypto ipsec sa peer

show crypto ipsec sa peer user

or

show crypto ipsec sa peer

Or some other variant of the command to confirm if the traffic from the client computer is at least coming from the VPN Client to the Site 2 ASA.

In what network is the host connected that is trying to use the VPN Client? I am just wondering if you are connected locally to the network in either of these LANs, which could throw off the routing/traffic forwarding.

- Jouni

Ariel,

Please ping the output from Site two

Run a continuous ping from only one site, that is the VPN client which is connected to Site A; from that server ping something in 172.18.2.x (a continuous one).

1. show crypto ipsec sa peer site2 | beg 10.0.254.0

---------------------------

This shows that the packets are getting encrypted from site A but nothing is coming back; the issue is at site B.

      access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)

      current_peer: site2

      #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221

      #pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 221, #pkts comp failed: 0, #pkts decomp failed: 0

Ran this from site1 while pinging 172.18.2.2

     show crypto ipsec sa peer site2 | beg 10.0.254.0

      access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)

      current_peer: site2

      #pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59

      #pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 59, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 74.213.51.130, remote crypto endpt.: 87.224.93.54

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 7A97105B

      current inbound spi : 579EBE3D

    inbound esp sas:

      spi: 0x579EBE3D (1470021181)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914996/28703)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x03FFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x7A97105B (2056720475)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914996/28701)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Ariel

Seems like some confusion here.

Before you start anything please run this command to clear the counters: clear crypto ipsec sa counter on both ASAs. This will not affect anything.

Questions:

1. Can you ping from 172.17.2.x to 172.18.2.x?

2. Can you ping from 10.0.254.x to 172.18.2.x?

3. If you initiate the ping from the VPN client, i.e. 10.0.254.x, to 172.18.2.x, what is the output of show crypto ipsec sa | beg 10.0.254.0 at Site B?

Questions:

1. Can you ping from 172.17.2.20 to 172.18.2.2? No

2. Can you ping from 10.0.254.x to 172.18.2.x? Yes

3. If you initiate the ping from the VPN client, i.e. 10.0.254.x, to 172.18.2.x, what is the output of show crypto ipsec sa | beg 10.0.254.0 at Site B? See below

     show crypto ipsec sa | beg 10.0.254.0

      remote ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)

      current_peer: site1

      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29

      #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: site2, remote crypto endpt.: site1

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 579EBE3D

    inbound esp sas:

      spi: 0x7A97105B (2056720475)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 73728, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (kB/sec): (4373875/26616)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x579EBE3D (1470021181)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 73728, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (kB/sec): (4373875/26612)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 87.224.93.54

      local ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      current_peer: 74.213.51.130

      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29

      #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 87.224.93.54, remote crypto endpt.: 74.213.51.130

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 9CE76A79

    inbound esp sas:

      spi: 0x8721C911 (2267138321)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 73728, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (kB/sec): (4364173/20770)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x9CE76A79 (2632411769)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 73728, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (kB/sec): (4371346/20769)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 87.224.93.54

      access-list VPN-USA permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      current_peer: 74.213.51.130

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 87.224.93.54, remote crypto endpt.: 74.213.51.130

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 7CF13256

    inbound esp sas:

      spi: 0x6E6C1F33 (1852579635)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 73728, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (kB/sec): (4374000/27545)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x7CF13256 (2096181846)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 73728, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (kB/sec): (4374000/27545)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Hi,

As Rohit Raj said,

There might be some misunderstandings here.

Can you confirm the networks between which there are problems with connectivity? (List the actual networks.)

I understood that you weren't able to connect from the Site 2 VPN Pool 172.255.2.0/24 to the Site 1 network 172.17.2.0/24?

If this is true, then it seems to me that the above screen captures show a situation where you are actually connected to the Site 1 VPN, since I can see addresses from its VPN Pool (10.0.254.0/24).

- Jouni

Here are the ping tests.

10.0.254.x to 172.17.2.x Works

10.0.254.x to 172.18.2.x Works

172.17.2.x to 172.18.2.x Fails

172.255.2.x to 172.18.2.x Works

172.255.2.x to 172.17.2.x Fails

DCSI-UK-5505# show crypto ipsec sa peer myip

peer address: myip

    Crypto map tag: outside_dyn_map, seq num: 20, local addr: site2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (172.255.2.118/255.255.255.255/0/0)

      current_peer: myip, username: myname

      dynamic allocated peer ip: 172.255.2.118

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: site2/4500, remote crypto endpt.: 12.228.116.98/17344

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 5E85DB78

    inbound esp sas:

      spi: 0xEA39740D (3929633805)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 700416, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 3550

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x0000003F

    outbound esp sas:

      spi: 0x5E85DB78 (1585830776)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 700416, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 3550

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

I am in a different location, SSH'd into the ASAs. I have a VPN client connection that I can connect to either site.

Hi,

That output seems to me to point to a situation where you are using Full Tunnel instead of Split Tunnel. Or I am just missing something.

Still, there only seems to be a really low amount of traffic arriving on the ASA (decapsulated = 3).

What does the VPN client computer's command prompt output of "route print" show?

Does the VPN Client's statistics and route section show "0.0.0.0 0.0.0.0", or does it list the networks in the Split Tunnel ACL?

- Jouni
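As an added example (not part of the original thread, and not Cisco's or any poster's code): a small Python parser for the kind of show crypto ipsec sa text pasted in the replies above. It splits the output into crypto-map entries, pulls out each entry's proxy identities, peer and encaps/decaps counters, and flags the three things Rohit and Jouni are reading off by eye: an SA with zero packets in both directions (the 172.255.2.0 -> 172.17.2.0 entry, which lines up with the failing ping), an SA where packets arrive but nothing is sent back (encaps 0 / decaps 3 on the remote-access SA), and a remote-access SA whose local ident is 0.0.0.0/0.0.0.0, which is what a full tunnel rather than a split tunnel looks like. The sample text inside the block is a constructed, abbreviated copy of the output above; the field labels and their order follow what the 8.2 ASA printed in this thread, and the parser has only been checked against that format.

```python
"""Summarise Cisco ASA 'show crypto ipsec sa' output and flag suspect SAs.

Added example for this thread, not from the original posts or from Cisco.
Assumes the 8.2-style text layout seen above: each crypto-map entry starts
with a 'Crypto map tag:' line and is followed by its identities, counters and
'in use settings' lines.
"""
import re
from dataclasses import dataclass

# Constructed sample: abbreviated from the output pasted in the thread.
SAMPLE = """\
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 87.224.93.54
      local ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
      current_peer: 74.213.51.130
      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
      #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    inbound esp sas:
      spi: 0x8721C911 (2267138321)
         in use settings ={L2L, Tunnel, }
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 87.224.93.54
      local ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
      current_peer: 74.213.51.130
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0x6E6C1F33 (1852579635)
         in use settings ={L2L, Tunnel, }
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: site2
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.255.2.118/255.255.255.255/0/0)
      current_peer: myip, username: myname
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    inbound esp sas:
      spi: 0xEA39740D (3929633805)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer: ([^,\s]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
SETTINGS_RE = re.compile(r"in use settings =\{(\w+),")


@dataclass
class SaEntry:
    local_ident: str   # protected network on this ASA's side (addr/mask/prot/port)
    remote_ident: str  # protected network on the peer's side
    peer: str
    encaps: int        # packets this ASA encrypted and sent into the SA
    decaps: int        # packets this ASA received and decrypted from the SA
    sa_type: str       # "L2L" (site-to-site), "RA" (remote access) or "unknown"

    @property
    def full_tunnel(self) -> bool:
        # A remote-access SA whose local side is 0.0.0.0/0.0.0.0 carries all
        # client traffic, i.e. no split-tunnel ACL was applied to the client.
        return self.sa_type == "RA" and self.local_ident.startswith("0.0.0.0/0.0.0.0")


def parse_ipsec_sa(text: str) -> list:
    """Split the output on 'Crypto map tag:' lines and extract one SaEntry per entry."""
    entries = []
    chunks = re.split(r"^\s*Crypto map tag:", text, flags=re.M)[1:]
    for chunk in chunks:
        idents = dict(IDENT_RE.findall(chunk))
        peer = PEER_RE.search(chunk)
        enc = ENCAPS_RE.search(chunk)
        dec = DECAPS_RE.search(chunk)
        settings = SETTINGS_RE.search(chunk)
        entries.append(SaEntry(
            local_ident=idents.get("local", "?"),
            remote_ident=idents.get("remote", "?"),
            peer=peer.group(1) if peer else "?",
            encaps=int(enc.group(1)) if enc else 0,
            decaps=int(dec.group(1)) if dec else 0,
            sa_type=settings.group(1) if settings else "unknown",
        ))
    return entries


def findings(entries: list) -> list:
    """Return human-readable flags for SAs worth a closer look."""
    notes = []
    for e in entries:
        pair = f"{e.local_ident} -> {e.remote_ident}"
        if e.encaps == 0 and e.decaps == 0:
            notes.append(f"NO TRAFFIC: {pair} (peer {e.peer}); check the crypto ACL and "
                         "NAT exemption for this pair on both ends")
        elif e.encaps == 0 or e.decaps == 0:
            notes.append(f"ONE-WAY: {pair} encaps={e.encaps} decaps={e.decaps}; "
                         "traffic enters the tunnel but nothing comes back")
        if e.full_tunnel:
            notes.append(f"FULL TUNNEL: RA client {e.remote_ident} has local ident "
                         "0.0.0.0/0.0.0.0, so the split-tunnel ACL is not in effect")
    return notes


if __name__ == "__main__":
    for note in findings(parse_ipsec_sa(SAMPLE)):
        print(note)
```

Paste the real output into SAMPLE (or read it from a file) and run the script on each ASA; an SA for the failing pair that shows zero encaps on both sides narrows the problem to the crypto ACL or NAT exemption on the sending side, while an SA with decaps but no encaps points at the return path.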

The route in blue is the Site 1 ASA.

VPN Client: I'm using Shrew Soft on Win8.

This was while I was connected to the US VPN.
