Have one site to site vpn working, added second which has issues

sholiday666
Level 1

We have had a successful site-to-site VPN working for several months now. It is an ASA 5510 at HQ to an ASA 5505 at a branch office in another state. We just added a second site-to-site VPN in another state, this time from HQ to a SonicWall TZ100. After plugging the SonicWall into the Qwest modem in bridge mode the tunnel came right up. I was unable to ping any of the private IPs at HQ from the new branch, but was able to use Remote Desktop into the servers and workstations at HQ. Also, all the computers show up when browsing the network from the new branch.

At the first branch we are able to ping both ways and use Remote Desktop both ways.

When using Packet Tracer in ASDM on the HQ ASA and pinging from one of the IPs in the HQ protected network to an IP in the new branch network, NAT-EXEMPT looks good, but when it hits the first NAT it matches on the "dynamic translation to pool 10 (10.1.255.254) [Interface PAT]" (which is the default route for all the VLANs to get to the Internet).

The next NAT (subtype - host-limits) looks better, and this one goes to the IP address of the outside interface of the HQ ASA 5510, but then the third NAT (subtype - rpf-check) reverts back to the "10 (10.1.255.254) [Interface PAT]" and the packet is DROPPED. Also, there is no VPN step in Packet Tracer after NAT.

So obviously the HQ ASA 5510 doesn't consider this to be interesting traffic, but I don't know why.

Here is the output of sh crypto ipsec sa from the HQ ASA:

interface: outside
    Crypto map tag: outside_map, seq num: 30, local addr: 209.X.X.X

      access-list encrypt_acl-30 permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.8.0/255.255.255.0/0/0)
      current_peer: 65.102.14.72

      #pkts encaps: 229450, #pkts encrypt: 229450, #pkts digest: 229450
      #pkts decaps: 172516, #pkts decrypt: 172516, #pkts verify: 172516
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 229450, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.X.X.X, remote crypto endpt.: 65.102.X.X

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 91860025

    inbound esp sas:
      spi: 0x88957B9C (2291497884)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2600960, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 59068
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x91860025 (2441478181)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2600960, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 59068
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 30, local addr: 209.X.X.X

      access-list encrypt_acl-30 permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.8.0/255.255.255.0/0/0)
      current_peer: 65.102.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.X.X.X, remote crypto endpt.: 65.102.X.X

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: A204BAE2

    inbound esp sas:
      spi: 0xDA8C653A (3666634042)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2600960, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 84670
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001
    outbound esp sas:
      spi: 0xA204BAE2 (2718218978)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2600960, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 84621
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

Here is the output from sh crypto isakmp sa on the HQ ASA:

3   IKE Peer: 65.102.x.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

Here is the config:

ASA Version 8.0(4)
!
hostname COMPASA
domain-name COMPfirm.com
enable password TMACBloMlcBsq1kp encrypted
passwd TMACBloMlcBsq1kp encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 209.X.X.X 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MDT -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
domain-name COMPfirm.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host 209.X.X.X eq www
access-list inbound extended permit tcp any host 209.X.X.X eq https
access-list inbound extended permit tcp any host 209.X.X.X eq ftp
access-list inbound extended permit tcp any host 209.X.X.X eq ftp-data
access-list inbound extended permit tcp any host 209.X.X.X eq ssh
access-list inbound extended permit tcp any host 209.X.X.X eq imap4
access-list inbound extended permit tcp any host 209.X.X.X eq pop3
access-list inbound extended permit tcp any host 209.X.X.X eq www
access-list inbound extended permit tcp any host 209.X.X.X eq https
access-list inbound extended permit tcp any host 209.X.X.X eq smtp
access-list inbound extended permit icmp any any
access-list inbound remark MMS-1755
access-list inbound extended permit tcp any eq 1755 host 209.X.X.X inactive
access-list inbound remark MMS-UDP
access-list inbound extended permit udp any eq 1755 host 209.X.X.X inactive
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.50 eq 8777
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list global_mpc extended permit tcp any any
access-list encrypt_acl-30 extended permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list encrypt_acl-30 extended permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 10 209.X.X.X netmask 255.255.255.0
global (inside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 209.X.X.X 10.2.2.2 netmask 255.255.255.255
static (inside,outside) 209.X.X.X 10.1.1.11 netmask 255.255.255.255
static (dmz,inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 209.X.X.X 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.12
key -->ZZZZZZ
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 20 set peer 67.42.X.X
crypto map outside_map 20 set transform-set HQset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address encrypt_acl-30
crypto map outside_map 30 set peer 65.102.X.X
crypto map outside_map 30 set transform-set HQset
crypto map outside_map 30 set security-association lifetime seconds 86400
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpnclients internal
group-policy vpnclients attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
default-domain value COMPfirm.local
split-dns value COMPfirm.local
address-pools value vpnpool
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
username ssluser1 password  encrypted
username bcurtis password v encrypted privilege 0
username gtri password  encrypted privilege 15
username admin password  encrypted privilege 15
username XXXXXXX password  encrypted privilege 0
tunnel-group M&J type remote-access
tunnel-group M&J general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy vpnclients
tunnel-group M&J ipsec-attributes
pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
tunnel-group 67.42.X.X type ipsec-l2l
tunnel-group 67.42.X.X ipsec-attributes
pre-shared-key *
tunnel-group 65.102.X.X type ipsec-l2l
tunnel-group 65.102.X.X ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 768
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
class global-class
  ips inline fail-open sensor vs0
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ZZZZZZZZZZZZZZZZZZZZZ
: end

Is the problem possibly due to the fact that my 2 new ACLs for "encrypt_acl-30" fall after "access-list global_mpc extended permit tcp any any" in the config and it is running into the implicit deny-all?

Thanks for looking at this.


8 Replies

Jennifer Halim
Cisco Employee

Does it work if you add inspect icmp:

policy-map global_policy

class inspection_default

  inspect icmp

I will try that, but why can I ping back and forth with the first site-to-site VPN? And the big issue is we need to use Remote Desktop to connect to the PCs in the branch office for support, as well as the SonicWall TZ100. The issue really seems to be that traffic generated from HQ to the new branch is not being encrypted and passed through the VPN tunnel, based on what I'm seeing in Packet Tracer in ASDM.

I just had a chance to add the inspect icmp entries, Jennifer, and still no luck.

sholiday666
Level 1

What does anyone think of my

"2 new ACLs for "encrypt_acl-30" fall after "access-list global_mpc extended permit tcp any any" in the config and it is running into the implicit deny all?"

theory?

sholiday666
Level 1

When doing a continuous ping from a workstation with IP address 10.1.10.8 (in HQ) to 10.1.8.11 (in the new branch), this is the message I get in the ASDM syslog:

Err  3 305005 10.1.8.11                       No translation group found for icmp src inside: 10.1.10.48 dst inside: 10.1.8.11 (type 8, code 0)

sholiday666
Level 1

In looking over my configuration and showing the routes, I see that my issue could be that traffic generated for 10.1.8.0 is getting trapped by this static route:

route inside 10.1.0.0 255.255.0.0 10.1.255.249 1

One of my predecessors had a consultant configure this ASA 5510, and we have six VLANs all starting with 10.1.x.x /24. So obviously it was nice and simple to summarize this static route as 10.1.0.0 255.255.0.0.

Of course I didn't think about this when coming up with the IP scheme for the new branch office, 10.1.8.0 /24.

The original site-to-site VPN that is working happens to be for network 10.0.0.0 /24 (second octet 0 instead of 1, duh).

Could I replace the static route above (10.1.0.0 255.255.0.0) with six new static routes?

route inside 10.1.1.0 255.255.255.0 10.1.255.249 1

route inside 10.1.10.0 255.255.255.0 10.1.255.249 1

route inside 10.1.11.0 255.255.255.0 10.1.255.249 1

route inside 10.1.2.0 255.255.255.0 10.1.255.249 1

route inside 10.1.254.0 255.255.255.0 10.1.255.249 1

route inside 10.1.255.0 255.255.255.0 10.1.255.249 1

There's no limitation on inside static routes is there? Assuming that's my issue.

Thanks again!

Instead of replacing the static route, you can just add a new static route for 10.1.8.0/24 as follows:

route outside 10.1.8.0 255.255.255.0 209.X.X.X 1

Because it is more specific it will take precedence over your more generic 10.1.0.0/16 static route towards the inside.

Good spot btw!!!
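The whole thread comes down to one fact about the ASA's order of operations: the route lookup picks the egress interface first, and the crypto map only sees the packet if that egress interface is the one the map is bound to (here "outside"). With the summary route, 10.1.8.11 matched 10.1.0.0/16 and was sent to "inside", so the egress was never "outside" and Packet Tracer never reached a VPN phase; the syslog accordingly shows both src and dst as "inside". The script below is an added example (not from the thread, not Cisco's code) that reproduces that reasoning: it parses the route, access-list and crypto map lines from a constructed subset of the posted config, does the same longest-prefix-match lookup the ASA does, and flags every crypto-ACL destination whose egress interface differs from the crypto map's interface. It models routing and the crypto-map binding only, not NAT or Packet Tracer's NAT phases, and the next hop 203.0.113.1 stands in for the masked 209.X.X.X address.

```python
"""Check that every crypto-map ACL destination routes out the interface the
crypto map is bound to (ASA 8.x syntax). Added example; not from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str


def parse_routes(lines):
    """Parse 'route <iface> <network> <mask> <next-hop> [metric]' lines."""
    routes = []
    for line in lines:
        p = line.split()
        if len(p) >= 5 and p[0] == "route":
            net = ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)
            routes.append(Route(net, p[1], p[4]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, regardless of
    the order the routes appear in the config."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def parse_crypto_maps(lines):
    """Return (crypto-ACL destinations by ACL name,
               [(map, seq, acl)] for 'match address' entries,
               {map: interface} from 'crypto map <name> interface <if>')."""
    acls, entries, bound = {}, [], {}
    for line in lines:
        p = line.split()
        if len(p) == 9 and p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            dst = ipaddress.IPv4Network(f"{p[7]}/{p[8]}", strict=False)
            acls.setdefault(p[1], []).append(dst)
        elif p[:2] == ["crypto", "map"] and len(p) == 7 and p[4:6] == ["match", "address"]:
            entries.append((p[2], p[3], p[6]))
        elif p[:2] == ["crypto", "map"] and len(p) == 5 and p[3] == "interface":
            bound[p[2]] = p[4]
    return acls, entries, bound


def audit(lines):
    """List (map+seq, acl, destination, egress) for every crypto-ACL destination
    whose egress interface is not the interface carrying the crypto map.
    Such traffic never reaches the crypto map, so it is never encrypted."""
    routes = parse_routes(lines)
    acls, entries, bound = parse_crypto_maps(lines)
    problems = []
    for cmap, seq, acl in entries:
        for dst in acls.get(acl, []):
            route = lookup(routes, dst.network_address + 1)  # first host in the subnet
            egress = route.interface if route else None
            if egress != bound.get(cmap):
                problems.append((f"{cmap} {seq}", acl, str(dst), egress))
    return problems


# Constructed subset of the HQ config from the thread; 203.0.113.1 replaces 209.X.X.X.
HQ_CONFIG = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl-30 extended permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list encrypt_acl-30 extended permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 30 match address encrypt_acl-30
crypto map outside_map interface outside
""".strip().splitlines()

# The accepted fix: a more specific route that overrides the /16 summary.
FIX = "route outside 10.1.8.0 255.255.255.0 203.0.113.1 1"

if __name__ == "__main__":
    for label, cfg in (("before", HQ_CONFIG), ("after", HQ_CONFIG + [FIX])):
        r = lookup(parse_routes(cfg), "10.1.8.11")
        print(f"{label}: 10.1.8.11 -> {r.prefix} via {r.interface}; problems: {audit(cfg)}")
```

Run it as-is and the "before" line shows 10.1.8.11 leaving via "inside" with both encrypt_acl-30 entries flagged, while the first tunnel's 10.0.0.0/24 destination is fine because it falls through to the default route on "outside"; the "after" line shows the /24 winning and an empty problem list. The same audit is worth running after any addressing change at a branch: a new remote subnet that happens to fall inside a summary route pointing at an internal interface will fail in exactly this way, with the ISAKMP SA up and zero encaps on the IPsec SA.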

Awesome Jennifer! I forgot about that. Thanks again.