Public-to-Public L2L VPN no return traffic

tsciesinski
Level 1

Hello all,

I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public IP address to set up a site-to-site IPSEC VPN. We only have one public IP address, and that will be used for the VPN endpoint and for internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases any time I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.

Local Network - 10.10.9.0/24

Remote Network - 20.20.41.0/24

Remote Peer - 20.20.60.193


ASA Version 8.2(5)
!
hostname ciscoasa
domain-name
names
name 10.10.9.3 VPN description VPN Server
name 10.10.9.4 IntranetMySQL description MySQL For Webserver
name 192.168.0.100 IIS_Webserver
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.9.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.***.***.162 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.10.9.1
 domain-name
same-security-traffic permit inter-interface
object-group service VPN_TCP
 description VPN TCP Connection
 service-object tcp eq 1195
object-group service VPN_UDP
 description VPN UDP Port
 service-object udp eq 1194
object-group service VPN_HTTPS
 description VPN HTTPS Web Server
 service-object tcp eq 943
 service-object udp eq 943
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service WebServer
 service-object tcp eq 8001
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp eq www
 service-object tcp eq https
object-group service VPN_HTTPS_UDP udp
 port-object eq 943
object-group service WCF_WebService tcp
 port-object eq 808
object-group service RDP tcp
 port-object eq 3389
object-group service RDP_UDP udp
 port-object eq 3389
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp eq www
 service-object tcp eq https
object-group service *_Apache tcp
 port-object eq 8001
object-group service *_ApacheUDP udp
 port-object eq 8001
object-group service IIS_SQL_Server tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service File_Sharing tcp
 port-object eq 445
object-group service File_Sharing_UDP udp
 port-object eq 445
object-group service MySQL tcp
 port-object eq 3306
object-group service Http_Claims_Portal tcp
 port-object eq 8080
object-group service Http_Claims_PortalUDP udp
 port-object eq 8080
object-group service RTR_Portal tcp
 description Real Time Rating Portal
 port-object eq 8081
object-group service RTR_PortalUDP udp
 port-object eq 8081
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp eq www
 service-object tcp eq https
access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
access-list outside_access_in extended permit tcp any any eq 1195
access-list outside_access_in extended permit object-group VPN_HTTPS any any
access-list outside_access_in extended permit tcp any interface outside eq 943
access-list outside_access_in extended permit tcp any any eq 8001
access-list inside_access_in extended permit tcp any any
access-list outside_access_in_1 extended permit tcp any interface outside eq 943
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
access-list outside_access_in_2 extended permit icmp any any
access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
access-list outside_access_in_2 remark VPN TCP Ports
access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
access-list outside_access_in_2 remark Palm Insure Apache Server
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
access-list outside_access_in_2 remark RTR Access rule for internal VMs
access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
access-list inside_access_in_1 extended permit object-group TCPUDP any any
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit esp any any
access-list inside_access_in_1 extended permit udp any any eq isakmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.9.0 255.255.255.0
static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
static (inside,outside) interface  access-list inside_nat_static
access-group inside_access_in_1 in interface inside
access-group outside_access_in_2 in interface outside
access-group dmz_access_in_1 in interface dmz
route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 20.20.60.193
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 10.10.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 20.20.60.193 type ipsec-l2l
tunnel-group 20.20.60.193 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

4 Replies

Jouni Forss
VIP Alumni

Hi,

If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN, you don't really have to build any additional NAT configurations for the L2L VPN connection. So you shouldn't need the "static" configuration you have made.

static (inside,outside) interface  access-list inside_nat_static

This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.

Did you try the connectivity without the "static" configuration?

For ICMP testing I would add the command

fixup protocol icmp

or

policy-map global_policy
 class inspection_default
  inspect icmp

Should do the same thing

- Jouni
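To make the order of operations Jouni describes concrete, here is a small model of the ASA 8.2 outbound path (NAT first, then the crypto ACL evaluated against the translated source). It is an added illustration, not code from the thread, from Cisco, or from the ASA itself; it covers only inside-originated traffic and uses the TEST-NET address 203.0.113.162 as a placeholder for the poster's redacted outside address. Running it with and without the poster's `static (inside,outside) interface access-list inside_nat_static` shows that both paths reach the tunnel with the same post-NAT source, which is why removing the static made no difference.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Placeholder (TEST-NET-3) for the redacted 71.x.x.162 outside interface address.
OUTSIDE_IP = IPv4("203.0.113.162")
INSIDE_NET = Net("10.10.9.0/24")      # nat (inside) 1 10.10.9.0 255.255.255.0
REMOTE_NET = Net("20.20.41.0/24")     # vendor network named in the thread


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line; 'host x' is modelled as x/32."""
    src: Net
    dst: Net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.src and dst in self.dst


@dataclass(frozen=True)
class Asa82Model:
    """Simplified ASA 8.2 outbound pipeline for inside hosts only (assumption)."""
    outside_ip: IPv4
    inside_net: Net                            # nat (inside) 1 + global (outside) 1 interface
    crypto_acl: Tuple[AclEntry, ...]           # crypto map ... match address <acl>
    policy_static: Tuple[AclEntry, ...] = ()   # static (inside,outside) interface access-list <acl>

    def translate(self, src: IPv4, dst: IPv4) -> Optional[Tuple[IPv4, str]]:
        # Static (policy) NAT is consulted before dynamic nat/global on 8.2.
        for entry in self.policy_static:
            if entry.matches(src, dst):
                return self.outside_ip, "policy static"
        if src in self.inside_net:
            return self.outside_ip, "dynamic PAT"
        return None  # nat-control is on: an untranslated inside host is dropped

    def forward(self, src: IPv4, dst: IPv4) -> str:
        translated = self.translate(src, dst)
        if translated is None:
            return "drop: no translation under nat-control"
        mapped, how = translated
        # The crypto ACL is matched against the post-NAT source address.
        for entry in self.crypto_acl:
            if entry.matches(mapped, dst):
                return f"tunnel ({how}, src {mapped})"
        return f"cleartext ({how}, src {mapped})"


# access-list outside_1_cryptomap extended permit ip host <outside> 20.20.41.0 255.255.255.0
CRYPTO_ACL = (AclEntry(Net(f"{OUTSIDE_IP}/32"), REMOTE_NET),)
# access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
STATIC_ACL = (AclEntry(Net("10.10.9.1/32"), REMOTE_NET),)


def compare_with_and_without_static() -> Dict[str, Tuple[str, str]]:
    """Return (with static, without static) forwarding decisions for two inside hosts."""
    with_static = Asa82Model(OUTSIDE_IP, INSIDE_NET, CRYPTO_ACL, STATIC_ACL)
    without_static = Asa82Model(OUTSIDE_IP, INSIDE_NET, CRYPTO_ACL)
    dst = IPv4("20.20.41.10")  # constructed host inside the vendor network
    results = {}
    for host in ("10.10.9.1", "10.10.9.50"):
        src = IPv4(host)
        results[host] = (with_static.forward(src, dst), without_static.forward(src, dst))
    return results


def internet_bound(src: str = "10.10.9.50", dst: str = "198.51.100.7") -> str:
    """Same PAT, but a destination outside the crypto ACL goes out in the clear."""
    asa = Asa82Model(OUTSIDE_IP, INSIDE_NET, CRYPTO_ACL)
    return asa.forward(IPv4(src), IPv4(dst))


if __name__ == "__main__":
    for host, (a, b) in compare_with_and_without_static().items():
        print(f"{host}: with static -> {a}; without static -> {b}")
    print(f"internet-bound: {internet_bound()}")
```

The model also shows why a crypto ACL written with the real inside subnet as source would never match here: the source the crypto map sees is already the outside interface address.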

Hi Jouni,

Thinking more about the process, I absolutely agree with you that the static statement shouldn't be there. Any traffic that's destined for the vpn remote network should be picked up by the cryptomap and passed through the tunnel.

I removed the statement and just tried it again, but it didn't make any difference.

Though,

You did state that you see traffic getting encrypted/encapsulated on your site and sent to the L2L VPN connection in question.

Still, you were getting TCP SYN Timeout, which would point towards a situation where the remote site isn't handling the traffic correctly. Might be a problem related to return routing, firewall rules, etc.

If you use the command "show crypto ipsec sa peer 20.20.60.193" I imagine the "decapsulated" counter is always at "0"? That there is no return traffic from the other site?

- Jouni
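The encaps/decaps check Jouni suggests is easy to automate when you have several peers to review. The following is an added example, not code from this thread or from Cisco: it parses the counter lines of `show crypto ipsec sa peer` output and classifies each SA as idle, one-way or bidirectional. The sample output is constructed, modelled on the ASA 8.2 format, with 203.0.113.162 standing in for the poster's redacted outside address; the remote network and peer are the ones named in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of ASA 8.2 "show crypto ipsec sa peer 20.20.60.193".
# Encaps climbing while decaps stays at 0 is exactly the symptom described in the thread.
SAMPLE_SA_OUTPUT = """\
peer address: 20.20.60.193
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.162

      access-list outside_1_cryptomap extended permit ip host 203.0.113.162 20.20.41.0 255.255.255.0
      local ident (addr/mask/prot/port): (203.0.113.162/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (20.20.41.0/255.255.255.0/0/0)
      current_peer: 20.20.60.193

      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""


@dataclass
class IpsecSa:
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


_COUNTER = re.compile(r"#(?P<name>pkts encaps|pkts decaps|send errors|recv errors):\s*(?P<value>\d+)")
_IDENT = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<addr>[^/]+)/(?P<mask>[^/]+)/")
_PEER = re.compile(r"current_peer:\s*(\S+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output into one chunk per 'Crypto map tag:' block and pull out the fields."""
    sas: List[IpsecSa] = []
    chunks = re.split(r"(?m)^\s*Crypto map tag:", text)[1:]  # text before the first SA is a header
    for chunk in chunks:
        idents = {m.group("side"): f"{m.group('addr')}/{m.group('mask')}" for m in _IDENT.finditer(chunk)}
        counters: Dict[str, int] = {m.group("name"): int(m.group("value")) for m in _COUNTER.finditer(chunk)}
        peer = _PEER.search(chunk)
        sas.append(IpsecSa(
            peer=peer.group(1) if peer else "?",
            local_ident=idents.get("local", "?"),
            remote_ident=idents.get("remote", "?"),
            encaps=counters.get("pkts encaps", 0),
            decaps=counters.get("pkts decaps", 0),
            send_errors=counters.get("send errors", 0),
            recv_errors=counters.get("recv errors", 0),
        ))
    return sas


def diagnose(sa: IpsecSa) -> str:
    """Map the counter pattern to the next thing worth checking."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle: nothing has matched the crypto ACL yet"
    if sa.decaps == 0:
        return (f"one-way: {sa.encaps} packets sent to {sa.peer}, none returned; "
                f"check the remote crypto ACL, return route and firewall rules for "
                f"{sa.remote_ident} -> {sa.local_ident}")
    if sa.encaps == 0:
        return "one-way: traffic arrives from the peer but nothing is sent; check local routing and NAT"
    if sa.send_errors or sa.recv_errors:
        return "bidirectional with errors: compare transform sets and SA lifetimes on both ends"
    return "bidirectional: counters increase in both directions"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f"{sa.local_ident} <-> {sa.remote_ident} via {sa.peer}: {diagnose(sa)}")
```

Run it against the real `show crypto ipsec sa` output (saved to a file) by reading that file in place of `SAMPLE_SA_OUTPUT`; with more than one crypto map entry the parser returns one `IpsecSa` per block.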

That is correct.