cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3623
Views
0
Helpful
24
Replies

site-to-site between ASA 5510 and 880 router

Sergey Balyura
Beginner
Beginner

Hello, everybody!

I have a problem.

I have two LANs - 192.168.44.0/22 and 192.168.0.0/24

I connected them with site-to-site VPN: ASA 8.2 (192.168.45.200) in 192.168.44.0/22 and 880 router(192.168.0.1)in 192.168.0.0/24

eberything is fine. I created another two networks - 10.100.100.0/24 and 10.11.12.0/24

and connect them to 192.168.44.0/24

10.100.100.0 through 192.168.47.233

10.11.12.0 through 192.168.47.236

I insert these networks in all ACLs on ASA and on 880 router

and in vain. I cannot ping 10.11.12.0 and 10.100.100.0 from 192.168.0.0

and vice versa

that the part ot ASA config

!

interface Ethernet0/0

nameif outside

security-level 0

ip address AAA.BBB.CCC.18 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.45.200 255.255.252.0

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 AAA.BBB.CCC.17 1

route inside 10.11.12.0 255.255.255.0 192.168.47.236 1

route inside 10.100.100.0 255.255.255.0 192.168.47.233 1

crypto map Sta-Map 1 match address outside_1_cryptomap

crypto map Sta-Map 1 set pfs group1

crypto map Sta-Map 1 set peer WWW.XXX.YYY.22

crypto map Sta-Map 1 set transform-set ESP-DES-SHA

crypto map Sta-Map 1 set reverse-route

crypto map Sta-Map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

tunnel-group WWW.WWW.YYY.22 type ipsec-l2l

tunnel-group WWW.XXX.YYY.22 ipsec-attributes

pre-shared-key *

that is the part of 880 router config

ip source-route

crypto isakmp policy 1

encr 3des

authentication pre-share

!

crypto isakmp policy 2

authentication pre-share

crypto isakmp key k@t@klizm address 62.205.178.18

!        

!

crypto ipsec transform-set sklad-office esp-des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel toAAA.BBB.CCC.18

set peer AAA.BBB.CCC.18

set transform-set sklad-office

match address 100

reverse-route

interface FastEthernet4

description $ETH-LAN$

ip address WWW.XXX.YYY.22 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 87.249.6.21

!

ip nat inside source list 113 interface FastEthernet4 overload

access-list 23 permit 62.205.178.18

access-list 23 permit 82.204.180.136

access-list 23 permit 192.168.0.0 0.0.255.255

access-list 23 permit 188.123.0.0 0.0.255.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 113 deny   ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255

access-list 113 deny   ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255

access-list 113 deny   ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 113 permit ip 192.168.0.0 0.0.0.255 any

Please, help me in understanding of where I am wrong

24 Replies 24

Pls advise if it builds the IPSEC SA when you try to ping (when it doesnt work). Please share the output of "show cry isa sa" and "show cry ipsec sa" from both devices when ping doesn't work.

Also, please share the config of the next hop where the 10.100.100.0 network is connected.

880 router end

sklad#sh cry isa sa   

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

XXX.YYY.ZZZ.22     AAA.BBB.CCC.18   QM_IDLE           2077 ACTIVE

IPv6 Crypto ISAKMP SA

sklad#sh cry ips sa

interface: FastEthernet4

    Crypto map tag: SDM_CMAP_1, local addr XXX.YYY.ZZZ.22

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)

   current_peer AAA.BBB.CCC.18 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42

    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: XXX.YYY.ZZZ.22, remote crypto endpt.: AAA.BBB.ZZZ.18

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.11.12.0/255.255.255.0/0/0)

   current_peer AAA.BBB.CCC.18 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: XXX.YYY.ZZZ.22, remote crypto endpt.: AAA.BBB.CCC.18

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)

   current_peer AAA.BBB.CCC.18 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 515543, #pkts encrypt: 515543, #pkts digest: 515543

    #pkts decaps: 544592, #pkts decrypt: 544592, #pkts verify: 544592

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 39, #recv errors 0

     local crypto endpt.: XXX.YYY.ZZZ.22, remote crypto endpt.: AAA.BBB.ZZZ.18

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x546DDFC3(1416486851)

     PFS (Y/N): Y, DH group: group1

     inbound esp sas:

      spi: 0xEAEF84BB(3941565627)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 937, flow_id: Onboard VPN:937, sibling_flags 80000046, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4495912/3313)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x546DDFC3(1416486851)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 938, flow_id: Onboard VPN:938, sibling_flags 80000046, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4496467/3313)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

ASA end

ciscoasa# sh cry isakmp sa

   Active SA: 13

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 13

13  IKE Peer: XXX.YYY.ZZZ.22

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sh cry ips sa pe XXX.YYY.ZZZ.22

peer address: XXX.YYY.ZZZ.22

    Crypto map tag: Sta-Map, seq num: 1, local addr: AAA.BBB.CCC.18

      access-list outside_1_cryptomap permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

      current_peer: XXX.YYY.ZZZ.22

      #pkts encaps: 6551, #pkts encrypt: 6551, #pkts digest: 6551

      #pkts decaps: 5209, #pkts decrypt: 5209, #pkts verify: 5209

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 6551, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: AAA.BBB.CCC.18, remote crypto endpt.: XXX.YYY.ZZZ.22

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: EAEF84BB

    inbound esp sas:

      spi: 0x546DDFC3 (1416486851)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 33964032, crypto-map: Sta-Map

         sa timing: remaining key lifetime (kB/sec): (4373514/3124)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xEAEF84BB (3941565627)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 33964032, crypto-map: Sta-Map

         sa timing: remaining key lifetime (kB/sec): (4372487/3124)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

It's strange that the ASA does not have SA for the 10.100.100.0 network.

Do you clear the SA on both ASA and the router?

clear cry ipsec sa

clear cry isa sa

yes, I cleared ipsec and isakmp

and on the side of ASA tunnel for 10.100.100.0 is created only after ping from 10.100.100.0

why can it be so?

without looking at the configuration of the router next hop to the ASA inside and the full config of the ASA, we won't be able to tell what could be the issue.

Pls kindly share the config to see what could possibly be the issue.

here it is

ASA config looks ok.

Can you please share the complete "show cry ipsec sa" from the ASA when it's not working. Just want to check if there is any overlapping subnet particularly with dynamic map

Here is "show crypto ipsec sa"

I'm sorry...

but any idea?

hi all!

task is solved.

problem was in non-simmetric crypto map. on the ASA's side I have "pfs group1", on 880's side I don't have

I remove this statement from ASA - and everuthing is fine. Strange that with this non-simmetric configuration the main part of VPN war working

Thanx all

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers