03-16-2010 02:32 AM - edited 02-21-2020 04:33 PM
Hi,
I have an ASA5520 and a Snapgear. The IPSec tunnel is up and running fine, but I'm not able to access the local LANs on both sides. Here are some configurations:
sh crypt isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.10.10.2
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
crypto/isakmp:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
sh route:
C 172.16.3.0 255.255.255.0 is directly connected, VLAN10
C 10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C 192.168.112.0 255.255.254.0 is directly connected, inside
access-list:
access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0
And here is the scenario:
If I perform a ping from the ASA to the remote local network I get this:
ciscoasa(config)# ping 172.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.172.20.20.1, timeout is 2 seconds:
No route to host 172.20.20.1
Success rate is 0 percent (0/1)
Any idea what I have missed?
03-16-2010 03:46 AM
As you can see in the "sh route" output there is no route to 172.20.20.0; you could add a static route to tell the packets where to go.
This might be needed on both sides, I don't know how the Snapgear works.
03-16-2010 03:59 AM
I've already tried this with this entry:
C 172.16.3.0 255.255.255.0 is directly connected, VLAN10
C 10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
S 172.20.20.0 255.255.255.0 [128/0] via 172.16.3.1, VLAN10
C 192.168.112.0 255.255.254.0 is directly connected, inside
but with no success...
03-16-2010 03:57 AM
Hello
There is no route towards the destination network, so add a static route for the destination network 172.20.0.0 on the ASA
and a route to 172.16.3.0 on the FW.
03-16-2010 04:10 AM
Hello
You have added 172.20.20.0 255.255.255.255 (/32 mask) pointing to your VLAN10 interface; you should add a route to 172.20.20.0 with the correct mask pointing to the tunnel interface/next hop of 10.10.10.2.
03-16-2010 04:24 AM
That was a mistake with the /32 mask.... my fault....
With this I'm able to ping the host on the other side, but not the gateway 172.20.20.1:
S 172.20.20.0 255.255.255.0 [1/0] via 10.10.10.2, IPSECTEST
The other way it is the same: not able to ping the gateway. Any idea?
03-16-2010 04:43 AM
Is there any policy blocking ICMP on the FW? Are you able to ping 172.20.20.1 from a host on the same LAN?
03-16-2010 05:20 AM
Ok, from a host in the 172.20.20.X range I'm able to ping the gateway on the same subnet, 172.20.20.1, but I'm not able to ping any other host on the ASA site.
From the ASA site I'm able to ping the host 172.20.20.5 on the Snapgear site, but not the default gateway 172.20.20.1.
The host on the ASA site is able to ping the default gateway 172.16.3.1.
I'm confused.... :-(
03-17-2010 02:03 AM
Here is the running-config, maybe someone sees an issue. I figured out that I'm only able to ping the remote site host directly from the ASA and not from a host on the ASA network or a host on the Snapgear site.
How could I configure NAT 0 (exemption) in ASA version 8.3?
This doesn't work anymore:
ciscoasa(config)# nat (inside) 0 access-list Inside_nat0_outbound
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
03-17-2010 03:53 AM
I found the issue:
nat (any,any) source static 172.16.3.50 10.10.10.20
The client with the IP 172.16.3.50, from which I ping the remote network, tried to ping it over the NAT IP. I changed the client IP and traffic goes through the tunnel.
But how can I disable NAT over the IPsec tunnel in ASA version 8.3?
03-17-2010 03:54 AM
Here is how to configure NAT exemption in ASA 8.3:
object network obj-172.16.3.0
subnet 172.16.3.0 255.255.255.0
object network obj-172.20.20.0
subnet 172.20.20.0 255.255.255.0
nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0
The following is how it looks in ASA 8.2 and below:
access-list Inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.20.20.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
03-17-2010 05:24 AM
Ok, this worked for me. Thanks.
Now I have another problem with the same IP and connecting via VPN Client.
If I connect from a 10.10.10.XXX IP via VPN client to 10.10.10.1, the client gets the IP 172.16.3.254 as I configured it for VPN; that's OK, BUT I'm not able to ping the inside IP 172.16.3.10. Only the NAT address for that IP/host (10.10.10.20) is reachable, but I think that's because I'm originally connected via the same subnet?
If I connected via VPN Client I would be able to ping the inside IP. What is the problem here?
03-17-2010 05:34 AM
VPN Client pool should not be in the same subnet as your internal subnet.
Currently I believe you have your IP pool as 172.16.3.254, which is in the same subnet as the vlan10 interface.
03-17-2010 05:42 AM
Yes, you're right. If I configure another pool on a different subnet, then do I have to configure routing for that VPN connection? Could you please give me an example of how to configure that?
03-17-2010 05:55 AM
For example, if you use an IP pool of 172.16.35.0/24:
Configuration:
ip local pool vpn-pool 172.16.35.1-172.16.35.20 mask 255.255.255.0
tunnel-group VLAN10-VPN general-attributes
no address-pool VLAN10-Pool
address-pool vpn-pool
object network obj-vpn-pool
subnet 172.16.35.0 255.255.255.0
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-vpn-pool obj-vpn-pool
nat (IPSECTEST,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-vpn-pool obj-vpn-pool
same-security-traffic permit inter-interface
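The root cause found in this thread (a host static NAT added before the NAT exemption, so tunnel traffic from 172.16.3.50 was rewritten to 10.10.10.20 and never matched the crypto ACL) and the later VPN-pool exemptions both come down to the same ASA 8.3 rule: manual (section 1) NAT is evaluated top-down, first match wins, and a new line without a line number is appended after the existing ones. The following script is an added example, not something posted in the thread or published by Cisco: it parses the small subset of ASA 8.3 syntax shown above (`object network` with `subnet`/`host`, `nat (a,b) [line] source static ... [destination static ...]`), replays section-1 matching for the addresses from the thread, and reports which local hosts would reach the tunnel with a rewritten source. It also checks the second problem, a VPN pool overlapping a directly connected subnet. The config text is constructed from the thread's lines; interface names and the simplification that only the ingress interface is matched are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the thread: the host static NAT was entered before the
# exemption, so it sits first in section 1 (assumed interface names).
SAMPLE_CONFIG = """\
object network obj-172.16.3.0
 subnet 172.16.3.0 255.255.255.0
object network obj-172.20.20.0
 subnet 172.20.20.0 255.255.255.0
object network obj-vpn-pool
 subnet 172.16.35.0 255.255.255.0
nat (any,any) source static 172.16.3.50 10.10.10.20
nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0
nat (vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-vpn-pool obj-vpn-pool
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\)(?: (\d+))? source static (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?$")


@dataclass
class NatRule:
    src_if: str
    dst_if: str
    real_src: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Network   # ANY when there is no destination clause
    mapped_dst: ipaddress.IPv4Network
    text: str

    def is_identity(self):
        """A NAT-exemption rule maps real to itself on both sides."""
        return self.real_src == self.mapped_src and self.real_dst == self.mapped_dst


def parse_config(text):
    """Return (objects, section-1 rules) from an ASA 8.3+ config excerpt.
    Only the subset of syntax used in the thread is understood."""
    objects, rules, current = {}, [], None
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith(" subnet ") and current:
            _, net, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{net}/{mask}")
        elif line.startswith(" host ") and current:
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("nat "):
            m = NAT_RE.match(line)
            if not m:
                raise ValueError("unsupported nat syntax: " + line)
            src_if, dst_if, pos, rs, ms, rd, md = m.groups()

            def res(tok):  # object name, literal address, "any" or absent
                if tok is None or tok == "any":
                    return ANY
                return objects.get(tok) or ipaddress.ip_network(tok)
            rule = NatRule(src_if, dst_if, res(rs), res(ms), res(rd), res(md), line)
            # An explicit line number inserts at that position; without one the
            # rule is appended to the end of section 1 (what bit the poster).
            rules.insert(int(pos) - 1, rule) if pos else rules.append(rule)
    return objects, rules


def first_match(rules, in_if, src, dst):
    """First section-1 rule matching this flow (ingress interface only)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.src_if in ("any", in_if) and src in r.real_src and dst in r.real_dst:
            return r
    return None


def translated_source(rules, in_if, src, dst):
    """Source address (string) after manual NAT; unchanged for identity rules."""
    r = first_match(rules, in_if, src, dst)
    if r is None or r.is_identity():
        return src
    offset = int(ipaddress.ip_address(src)) - int(r.real_src.network_address)
    return str(r.mapped_src.network_address + offset)  # one-to-one static mapping


def audit_tunnel(rules, in_if, local_net, remote_net):
    """Local hosts whose source is rewritten towards remote_net, i.e. traffic
    that would no longer match a crypto ACL written for local_net."""
    local = ipaddress.ip_network(local_net)
    probe_dst = str(ipaddress.ip_network(remote_net).network_address + 1)
    found = []
    for h in local.hosts():
        mapped = translated_source(rules, in_if, str(h), probe_dst)
        if mapped != str(h):
            found.append((str(h), mapped))
    return found


def pool_overlaps(pool_net, connected_nets):
    """Connected subnets a VPN address pool collides with (should be empty)."""
    pool = ipaddress.ip_network(pool_net)
    return [n for n in connected_nets if pool.overlaps(ipaddress.ip_network(n))]


if __name__ == "__main__":
    _, rules = parse_config(SAMPLE_CONFIG)
    print("rewritten before the tunnel:",
          audit_tunnel(rules, "inside", "172.16.3.0/24", "172.20.20.0/24"))
    print("VPN pool overlap:",
          pool_overlaps("172.16.3.254/32", ["172.16.3.0/24", "10.10.10.0/24"]))
```

Running it on the constructed config flags 172.16.3.50 as leaving with source 10.10.10.20, exactly the symptom described above; re-entering the exemption with a line number (`nat (inside,outside) 1 source static ...`) puts it ahead of the host static NAT and the audit comes back empty. The same ordering check applies to the `obj-vpn-pool` exemptions for the VPN client pool.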