IPSec Tunnel up but local networks not accessible

thorstenn
Level 4

Hi,

I have an ASA5520 and a Snapgear. The IPSec tunnel is up and running fine, but I'm not able to access the local LANs on both sides. Here are some configurations:

sh crypt isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
Type    : L2L             Role    : responder
Rekey   : no              State   : AM_ACTIVE

crypto/isakmp:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600

sh route:

C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C    192.168.112.0 255.255.254.0 is directly connected, inside

access-list:

access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

and here the scenario:

(scenario diagram: Unbenannt.jpg, image not included)

If I perform a ping from the ASA to the remote local network I get this:

ciscoasa(config)# ping 172.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.172.20.20.1, timeout is 2 seconds:
No route to host 172.20.20.1

Success rate is 0 percent (0/1)

Any idea what I am missing?
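The ping output above already names the problem: "No route to host 172.20.20.1". The crypto ACL IPSECTEST_cryptomap lists 172.20.20.0 as the remote network, but the route table quoted above contains only three connected routes and no default route, so a packet for 172.20.20.0 is dropped before it ever reaches the crypto map. The following added example (not from the thread) parses the quoted "sh route" lines and checks every network named in the crypto ACL against them; it assumes the object 172.20.20.0 is a /24, which the post does not show.

```python
import ipaddress

# Constructed from the "sh route" output quoted in the post:
# only connected routes, no default route.
SHOW_ROUTE = """\
C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C    192.168.112.0 255.255.254.0 is directly connected, inside
"""

# Networks named in the crypto ACL IPSECTEST_cryptomap.  The remote
# object's mask is assumed to be /24 (its definition is not in the post).
LOCAL_NET = ipaddress.ip_network("172.16.3.0/24")
REMOTE_NET = ipaddress.ip_network("172.20.20.0/24")


def parse_show_route(text):
    """Parse the connected routes of an ASA 'show route' listing into
    (network, interface) pairs.  Only the 'is directly connected' form
    that appears in the post is handled."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("C"):
            continue
        # "addr mask" -> ipaddress accepts the "addr/mask" form directly
        network = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        routes.append((network, parts[-1]))
    return routes


def lookup(routes, host):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(host)
    best = None
    for network, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None


def crypto_acl_routing_report(routes, local_net, remote_net):
    """For each network in the crypto ACL, report the interface the ASA
    would route it out of.  A remote network with no route never reaches
    the crypto map, which is exactly what 'No route to host' means."""
    report = {}
    for label, net in (("local", local_net), ("remote", remote_net)):
        # probe the first usable host of the network
        report[label] = lookup(routes, str(next(net.hosts())))
    return report


if __name__ == "__main__":
    routes = parse_show_route(SHOW_ROUTE)
    for label, iface in crypto_acl_routing_report(routes, LOCAL_NET, REMOTE_NET).items():
        print(f"{label} network: {'via ' + iface if iface else 'NO ROUTE'}")
```

Run against the quoted table, the local network resolves to VLAN10 and the remote network resolves to nothing, so the check reproduces the ping failure before any IKE or IPsec debugging is needed. The same lookup can be rerun after a route (or a default route) toward the peer-facing interface is added to confirm the remote network now has an egress interface.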

24 Replies

Thanks, I'll test it.

But later the IPSECTEST interface won't exist anymore; it will be the "outside" interface then. So it looks like this should be converted from:

nat (IPSECTEST,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-vpn-pool obj-vpn-pool

to:

nat (outside?,outside) source static obj- obj- destination static obj-vpn-pool obj-vpn-pool

In the end I have more than one VLAN which are accessible via VPN, with different IP ranges....

Assuming you no longer require the IPSECTEST interface, I will just remove it. Currently your VPN is configured to be terminated on the outside interface anyway.

Hmmm, seems not to work....

Here is my configuration:

ip local pool Vlan10-Pool 172.17.3.10-172.17.3.20 mask 255.255.255.0

tunnel-group Vlan10-VPN general-attributes
    address-pool Vlan10-Pool

object network obj-Vlan10-pool
    subnet 172.17.3.0 255.255.255.0

nat (Vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-Vlan10-pool obj-Vlan10-pool
same-security-traffic permit inter-interface

Is it not possible to configure a pool from the same subnet?

The 172.16.3.0/24 subnet (and the others which will be created) use only two or three IPs; that's why I'm assigning an IP range from behind.

The IPSECTEST interface was only for tunnel testing; at the moment I'm trying the VPN connection from the outside interface. So we do not need to care about the IPSECTEST interface regarding the VPN connection.

Do you have any other suggestions why the above solution from you is not working for me, or what I have missed to configure?

OK, sorry, it works now without the permit inter-interface, but if I ping the internal host from the VPN client I see a reply from the external IP. How can I fix this?

C:\>ping 172.16.3.10

Pinging 172.16.3.10 with 32 bytes of data:

Reply from 10.10.10.20: bytes=32 time=1ms TTL=128
Reply from 10.10.10.20: bytes=32 time=<1ms TTL=128
Reply from 10.10.10.20: bytes=32 time=<1ms TTL=128
Reply from 10.10.10.20: bytes=32 time=<1ms TTL=128

Can you please include the latest configuration. Thanks.

Here it is.

Please change the NAT order in your configuration as follows:

no nat (VLAN10,outside) source static 172.16.3.10 10.10.10.20

object network obj-172.16.3.10
nat (VLAN10,outside) static 10.10.10.20

Hope that works.

Hmm, OK, this seems to work. But why do I have to create the NAT rule on the network object for it to work? Btw, what is the difference between a static NAT rule and a static NAT rule on a network object?

The format of the NAT order of operation has changed from ASA version 8.3 compared to previous versions of ASA.

Prior to 8.3, it's NAT exemption --> Static NAT --> dynamic NAT.

From 8.3, it's Section 1 (Twice NAT) --> Section 2 (Network object NAT) --> Section 3 (Twice NAT).

It seems to be confusing as most people are used to the old format.

Here is some reading on NAT order of operation (version 8.3):

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157
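The three-section order described above is what made the fix work: the VPN identity NAT (`nat (Vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-Vlan10-pool obj-Vlan10-pool`) is a twice NAT rule in Section 1, and so was the original `source static 172.16.3.10 10.10.10.20`; whichever of the two comes first in the configuration wins. Moving the 172.16.3.10 translation onto the network object puts it in Section 2, where it can only apply after every Section 1 rule has been tried. The following added example (not part of the thread or of any Cisco code) is a deliberately simplified, stateless model of that rule selection for a packet leaving VLAN10 towards a VPN client; it assumes the original static rule sat above the identity rule in the "before" configuration, and that the VPN pool is 172.17.3.0/24 as in the config quoted earlier.

```python
from dataclasses import dataclass
import ipaddress

# Addresses from the thread: internal host 172.16.3.10, its outside
# mapping 10.10.10.20, LAN 172.16.3.0/24 and VPN pool 172.17.3.0/24.
net = ipaddress.ip_network
ANY = net("0.0.0.0/0")
HOST = net("172.16.3.10/32")
PUBLIC = net("10.10.10.20/32")
LAN = net("172.16.3.0/24")
POOL = net("172.17.3.0/24")


@dataclass
class NatRule:
    section: int                  # 1 = twice NAT, 2 = object NAT, 3 = twice NAT after-auto
    name: str
    src: ipaddress.IPv4Network    # real source
    dst: ipaddress.IPv4Network    # 0.0.0.0/0 when the rule has no destination clause
    mapped_src: ipaddress.IPv4Network

    def matches(self, src, dst):
        return src in self.src and dst in self.dst

    def translate(self, src):
        # static net-to-net mapping keeps the host offset; identity NAT maps to itself
        offset = int(src) - int(self.src.network_address)
        return ipaddress.ip_address(int(self.mapped_src.network_address) + offset)


def lookup_nat(rules, src, dst):
    """ASA 8.3+ evaluation: all of Section 1 (in configured order), then
    Section 2, then Section 3.  Returns (rule name, translated source).
    Simplification: the ASA orders Section 2 itself (static before dynamic,
    smaller networks first); with a single object rule list order suffices."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section == section and rule.matches(src, dst):
                return rule.name, str(rule.translate(src))
    return None, str(src)


# Identity NAT for LAN -> VPN-pool traffic (Section 1 in both configurations).
VPN_EXEMPTION = NatRule(1, "vpn-exemption", LAN, POOL, LAN)

# Before: the host translation is also twice NAT and (assumed) listed first.
BEFORE = [
    NatRule(1, "static-twice", HOST, ANY, PUBLIC),
    VPN_EXEMPTION,
]

# After: the host translation lives on the network object, i.e. Section 2.
AFTER = [
    VPN_EXEMPTION,
    NatRule(2, "obj-172.16.3.10", HOST, ANY, PUBLIC),
]


def reply_source_seen_by(rules, internal_host, vpn_client):
    """Source address the VPN client sees on a packet from internal_host."""
    return lookup_nat(rules, internal_host, vpn_client)[1]


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "VPN client sees reply from",
              reply_source_seen_by(rules, "172.16.3.10", "172.17.3.10"))
        print(label, "Internet sees", lookup_nat(rules, "172.16.3.10", "198.51.100.7"))
```

With the "before" table the Section 1 static rule matches first and the VPN client sees 10.10.10.20, the symptom reported above; with the "after" table the identity rule wins for pool destinations while traffic to any other destination still falls through to the object NAT and is translated to 10.10.10.20. The same ordering applies to `show nat` output on the box itself, which lists rules by section and is the quickest way to verify which rule a given flow will hit.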

Thanks for your support. I've started a new thread with what I think is a little problem with L2TP, thread title "L2TP over IPsec with ms client doesn`t work". Maybe you know the solution.