07-10-2012 06:12 AM
Hello, everybody!
I have a problem.
I have two LANs - 192.168.44.0/22 and 192.168.0.0/24
I connected them with site-to-site VPN: ASA 8.2 (192.168.45.200) in 192.168.44.0/22 and 880 router(192.168.0.1)in 192.168.0.0/24
eberything is fine. I created another two networks - 10.100.100.0/24 and 10.11.12.0/24
and connect them to 192.168.44.0/24
10.100.100.0 through 192.168.47.233
10.11.12.0 through 192.168.47.236
I insert these networks in all ACLs on ASA and on 880 router
and in vain. I cannot ping 10.11.12.0 and 10.100.100.0 from 192.168.0.0
and vice versa
that the part ot ASA config
!
interface Ethernet0/0
nameif outside
security-level 0
ip address AAA.BBB.CCC.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.45.200 255.255.252.0
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 AAA.BBB.CCC.17 1
route inside 10.11.12.0 255.255.255.0 192.168.47.236 1
route inside 10.100.100.0 255.255.255.0 192.168.47.233 1
crypto map Sta-Map 1 match address outside_1_cryptomap
crypto map Sta-Map 1 set pfs group1
crypto map Sta-Map 1 set peer WWW.XXX.YYY.22
crypto map Sta-Map 1 set transform-set ESP-DES-SHA
crypto map Sta-Map 1 set reverse-route
crypto map Sta-Map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group WWW.WWW.YYY.22 type ipsec-l2l
tunnel-group WWW.XXX.YYY.22 ipsec-attributes
pre-shared-key *
that is the part of 880 router config
ip source-route
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key k@t@klizm address 62.205.178.18
!
!
crypto ipsec transform-set sklad-office esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toAAA.BBB.CCC.18
set peer AAA.BBB.CCC.18
set transform-set sklad-office
match address 100
reverse-route
interface FastEthernet4
description $ETH-LAN$
ip address WWW.XXX.YYY.22 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.249.6.21
!
ip nat inside source list 113 interface FastEthernet4 overload
access-list 23 permit 62.205.178.18
access-list 23 permit 82.204.180.136
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 188.123.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 permit ip 192.168.0.0 0.0.0.255 any
Please, help me in understanding of where I am wrong
07-18-2012 02:03 AM
Pls advise if it builds the IPSEC SA when you try to ping (when it doesnt work). Please share the output of "show cry isa sa" and "show cry ipsec sa" from both devices when ping doesn't work.
Also, please share the config of the next hop where the 10.100.100.0 network is connected.
07-18-2012 02:28 AM
880 router end
sklad#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
XXX.YYY.ZZZ.22 AAA.BBB.CCC.18 QM_IDLE 2077 ACTIVE
IPv6 Crypto ISAKMP SA
sklad#sh cry ips sa
interface: FastEthernet4
Crypto map tag: SDM_CMAP_1, local addr XXX.YYY.ZZZ.22
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
current_peer AAA.BBB.CCC.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 30, #recv errors 0
local crypto endpt.: XXX.YYY.ZZZ.22, remote crypto endpt.: AAA.BBB.ZZZ.18
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.12.0/255.255.255.0/0/0)
current_peer AAA.BBB.CCC.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: XXX.YYY.ZZZ.22, remote crypto endpt.: AAA.BBB.CCC.18
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)
current_peer AAA.BBB.CCC.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 515543, #pkts encrypt: 515543, #pkts digest: 515543
#pkts decaps: 544592, #pkts decrypt: 544592, #pkts verify: 544592
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 39, #recv errors 0
local crypto endpt.: XXX.YYY.ZZZ.22, remote crypto endpt.: AAA.BBB.ZZZ.18
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x546DDFC3(1416486851)
PFS (Y/N): Y, DH group: group1
inbound esp sas:
spi: 0xEAEF84BB(3941565627)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 937, flow_id: Onboard VPN:937, sibling_flags 80000046, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4495912/3313)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x546DDFC3(1416486851)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 938, flow_id: Onboard VPN:938, sibling_flags 80000046, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4496467/3313)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ASA end
ciscoasa# sh cry isakmp sa
Active SA: 13
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 13
13 IKE Peer: XXX.YYY.ZZZ.22
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa# sh cry ips sa pe XXX.YYY.ZZZ.22
peer address: XXX.YYY.ZZZ.22
Crypto map tag: Sta-Map, seq num: 1, local addr: AAA.BBB.CCC.18
access-list outside_1_cryptomap permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: XXX.YYY.ZZZ.22
#pkts encaps: 6551, #pkts encrypt: 6551, #pkts digest: 6551
#pkts decaps: 5209, #pkts decrypt: 5209, #pkts verify: 5209
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6551, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: AAA.BBB.CCC.18, remote crypto endpt.: XXX.YYY.ZZZ.22
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EAEF84BB
inbound esp sas:
spi: 0x546DDFC3 (1416486851)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 33964032, crypto-map: Sta-Map
sa timing: remaining key lifetime (kB/sec): (4373514/3124)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEAEF84BB (3941565627)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 33964032, crypto-map: Sta-Map
sa timing: remaining key lifetime (kB/sec): (4372487/3124)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
07-18-2012 07:51 AM
It's strange that the ASA does not have SA for the 10.100.100.0 network.
Do you clear the SA on both ASA and the router?
clear cry ipsec sa
clear cry isa sa
07-18-2012 10:47 PM
yes, I cleared ipsec and isakmp
and on the side of ASA tunnel for 10.100.100.0 is created only after ping from 10.100.100.0
why can it be so?
07-19-2012 12:02 AM
without looking at the configuration of the router next hop to the ASA inside and the full config of the ASA, we won't be able to tell what could be the issue.
Pls kindly share the config to see what could possibly be the issue.
07-19-2012 01:52 AM
07-19-2012 07:35 AM
ASA config looks ok.
Can you please share the complete "show cry ipsec sa" from the ASA when it's not working. Just want to check if there is any overlapping subnet particularly with dynamic map
07-22-2012 11:55 PM
07-26-2012 10:33 PM
I'm sorry...
but any idea?
08-12-2012 10:53 PM
hi all!
task is solved.
problem was in non-simmetric crypto map. on the ASA's side I have "pfs group1", on 880's side I don't have
I remove this statement from ASA - and everuthing is fine. Strange that with this non-simmetric configuration the main part of VPN war working
Thanx all
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide