Issues with S2S Tunnel

osoriojoe
Level 1

When attempting to bring the tunnel up with packet tracer, the packets are being dropped by an implicit rule. Is there a need for another ACL that would permit this traffic over the tunnel? Please see the relevant configurations below.

 

Thank you for any help!

 

ASA1

packet-tracer input inside icmp 192.168.10.1 1 1 192.168.20.1 

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.20.1/0 to 192.168.20.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule 
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

---------------------------------------------------------------------------------------------


names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan50
 nameif management
 security-level 0
 no ip address
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name lab
object network obj-172.20.1.1
object network REMOTE-LAN
 subnet 192.168.20.0 255.255.255.0
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
access-list S2S_VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log 
access-list S2S_VPN extended permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log 
access-list ACL-OUTSIDE extended permit icmp any any 
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
access-group ACL-OUTSIDE in interface outside
route outside 192.168.20.0 255.255.255.0 x.x.x.x.x 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map S2S_CRYPTO_MAP 1 match address S2S_VPN
crypto map S2S_CRYPTO_MAP 1 set peer 184.89.3.187 
crypto map S2S_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map S2S_CRYPTO_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
 anyconnect-essentials
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512

 


ASA2

names

!
interface Ethernet0/0
 description OUTSIDE
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.6 255.255.255.0
!
ftp mode passive
object network obj-outside
 subnet 192.168.1.0 255.255.255.0
object network obj-inside
 subnet 192.168.20.0 255.255.255.0
object network obj-remote
 subnet 192.168.10.0 255.255.255.0
access-list VPN-S2S-JOEY extended permit ip object obj-inside object obj-remote
access-list VPN-S2S-JOEY extended permit icmp object obj-inside object obj-remote
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-inside obj-inside destination static obj-remote obj-remote no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 192.168.10.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map S2S_VPN 1 match address VPN-S2S-JOEY
crypto map S2S_VPN 1 set peer x.x.x.x
crypto map S2S_VPN 1 set ikev1 transform-set ESP-AES-SHA
crypto map S2S_VPN interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.175 255.255.255.255 outside
ssh 192.168.1.48 255.255.255.255 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!

3 Replies

Dinesh Moudgil
Cisco Employee

Hello osoriojoe,

Firstly, I would suggest you delete these entries:
access-list VPN-S2S-JOEY extended permit icmp object obj-inside object obj-remote
access-list S2S_VPN extended permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log

as these are already included in these entries:
access-list VPN-S2S-JOEY extended permit ip object obj-inside object obj-remote
access-list S2S_VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log

Then try running the command below and share the output.
"packet-tracer input inside icmp 192.168.10.10 8 0 192.168.20.10 detailed"

NOTE:- ASA interfaces do not take part in NAT. So always make sure:-
1. Packet tracer is run for type 8 code 0 in case you want to test ICMP reply.
2. Use IPs other than ASA's own interface assigned IPs. 
3. These IPs can be random as long as they are part of crypto access-list.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
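The reply above asks for a corrected packet-tracer run and lists the two pitfalls to avoid (type/code other than 8 0, and using the ASA's own interface addresses). The following is an added example, not code from the thread or from Cisco: it parses packet-tracer output of the shape quoted in the question into its phases so the first DROP phase and the summary drop reason can be read programmatically, and it checks a proposed packet-tracer command against those two notes. `SAMPLE_TRACE` is constructed from the output in the original post, and the interface-address set passed to `check_icmp_probe` is whatever the caller supplies.

```python
import re

# Constructed sample: the packet-tracer output quoted in the question (abbreviated summary).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.20.1/0 to 192.168.20.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule 
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split packet-tracer output into per-phase dicts and the final summary dict.

    Each phase dict holds the 'Key: value' header fields (lower-cased keys) plus the
    free-form lines under 'Config:' and 'Additional Information:' as lists.
    """
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.rstrip() for line in block.splitlines()]
        if lines[0].startswith("Phase:"):
            phase = {"config": [], "info": []}
            bucket = None
            for line in lines:
                if line == "Config:":
                    bucket = "config"
                    continue
                if line == "Additional Information:":
                    bucket = "info"
                    continue
                if bucket is None and ":" in line:
                    key, value = line.split(":", 1)
                    phase[key.strip().lower()] = value.strip()
                elif bucket:
                    phase[bucket].append(line)
            phases.append(phase)
        elif lines[0] == "Result:":
            for line in lines[1:]:
                key, value = line.split(":", 1)
                summary[key.strip().lower()] = value.strip()
    return phases, summary


def first_drop(phases):
    """Return (phase number, type, config text) of the first DROP phase, or None."""
    for phase in phases:
        if phase.get("result") == "DROP":
            return int(phase["phase"]), phase["type"], " ".join(phase["config"]).strip()
    return None


def check_icmp_probe(cmd, interface_ips):
    """Check a 'packet-tracer input <ifc> icmp <src> <type> <code> <dst>' command against
    the notes in the reply: use type 8 code 0 (echo request), and do not use the ASA's own
    interface addresses as source or destination, since ASA interfaces do not take part in NAT.
    Returns a list of problems (empty when the command follows both notes)."""
    m = re.match(r"packet-tracer input (\S+) icmp (\S+) (\d+) (\d+) (\S+)", cmd.strip())
    if not m:
        return ["not a packet-tracer icmp command"]
    _ifc, src, itype, icode, dst = m.groups()
    problems = []
    if (int(itype), int(icode)) != (8, 0):
        problems.append(f"ICMP type {itype} code {icode}: use 8 0 (echo request) to test the reply path")
    for ip in (src, dst):
        if ip in interface_ips:
            problems.append(f"{ip} is an ASA interface address; pick a host IP inside the crypto ACL subnets")
    return problems


if __name__ == "__main__":
    phases, summary = parse_trace(SAMPLE_TRACE)
    print("first drop:", first_drop(phases))
    print("reason:", summary.get("drop-reason"))
    # 192.168.10.1 and 192.168.20.1 are the two ASAs' inside interface addresses in the thread.
    print(check_icmp_probe("packet-tracer input inside icmp 192.168.10.1 1 1 192.168.20.1",
                           {"192.168.10.1", "192.168.20.1"}))
```

Running it against the quoted output reports phase 3 (ACCESS-LIST, "Implicit Rule") as the drop point, and flags the original command on all three counts: wrong type/code and both endpoints being interface addresses.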

Dinesh,

 

Thank you kindly for the response.

After implementing your suggestions the tunnel has come up and we are able to ping over the tunnel from the switches coming off of the ASAs. From the ASAs, when initiating a ping to the other side it dies unless we source it from the inside interface. Would this be typical behavior?

 

asaFW# ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


asaFW# ping inside 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/62/70 ms

 

Please note that since my first post the following has been added to both ASAs:

 

policy-map global_policy
 class inspection_default
  inspect icmp

 

"no-proxy-arp route-lookup" has also been added to the self NAT statement.

Hello osoriojoe,

You have configured "route outside 192.168.20.0 255.255.255.0 x.x.x.x.x" in the above snippet.
That means whenever you write "ping 192.168.20.X", it tries to source the ping from the outside interface, as 192.168.20.0 is reachable via outside as listed in the above route statement.

Since your crypto access-list does not contain traffic from your outside interface to the remote subnet, the ping fails. And when you specify the inside interface, since it is part of the crypto access-list, the ping goes through. So this is expected.

If it is just about being able to ping from your public IP to the remote subnet, you can add this statement:
access-list VPN-S2S-JOEY extended permit ip object <your_public_ip> object obj-remote

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
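The two replies turn on the same question: which flows the crypto ACL classes as interesting traffic. The first reply removes the icmp entries because the ip entries already cover them, and the second explains that a ping sourced from the outside interface fails because that source is not in the crypto ACL. The following is an added example, not code from the thread or from Cisco: it parses the `object network` and `access-list ... extended permit` lines of the two configs posted above, resolves object names, flags entries that a broader `ip` entry already covers, checks that the two peers' crypto ACLs are exact mirrors, and tests whether a given source/destination pair would be matched. The config strings are constructed from the thread's configs; `203.0.113.10` stands in for ASA1's (DHCP-assigned, unknown) outside address and is a placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Constructed samples: the object and crypto-ACL lines from the two configs in the thread.
ASA1_CONFIG = """\
object network REMOTE-LAN
 subnet 192.168.20.0 255.255.255.0
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
access-list S2S_VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log
access-list S2S_VPN extended permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log
"""
ASA2_CONFIG = """\
object network obj-inside
 subnet 192.168.20.0 255.255.255.0
object network obj-remote
 subnet 192.168.10.0 255.255.255.0
access-list VPN-S2S-JOEY extended permit ip object obj-inside object obj-remote
access-list VPN-S2S-JOEY extended permit icmp object obj-inside object obj-remote
"""


def parse_objects(config):
    """Map each 'object network NAME' to the network given by its 'subnet' or 'host' line."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"host (\S+)$", line)
        if m:
            objects[current] = ipaddress.IPv4Network(m.group(1))
    return objects


def _endpoint(tokens, objects):
    """Consume one address spec: 'object NAME', 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    if tokens[0] in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(config, name, objects):
    """Return the permit entries of access-list NAME as Ace objects (trailing 'log' etc. ignored)."""
    pat = re.compile(rf"access-list {re.escape(name)} extended permit (\S+) (.+)")
    aces = []
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if not m:
            continue
        proto, rest = m.group(1), m.group(2).split()
        src, rest = _endpoint(rest, objects)
        dst, _ = _endpoint(rest, objects)
        aces.append(Ace(proto, src, dst))
    return aces


def redundant_aces(aces):
    """Entries already covered by an 'ip' entry whose src and dst contain theirs."""
    ip_aces = [a for a in aces if a.proto == "ip"]
    return [a for a in aces if a.proto != "ip"
            and any(a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst) for b in ip_aces)]


def is_mirrored(local, remote):
    """Crypto ACLs on the two peers must be exact mirrors: every (proto, src, dst) here
    appears as (proto, dst, src) on the peer, and vice versa."""
    return ({(a.proto, a.src, a.dst) for a in local}
            == {(a.proto, a.dst, a.src) for a in remote})


def is_interesting(aces, src_ip, dst_ip, proto="icmp"):
    """Would a src->dst packet of this protocol be matched by the crypto ACL?"""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(a.proto in ("ip", proto) and s in a.src and d in a.dst for a in aces)


if __name__ == "__main__":
    asa1 = parse_acl(ASA1_CONFIG, "S2S_VPN", parse_objects(ASA1_CONFIG))
    asa2 = parse_acl(ASA2_CONFIG, "VPN-S2S-JOEY", parse_objects(ASA2_CONFIG))
    print("redundant on ASA1:", redundant_aces(asa1))
    print("mirrored:", is_mirrored(asa1, asa2))
    print("inside-sourced ping interesting:", is_interesting(asa1, "192.168.10.1", "192.168.20.2"))
    # Placeholder for ASA1's outside address (not in the thread): not in the crypto ACL.
    print("outside-sourced ping interesting:", is_interesting(asa1, "203.0.113.10", "192.168.20.2"))
```

On the thread's configs this reports the icmp entry on each side as redundant, confirms the two ACLs mirror each other, and shows why `ping 192.168.20.2` fails while `ping inside 192.168.20.2` succeeds: only the inside-sourced flow falls inside the crypto ACL.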