06-03-2017 09:00 PM - edited 02-21-2020 09:18 PM
Hi fellow Cisco learners and experts
I'm currently studying CCNA Security at the moment.
I have a problem with IPsec on the ASA 5505. Both the inside LAN (PCA/PCB) and the site (PCC) can ping each other, which means "interesting" traffic is permitted and the IPsec tunnel should be active.
When I check the ISAKMP SA and IPsec SA on the ASA 5505, it does not show anything.
For R3, the ISAKMP SA doesn't show anything, BUT the IPsec SA has something in it.
This is the topology that I have:
And this is the .pkt file : https://drive.google.com/open?id=0B41dYfwXEKDzczdrYzdDUmV1aFE
If anyone could help, would be really appreciated.
Thank you in advance.
06-03-2017 10:14 PM
Hi,
The access-list SITE, which is the crypto ACL, is incorrect.
It should be:
access-list SITE extended permit icmp 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SITE extended permit tcp 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SITE extended permit ip 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SITE extended permit icmp 192.168.1.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list SITE extended permit tcp 192.168.1.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list SITE extended permit ip 192.168.1.0 255.255.255.0 30.30.30.0 255.255.255.0
Or you can even just put:
access-list SITE extended permit ip 192.168.1.0 255.255.255.0 30.30.30.0 255.255.255.0
as it includes all of TCP, IP and ICMP.
You do not need this:
access-group SITE in interface outside
Please do a:
no access-group SITE in interface outside
Also apply an access-list on the inside interface to allow traffic:
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
This completes ASA configuration. After this you should definitely see the tunnel trying to come up.
Now on Router 3:
The ISAKMP policy needs to change; we need to have group 2, just like on the ASA.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
The access-list 122 will be like:
access-list 122 permit icmp 30.30.30.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 30.30.30.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit tcp 30.30.30.0 0.0.0.255 192.168.1.0 0.0.0.255
After this the tunnel should definitely come up, and if not, then for test purposes remove the ZBF configuration from the router.
Just remove the zone-member from the interfaces and you should be good.
As of now, the IPsec SA output on this router is of no use and there are no encaps/decaps.
Please ensure that when you remove the ACL and apply it again, it is still linked to the VPN configuration.
Let me know how it goes.
Regards,
Pulkit
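The checks Pulkit applies by eye above, a crypto ACL written with the remote subnet as the source and an IKEv1 policy that differs in DH group, as an added example that is not code from the thread: it parses the ACL lines as pasted (ASA subnet masks, IOS wildcard masks), flags entries whose source is not the local protected subnet, checks the mirror-image rule between the two peers, diffs the IKEv1 policies, and also notices that the pasted ASA config spells the crypto map both CRYPTO-MAP and CRYPT0-MAP (digit zero), which on a real ASA would leave the applied map without a match address. The local subnets 192.168.1.0/24 and 30.30.30.0/24 come from the posted configs; the regexes are simplified and assume the `permit proto src mask dst mask` form.

```python
import ipaddress
import re

# Constructed from the thread's pasted configs: ASA ACL/crypto map lines, R3 ACL 122, IKEv1 policies.
ASA_CFG = """
access-list SITE extended permit ip 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map CRYPTO-MAP 10 match address SITE
crypto map CRYPT0-MAP 10 set peer 3.3.3.2
crypto map CRYPT0-MAP interface outside
"""
R3_CFG = """
access-list 122 permit ip 192.168.1.0 0.0.0.255 30.30.30.0 0.0.0.255
"""
ASA_IKE = {"encr": "3des", "authentication": "pre-share", "group": "2"}
R3_IKE = {"encr": "3des", "authentication": "pre-share", "group": "5"}
ASA_LOCAL = ipaddress.IPv4Network("192.168.1.0/24")  # subnet behind the ASA's inside interface
R3_LOCAL = ipaddress.IPv4Network("30.30.30.0/24")    # subnet behind R3's Gi0/0
ACE_RE = re.compile(r"permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")  # proto src mask dst mask
MAP_RE = re.compile(r"^crypto map\s+(\S+)", re.M)

def to_network(addr, mask, wildcard):
    """ASA ACLs carry subnet masks; IOS ACLs carry wildcard (inverted) masks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def parse_crypto_acl(text, wildcard):
    """Set of (proto, src_net, dst_net) for every permit entry in the text."""
    return {(p, to_network(s, sm, wildcard), to_network(d, dm, wildcard))
            for p, s, sm, d, dm in ACE_RE.findall(text)}

def reversed_entries(acl, local_net):
    """Entries whose source is not the local protected subnet (local/remote swapped)."""
    return {e for e in acl if not e[1].subnet_of(local_net)}

def missing_mirrors(local, remote):
    """Local entries with no src/dst-swapped twin on the peer (mirror-image rule)."""
    return {(p, s, d) for p, s, d in local if (p, d, s) not in remote}

def ike_mismatches(a, b):
    """IKEv1 policy attributes that differ; any one of them stops phase 1."""
    return {k for k in set(a) | set(b) if a.get(k) != b.get(k)}

def check_tunnel(asa_cfg, r3_cfg, asa_ike, r3_ike):
    asa, r3 = parse_crypto_acl(asa_cfg, False), parse_crypto_acl(r3_cfg, True)
    return {"asa_reversed": reversed_entries(asa, ASA_LOCAL),
            "r3_reversed": reversed_entries(r3, R3_LOCAL),
            "mirror_gaps": missing_mirrors(asa, r3) | missing_mirrors(r3, asa),
            "ike_mismatch": ike_mismatches(asa_ike, r3_ike),
            "asa_map_names": set(MAP_RE.findall(asa_cfg))}  # two names: applied map has no match address
```

Calling `check_tunnel(ASA_CFG, R3_CFG, ASA_IKE, R3_IKE)` on the pasted configs reports both ACLs as reversed, no mirror gaps (the two reversed ACLs mirror each other, which is why a mirror check alone does not catch this), a DH group mismatch, and two crypto map names on the ASA.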
06-03-2017 09:17 PM
Hi,
I am unable to open the .pkt file. It should be .pcap to check in Wireshark.
Also, can you please post "show run", "sh crypto isakmp" and "show crypto ipsec" from both the ASA and the router?
Regards,
Pulkit
06-03-2017 09:46 PM
Hi Pulkit,
Thank you for your reply.
It's a Packet Tracer file (.pkt) and I'm using Packet Tracer version 7.
This is the show run on the ASA:
ASA Version 8.4(2)
hostname ciscoasa
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
access-list SITE extended permit icmp 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SITE extended permit tcp 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SITE extended permit ip 30.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group SITE in interface outside
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
telnet timeout 5
ssh timeout 5
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
crypto ipsec ikev1 transform-set VPN-TRANS esp-3des esp-sha-hmac
crypto map CRYPTO-MAP 10 match address SITE
crypto map CRYPT0-MAP 10 set peer 3.3.3.2
crypto map CRYPT0-MAP 10 set ikev1 transform-set VPN-TRANS
crypto map CRYPT0-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 2
encr 3des
authentication pre-share
group 2
tunnel-group 3.3.3.2 type ipsec-l2l
tunnel-group 3.3.3.2 ipsec-attributes
ikev1 pre-shared-key cisco123
#show crypto isakmp sa on the ASA:
There are no IKEv1 SAs
There are no IKEv2 SAs
#show crypto ipsec sa on the ASA:
There are no ipsec sas
R1 #show run:
hostname R1
interface GigabitEthernet0/0
ip address 20.20.20.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
interface Serial0/0/0
ip address 3.3.3.1 255.255.255.252
clock rate 128000
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
ip route 30.30.30.0 255.255.255.0 Serial0/0/0
ip flow-export version 9
no cdp run
logging 20.20.20.10
line con 0
line aux 0
line vty 0 4
login
ntp authentication-key 1 md5 0822455D0A16544541 7
ntp authenticate
ntp trusted-key 1
ntp server 20.20.20.10 key 1
!
end
R3 #show run:
hostname R3
username Admin1 secret 5 $1$mERr$uvBzTxfWW.Iz063iT95nM.
license udi pid CISCO1941/K9 sn FTX152489OH
license boot module c1900 technology-package securityk9
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco123 address 1.1.1.2
crypto ipsec transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
crypto map CRYPTO-MAP 10 ipsec-isakmp
description VPN connection to PCA-B
set peer 1.1.1.2
set transform-set VPN-TRANSFORM
match address 122
ip ssh version 2
ip ssh authentication-retries 5
ip ssh time-out 60
ip domain-name ccnasecurity.com
spanning-tree mode pvst
class-map type inspect match-all IN-NET-CLASS-MAP
match access-group 101
class-map type inspect match-all REMOTE-NET-CLASS-MAP
match access-group 122
policy-map type inspect IN-2-OUT-PMAP
class type inspect IN-NET-CLASS-MAP
inspect
policy-map type inspect REMOTE-2-IN-PMAP
class type inspect REMOTE-NET-CLASS-MAP
inspect
zone security INZONE
zone security OUTZONE
zone-pair security IN-2-OUT-ZPAIR source INZONE destination OUTZONE
service-policy type inspect IN-2-OUT-PMAP
zone-pair security REMOTE-2-IN-ZPAIR source OUTZONE destination INZONE
service-policy type inspect REMOTE-2-IN-PMAP
interface GigabitEthernet0/0
ip address 30.30.30.1 255.255.255.0
zone-member security INZONE
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 3.3.3.2 255.255.255.252
zone-member security OUTZONE
crypto map CRYPTO-MAP
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
!
access-list 101 permit icmp 30.30.30.0 0.0.0.255 any
access-list 101 permit ip 30.30.30.0 0.0.0.255 any
access-list 101 permit tcp 30.30.30.0 0.0.0.255 any
access-list 101 remark INSIDE TRAFFIC GO ANYWHERE
access-list 122 permit icmp 192.168.1.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 122 permit tcp 192.168.1.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 122 remark BEHIND ASA TRAFFIC GO INSIDE
!
no cdp run
logging 20.20.20.10
line con 0
exec-timeout 3 0
password 7 08124945081026383C5F5E50
login local
!
line aux 0
!
line vty 0 4
exec-timeout 3 0
password 7 08124945081033232B5F5E50
login local
transport input ssh
!
!
ntp authentication-key 1 md5 0822455D0A16544541 7
ntp authenticate
ntp trusted-key 1
ntp server 20.20.20.10 key 1
!
end
R3 #show crypto isakmp sa:
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R3 #show crypto ipsec sa:
interface: Serial0/0/0
Crypto map tag: CRYPTO-MAP, local addr 3.3.3.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/1/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 3.3.3.2, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 3.3.3.2, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/6/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 3.3.3.2, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
As you can see, only the IPsec SA on R3 has something, and the rest is nothing...
06-04-2017 05:58 AM
Hi Pulkit,
Thank you so much for finding the mistakes that I made. I didn't check the IPsec parameters, such as AES and the Diffie-Hellman group, carefully enough.
I followed everything you told me, except this ACL:
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
It's because permit ip (source = any) (destination = any) is like disabling the firewall's job, and also the firewall by default lets inside traffic go outside.
It's working well now. Again, thank you for your help :)
06-04-2017 05:11 PM
Hi,
I am glad that everything is working fine now.
Yes, you are right that putting "ip any any" is like disabling the firewall's job; it was more for test purposes, just to ensure that we can get the tunnel up first. However, if we do not have anything on the inside, everything is already allowed by default, since it is permitted from high to low.
P.S. Please rate helpful posts.
Regards,
Pulkit