06-04-2013 04:58 PM - edited 02-21-2020 06:57 PM
Hi all,
I'm doing a lab to test IPsec site-to-site between an ASA and IOS.
I hit a problem that I couldn't figure out.
I'm able to ping the LAN of the router, but from the router I'm unable to ping the LAN on the ASA, and I'm seeing dropped packets on the ASA.
Please assist.
Here is the configuration from both devices.
Router show run
==================
Router#sh run
Building configuration...
Current configuration : 1458 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
crypto isakmp key tabunghaji address 192.168.10.2
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-TUNNEL 1 ipsec-isakmp
set peer 192.168.10.2
set transform-set AES-SHA
match address ACL-VPN
!
!
!
!
!
!
interface FastEthernet0/0
description P2P with ASA
ip address 192.168.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-TUNNEL
!
interface FastEthernet0/1
description LAN
ip address 10.1.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 10.1.20.0 255.255.255.0 192.168.10.2
!
!
ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
!
ip access-list extended ACL-NAT
deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
permit ip any any
ip access-list extended ACL-VPN
permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
Router#
Router#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN-TUNNEL, local addr 192.168.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
current_peer 192.168.10.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 192.168.10.1, remote crypto endpt.: 192.168.10.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
=========================================
ASA config
HQ-ASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname HQ-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.10.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.20.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list IPSEC_VPN extended permit ip 10.1.20.0 255.255.255.0 any
access-list ACL-INSIDE-NONAT extended permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list ACL-INSIDE-NONAT
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP_outside 20 match address IPSEC_VPN
crypto map MAP_outside 20 set peer 192.168.10.1
crypto map MAP_outside 20 set transform-set ESP-AES128-SHA
crypto map MAP_outside 20 set security-association lifetime seconds 28800
crypto map MAP_outside 20 set security-association lifetime kilobytes 10000
crypto map MAP_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.10.2 type ipsec-l2l
tunnel-group 192.168.10.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:65869f07e8dafe7ab63dd9528a2fb6bf
: end
HQ-ASA#
HQ-ASA# show crypto isakmp stats
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 3984
In Packets: 14
In Drop Packets: 10
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 944
Out Packets: 12
Out Drop Packets: 0
Out Notifys: 10
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 2
System Capacity Fails: 0
Auth Fails: 2
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 10
HQ-ASA#
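The two configurations above can be cross-checked mechanically. The following is an added example, not code from the thread: it embeds the VPN-relevant lines of both sides as constructed excerpts and reports where the IOS and ASA halves disagree (peer addresses, pre-shared key binding, tunnel-group name, and whether the two crypto ACLs mirror each other). The function names and the list of checks are my own.

```python
import re
from ipaddress import ip_network

# Constructed excerpts: the VPN-relevant lines of the two configs posted in the thread.
IOS_CFG = """crypto isakmp key tabunghaji address 192.168.10.2
 set peer 192.168.10.2
 match address ACL-VPN
ip access-list extended ACL-VPN
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
"""
ASA_CFG = """access-list IPSEC_VPN extended permit ip 10.1.20.0 255.255.255.0 any
crypto map MAP_outside 20 match address IPSEC_VPN
crypto map MAP_outside 20 set peer 192.168.10.1
tunnel-group 192.168.10.2 type ipsec-l2l
"""

def _spec(t, wildcard):  # one ACL address spec ('any' or 'ADDR MASK') -> (network, remaining tokens)
    if t[0] == "any":
        return ip_network("0.0.0.0/0"), t[1:]
    mask = ".".join(str(255 - int(o)) for o in t[1].split(".")) if wildcard else t[1]  # 0.0.0.255 -> /24
    return ip_network(f"{t[0]}/{mask}", strict=False), t[2:]

def crypto_acl(cfg, name, asa):
    """Set of (src, dst) networks the named crypto ACL selects; asa=False means IOS wildcard syntax."""
    if asa:
        bodies = re.findall(rf"^access-list {name} extended permit ip (.+)$", cfg, re.M)
    else:  # IOS named ACL: entries are the indented lines under the header
        block = re.search(rf"^ip access-list extended {name}\n((?: .+\n)*)", cfg, re.M)
        bodies = re.findall(r"^ permit ip (.+)$", block.group(1) if block else "", re.M)
    pairs = set()
    for body in bodies:
        src, rest = _spec(body.split(), wildcard=not asa)
        pairs.add((src, _spec(rest, wildcard=not asa)[0]))
    return pairs

def audit(ios_cfg, ios_ip, asa_cfg, asa_ip):
    """Mismatches between the two halves of a site-to-site tunnel (empty list = consistent)."""
    g = lambda pat, cfg: re.search(pat, cfg, re.M).group(1)
    ios_peer, asa_peer = g(r"^\s*set peer (\S+)", ios_cfg), g(r"^crypto map \S+ \d+ set peer (\S+)", asa_cfg)
    key_addr = g(r"^crypto isakmp key \S+ address (\S+)", ios_cfg)
    tgs = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", asa_cfg, re.M))
    mirror = {(d, s) for s, d in crypto_acl(ios_cfg, g(r"^\s*match address (\S+)", ios_cfg), asa=False)}
    asa_pairs = crypto_acl(asa_cfg, g(r"^crypto map \S+ \d+ match address (\S+)", asa_cfg), asa=True)
    checks = [
        ((ios_peer, asa_peer) != (asa_ip, ios_ip), f"peer addresses do not cross-match: IOS->{ios_peer}, ASA->{asa_peer}"),
        (key_addr != ios_peer, f"IOS pre-shared key is bound to {key_addr}, not to peer {ios_peer}"),
        (asa_peer not in tgs, f"ASA has no 'tunnel-group {asa_peer} type ipsec-l2l' (found {sorted(tgs)})"),
        (mirror != asa_pairs, f"crypto ACLs are not mirror images: IOS mirrored {mirror} vs ASA {asa_pairs}"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run as `audit(IOS_CFG, "192.168.10.1", ASA_CFG, "192.168.10.2")`; each returned line names one place where the posted configs disagree, and an empty list means the two sides are consistent.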
06-04-2013 07:16 PM
Hi,
If the VPN is up and all policies are fine..
Try this once:
Go to the ASA Device Management tab -> Interface and there select your management interface as your inside interface...
I guess it will work..
06-04-2013 08:22 PM
Thank you Arun, I will check again on the ASA later today.