Issue in site to site VPN between Cisco ASA and Cisco Router

Beginnerrr (Level 1)

Hi All,

I am performing a configuration to achieve a site-to-site VPN between a Cisco ASA and a Cisco router. I want to allow the external or outside network to access the internal network.

I configured the ASA interfaces, route and IKEv1 policy and enabled IKEv1 on the outside interface. I configured the tunnel-group, ACL, NAT, IKEv1 transform set and crypto map, and applied the crypto map to an interface.

I configured the router interfaces, route, IKEv1 policy, ISAKMP key, ACL, NAT, transform set and crypto map, and applied the crypto map to an interface.

I am unable to ping from external network to internal network.

[Image: VPN.png]

I have shown the configuration for the ASA and the router below.

Configuration for Cisco ASA

interface e0/0
nameif inside 
security-level 100
ip addr 192.168.20.1 255.255.255.0
 
interface e0/1
nameif outside
ip addr 172.16.1.1 255.255.255.0
security-level 0
 
route outside 0.0.0.0 0.0.0.0 (next router hop ip)
 
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
 
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha 
group 2
lifetime 86400
 
crypto ikev1 enable outside
 
tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco12345
 
object network inside-net
subnet 192.168.20.0 255.255.255.0
 
object network remote-net
subnet 192.168.10.0 255.255.255.0
 
access-list asa-router-vpn extended permit ip object inside-net object remote-net
 
nat (inside,outside) source static inside-net inside-net destination static remote-net remote-net no-proxy-arp route-lookup
 
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
 
crypto map outside_map interface outside
 
Configuration for Cisco Router

interface e0/0
ip addr 172.17.1.1 255.255.255.0
no shut

interface e0/1
ip addr 192.168.10.1 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 (next hop router ip)

crypto isakmp policy 10
authentication pre-share
encryption aes
group 2
hash sha
lifetime 86400
exit

crypto isakmp key cisco12345 address 172.16.1.1
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set VPN-SET
match address VPN-ACL

ip access-list extended VPN-ACL
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 111 remark NAT exemption access-list
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any

route-map nonat permit 10
match ip address 111

ip nat inside source route-map nonat interface ethernet0/0 overload

interface e0/0
crypto map VPN-MAP

 

Please kindly advise and assist.

14 Replies

@Beginnerrr, is a VPN tunnel established? Run "show crypto ipsec sa" on both the ASA and the router to confirm. If it is established, are the encaps and decaps counters both increasing?

Do you have NAT configured on the router? If so are you excluding (denying) traffic between the local and remote VPN networks?

@Rob Ingram, I have NAT configured on the router.

 

@MHM Cisco World, it is always showing no IKEv1 SA.

access-list 111 remark NAT exemption access-list
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any

route-map nonat permit 10
match ip address 111

ip nat inside source route-map nonat interface ethernet0/0 overload

ciscoasa(config)# show crypto isakmp

There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 100
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0

Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 252
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

All config is correct.

Can you share "show crypto isakmp" from the router?

@MHM Cisco World, it is always showing no IKEv1 SA.

ciscoasa(config)# show crypto isakmp

There are no IKEv1 SAs

There are no IKEv2 SAs

From the router, ping (internal of ASA) source (external), and check "show crypto isakmp" again.

@MHM Cisco World, the ping failed and "show crypto isakmp" showed the same output.

There are no IKEv1 SAs.

Did you configure any ACL on the outside of the ASA?

@MHM Cisco World,

Yes, I configured an ACL on the router.

The VPN is working. I had not configured the ACL on the router, and that is why the VPN was not working.

access-list 111 remark NAT exemption access-list
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any

route-map nonat permit 10
match ip address 111

ip nat inside source route-map nonat interface Ethernet0/0 overload

I am able to see the output of "show isakmp sa".

 

@MHM Cisco World @Rob Ingram,
If I want FTP to pass through the VPN, which access list should I configure?

For router,

ip access-list extended VPN-ACL
permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq ftp

 

access-list asa-router-vpn extended permit tcp object inside-net object remote-net eq ftp
 
Is that correct?




The ACL must be a mirror.

If you add an ACL in the router, add its mirror to the ASA.

Mirror meaning: make the source the destination and make the destination the source.

@MHM Cisco World ,

I have just added the ACL on the router and the ASA.

It is working now. What if I want to add another ACL to allow FTP?

How do I achieve this?

It can work or it cannot; check the comment below.

ip access-list extended VPN-ACL
permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq ftp

 

access-list asa-router-vpn extended permit tcp 192.168.20.0 255.255.255.0 eq ftp 192.168.10.0 255.255.255.0

 

@MHM Cisco World, is there a need to configure NAT for FTP?

@Rob Ingram mentioned restrictions about using L4 ports. I checked, and he is right: the IOS router rejects using L4 ports.

Check the link below.

So the only solution is to allow the subnet, then use a vpn-filter or apply an ACL to the inside of the ASA.

https://www.firewall.cx/cisco/cisco-routers/cisco-router-vpn-client-acls.html

@Beginnerrr, Cisco does not recommend defining interesting traffic based on ports; amend your VPN ACL to establish the IPsec SA on IP.

If you want to restrict FTP, then apply an interface ACL or assign a VPN filter in the ASA configuration.
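The two checks the replies above boil down to (the crypto ACLs on the ASA and the router must be exact mirrors of each other, and interesting traffic should be matched on IP rather than on TCP/UDP ports) can be automated before the configuration is pushed. The script below is an added example written for this thread; it is not Cisco code and not anything the participants posted. It parses one ASA ACE (subnet masks or named objects) and one IOS ACE (wildcard masks), normalises both to networks, and reports when the pair is not mirrored or when either side matches on an L4 port. The `ASA_OBJECTS` dictionary is constructed from the object definitions in the original post rather than parsed from the config; everything else uses only the standard library.

```python
"""Check a site-to-site crypto ACL pair (ASA side vs. IOS router side) for the two
problems discussed in the thread: the ACEs must be exact mirrors, and interesting
traffic should be defined on IP, not on L4 ports. Added example, not Cisco code."""
import ipaddress
from collections import namedtuple

# A parsed access-control entry; src/dst are IPv4Network, sport/dport are port names or None.
Rule = namedtuple("Rule", "proto src sport dst dport")

# Object definitions taken from the thread's ASA config (constructed dict, not parsed).
ASA_OBJECTS = {
    "inside-net": ipaddress.IPv4Network("192.168.20.0/24"),
    "remote-net": ipaddress.IPv4Network("192.168.10.0/24"),
}


def _parse_endpoint(tokens, i, style, objects):
    """Consume one endpoint at tokens[i]; return (IPv4Network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    mask = tokens[i + 1]
    if style == "ios":
        # IOS ACLs use wildcard masks (0 bit = must match); invert to a subnet mask.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((tok, mask), strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i


def parse_ace(line, style, objects=None):
    """Parse one permit ACE. style is 'asa' (subnet masks / objects) or 'ios' (wildcard masks).
    Returns None for remark/deny lines, which do not define crypto-map interesting traffic."""
    tokens = line.split()
    if "permit" not in tokens:
        return None
    i = tokens.index("permit") + 1
    proto, i = tokens[i], i + 1
    src, i = _parse_endpoint(tokens, i, style, objects or {})
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_endpoint(tokens, i, style, objects or {})
    dport, i = _parse_port(tokens, i)
    return Rule(proto, src, sport, dst, dport)


def is_mirror(a, b):
    """True when b equals a with source and destination (addresses and ports) swapped."""
    return (a.proto == b.proto and a.src == b.dst and a.dst == b.src
            and a.sport == b.dport and a.dport == b.sport)


def uses_l4_ports(rule):
    """True when the ACE matches on a TCP/UDP port, which the thread advises against for crypto ACLs."""
    return rule.proto in ("tcp", "udp") and (rule.sport is not None or rule.dport is not None)


def check_pair(asa_line, ios_line, objects=ASA_OBJECTS):
    """Return a list of findings for one ASA/IOS crypto ACE pair (empty list = looks fine)."""
    asa, ios = parse_ace(asa_line, "asa", objects), parse_ace(ios_line, "ios")
    findings = []
    if not is_mirror(asa, ios):
        findings.append("crypto ACLs are not mirrors: ASA %s/%s -> %s/%s vs router %s/%s -> %s/%s"
                        % (asa.src, asa.sport, asa.dst, asa.dport,
                           ios.src, ios.sport, ios.dst, ios.dport))
    for side, rule in (("ASA", asa), ("router", ios)):
        if uses_l4_ports(rule):
            findings.append("%s ACE matches on an L4 port; define interesting traffic on IP and "
                            "restrict FTP with an interface ACL or vpn-filter instead" % side)
    return findings


if __name__ == "__main__":
    # The working pair from the thread: subnet-to-subnet, mirrored.
    print(check_pair("access-list asa-router-vpn extended permit ip object inside-net object remote-net",
                     "permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"))
    # The FTP attempt from the thread: 'eq ftp' on the destination of both sides is not a mirror.
    print(check_pair("access-list asa-router-vpn extended permit tcp object inside-net object remote-net eq ftp",
                     "permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq ftp"))
```

Run against the pair from the original post the checker returns no findings; run against the FTP pair the poster proposed it reports both that the ACEs are not mirrors (the port sits on the destination of both sides) and that each side matches on an L4 port. The corrected mirror from the later reply (port on the ASA source) clears the first finding but still triggers the port warning, which is exactly the situation where a vpn-filter or interface ACL on the ASA is the right place to restrict FTP.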