L2L IPSec Tunnel - ASA to Cisco 3800 Router

aaron.johnson
Level 1
Hi everyone,

I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SAs when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.

The ASA is:
Cisco Adaptive Security Appliance Software Version 8.2(2)
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

The router is:
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9_SNA-M), Version 12.4(20)YA3, RELEASE SOFTWARE (fc2)

Router Config:
!
version 12.4
!
card type t1 0 0
!
no ip cef
!
ip multicast-routing
no ipv6 cef
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address nn.nn.12.130
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map NOLA 11 ipsec-isakmp
set peer nn.nn.12.130
set transform-set 3DES-SHA
set pfs group2
match address VPN-ACL
!
controller T1 0/0/0
fdl both
cablelength long 0db
channel-group 1 timeslots 1-24
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip virtual-reassembly
no ip route-cache
crypto map NOLA
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Connection to RSD-LINEAR-4507
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.240.4.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.240.5.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 10.240.6.2 255.255.255.128
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.21
encapsulation dot1Q 21
ip address 10.240.6.130 255.255.255.128
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 10.240.8.2 255.255.252.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0:1
bandwidth 1536
ip address nn.nn.236.6 255.255.255.252
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
no fair-queue
no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 nn.nn.236.5
!
ip nat inside source list 101 interface Serial0/0/0:1 overload
ip nat inside source list NONAT-ACL interface Loopback0 overload
ip nat inside source static 1.1.1.1 nn.nn.244.210
!
ip access-list extended NONAT-ACL
deny   ip 10.240.4.0 0.0.3.255 10.32.244.0 0.0.3.255
deny   ip 10.240.4.0 0.0.3.255 10.32.248.0 0.0.3.255
deny   ip 10.240.8.0 0.0.3.255 10.32.244.0 0.0.3.255
deny   ip 10.240.8.0 0.0.3.255 10.32.248.0 0.0.3.255
deny   ip 10.240.4.0 0.0.3.255 host 10.6.4.56
deny   ip 10.240.4.0 0.0.3.255 host 10.6.4.57
deny   ip 10.240.8.0 0.0.3.255 host 10.6.4.56
deny   ip 10.240.8.0 0.0.3.255 host 10.6.4.57
permit ip any any
ip access-list extended VPN-ACL
permit ip 10.240.4.0 0.0.3.255 10.32.244.0 0.0.3.255
permit ip 10.240.4.0 0.0.3.255 10.32.248.0 0.0.3.255
permit ip 10.240.8.0 0.0.3.255 10.32.244.0 0.0.3.255
permit ip 10.240.8.0 0.0.3.255 10.32.248.0 0.0.3.255
permit ip 10.240.4.0 0.0.3.255 host 10.6.4.56
permit ip 10.240.4.0 0.0.3.255 host 10.6.4.57
permit ip 10.240.8.0 0.0.3.255 host 10.6.4.56
permit ip 10.240.8.0 0.0.3.255 host 10.6.4.57
!
access-list 101 permit ip any any
!
end

ASA Config:
ASA Version 8.2(2)
!
hostname RSD-FIREWALL
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address nn.nn.12.130 255.255.255.248 standby nn.nn.12.131
!
access-list NONAT extended permit ip 10.32.248.0 255.255.252.0 10.240.4.0 255.255.252.0
access-list NONAT extended permit ip 10.32.248.0 255.255.252.0 10.240.8.0 255.255.252.0
access-list NONAT extended permit ip 10.32.244.0 255.255.252.0 10.240.4.0 255.255.252.0
access-list NONAT extended permit ip 10.32.244.0 255.255.252.0 10.240.8.0 255.255.252.0
access-list NONAT extended permit ip host 10.6.4.57 10.240.4.0 255.255.252.0
access-list NONAT extended permit ip host 10.6.4.57 10.240.8.0 255.255.252.0
access-list NONAT extended permit ip host 10.6.4.56 10.240.4.0 255.255.252.0
access-list NONAT extended permit ip host 10.6.4.56 10.240.8.0 255.255.252.0
access-list PAT extended permit ip 10.0.0.0 255.0.0.0 any
access-list LINEARVPN extended permit ip 10.32.248.0 255.255.252.0 10.240.8.0 255.255.252.0
access-list LINEARVPN extended permit ip host 10.6.4.56 10.240.4.0 255.255.252.0
access-list LINEARVPN extended permit ip host 10.6.4.57 10.240.8.0 255.255.252.0
access-list LINEARVPN extended permit ip host 10.6.4.57 10.240.4.0 255.255.252.0
access-list LINEARVPN extended permit ip 10.32.244.0 255.255.252.0 10.240.4.0 255.255.252.0
access-list LINEARVPN extended permit ip 10.32.244.0 255.255.252.0 10.240.8.0 255.255.252.0
access-list LINEARVPN extended permit ip 10.32.248.0 255.255.252.0 10.240.4.0 255.255.252.0
!
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit attack action drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 nn.nn.223.251
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list PAT
!
route outside 0.0.0.0 0.0.0.0 nn.nn.12.129 1
route inside 10.0.0.0 255.0.0.0 10.32.248.1 1
route outside 10.240.4.0 255.255.252.0 nn.nn.12.129 1
route outside 10.240.8.0 255.255.252.0 nn.nn.12.129 1
!
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMICMAP 10 set transform-set 3DES
crypto map outside_map 1 match address LINEARVPN
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer nn.nn.244.210
crypto map outside_map 1 set transform-set 3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 40 set peer nn.nn.160.10
crypto map outside_map 40 set transform-set 3DES
crypto map outside_map 9999 ipsec-isakmp dynamic DYNAMICMAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group nn.nn.244.210 type ipsec-l2l
tunnel-group nn.nn.244.210 ipsec-attributes
pre-shared-key xxxxxxx
!
: end

.........................................

Any ideas?  ACL changes?

THANKS SO MUCH! =)

- Aaron.


15 Replies

Changing the routes on both sides finally solved everything!

On the ASA:

My previous routes were

route outside 10.200.0.0 255.255.0.0 nn.nn.12.129 1

route outside 10.240.4.0 255.255.252.0 nn.nn.12.129 1

This had worked for our previous L2L connection from this ASA to another ASA.  The route specified points to the external address of that ASA (Side A).  For the ASA-to-Router connection, however, the route had to be changed to the external address of the router (Side B):

route outside 10.240.4.0 255.255.252.0 nn.nn.244.210 1

route outside 10.240.8.0 255.255.252.0 nn.nn.244.210 1

On the router side (Side B), the routes for the internal subnets on Side A also had to be pointed to the external address of the ASA on Side A:

ip route 10.6.4.56 255.255.255.255 nn.nn.12.130
ip route 10.6.4.57 255.255.255.255 nn.nn.12.130
ip route 10.32.244.0 255.255.252.0 nn.nn.12.130
ip route 10.32.248.0 255.255.252.0 nn.nn.12.130

The last change was that somehow the access list NONAT-ACL had become disordered, so that the permit statements were at the start.  I corrected the access list to the following:

Extended IP access list NONAT-ACL
    30 deny ip 10.240.4.0 0.0.3.255 10.32.244.0 0.0.3.255
    40 deny ip 10.240.4.0 0.0.3.255 10.32.248.0 0.0.3.255
    50 deny ip 10.240.8.0 0.0.3.255 10.32.244.0 0.0.3.255
    60 deny ip 10.240.8.0 0.0.3.255 10.32.248.0 0.0.3.255
    70 deny ip 10.240.4.0 0.0.3.255 host 10.6.4.56
    80 deny ip 10.240.4.0 0.0.3.255 host 10.6.4.57
    90 deny ip 10.240.8.0 0.0.3.255 host 10.6.4.56
    100 deny ip 10.240.8.0 0.0.3.255 host 10.6.4.57
    110 permit ip 10.240.4.0 0.0.3.255 any
    120 permit ip 10.240.8.0 0.0.3.255 any

Connectivity is now functional on both sides!

Thanks everyone for all of your help, and I hope that this can help someone else in the future. =)

- Aaron.
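The NAT/NONAT question in the opening post and the ACL-ordering fix in the reply come down to one mechanism: on IOS, `ip nat inside source list` translates whatever its ACL *permits* (the opposite of the ASA's `nat (inside) 0 access-list`, where a permit means "exempt"), the ACL is evaluated first-match with an implicit deny at the end, and for inside-to-outside traffic NAT runs before the crypto-map check. So if the permit lines come before the deny lines, tunnel-bound packets are PATed to the overload address, no longer match VPN-ACL, and leave the router in the clear toward the default route instead of being encrypted. The script below is an added example written for this page, not configuration or code from the thread or from Cisco; it parses the `permit|deny ip SRC DST` subset of IOS extended-ACL syntax used here and walks a packet through that NAT-then-crypto decision. Assumptions: a single overload address (Loopback0's 1.1.1.1, as in the router config), and a reconstruction of the "disordered" list as the corrected list with its two permits moved to the top, since the reply describes but does not print it.

```python
import ipaddress

# Added example, not configuration from the thread: a minimal evaluator for
# the 'permit|deny ip SRC DST' subset of IOS extended-ACL syntax, plus the
# NAT-then-crypto decision an inside->outside packet goes through on an IOS
# router ('ip nat inside source list' translates what its ACL PERMITS, the
# crypto map encrypts what its match ACL permits, and NAT runs first).

# Copied from the reply (sequence numbers dropped): deny tunnel traffic first,
# then permit everything else from the inside subnets.
NONAT_ACL_FIXED = """
deny   ip 10.240.4.0 0.0.3.255 10.32.244.0 0.0.3.255
deny   ip 10.240.4.0 0.0.3.255 10.32.248.0 0.0.3.255
deny   ip 10.240.8.0 0.0.3.255 10.32.244.0 0.0.3.255
deny   ip 10.240.8.0 0.0.3.255 10.32.248.0 0.0.3.255
deny   ip 10.240.4.0 0.0.3.255 host 10.6.4.56
deny   ip 10.240.4.0 0.0.3.255 host 10.6.4.57
deny   ip 10.240.8.0 0.0.3.255 host 10.6.4.56
deny   ip 10.240.8.0 0.0.3.255 host 10.6.4.57
permit ip 10.240.4.0 0.0.3.255 any
permit ip 10.240.8.0 0.0.3.255 any
"""

# Constructed reconstruction (assumption) of the "disordered" list the reply
# describes: same entries, permits first. Not the exact text from the router.
_lines = NONAT_ACL_FIXED.strip().splitlines()
NONAT_ACL_DISORDERED = "\n".join(_lines[8:] + _lines[:8])

# Copied from the original post (the crypto map's 'match address' ACL).
VPN_ACL = """
permit ip 10.240.4.0 0.0.3.255 10.32.244.0 0.0.3.255
permit ip 10.240.4.0 0.0.3.255 10.32.248.0 0.0.3.255
permit ip 10.240.8.0 0.0.3.255 10.32.244.0 0.0.3.255
permit ip 10.240.8.0 0.0.3.255 10.32.248.0 0.0.3.255
permit ip 10.240.4.0 0.0.3.255 host 10.6.4.56
permit ip 10.240.4.0 0.0.3.255 host 10.6.4.57
permit ip 10.240.8.0 0.0.3.255 host 10.6.4.56
permit ip 10.240.8.0 0.0.3.255 host 10.6.4.57
"""


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if (wildcard + 1) & wildcard:  # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported")
    mask = ~wildcard & 0xFFFFFFFF
    prefix = 32 - wildcard.bit_length()
    net = ipaddress.ip_network(f"{ipaddress.IPv4Address(addr & mask)}/{prefix}")
    return net, i + 2


def parse_acl(text):
    """Return the ACL as an ordered list of (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def acl_action(acl_text, src_ip, dst_ip):
    """IOS first-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in parse_acl(acl_text):
        if s in src and d in dst:
            return action
    return "deny"


def egress(nonat_acl, vpn_acl, src_ip, dst_ip, pat_ip="1.1.1.1"):
    """Inside->outside on IOS: NAT is applied before the crypto-map check, so a
    packet the NAT ACL permits leaves with the overload address (assumed here
    to be Loopback0's 1.1.1.1) and only then is compared against VPN-ACL.
    Returns (translated, post_nat_source, encrypted)."""
    translated = acl_action(nonat_acl, src_ip, dst_ip) == "permit"
    post_nat_src = pat_ip if translated else src_ip
    encrypted = acl_action(vpn_acl, post_nat_src, dst_ip) == "permit"
    return translated, post_nat_src, encrypted


if __name__ == "__main__":
    for label, acl in (("disordered", NONAT_ACL_DISORDERED), ("fixed", NONAT_ACL_FIXED)):
        print(label, "10.240.4.10 -> 10.32.244.10:", egress(acl, VPN_ACL, "10.240.4.10", "10.32.244.10"))
    print("fixed 10.240.4.10 -> 203.0.113.5 (Internet):", egress(NONAT_ACL_FIXED, VPN_ACL, "10.240.4.10", "203.0.113.5"))
```

With the permits first, a reply from 10.240.4.10 to 10.32.244.10 is translated to 1.1.1.1 and misses VPN-ACL, which matches the symptom in the opening post (the router decrypts the ASA's packets, but nothing usable comes back). With the denies first the same packet is left untranslated and hits the crypto map, while ordinary Internet-bound traffic from the same host is still PATed and not encrypted. A quick check on a live box is `show ip access-lists NONAT-ACL` to confirm the sequence numbers put every deny ahead of every permit, and `show ip nat translations` to confirm no entries exist for the tunnel subnets.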