
IPSec Tunnel up but local networks not accessible

thorstenn
Level 4

Hi,

I have an ASA5520 and a SnapGear. The IPSec tunnel is up and running fine, but I'm not able to access the local LANs on both sides. Here are some configurations:

sh crypt isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
Type    : L2L             Role    : responder
Rekey   : no              State   : AM_ACTIVE

crypto/isakmp:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600

sh route:

C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C    192.168.112.0 255.255.254.0 is directly connected, inside

access-list:

access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

and here the scenario:

[image: Unbenannt.jpg]

If I perform a ping from the ASA to the remote local network I get this:

ciscoasa(config)# ping 172.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.172.20.20.1, timeout is 2 seconds:
No route to host 172.20.20.1

Success rate is 0 percent (0/1)

Any idea what I am missing?


StanDamen
Level 1

As you can see in the "sh route" output there is no route to 172.20.20.0; you could add a static route to tell the packets where to go.

This might be needed on both sides; I don't know how SnapGear works.

I've already tried this with this entry:

C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
S    172.20.20.0 255.255.255.0 [128/0] via 172.16.3.1, VLAN10
C    192.168.112.0 255.255.254.0 is directly connected, inside

but with no success...

ozzyosbu1
Level 1

Hello

There is no route towards the destination network, so add a static route for the destination network 172.20.0.0 on the ASA

and a route to 172.16.3.0 on the FW

Hello

You have added 172.20.20.0 255.255.255.255 ( /32 mask) pointing to your VLAN10 interface; you should add a route to 172.20.20.0 with the correct mask pointing to the tunnel interface/nexthop of 10.10.10.2

That was a mistake with the /32 mask.... my fault....

With this I'm able to ping the host on the other side, but not the gateway 172.20.20.1:

S    172.20.20.0 255.255.255.0 [1/0] via 10.10.10.2, IPSECTEST

The other way the same. Not able to ping the gateway. Any idea?

Is there any policy blocking ICMP on the FW? Are you able to ping 172.20.20.1 from the host on the same LAN?

Ok, from a host in the 172.20.20.X range I'm able to ping the gateway on the same subnet 172.20.20.1, but I'm not able to ping any other host on the ASA site.

From the ASA site I'm able to ping the host 172.20.20.5 on the SnapGear site, but not the default gateway 172.20.20.1.

The Host on the ASA site is able to ping the default gateway 172.16.3.1.

I'm confused.... :-(

Here is the running-config; maybe someone sees an issue. I figured out that I'm only able to ping the remote site host directly from the ASA and not from a host on the ASA network or a host on the SnapGear site.

How could I configure NAT 0 (exemption) in ASA version 8.3?

This doesn't work anymore:

ciscoasa(config)# nat (inside) 0 access-list Inside_nat0_outbound
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

I found the issue:

nat (any,any) source static 172.16.3.50 10.10.10.20

The client with the IP 172.16.3.50 from which I ping the remote network tried to ping it over the NAT IP. I changed the client IP and traffic goes through the tunnel.

But how can I disable NAT over the IPsec tunnel in ASA version 8.3?

Here is how to configure NAT exemption in ASA 8.3:

object network obj-172.16.3.0
  subnet 172.16.3.0 255.255.255.0

object network obj-172.20.20.0
  subnet 172.20.20.0 255.255.255.0

nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0

The following is how it looks in ASA 8.2 and below:

access-list Inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.20.20.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound

Ok, this worked for me. Thanks.

Now I have another problem with the same IP when connecting via VPN Client.

If I connect from a 10.10.10.XXX IP via VPN client to 10.10.10.1, the client gets the IP 172.16.3.254 like I configured it for VPN, that's ok, BUT I'm not able to ping the inside IP 172.16.3.10; only the NAT address for that IP/host -> 10.10.10.20 is reachable, but I think that's because I'm originally connected via the same subnet?

If I connected via VPN Client I would be able to ping the inside IP. What is the problem here?

VPN Client pool should not be in the same subnet as your internal subnet.

Currently I believe you have your IP pool as 172.16.3.254, which is in the same subnet as the vlan10 interface.

Yes, you're right. If I configure another pool on a different subnet, then do I have to configure routing for that VPN connection? Could you please give me an example of how to configure that?

For example, if you use an IP pool of 172.16.35.0/24:

Configuration:

ip local pool vpn-pool 172.16.35.1-172.16.35.20 mask 255.255.255.0

tunnel-group VLAN10-VPN general-attributes
    no address-pool VLAN10-Pool
    address-pool vpn-pool

object network obj-vpn-pool
    subnet 172.16.35.0 255.255.255.0

object network obj-10.10.10.0
    subnet 10.10.10.0 255.255.255.0

nat (vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-vpn-pool obj-vpn-pool
nat (IPSECTEST,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-vpn-pool obj-vpn-pool

same-security-traffic permit inter-interface
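
A small Python model of what both exemptions in this thread (the LAN-to-LAN `nat ... destination static` rule and the VPN-pool rule above) change, written as an added example and not code from the thread or from Cisco: it parses the ASA 8.3 manual NAT lines, applies them first-match in configuration order the way the manual NAT section does, and then checks whether the translated source still falls inside the crypto ACL. The `OBJECTS` table, the `net()`/`parse_nat()` helpers and the ignoring of interface names are assumptions made for this illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed object table mirroring the thread's "object network" definitions.
OBJECTS = {
    "obj-172.16.3.0": "172.16.3.0/24",
    "obj-172.20.20.0": "172.20.20.0/24",
    "obj-vpn-pool": "172.16.35.0/24",
}
# The L2L crypto ACL from the thread: 172.16.3.0/24 -> 172.20.20.0/24.
CRYPTO_ACL = (ip_network("172.16.3.0/24"), ip_network("172.20.20.0/24"))

def net(token):
    """Resolve an object name or bare IP/prefix to a network (bare IP -> /32)."""
    return ip_network(OBJECTS.get(token, token), strict=False)

def parse_nat(line):
    """Parse 'nat (a,b) source static REAL MAPPED [destination static REAL MAPPED]'.
    Interface names are ignored in this model; only addresses are matched."""
    t = line.split()
    rule = {"src_real": net(t[4]), "src_mapped": net(t[5]), "dst_real": None}
    if len(t) > 6 and t[6] == "destination":
        rule["dst_real"] = net(t[8])
    return rule

def translate_source(rules, src, dst):
    """ASA 8.3 manual NAT: the first rule in configuration order whose source
    (and optional destination) matches wins; a static mapping keeps the host
    offset inside the mapped prefix, so an identity rule leaves src unchanged."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r["src_real"] and (r["dst_real"] is None or d in r["dst_real"]):
            offset = int(s) - int(r["src_real"].network_address)
            return str(ip_address(int(r["src_mapped"].network_address) + offset))
    return src  # no rule matched: address unchanged

def matches_crypto_acl(rules, src, dst):
    """NAT runs before the crypto-map lookup, so the translated source must
    still fall inside the crypto ACL for the packet to enter the tunnel."""
    xlated = ip_address(translate_source(rules, src, dst))
    return xlated in CRYPTO_ACL[0] and ip_address(dst) in CRYPTO_ACL[1]

# The host NAT that broke the tunnel in the thread, and the two exemptions.
HOST_NAT = "nat (any,any) source static 172.16.3.50 10.10.10.20"
L2L_EXEMPT = ("nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 "
              "destination static obj-172.20.20.0 obj-172.20.20.0")
VPN_EXEMPT = ("nat (vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 "
              "destination static obj-vpn-pool obj-vpn-pool")
BROKEN = [parse_nat(HOST_NAT)]
FIXED = [parse_nat(L2L_EXEMPT), parse_nat(VPN_EXEMPT), parse_nat(HOST_NAT)]
```

Order matters: putting the exemptions after the host NAT line (`list(reversed(FIXED))`) leaves the tunnel broken, because the first matching rule wins.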
