07-10-2012 06:12 AM
Hello, everybody!
I have a problem.
I have two LANs: 192.168.44.0/22 and 192.168.0.0/24.
I connected them with a site-to-site VPN: an ASA 8.2 (192.168.45.200) in 192.168.44.0/22 and an 880 router (192.168.0.1) in 192.168.0.0/24.
Everything is fine. I created another two networks, 10.100.100.0/24 and 10.11.12.0/24,
and connected them to 192.168.44.0/24:
10.100.100.0 through 192.168.47.233
10.11.12.0 through 192.168.47.236
I inserted these networks into all ACLs on the ASA and on the 880 router,
but in vain. I cannot ping 10.11.12.0 and 10.100.100.0 from 192.168.0.0,
and vice versa.
This is the part of the ASA config:
!
interface Ethernet0/0
nameif outside
security-level 0
ip address AAA.BBB.CCC.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.45.200 255.255.252.0
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 AAA.BBB.CCC.17 1
route inside 10.11.12.0 255.255.255.0 192.168.47.236 1
route inside 10.100.100.0 255.255.255.0 192.168.47.233 1
crypto map Sta-Map 1 match address outside_1_cryptomap
crypto map Sta-Map 1 set pfs group1
crypto map Sta-Map 1 set peer WWW.XXX.YYY.22
crypto map Sta-Map 1 set transform-set ESP-DES-SHA
crypto map Sta-Map 1 set reverse-route
crypto map Sta-Map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group WWW.XXX.YYY.22 type ipsec-l2l
tunnel-group WWW.XXX.YYY.22 ipsec-attributes
pre-shared-key *
This is the part of the 880 router config:
ip source-route
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key k@t@klizm address 62.205.178.18
!
!
crypto ipsec transform-set sklad-office esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toAAA.BBB.CCC.18
set peer AAA.BBB.CCC.18
set transform-set sklad-office
match address 100
reverse-route
interface FastEthernet4
description $ETH-LAN$
ip address WWW.XXX.YYY.22 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.249.6.21
!
ip nat inside source list 113 interface FastEthernet4 overload
access-list 23 permit 62.205.178.18
access-list 23 permit 82.204.180.136
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 188.123.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 permit ip 192.168.0.0 0.0.0.255 any
Please help me understand where I am wrong.
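The first things to verify on a hub-and-spoke pair like this are that the router's crypto ACL is the exact mirror of the ASA's, and that every ASA crypto ACE is also covered by the NAT-exemption (nat 0) ACL, since ASA 8.2 applies NAT before encryption and a PAT'd packet no longer matches the crypto ACL. The following added example (not code from the thread) does both checks offline. Its sample input is constructed from the ACL lines quoted in the post; the poster says the real inside_nat0_outbound has further entries, so the one missing exemption it reports for 192.168.44.0/22 is expected here, not a diagnosis.

```python
"""Symmetry and NAT-exemption check for a site-to-site crypto ACL pair.

Added example, not from the thread: parses ASA 'access-list NAME extended
permit ip SRC MASK DST MASK' lines and IOS 'access-list N permit ip SRC
WILDCARD DST WILDCARD' lines, normalises both to (src, dst) networks, and
reports crypto ACEs with no mirror on the other peer plus ASA crypto ACEs not
covered by the nat 0 ACL.
"""
import ipaddress
import re

# Sample input constructed from the ACL lines posted in the thread.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
ROUTER_CONFIG = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 deny ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 113 permit ip 192.168.0.0 0.0.0.255 any
"""

# Both patterns yield (acl_name, src, src_mask, dst, dst_mask).
ASA_ACE = re.compile(r"access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+permit\s+ip\s+"
                     r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
IOS_ACE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def _net(addr, mask):
    # ipaddress accepts a netmask (255.255.252.0) as well as an IOS wildcard
    # (0.0.3.255, treated as a hostmask), so both dialects normalise the same way.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config, name, pattern):
    """Set of (src, dst) networks permitted by ACL *name* in *config*."""
    pairs = set()
    for line in config.splitlines():
        m = pattern.search(line)
        if m and m.group(1) == name:
            _, src, smask, dst, dmask = m.groups()
            pairs.add((_net(src, smask), _net(dst, dmask)))
    return pairs


def mirror_mismatches(asa_pairs, router_pairs):
    """Crypto ACEs on either peer whose (dst, src) mirror is missing on the other."""
    router_as_seen_by_asa = {(dst, src) for src, dst in router_pairs}
    return {
        "asa_without_router_mirror": asa_pairs - router_as_seen_by_asa,
        "router_without_asa_mirror": {(d, s) for s, d in router_as_seen_by_asa - asa_pairs},
    }


def missing_nat_exemption(crypto_pairs, nat0_pairs):
    """Crypto ACEs whose traffic no nat 0 ACE covers (it would be PAT'd before encryption)."""
    return {
        (src, dst) for src, dst in crypto_pairs
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0_pairs)
    }


def check(asa_config=ASA_CONFIG, router_config=ROUTER_CONFIG):
    crypto = parse_acl(asa_config, "outside_1_cryptomap", ASA_ACE)
    nat0 = parse_acl(asa_config, "inside_nat0_outbound", ASA_ACE)
    router = parse_acl(router_config, "100", IOS_ACE)
    report = mirror_mismatches(crypto, router)
    report["crypto_without_nat0"] = missing_nat_exemption(crypto, nat0)
    return report


if __name__ == "__main__":
    for key, pairs in check().items():
        print(key, sorted((str(s), str(d)) for s, d in pairs))
```

On the posted lines the mirror check comes back clean on both sides, and the only uncovered crypto ACE is 192.168.44.0/22 to 192.168.0.0/24, whose nat 0 line was not quoted. Run it against the full `show running-config access-list` of each peer rather than excerpts; a crypto ACE that is missing on one side shows up as a mismatch, and on ASA 8.2 the nat 0 check catches the classic "tunnel up, packet-tracer drops in NAT" case.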
07-10-2012 07:43 AM
Did you clear the tunnel on both end after you have added the new config?
Also, is there any ACL on the ASA inside interface that might be blocking the traffic?
Lastly, I assume that the 10.100.100.0/24 and 10.11.12.0/24 networks know how to route to the 192.168.0.0/24 network, i.e. via the ASA inside interface?
07-10-2012 09:43 AM
No, I did not. But how can I do it?
I have some other lines in inside_nat0_outbound because the ASA is a hub for site-to-site VPNs,
and I have some ACLs for other crypto maps.
Yes, all the routes are right.
07-10-2012 10:18 AM
Hi Sergey,
Please run a packet-tracer from the new LAN to the remote LAN and see how far it goes.
If the packet gets dropped then check the phase (NAT, ACL...) and correct it.
Does the ASA build the SA for these new networks?
show crypto ipsec sa peer public_ip_Router
Please make sure you clear the tunnel:
clear crypto ipsec sa peer public_ip_Router
Please keep us posted.
Thanks.
07-10-2012 09:49 PM
I have run show crypto ipsec sa peer "remote ip address".
This is the output:
ciscoasa# show crypto ipsec sa peer ?
Hostname or A.B.C.D IPsec SA peer address or hostname
ciscoasa# show crypto ipsec sa peer WWW.XXX.YYY.22
peer address: WWW.XXX.YYY.22
Crypto map tag: Sta-Map, seq num: 1, local addr: AAA.BBB.CCC.18
access-list outside_1_cryptomap permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: WWW.XXX.YYY.22
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 36, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: AAA.BBB.CCC.18, remote crypto endpt.: WWW.XXX.YYY.22
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 956FD974
inbound esp sas:
spi: 0x3EEB093E (1055590718)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 33054720, crypto-map: Sta-Map
sa timing: remaining key lifetime (kB/sec): (4373995/3567)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x0000FFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x956FD974 (2507135348)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 33054720, crypto-map: Sta-Map
sa timing: remaining key lifetime (kB/sec): (4373994/3567)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Is it right that there is no sign of the two other statements of my ACL outside_1_cryptomap?
access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap line 1 extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0 (hitcnt=11092) 0xcaad883e
access-list outside_1_cryptomap line 2 extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=223) 0x1fd85c29
access-list outside_1_cryptomap line 3 extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=26) 0x5938c6d7
The result of packet-tracer on the ASA gives "DROP" at step 11:
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
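The SA output above answers the poster's own question: only the 192.168.44.0/22 to 192.168.0.0/24 proxy identity has an SA, so the two ACEs added later have not been negotiated yet and packet-tracer drops their traffic in the VPN encrypt phase. The following added example (not code from the thread) automates that comparison: it pulls the local/remote idents out of `show crypto ipsec sa peer` text, pulls the ACEs out of `show access-list` text, and lists the crypto ACEs that have no SA. It also lists the remote proxy prefixes of the live SAs, which are the prefixes reverse-route injection has a route for while those SAs are up. The sample input is constructed from the lines quoted in this post; the peer label and function names are the example's own.

```python
"""Compare live IPsec SA proxy identities with the crypto ACL (added example).

Parses 'show crypto ipsec sa peer <ip>' output for local/remote idents and
'show access-list' output for the crypto ACEs, then reports ACEs with no SA
and the remote prefixes that reverse-route injection derives from live SAs.
"""
import ipaddress
import re

# Sample input constructed from the output quoted in the thread.
SA_OUTPUT = """
peer address: WWW.XXX.YYY.22
Crypto map tag: Sta-Map, seq num: 1, local addr: AAA.BBB.CCC.18
access-list outside_1_cryptomap permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: WWW.XXX.YYY.22
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
"""
ACL_OUTPUT = """
access-list outside_1_cryptomap line 1 extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0 (hitcnt=11092) 0xcaad883e
access-list outside_1_cryptomap line 2 extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=223) 0x1fd85c29
access-list outside_1_cryptomap line 3 extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=26) 0x5938c6d7
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
ACE = re.compile(r"access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+permit\s+ip\s+"
                 r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_sa_idents(sa_output):
    """Set of (local, remote) networks that currently have an IPsec SA.

    The ASA prints the local ident line immediately before its remote ident
    line for each SA, so the two are paired in order of appearance."""
    pairs, local = set(), None
    for side, addr, mask, _proto, _port in IDENT.findall(sa_output):
        net = _net(addr, mask)
        if side == "local":
            local = net
        elif local is not None:
            pairs.add((local, net))
            local = None
    return pairs


def parse_crypto_acl(acl_output):
    """Set of (src, dst) networks permitted by the crypto ACL."""
    return {(_net(s, sm), _net(d, dm)) for s, sm, d, dm in ACE.findall(acl_output)}


def aces_without_sa(acl_pairs, sa_pairs):
    """Crypto ACEs whose proxy identity has not been negotiated (e.g. added after the tunnel came up)."""
    return acl_pairs - sa_pairs


def rri_routes(sa_pairs, peer):
    """(remote prefix, next hop) routes reverse-route injection derives from the live SAs."""
    return {(remote, peer) for _local, remote in sa_pairs}


def diagnose(sa_output=SA_OUTPUT, acl_output=ACL_OUTPUT, peer="WWW.XXX.YYY.22"):
    sas = parse_sa_idents(sa_output)
    acl = parse_crypto_acl(acl_output)
    return {
        "sa_pairs": sas,
        "aces_without_sa": aces_without_sa(acl, sas),
        "rri_routes": rri_routes(sas, peer),
    }


if __name__ == "__main__":
    for key, items in diagnose().items():
        print(key, sorted(tuple(str(x) for x in item) for item in items))
```

On this input the report lists lines 2 and 3 of outside_1_cryptomap as having no SA, and a single RRI-derived route for 192.168.0.0/24 via the peer. Once the SAs are cleared and re-negotiated for all three ACEs the first set becomes empty; if an ACE keeps showing up there after a clear, the peer is rejecting that proxy identity, which points back at an ACL mismatch rather than at a stale tunnel.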
07-11-2012 07:01 AM
Please clear the SA so the tunnel gets re-established with the newly added crypto ACL:
clear cry ipsec sa
clear cry isa sa
07-17-2012 01:01 AM
Hello, Jennifer!
Thank you. Your advice helped for a while.
But now the situation is very strange.
The VPN channel is stable, but on the 880 router's side I have no route to the 10.100.100.0 network at all,
and all pings from the 880 router's network to the 10.100.100.0 network are unsuccessful.
The situation changes if I ping from the 10.100.100.0 network to the 880 router's network: the first ping is unsuccessful but all the next pings are successful,
and from the other side connectivity is OK.
After some time connectivity disappears, and a ping from the 10.100.100.0 network to the 880 router's network fixes the situation.
Please help me solve the problem. I want to have stable connectivity.
07-17-2012 01:18 AM
Is there any reason why your next hops for the 2 networks are different on the ASA? Are they 2 different devices?
route inside 10.11.12.0 255.255.255.0 192.168.47.236 1
route inside 10.100.100.0 255.255.255.0 192.168.47.233 1
07-17-2012 01:21 AM
I have a reason, yes.
Is it important for my trouble?
It is not a vital reason,
but I'm sure it must work.
07-17-2012 01:24 AM
As long as the routing is correct, then it's ok.
When you ping from 880 LAN towards the 10.100.100.0 network, does it build the vpn tunnel?
Do you see entry under "show cry isa sa" and "show cry ipsec sa" for those networks?
07-17-2012 01:29 AM
Well, yes.
Connectivity between the 192.168.0.0 network and the 192.168.44.0 network is stable.
But now, for example, I don't see a route from 192.168.0.1 to 10.100.100.0.
If I ping 192.168.0.254 (for example) from 10.100.100.1 (for example), this route appears!
As I understand it, for some reason this route disappears.
I cannot understand why.
07-17-2012 07:26 AM
The reason why it appears is after building the IPSec SA, it will inject the static route into the routing table, because you have "reverse-route" configured. Do you run any routing protocols and redistribute static into the routing protocols? If you don't run dynamic routing protocols then you don't need to configure "reverse-route". Is your default gateway for your internal network not the VPN termination devices?
07-17-2012 07:53 AM
Thank you, Jennifer.
After I removed the "reverse-route" statement the situation is perfect for now. Will look at it tomorrow.
07-17-2012 08:15 AM
Great, thanks for the update. Let us know how it goes tomorrow.
07-18-2012 01:26 AM
The situation is the same.
Only a ping from the 10.100.100.0 network makes the 192.168.0.0 network able to reach the 10.100.100.0 network.
In both crypto maps, on the ASA and on the 880, I deleted the "reverse-route" statement,
but the same statements are in other crypto maps (as my ASA is a VPN hub).
Is it important?