cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
556
Views
15
Helpful
9
Replies

S2S VPN Issues

AJPujol
Beginner
Beginner

Hello Cisco Community:

 

I have the following issue which is making me feel really frustrated.

 

I need to have a S2S VPN tunnel up and running between to FWs.

 

One side is a 5525 and the other is a 5505

 

Since i do not have access to the CLI on the 5505 (the one that, as far as i can see, it's presenting some issues) i will have to manually explain:

 

Tunnel is able to establish.

 

5525 have the following networks: 33.0/24 , 34.0/24 and 35.0/24

5505 have the following networks: 90.0/24 and 80.0/24

 

Once the tunnel is established, i can see that, from the 5505 side, i can RX packets from the network 33.0/24 but i cannot TX packets from network 90.0/24

 

Basically, when i go to ASDM, i can see how the RX counter keeps going up but TX is zero.

 

I've been trying and trying to see whats going on and i am really confused about the NAT rules i should set up.

 

If the scenario is this, what would be the basic configuration you guys would try? I have access to both ASA's ASDM managers but no CLI access. that's why i cannot copy/paste any output.

 

As i mentioned before, ASA 5505 hosts network 90.0/24 and 80.0/24, when people in the office are working, i can see TX and RX only from network 80.0/24 to network 33.0/24 and 35.0/24, but no normal traffic between 90.0/24 and the network ranges on the 5525.

 

Can anyone please help me? And sorry if this post is not too technical, i really don't know how much more i can explain since i cannot access the CLI and show the config

 

Thank you

2 Accepted Solutions

Accepted Solutions

@AJPujol isn't this nat rule incorrect?

 

nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

 

shouldn't the source be inside-90 and destination outside? As red-80 and red-90 networks are local

 

nat (inside-90,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

 

That probably explain the asymetric nat error

 

FYI, this rule is an NAT exemption rule.

View solution in original post

@AJPujol 

 

nat (inside-80,outside) source static Red-80 Red-80 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

View solution in original post

9 Replies 9

marce1000
VIP Mentor VIP Mentor
VIP Mentor

 

 - No cli-access is definitely a disadvantage in troubleshooting and testing, checkout  : https://www.youtube.com/watch?v=lGbsQJOxjsI  which at some point also uses CLI

 M.

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@AJPujol if "can see how the RX counter keeps going up but TX is zero." this is probably a NAT issue, where you have another NAT rule that is unintentially translating the traffic. You need a NAT exemption rule, here is an example.

AJPujol
Beginner
Beginner

Thank you so much for the information! It seems that, whether i like it or not, the 4 hosts on the 90.0/24 that were not responding , were specific asterisks that "suddenly" started to inject TX ...

This scenario does not make me happy since now the VPN tunnel has no NAT exception, still, it "works"

 

While being logged on a 33.0/24 host, i try to ping a 90.0/24 hosts and it say something about asymmetric  NAT rules matched.... (which i cannot see an ICMP response) but i guess i should ask that question on another post on a new topic ?

 

Thank you again!

@AJPujol something about asymmetric nat...would indicte you need to nat exempt traffic, because traffic is being translated!!

Run packet-tracer from the cli to simulate traffic and provide the output for review.

Rob, thank you so much! I will now run the packet-tracer command from the CORE FW and paste it here.

If i go to the monitor logging on ASDM (from the OFFICE side) i can see that asymmetric NAT rule issue

AJPujol
Beginner
Beginner

And FINALLY, this is the sh run output

 

Result of the command: "show running-config"

 

: Saved

:

: Serial Number: JMX190540J6

: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz

:

ASA Version 9.2(3)

!

hostname FW-HOSTNAME

enable password kwn0Q1zI.A6CxRDI encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 83,87-89

switchport mode trunk

shutdown

!

interface Ethernet0/2

!

interface Ethernet0/3

description INSIDE-OFFICE

switchport trunk allowed vlan 1,80,90

switchport mode trunk

!

interface Ethernet0/4

switchport access vlan 80

!

interface Ethernet0/5

switchport access vlan 90

switchport trunk allowed vlan 80,90

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.79.1 255.255.255.0

!

interface Vlan2

description Internet-Office

nameif outside

security-level 0

ip address 190.210.195.241 255.255.255.252

!

interface Vlan80

description ALL

nameif inside-80

security-level 100

ip address 192.168.80.1 255.255.255.0

!

interface Vlan83

description Devs

nameif inside-83

security-level 100

ip address 192.168.83.1 255.255.255.0

!

interface Vlan87

description CCR

nameif inside-87

security-level 100

ip address 192.168.87.1 255.255.255.0

!

interface Vlan88

description QA

nameif inside-88

security-level 100

ip address 192.168.88.1 255.255.255.0

!

interface Vlan89

description Guest

nameif inside-89

security-level 100

ip address 192.168.89.1 255.255.255.0

!

interface Vlan90

description INFRA

nameif inside-90

security-level 100

ip address 192.168.90.1 255.255.255.0

!

ftp mode passive

clock timezone ART -3

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network FW-CORE

host 192.168.9.125

object network Red-20

subnet 192.168.20.0 255.255.255.0

object network Red-33

subnet 192.168.33.0 255.255.255.0

object network Red-34

subnet 192.168.34.0 255.255.255.0

object network Red-35

subnet 192.168.35.0 255.255.255.0

object network Red-9

subnet 192.168.9.0 255.255.255.0

object network PUBLICA-FW-CORE

host 200.XXX.XXX.XXX

object network Red-80

subnet 192.168.80.0 255.255.255.0

object network Red-90

subnet 192.168.90.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group network DM_INLINE_NETWORK_1

network-object object Red-80

network-object object Red-90

object-group network DM_INLINE_NETWORK_2

network-object object Red-33

network-object object Red-34

network-object object Red-35

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2

access-list outside_access_in extended permit ip any any

access-list inside-90_access_in extended permit ip any any

access-list inside-90_access_in extended permit ip object Red-90 any

access-list inside-80_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu inside-80 1500

mtu inside-83 1500

mtu inside-87 1500

mtu inside-88 1500

mtu inside-89 1500

mtu inside-90 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

!

object network obj_any

nat (any,outside) dynamic interface

!

nat (outside,inside-90) after-auto source static any any unidirectional no-proxy-arp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group inside-80_access_in in interface inside-80

access-group inside-90_access_in in interface inside-90

route outside 0.0.0.0 0.0.0.0 190.XXX.XXXX.XXX 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.79.0 255.255.255.0 inside

http 192.168.35.37 255.255.255.255 inside

http 192.168.12.0 255.255.255.0 inside

http 192.168.90.0 255.255.255.0 inside-90

http 192.168.80.0 255.255.255.0 inside-80

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 200.XXX.XXX.XXX

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable inside

crypto ikev2 enable outside

crypto ikev2 enable inside-80

crypto ikev2 enable inside-90

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 enable inside-80

crypto ikev1 enable inside-90

crypto ikev1 policy 1

authentication pre-share

encryption aes

hash md5

group 2

lifetime 86400

crypto ikev1 policy 2

authentication pre-share

encryption aes-256

hash md5

group 1

lifetime 86400

crypto ikev1 policy 3

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

no ssh stricthostkeycheck

ssh 192.168.12.0 255.255.255.0 inside

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd auto_config outside

!

dhcpd address 192.168.79.5-192.168.79.6 inside

!

dhcpd address 192.168.80.100-192.168.80.200 inside-80

dhcpd dns 8.8.8.8 interface inside-80

dhcpd enable inside-80

!

dhcpd address 192.168.83.100-192.168.83.200 inside-83

dhcpd enable inside-83

!

dhcpd address 192.168.87.100-192.168.87.200 inside-87

dhcpd enable inside-87

!

dhcpd address 192.168.88.100-192.168.88.200 inside-88

dhcpd enable inside-88

!

dhcpd address 192.168.89.60-192.168.89.200 inside-89

dhcpd enable inside-89

!

dhcpd address 192.168.90.100-192.168.90.149 inside-90

dhcpd dns 8.8.8.8 interface inside-90

dhcpd enable inside-90

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy GroupPolicy_200.XXX.XXX.XXX internal

group-policy GroupPolicy_200.XXX.XXX.XXX attributes

vpn-tunnel-protocol ikev1 ikev2

username ROOT-USERNAME password xxXXxxxxXXxxXX encrypted privilege 15

username SU-ROOT-USERNAME password xxXXxxxxXXxxXX encrypted privilege 15

tunnel-group 200.xxx.xxx.xxx type ipsec-l2l

tunnel-group 200.xxx.xxx.xxx general-attributes

default-group-policy GroupPolicy_200.xxx.xxx.xxx

tunnel-group 200.xxx.xxx.xxx ipsec-attributes

ikev1 pre-shared-key xxxxx

ikev2 remote-authentication pre-shared-key xxxxx

ikev2 local-authentication pre-shared-key xxxxx

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum: xxXXXxxxxXXXxxxxxXX

: end

@AJPujol isn't this nat rule incorrect?

 

nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

 

shouldn't the source be inside-90 and destination outside? As red-80 and red-90 networks are local

 

nat (inside-90,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

 

That probably explain the asymetric nat error

 

FYI, this rule is an NAT exemption rule.

Rob! Thank you so much! I can now ping the 4 hosts on network-90! Is there a way for me to ping hosts on network-80 as well ? That would be the ONLY thing left for me to be happy and make my boss happy

@AJPujol 

 

nat (inside-80,outside) source static Red-80 Red-80 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers