03-16-2010 02:32 AM - edited 02-21-2020 04:33 PM
Hi,
I have an ASA5520 and a SnapGear. The IPsec tunnel is up and running fine, but I'm not able to access the local LANs on both sides. Here are some configurations:
sh crypt isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.10.10.2
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
crypto/isakmp:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
sh route:
C 172.16.3.0 255.255.255.0 is directly connected, VLAN10
C 10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C 192.168.112.0 255.255.254.0 is directly connected, inside
access-list:
access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0
And here is the scenario:
If I perform a ping from the ASA to the remote local network I get this:
ciscoasa(config)# ping 172.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.172.20.20.1, timeout is 2 seconds:
No route to host 172.20.20.1
Success rate is 0 percent (0/1)
Any idea what I am missing?
03-17-2010 06:13 AM
Thanks. I'll test it.
But later the IPSECTEST interface won't exist anymore; it will be the "outside" interface then. So this should be converted from:
nat (IPSECTEST,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-vpn-pool obj-vpn-pool
to:
nat (outside?,outside) source static obj-
In the end I have more than one VLAN, which are accessible via VPN with different IP ranges....
03-17-2010 06:23 AM
Assuming you no longer require the IPSECTEST interface, I will just remove it. Currently your VPN is configured to be terminated on the outside interface anyway.
03-17-2010 06:48 AM
Hmmm, seems not to work....
Here is my configuration:
ip local pool Vlan10-Pool 172.17.3.10-172.17.3.20 mask 255.255.255.0
tunnel-group Vlan10-VPN general-attributes
address-pool Vlan10-Pool
object network obj-Vlan10-pool
subnet 172.17.3.0 255.255.255.0
nat (Vlan10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-Vlan10-pool obj-Vlan10-pool
same-security-traffic permit inter-interface
Is it not possible to configure a pool from the same subnet?
The 172.16.3.0/24 subnet (and the others which will be created) use only two or three IPs; that's why I assigned an IP range from behind.
The IPSECTEST interface was only for tunnel testing; at the moment I am trying the VPN connection from the outside interface. So we do not care about the IPSECTEST interface regarding the VPN connection.
Do you have any other suggestions as to why your solution above is not working for me, or what I have missed in the configuration?
03-17-2010 07:08 AM
OK, sorry, it works now without the permit inter-interface, but if I ping the internal host from the VPN client I see a reply from the external IP. How can I fix this?
C:\>ping 172.16.3.10
Pinging 172.16.3.10 with 32 bytes of data:
Reply from 10.10.10.20: bytes=32 time=1ms TTL=128
Reply from 10.10.10.20: bytes=32 time=<1ms TTL=128
Reply from 10.10.10.20: bytes=32 time=<1ms TTL=128
Reply from 10.10.10.20: bytes=32 time=<1ms TTL=128
03-17-2010 08:02 PM
Can you please include the latest configuration. Thanks.
03-18-2010 12:27 AM
03-18-2010 01:45 AM
Please change the NAT order in your configuration as follows:
no nat (VLAN10,outside) source static 172.16.3.10 10.10.10.20
object network obj-172.16.3.10
nat (VLAN10,outside) static 10.10.10.20
Hope that works.
03-18-2010 03:36 AM
Hmm, OK, this seems to work. But why do I have to create the NAT rule on the network object for it to work? By the way, what is the difference between a static NAT rule and a static NAT rule on a network object?
03-18-2010 03:42 AM
The format of the NAT order of operation has changed in ASA version 8.3 compared to previous versions of ASA.
Prior to 8.3, it's NAT exemption --> Static NAT --> dynamic NAT.
From 8.3, it's Section 1 (Twice NAT) --> Section 2 (Network object NAT) --> Section 3 (Twice NAT).
It seems to be confusing as most people are used to the old format.
Here is some reading on the NAT order of operation (version 8.3):
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157
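As an added illustration of the Section 1 / Section 2 ordering explained above (this is not configuration from the thread or from Cisco's documentation; the addresses, interface and object names are taken from the thread, while the object names for the host mapping, the original rule order and the packet-tracer check are assumptions):

```cisco
! --- Problematic form (assumed ordering). Both rules are manual (twice) NAT in
! --- Section 1, which is evaluated top-down in configured order. If the static
! --- host mapping is listed first, a reply sourced from 172.16.3.10 towards the
! --- VPN pool matches it before the identity rule can exempt the traffic, so the
! --- VPN client sees the reply coming from 10.10.10.20.
object network obj-172.16.3.0
 subnet 172.16.3.0 255.255.255.0
object network obj-Vlan10-pool
 subnet 172.17.3.0 255.255.255.0
object network obj-172.16.3.10
 host 172.16.3.10
object network obj-10.10.10.20
 host 10.10.10.20
nat (VLAN10,outside) source static obj-172.16.3.10 obj-10.10.10.20
nat (VLAN10,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-Vlan10-pool obj-Vlan10-pool

! --- Corrected form (the fix given in the thread). The identity rule for the VPN
! --- pool stays alone in Section 1 and is matched first; the host mapping moves to
! --- network object NAT (Section 2), which is only consulted for traffic that no
! --- Section 1 rule matched, so VPN-pool traffic is never rewritten.
no nat (VLAN10,outside) source static obj-172.16.3.10 obj-10.10.10.20
object network obj-172.16.3.10
 nat (VLAN10,outside) static 10.10.10.20

! --- Verify: 'show nat' lists the rules by section in evaluation order, and
! --- packet-tracer shows which NAT rule an echo reply from the internal host
! --- (ICMP type 0, code 0) to a VPN client address actually hits.
show nat
packet-tracer input VLAN10 icmp 172.16.3.10 0 0 172.17.3.10 detailed
```

The packet-tracer output should show the identity rule as the matching NAT phase; if the host mapping still appears there, a Section 1 rule is still catching the traffic ahead of the exemption.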
03-18-2010 06:19 AM
Thanks for your support. I've started a new thread with what I think is a little problem with L2TP, thread title "L2TP over IPsec with ms client doesn`t work". Maybe you know the solution.