Site to Site Config Issues

JustinDike
Level 1

Hello,

First, let me say that I am pretty much a novice at this, so please forgive me if I'm not wording things correctly.

We have 2 ASA 5505s that are set up for site-to-site connectivity. Our main ASA (192.168.4.x) acts as the firewall for both and provides the majority of the rules for the second (192.168.10.x), including internet access. Our main ASA also provides a user VPN connection (192.168.5.x) for remote users to access the network. The site-to-site connection and the VPN connection are working fine as they are; however, I'm trying to establish connectivity between the 192.168.5.x network and the 192.168.10.x network.

On the main ASA (192.168.4.x), I have created the NAT and access-list rules, and I can get a packet-tracer command to run successfully from 192.168.5.x to 192.168.10.x; however, I cannot ping across the networks.

These are the rules I have created:

access-list VPN extended permit ip object 192.168.5.0 object 192.168.10.0

nat (inside,outside) source static 192.168.5.0 192.168.5.0 destination static 192.168.10.0 192.168.10.0 no-proxy-arp route-lookup

Here are the results from the packet-tracer command:

MainASA(config)# packet-tracer input inside icmp 192.168.5.36 0 0 192.168.10.104

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 50.x.x.x, outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.5.0 192.168.5.0 destination static 192.168.10.0 192.168.10.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.1/0 to 192.168.10.1/0

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.5.0 192.168.5.0 destination static 192.168.10.0 192.168.10.0 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.5.36/0 to 192.168.5.36/0

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.5.0 192.168.5.0 destination static 192.168.10.0 192.168.10.0 no-proxy-arp route-lookup
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id xxxxxxxx, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

What am I missing or doing wrong? Can anyone please point me in the right direction so I can get out of here and begin my brief vacation?

Thanks!

8 Replies

Diego Lopez
Level 1

If you are using 192.168.5.x for the remote users connecting to the main ASA, then they most likely connect to the outside interface of the ASA with a VPN client, so your NAT statement should look like this:

nat (outside,outside) source static 192.168.5.0 192.168.5.0 destination static 192.168.10.0 192.168.10.0 no-proxy-arp route-lookup

You also need to enable this command to permit communication in and out of the same interface:

same-security-traffic permit intra-interface

Last but very important: make sure that the network 192.168.5.x is part of the interesting traffic of the site-to-site tunnel. It seems to be part of it already based on the packet tracer, but make sure it is there. The remote side requires NAT exemption too.
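For readers following this thread, here is the complete two-sided configuration that the advice above amounts to, as an added example that is not from either poster. The object names (RA-VPN-POOL, REMOTE-LAN, LOCAL-LAN) are assumed for the example; the subnets and the access-list name VPN are the ones used in the thread. The existing site-to-site crypto map, tunnel-group and the 192.168.4.0/24 <-> 192.168.10.0/24 entries are not shown and stay unchanged.

```cisco
! ===== Main ASA (hub; LAN 192.168.4.0/24, remote-access pool 192.168.5.0/24) =====
! Object names are assumed for this example.
object network RA-VPN-POOL
 subnet 192.168.5.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
!
! Remote-access clients terminate on "outside" and the site-to-site tunnel
! also leaves via "outside": the packet must enter and exit the same interface.
same-security-traffic permit intra-interface
!
! Identity (NAT-exempt) rule for that hairpinned flow. Both interfaces are
! "outside" because the decrypted client packet arrives there and is
! re-encrypted there; an (inside,outside) rule never matches it.
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Crypto ACL of the site-to-site tunnel: one local -> remote line per pair.
! Do NOT add the reverse (REMOTE-LAN -> RA-VPN-POOL) line here; the remote
! ASA carries that direction in its own crypto ACL.
access-list VPN extended permit ip object RA-VPN-POOL object REMOTE-LAN
!
! Only if the remote-access group uses split tunnelling: the remote LAN must
! be in the split-tunnel ACL or the clients never send it into the tunnel.
! (ACL name assumed.)
! access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0

! ===== Remote ASA (spoke; LAN 192.168.10.0/24) =====
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network RA-VPN-POOL
 subnet 192.168.5.0 255.255.255.0
!
! Mirror image of the hub entry: NAT exemption and crypto ACL, local -> remote.
! Here the LAN is on "inside" and the tunnel on "outside", so (inside,outside).
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup
access-list VPN extended permit ip object LOCAL-LAN object RA-VPN-POOL
!
! After changing either crypto ACL, tear the tunnel down so the new proxy
! identities are negotiated (203.0.113.1 stands in for the hub's outside IP):
! clear crypto ipsec sa peer 203.0.113.1
```

The two crypto ACLs must be exact mirrors of each other: any pair present on one side but not the other fails proxy-ID negotiation for that pair, and an entry that overlaps an existing one (for example a reverse line on the hub) can shadow the line you actually want matched.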

Thank you Diego! I have added the NAT rule that you suggested to the main ASA, but unfortunately it did not work.

On the mainASA I added this NAT rule:

nat (outside,outside) source static 192.168.5.x 192.168.5.x destination static 192.168.10.x 192.168.10.x no-proxy-arp route-lookup

On the secondary ASA I tried the following 2 rules with no luck:

nat (outside,outside) source static 192.168.5.x 192.168.5.x destination static 192.168.10.x 192.168.10.x no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.10.x 192.168.10.x destination static 192.168.5.x 192.168.5.x no-proxy-arp route-lookup

Running a packet-tracer command causes the packet to drop at this point.

ASA2(config)# packet-tracer input inside icmp 192.168.5.36 0 0 192.168.10.104

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4998726, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA2(config)# packet-tracer input inside icmp 192.168.10.104 0 0 192.168.5.36

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.10.x 192.168.10.x destination static 192.168.5.x 192.168.5.x no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.5.36/0 to 192.168.5.36/0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.10.x 192.168.10.x destination static 192.168.5.x 192.168.5.x no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.10.104/0 to 192.168.10.104/0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Is there anything else that you can think of that I might try?

Hello,

The correct NAT on the remote ASA will be:

nat (inside,outside) source static 192.168.10.x 192.168.10.x destination static 192.168.5.x 192.168.5.x no-proxy-arp route-lookup

The first packet tracer, "packet-tracer input inside icmp 192.168.5.36 0 0 192.168.10.104",

should be "packet-tracer input OUTSIDE icmp 192.168.5.36 8 0 192.168.10.104".

Try that one.

I also see that there is a route to the network 192.168.10.0/24 pointing to the inside. Isn't that network supposed to be going to the outside over a VPN? Please remove that route, otherwise the traffic won't go to the outside over the VPN.

For the second packet tracer, "packet-tracer input inside icmp 192.168.10.104 0 0 192.168.5.36":

Can you run the command "show crypto ipsec sa peer x.x.x.x"

and check if the SA between 192.168.10.0/24 and 192.168.5.0/24 is showing? If not, verify that the local and remote ACLs for interesting traffic are matching and that these 2 networks are there.

Thanks again Diego! I do have that NAT rule in place on the remote ASA. The packet-tracer command is still dropping, but now it is due to the access list rules.

NexusInd(config)# packet-tracer input OUTSIDE icmp 192.168.5.36 8 0 192.168.10$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   inside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.10.x 192.168.10.x destination static 192.168.5.x 192.168.5.x no-proxy-arp route-lookup
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I have attached a quick network diagram showing our ASA setup, and how it is connected for clarity. I also included a diagram of the link that I am trying to establish in case my description hasn't been exactly clear.

Let me also add that the VPN connection allows users to access everything hosted on the MainASA network. We don't want to add a secondary VPN connection to the RemoteASA, we would like for the VPN connection that we currently have to be able to traverse the Site-to-Site connection and allow access to the RemoteASA.

Hello,

I still see the route pointing to the inside 

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   inside

You need to configure a route to the network 192.168.10.0/24 pointing to the outside, not to the inside. Remove the route with the command

"no route inside 192.168.10.0 255.255.255.0"

and configure a route to the outside: "route outside 192.168.10.0 255.255.255.0". Or, if you have a default gateway pointing to the outside, just remove the route to the inside so it can go out.

If you are using split tunnel (tunnelspecified), you need to enter this network "192.168.10.0/24" in the ACL that you are using for split tunnel to make sure that this traffic is going to the ASA.

I have tried the packet-tracer command again, and it is routing to the outside, however, it is still dropping.

mainASA(config)# packet-tracer input OUTSIDE icmp 192.168.5.36 8 0 192.168.1$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 50.x.x.x, outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

In the access-list, I have this configured:

access-list VPN extended permit ip object 192.168.5.x object 192.168.10.x
access-list VPN extended permit ip object 192.168.10.x object 192.168.5.x

We are not currently using split-tunneling for network traffic.

This packet tracer most of the time doesn't work because of the access group applied to the outside interface. You need to permit this network on the ACL applied to the outside interface, from 192.168.5.x to 192.168.10.x, for packet-tracer purposes; real traffic doesn't require that because it is VPN traffic.

The VPN ACL should just be defined from source 192.168.5.x to destination 192.168.10.x; you don't require an entry backwards. The same goes for all the other networks that are communicating over this site-to-site tunnel.

Just "access-list VPN extended permit ip object 192.168.5.x object 192.168.10.x"

The remote ASA is where you require the backwards statement.

This is probably why the SA is not coming up.

Once you modify the ACLs and make sure they are mirrored with no duplicate entries on both sides, you need to drop the tunnel:

clear crypto ipsec sa peer x.x.x.x

and try again.
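The cleanup and verification sequence the last reply describes, run on the main ASA, as an added example that is not from the thread. It uses the object names from the original post (192.168.5.0 and 192.168.10.0) and an assumed peer address 203.0.113.2 in place of the remote ASA's real outside IP; the entry removed is the reversed one the poster listed second above.

```cisco
! ===== Main ASA: remove the reverse crypto-ACL entry, renegotiate, verify =====
! Object names are those from the original post; 203.0.113.2 is a placeholder
! for the remote ASA's outside address.
no access-list VPN extended permit ip object 192.168.10.0 object 192.168.5.0
show running-config access-list VPN
!
! Drop the existing SAs so both sides renegotiate with the corrected proxy IDs.
clear crypto ipsec sa peer 203.0.113.2
!
! Generate traffic from a connected VPN client (ping 192.168.10.104), then
! confirm an SA exists for the new pair. Expected on the hub:
!   local ident  (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
!   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
! with both "#pkts encaps" and "#pkts decaps" increasing. Encaps without
! decaps means the remote side is not returning traffic: check its mirrored
! crypto ACL and its NAT exemption.
show crypto ipsec sa peer 203.0.113.2
!
! Simulate the hairpin with the correct ingress interface and ICMP echo (type 8).
! As noted in the reply above, this can still end in an acl-drop on the outside
! interface ACL, which real tunnel traffic bypasses (sysopt connection permit-vpn
! is the default); treat the SA counters above as the real test.
packet-tracer input outside icmp 192.168.5.36 8 0 192.168.10.104
!
! Confirm the (outside,outside) identity-NAT rule is present and counting hits.
show nat detail
```

Check the SA counters from both ends: an SA that shows on the hub with encaps only, and on the remote with decaps only, points at the remote ASA's return path (its NAT exemption or inside ACL), not at the tunnel definition.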