05-01-2013 06:47 AM
I have an ASA 5510 running 8.2(5) at Site1 and an ASA 5505 running 8.2(1) at Site2; they are set up with a site-to-site tunnel.
Each site has VPN clients that connect, and I would like to allow clients from both sides access to servers on the other side of the site-to-site tunnel.
I enabled same-security-traffic permit intra-interface. I also added the remote networks to the access-list that does the split tunneling.
I think that I'm doing something wrong with NAT, but I'm not sure; any help would be greatly appreciated.
Site1 (172.17.2.0/24) Clients1 (10.0.254.0/24)
ASA Version 8.2(5)
!
hostname site1
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address site1 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound remark US Client to UK Server
access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.123.0 255.255.255.0
access-list Split_Tunnel_List remark UK VPN Client Pool
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list outside-2-inside extended permit tcp any any eq smtp
access-list outside-2-inside extended permit tcp any any eq 82
access-list outside-2-inside extended permit tcp any any eq 81
access-list outside-2-inside extended permit tcp any any eq https
access-list outside-2-inside extended permit tcp any any eq imap4
access-list outside-2-inside extended permit tcp any any eq ldaps
access-list outside-2-inside extended permit tcp any any eq pop3
access-list outside-2-inside extended permit tcp any any eq www
access-list outside-2-inside extended permit tcp any any eq 5963
access-list outside-2-inside extended permit tcp any any eq ftp
access-list outside-2-inside extended permit tcp any any eq ftp-data
access-list outside-2-inside extended permit tcp any any eq 3389
access-list outside-2-inside extended deny tcp any any log
access-list outside-2-inside extended deny ip any any log
access-list outside-2-inside extended deny udp any any log
access-list VPN-CLIENTS extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 192.168.123.0 255.255.255.0
access-list VPNClient_splittunnel remark UK VPN Client Pool
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list outside_nat0_outbound remark AD 5/1/13
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 172.17.2.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 82 172.17.2.253 82 netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.123.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 172.17.2.10 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.17.2.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.19 www netmask 255.255.255.255
static (inside,outside) tcp interface 5963 172.17.2.108 5963 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 172.17.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 172.17.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.29 3389 netmask 255.255.255.255
access-group outside-2-inside in interface outside
route outside 0.0.0.0 0.0.0.0 74.213.51.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DCSI_Auth protocol radius
aaa-server DCSI_Auth (inside) host 172.17.2.29
key *****
aaa-server AD protocol nt
aaa-server AD (inside) host 172.16.1.211
aaa-server AD (inside) host 172.17.2.29
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec transform-set VPN-Client esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set VPN-Client
crypto map outside_map 20 match address VPN-UK
crypto map outside_map 20 set peer site2
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 30 match address VPN-Northwoods
crypto map outside_map 30 set peer othersite
crypto map outside_map 30 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNClients internal
group-policy VPNClients attributes
dns-server value 10.0.1.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient_splittunnel
default-domain value domain.local
user-authentication enable
tunnel-group VPNclient type remote-access
tunnel-group VPNclient general-attributes
address-pool VPNUserPool
authentication-server-group DCSI_Auth
default-group-policy VPNClients
tunnel-group VPNclient ipsec-attributes
pre-shared-key *****
tunnel-group othersite type ipsec-l2l
tunnel-group othersite ipsec-attributes
pre-shared-key *****
tunnel-group site2 type ipsec-l2l
tunnel-group site2 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map p2p
match port tcp eq www
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893
: end
Site2 (172.18.2.0/24) Clients1 (172.255.2.0/24)
ASA Version 8.2(1)
!
names
name 172.18.2.2 UKserver
!
interface Vlan1
nameif inside
security-level 100
ip address 172.18.2.1 255.255.255.0
!
interface Vlan2
nameif GuestWiFi
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address site2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1-2
switchport trunk native vlan 2
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list USER_VPN extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list USER_VPN extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list Outside_2_Inside extended permit tcp any host otherhost eq smtp
access-list Outside_2_Inside extended permit tcp any host otherhost eq pop3
access-list Outside_2_Inside extended permit tcp any host otherhost eq imap4
access-list Outside_2_Inside extended permit tcp any host otherhost eq www
access-list Outside_2_Inside extended permit tcp any host otherhost eq https
access-list Outside_2_Inside extended permit tcp any host otherhost eq ldap
access-list Outside_2_Inside extended permit tcp any host otherhost eq ldaps
access-list Outside_2_Inside extended permit tcp any host otherhost eq nntp
access-list Outside_2_Inside extended permit tcp any host otherhost eq 135
access-list Outside_2_Inside extended permit tcp any host otherhost eq 102
access-list Outside_2_Inside extended permit tcp any host otherhost eq 390
access-list Outside_2_Inside extended permit tcp any host otherhost eq 3268
access-list Outside_2_Inside extended permit tcp any host otherhost eq 3269
access-list Outside_2_Inside extended permit tcp any host otherhost eq 993
access-list Outside_2_Inside extended permit tcp any host otherhost eq 995
access-list Outside_2_Inside extended permit tcp any host otherhost eq 563
access-list Outside_2_Inside extended permit tcp any host otherhost eq 465
access-list Outside_2_Inside extended permit tcp any host otherhost eq 691
access-list Outside_2_Inside extended permit tcp any host otherhost eq 6667
access-list Outside_2_Inside extended permit tcp any host otherhost eq 994
access-list Outside_2_Inside extended permit icmp any any echo
access-list Outside_2_Inside extended permit icmp any any echo-reply
access-list Outside_2_Inside extended permit tcp any host site2 eq smtp
access-list Outside_2_Inside extended permit tcp any host site2 eq pop3
access-list Outside_2_Inside extended permit tcp any host site2 eq imap4
access-list Outside_2_Inside extended permit tcp any host site2 eq www
access-list Outside_2_Inside extended permit tcp any host site2 eq https
access-list Outside_2_Inside extended permit tcp any host site2 eq ldap
access-list Outside_2_Inside extended permit tcp any host site2 eq ldaps
access-list Outside_2_Inside extended permit tcp any host site2 eq nntp
access-list Outside_2_Inside extended permit tcp any host site2 eq 135
access-list Outside_2_Inside extended permit tcp any host site2 eq 102
access-list Outside_2_Inside extended permit tcp any host site2 eq 390
access-list Outside_2_Inside extended permit tcp any host site2 eq 3268
access-list Outside_2_Inside extended permit tcp any host site2 eq 3269
access-list Outside_2_Inside extended permit tcp any host site2 eq 993
access-list Outside_2_Inside extended permit tcp any host site2 eq 995
access-list Outside_2_Inside extended permit tcp any host site2 eq 563
access-list Outside_2_Inside extended permit tcp any host site2 eq 465
access-list Outside_2_Inside extended permit tcp any host site2 eq 691
access-list Outside_2_Inside extended permit tcp any host site2 eq 6667
access-list Outside_2_Inside extended permit tcp any host site2 eq 994
access-list Outside_2_Inside extended permit tcp any host site2 eq sip
access-list Outside_2_Inside extended permit tcp any host site2 range 8000 8005
access-list Outside_2_Inside extended permit udp any host site2 range 8000 8005
access-list Outside_2_Inside extended permit udp any host site2 eq sip
access-list Outside_2_Inside extended deny tcp any any log
access-list Outside_2_Inside extended deny udp any any log
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List remark Networks to allow over VPN
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.254.0 255.255.255.0
pager lines 20
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
logging debug-trace
mtu inside 1500
mtu GuestWiFi 1500
mtu outside 1500
ip local pool ClientVPN 172.255.2.100-172.255.2.124
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.2.0 255.255.255.0
nat (GuestWiFi) 2 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface smtp UKserver smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 UKserver pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 UKserver imap4 netmask 255.255.255.255
static (inside,outside) tcp interface www UKserver www netmask 255.255.255.255
static (inside,outside) tcp interface https UKserver https netmask 255.255.255.255
static (inside,outside) tcp interface ldap UKserver ldap netmask 255.255.255.255
static (inside,outside) tcp interface ldaps UKserver ldaps netmask 255.255.255.255
static (inside,outside) tcp interface nntp UKserver nntp netmask 255.255.255.255
static (inside,outside) tcp interface 135 UKserver 135 netmask 255.255.255.255
static (inside,outside) tcp interface 102 UKserver 102 netmask 255.255.255.255
static (inside,outside) tcp interface 390 UKserver 390 netmask 255.255.255.255
static (inside,outside) tcp interface 3268 UKserver 3268 netmask 255.255.255.255
static (inside,outside) tcp interface 3269 UKserver 3269 netmask 255.255.255.255
static (inside,outside) tcp interface 993 UKserver 993 netmask 255.255.255.255
static (inside,outside) tcp interface 995 UKserver 995 netmask 255.255.255.255
static (inside,outside) tcp interface 563 UKserver 563 netmask 255.255.255.255
static (inside,outside) tcp interface 465 UKserver 465 netmask 255.255.255.255
static (inside,outside) tcp interface 691 UKserver 691 netmask 255.255.255.255
static (inside,outside) tcp interface 6667 UKserver 6667 netmask 255.255.255.255
static (inside,outside) tcp interface 994 UKserver 994 netmask 255.255.255.255
access-group Outside_2_Inside in interface outside
route outside 0.0.0.0 0.0.0.0 87.224.93.53 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host UKserver
key DCSI_vpn_Key07
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set trans_set
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto map outside_map 20 match address VPN-USA
crypto map outside_map 20 set peer othersite2 site1
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 25
console timeout 0
dhcpd dns UKserver 8.8.8.8
!
dhcpd address 172.18.2.100-172.18.2.149 inside
dhcpd enable inside
!
dhcpd address 192.168.2.50-192.168.2.74 GuestWiFi
dhcpd enable GuestWiFi
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy USER_VPN internal
group-policy USER_VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
user-authentication enable
tunnel-group othersite2 type ipsec-l2l
tunnel-group othersite2 ipsec-attributes
pre-shared-key *
tunnel-group USER_VPN type remote-access
tunnel-group USER_VPN general-attributes
address-pool ClientVPN
authentication-server-group (outside) vpn
default-group-policy USER_VPN
tunnel-group USER_VPN ipsec-attributes
pre-shared-key *
tunnel-group site1 type ipsec-l2l
tunnel-group site1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d000c75c8864547dfabaf3652d81be71
: end
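An added check, not part of the original post or of either ASA's configuration, that reads both configs and reports the two things a VPN-client-to-L2L hairpin depends on: that each flow in one side's crypto ACL for a given peer has the mirrored (dst, src) entry in the peer's crypto ACL for us, and that each flow has a NAT exemption on the interface where it actually enters the ASA (nat (outside) 0 for traffic sourced from the VPN client pool, as the Site 1 config already does for 10.0.254.0/24; nat (inside) 0 for LAN traffic). The config fragments are a constructed subset of the two configs above, with the two extra VPN-UK entries that appear in the Site 1 show output later in the thread; the pool networks are passed in explicitly because the 8.2 ip local pool line does not always carry a mask.

```python
"""Cross-check two ASA 8.2 peer configs for what a VPN-client-to-L2L hairpin
needs: mirror-image crypto ACLs per peer, and NAT exemption on the interface
the traffic actually enters.  Added example, not from the thread; the config
fragments are a constructed subset of the two configs posted above."""
import re
from ipaddress import IPv4Network

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse_acls(config):
    """{acl_name: {(src_net, dst_net)}} from 'extended permit ip' lines only."""
    acls = {}
    for line in config.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, set()).add(
                (IPv4Network(f"{s}/{sm}"), IPv4Network(f"{d}/{dm}")))
    return acls

def crypto_pairs(config, peer):
    """Flows selected by static crypto map entries whose 'set peer' names `peer`.
    The 'ipsec-isakmp dynamic' entry has no match address and is skipped: a flow
    that exists only via the dynamic map is built only when the other side initiates."""
    acls, match, peers = parse_acls(config), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := MATCH_RE.match(line):
            match[(m.group(1), m.group(2))] = m.group(3)
        elif m := PEER_RE.match(line):
            peers[(m.group(1), m.group(2))] = m.group(3).split()
    pairs = set()
    for entry, acl in match.items():
        if peer in peers.get(entry, []):
            pairs |= acls.get(acl, set())
    return pairs

def nat0_pairs(config):
    """{interface: {(src, dst)}} exempted from NAT by 'nat (if) 0 access-list'."""
    acls, out = parse_acls(config), {}
    for line in config.splitlines():
        if m := NAT0_RE.match(line.strip()):
            out.setdefault(m.group(1), set()).update(acls.get(m.group(2), set()))
    return out

def mirror_gaps(local_cfg, local_peer, remote_cfg, remote_peer):
    """Flows in our crypto ACL for `local_peer` with no mirrored (dst, src) entry in
    the peer's crypto ACL for `remote_peer` (its name for us).  Proxy IDs must match."""
    remote = crypto_pairs(remote_cfg, remote_peer)
    return sorted((str(s), str(d)) for s, d in crypto_pairs(local_cfg, local_peer)
                  if (d, s) not in remote)

def nat_exempt_gaps(config, peer, pool_nets, inside="inside", outside="outside"):
    """Crypto-selected flows lacking a NAT exemption on their ingress interface.
    A VPN client source enters on outside and is hairpinned back out, so it needs
    'nat (outside) 0'; LAN sources need 'nat (inside) 0'.  With nat-control and
    'global (outside) 1 interface', an unexempted flow is PATed and no longer matches."""
    exempt = nat0_pairs(config)
    gaps = []
    for s, d in sorted(crypto_pairs(config, peer), key=lambda p: (str(p[0]), str(p[1]))):
        ingress = outside if any(s.subnet_of(p) for p in pool_nets) else inside
        if (s, d) not in exempt.get(ingress, set()):
            gaps.append((ingress, str(s), str(d)))
    return gaps

# Constructed subset of the Site 1 config (VPN-UK includes the two entries that
# appear in the Site 1 'show crypto ipsec sa' output later in the thread).
SITE1 = """\
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address VPN-UK
crypto map outside_map 20 set peer site2
crypto map outside_map 30 match address VPN-Northwoods
crypto map outside_map 30 set peer othersite
"""
# Constructed subset of the Site 2 config.
SITE2 = """\
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address VPN-USA
crypto map outside_map 20 set peer othersite2 site1
"""
POOL1 = [IPv4Network("10.0.254.0/24")]   # Site 1 VPNUserPool
POOL2 = [IPv4Network("172.255.2.0/24")]  # Site 2 ClientVPN pool

if __name__ == "__main__":
    print("Site 1 flows with no mirror on Site 2:", mirror_gaps(SITE1, "site2", SITE2, "site1"))
    print("Site 2 flows with no mirror on Site 1:", mirror_gaps(SITE2, "site1", SITE1, "site2"))
    print("Site 1 NAT exemption gaps:", nat_exempt_gaps(SITE1, "site2", POOL1))
    print("Site 2 NAT exemption gaps:", nat_exempt_gaps(SITE2, "site1", POOL2))
```

On this fragment the script reports that Site 2's static crypto entry has no mirror for 172.18.2.0/24 to 172.17.2.0/24 or for 172.18.2.0/24 to 10.0.254.0/24 (Site 2 can only accept those flows through its dynamic map, so it cannot initiate them), that Site 1 has no nat (inside) 0 entry for 172.17.2.0/24 to 172.255.2.0/24, and that Site 2 has no nat (outside) 0 entry for its own pool. That is what the check finds in the constructed subset, not a conclusion the thread had reached at this point. The peer filter matters: VPN-Northwoods belongs to a different peer and must not be counted as a Site 2 gap.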
05-01-2013 07:55 AM
I added access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0 like you said, and it did not fix it.
05-01-2013 08:00 AM
Hi,
To me it seems that most, if not all, of the configuration should already be there.
Can you reconnect with the VPN Client to the Site 2 ASA and generate traffic to the Site 1 network and to different hosts on that LAN?
Then check and share the output of this command from the Site 1 ASA, so we can see if any traffic is coming from Site 2 to Site 1:
show crypto ipsec sa peer
Remember to mask the public IP addresses in the output
- Jouni
05-01-2013 08:11 AM
CSI-Corp# show crypto ipsec sa peer site2
peer address: site2
Crypto map tag: outside_map, seq num: 20, local addr: site1
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
current_peer: site2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: site1, remote crypto endpt.: site2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 139A5D52
current inbound spi : A94C48E7
inbound esp sas:
spi: 0xA94C48E7 (2840348903)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27779)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x139A5D52 (328883538)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27779)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 20, local addr: site1
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
current_peer: site2
#pkts encaps: 5009902, #pkts encrypt: 5009902, #pkts digest: 5009902
#pkts decaps: 4774224, #pkts decrypt: 4774224, #pkts verify: 4774224
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5009902, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 73468
#send errors: 0, #recv errors: 0
local crypto endpt.: site1, remote crypto endpt.: site2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8721C911
current inbound spi : 9CE76A79
inbound esp sas:
spi: 0x9CE76A79 (2632411769)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913274/25051)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x8721C911 (2267138321)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3908143/25051)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 20, local addr: site1
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
current_peer: site2
#pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
#pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 221, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: site1, remote crypto endpt.: site2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: FC60F15E
current inbound spi : 443946EE
inbound esp sas:
spi: 0x443946EE (1144604398)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/25305)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x7FFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xFC60F15E (4234211678)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914987/25305)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I ran this while I had 2 pings running to different hosts.
05-01-2013 08:17 AM
Hi,
As you can see, the very first output of that command lists the Site 1 LAN network and the Site 2 VPN pool.
The SA on the L2L VPN has been formed, but there has been no traffic through the L2L VPN from Site 2 to Site 1.
So this would still point to a problem on the Site 2 ASA.
- Jouni
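The counter reading being done by hand in this thread, as an added example that was not posted by anyone in it: a small parser that splits show crypto ipsec sa output into one record per proxy-ID pair and, for each flow you expect to exist, says whether no phase 2 SA exists at all, the SA is up but idle (nothing on this side matched the crypto ACL), or traffic is moving in one direction only. The first sample is a trimmed copy of the Site 1 output above; the second mimics output cut with | begin, which loses the Crypto map tag header of its first block. The 192.168.123.0/24 flow in the expected list is there only to show the "no SA" case.

```python
"""Triage 'show crypto ipsec sa' from an ASA 8.2: for each flow you expect,
report whether no phase 2 SA exists, the SA is up but idle, or traffic moves
in one direction only.  Added example, not posted in the thread; the first
sample is a trimmed copy of the Site 1 output above, the second mimics the
Site 2 output cut with '| begin', which loses the first block's header."""
import re
from ipaddress import IPv4Network

TAG_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def _new_sa():
    return {"tag": None, "local": None, "remote": None, "encaps": None, "decaps": None}


def parse_ipsec_sa(text):
    """One record per proxy-ID pair.  A record starts at each 'Crypto map tag:'
    header, or at an ident line when there is no open record or the open one
    already has its counters (the header-less first block of '| begin' output)."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TAG_RE.search(line):
            cur = _new_sa()
            cur["tag"] = m.group(1)
            sas.append(cur)
        elif m := IDENT_RE.search(line):
            if cur is None or cur["encaps"] is not None:
                cur = _new_sa()
                sas.append(cur)
            cur[m.group(1)] = str(IPv4Network(f"{m.group(2)}/{m.group(3)}"))
        elif cur is not None and (m := ENCAPS_RE.search(line)):
            cur["encaps"] = int(m.group(1))
        elif cur is not None and (m := DECAPS_RE.search(line)):
            cur["decaps"] = int(m.group(1))
    return sas


def direction(sa):
    """What the counters say about this SA from this ASA's point of view."""
    enc, dec = sa["encaps"] or 0, sa["decaps"] or 0
    if enc == 0 and dec == 0:
        return "idle"            # SA negotiated, but nothing here matched the crypto ACL
    if dec == 0:
        return "egress-only"     # we encrypt; the peer sends nothing back on this SA
    if enc == 0:
        return "ingress-only"    # the peer sends; our replies never reach this SA
    return "bidirectional"


def triage(text, expected_flows):
    """expected_flows: [(local_net, remote_net)] as CIDR strings -> {flow: verdict}."""
    by_flow = {(sa["local"], sa["remote"]): sa for sa in parse_ipsec_sa(text)}
    return {flow: (direction(by_flow[flow]) if flow in by_flow else "no SA")
            for flow in expected_flows}


# Trimmed from the Site 1 'show crypto ipsec sa peer site2' output in the thread.
SITE1_OUTPUT = """\
Crypto map tag: outside_map, seq num: 20, local addr: site1
  access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
  local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_map, seq num: 20, local addr: site1
  local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
  #pkts encaps: 5009902, #pkts encrypt: 5009902, #pkts digest: 5009902
  #pkts decaps: 4774224, #pkts decrypt: 4774224, #pkts verify: 4774224
Crypto map tag: outside_map, seq num: 20, local addr: site1
  local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
  #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
  #pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62
"""
# Mimics '... | beg 10.0.254.0' on Site 2: the first block has no header line.
SITE2_OUTPUT = """\
remote ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
Crypto map tag: outside_dyn_map, seq num: 20, local addr: site2
local ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
EXPECTED_SITE1 = [("172.17.2.0/24", "172.255.2.0/24"), ("172.17.2.0/24", "172.18.2.0/24"),
                  ("10.0.254.0/24", "172.18.2.0/24"), ("172.17.2.0/24", "192.168.123.0/24")]

if __name__ == "__main__":
    for flow, verdict in triage(SITE1_OUTPUT, EXPECTED_SITE1).items():
        print(f"{flow[0]:>16} -> {flow[1]:<16} {verdict}")
```

The verdicts are per side: "idle" on Site 1's 172.17.2.0/24 to 172.255.2.0/24 entry means Site 1 never encrypted a packet for that pair, so the next place to look is whatever should have produced or answered such a packet, which is where the reply above points. Because the counters are cumulative, run the parser on a snapshot taken right after a test ping (or after clearing the counters) so that old traffic on the busy LAN-to-LAN pair does not mask a flow that is currently dead.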
05-01-2013 08:24 AM
I guess you could check the following on the Site 2 ASA:
show crypto ipsec sa peer
show crypto ipsec sa peer user
or
show crypto ipsec sa peer
Or some other variant of the command, to confirm that the traffic from the client computer is at least coming from the VPN Client to the Site 2 ASA.
In what network is the host connected that is trying to use the VPN Client? I am just wondering if you are connected locally to either of these LANs, which could throw off the routing/traffic forwarding.
- Jouni
05-01-2013 08:29 AM
Ariel,
Please post the output from Site 2.
Run a continuous ping from only one site, that is, the VPN client which is connected to Site A; from that server, ping something in 172.18.2.x (a continuous one).
1. show crypto ipsec sa peer site2 | beg 10.0.254.0
---------------------------
This shows that the packet is getting encrypted from Site A but nothing is coming back; the issue is at Site B.
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
current_peer: site2
#pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
#pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 221, #pkts comp failed: 0, #pkts decomp failed: 0
05-01-2013 08:47 AM
Ran this from site1 while pinging 172.18.2.2
show crypto ipsec sa peer site2 | beg 10.0.254.0
access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
current_peer: site2
#pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
#pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 59, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 74.213.51.130, remote crypto endpt.: 87.224.93.54
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7A97105B
current inbound spi : 579EBE3D
inbound esp sas:
spi: 0x579EBE3D (1470021181)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/28703)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x03FFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7A97105B (2056720475)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/28701)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-01-2013 09:06 AM
Ariel
It seems like there is some confusion here.
Before you start anything, please run this command to clear the counters on both ASAs: clear crypto ipsec sa counter. This will not affect anything.
Questions:
1. Can you ping from 172.17.2.x to 172.18.2.x?
2. Can you ping from 10.0.254.x to 172.18.2.x?
3. If you initiate the ping from the VPN client, i.e. 10.0.254.x, to 172.18.2.x, what is the output of show crypto ipsec sa | beg 10.0.254.0 at Site B?
05-01-2013 09:21 AM
Questions:
1. Can you ping from 172.17.2.20 to 172.18.2.2? No
2. Can you ping from 10.0.254.x to 172.18.2.x? Yes
3. If you initiate the ping from the VPN client, i.e. 10.0.254.x, to 172.18.2.x, what is the output of show crypto ipsec sa | beg 10.0.254.0 at Site B? See below
show crypto ipsec sa | beg 10.0.254.0
remote ident (addr/mask/prot/port): (10.0.254.0/255.255.255.0/0/0)
current_peer: site1
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: site2, remote crypto endpt.: site1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 579EBE3D
inbound esp sas:
spi: 0x7A97105B (2056720475)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373875/26616)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x579EBE3D (1470021181)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373875/26612)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 87.224.93.54
local ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
current_peer: 74.213.51.130
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 87.224.93.54, remote crypto endpt.: 74.213.51.130
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9CE76A79
inbound esp sas:
spi: 0x8721C911 (2267138321)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4364173/20770)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9CE76A79 (2632411769)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4371346/20769)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 87.224.93.54
access-list VPN-USA permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
local ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
current_peer: 74.213.51.130
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 87.224.93.54, remote crypto endpt.: 74.213.51.130
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7CF13256
inbound esp sas:
spi: 0x6E6C1F33 (1852579635)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/27545)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7CF13256 (2096181846)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/27545)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-01-2013 10:28 AM
Hi,
As Rohit Raj said,
There might be some misunderstandings here.
Can you confirm the networks between which there are problems with connectivity? (List the actual networks.)
I understood that you weren't able to connect from Site 2 VPN Pool 172.255.2.0/24 to Site 1 Network 172.17.2.0/24?
If this is true, then it seems to me that the above screen captures show a situation where you are actually connected to the Site 1 VPN, since I can see addresses from its VPN Pool (10.0.254.0/24).
- Jouni
05-01-2013 10:44 AM
Here are the ping tests.
10.0.254.x to 172.17.2.x Works
10.0.254.x to 172.18.2.x Works
172.17.2.x to 172.18.2.x Fails
172.255.2.x to 172.18.2.x Works
172.255.2.x to 172.17.2.x Fails
05-01-2013 08:37 AM
DCSI-UK-5505# show crypto ipsec sa peer myip
peer address: myip
Crypto map tag: outside_dyn_map, seq num: 20, local addr: site2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.255.2.118/255.255.255.255/0/0)
current_peer: myip, username: myname
dynamic allocated peer ip: 172.255.2.118
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: site2/4500, remote crypto endpt.: 12.228.116.98/17344
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 5E85DB78
inbound esp sas:
spi: 0xEA39740D (3929633805)
transform: esp-des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 700416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 3550
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0x5E85DB78 (1585830776)
transform: esp-des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 700416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 3550
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I am in a different location, SSHed into the ASAs. I have a VPN client connection with which I can connect to either site.
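The encaps/decaps counters in the `show crypto ipsec sa` outputs posted above are the quickest tell for which direction of a VPN-client-to-remote-site flow is being dropped. As an added example (not from this thread, Cisco, or the ASA itself), the Python below parses that output into per-SA proxy identities and packet counters and labels each SA pair as bidirectional, send-only, receive-only or idle; the sample text is constructed to mirror the three SA pairs seen in the outputs above, with a made-up local address.

```python
import ipaddress
import re

# Constructed sample in the shape of the ASA 8.2 "show crypto ipsec sa" output
# posted in this thread; counters mirror the three SA pairs seen there.
SAMPLE = """\
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (172.18.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
  #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
  #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (172.255.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.255.2.118/255.255.255.255/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
"""
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """One record per SA pair: proxy identities (as CIDR) and packet counters."""
    records = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        # dotted netmask -> CIDR, e.g. 172.18.2.0/255.255.255.0 -> 172.18.2.0/24
        idents = {m.group(1): str(ipaddress.ip_network(m.group(2))) for m in IDENT.finditer(chunk)}
        counters = {m.group(1): int(m.group(2)) for m in COUNTER.finditer(chunk)}
        if {"local", "remote"} <= idents.keys() and {"encaps", "decaps"} <= counters.keys():
            records.append({**idents, **counters})
    return records

def classify(sa):
    """Label the direction pattern of one SA pair from its counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"          # no flow has been selected into this SA at all
    if sa["encaps"] == 0:
        return "receive-only"  # peer sends, this ASA never encrypts a reply
    if sa["decaps"] == 0:
        return "send-only"     # this ASA sends, the peer never answers
    return "bidirectional"

def summarize(text):
    """(local, remote, label) per SA pair; one-way labels are where to look first."""
    return [(sa["local"], sa["remote"], classify(sa)) for sa in parse_ipsec_sa(text)]
```

A receive-only SA toward a client pool means the remote side's packets do arrive and decrypt, so the missing piece is on the return path of this ASA (routing, NAT exemption, or the crypto ACL not selecting the reply), not the tunnel itself.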
05-01-2013 08:44 AM
Hi,
That output seems to me to point to a situation where you are using Full Tunnel instead of Split Tunnel. Or I am just missing something.
Still, there only seems to be a really low amount of traffic that has arrived on the ASA (decapsulated = 3).
What does the VPN client computer's command prompt output of "route print" show?
Does the VPN Client's statistics and route section show "0.0.0.0 0.0.0.0", or does it list the networks in the Split Tunnel ACL?
- Jouni
05-01-2013 08:52 AM
The route in blue is the Site 1 ASA.
VPN client: I'm using Shrew Soft on Win8.
05-01-2013 10:51 AM
This was while I was connected to the US VPN.