11-28-2013 05:53 AM
Just configured site to site VPN for ASA 5515x and 5505. The tunnel is up, but couldn't ping to the other site from 5505 and vice versa. Below are the tunnel status and ASA configs. Any help or comment is appreciated. Thanks!
ASA5515X# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 175.141.X.X
#pkts encaps: 1595, #pkts encrypt: 1595, #pkts digest: 1595
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1595, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
path mtu 1492, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FC699E19
current inbound spi : FFFCF744
inbound esp sas:
spi: 0xFFFCF744 (4294768452)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
slot: 0, conn_id: 462848, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/22042)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFC699E19 (4234780185)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
slot: 0, conn_id: 462848, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914825/22042)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5515X
ASA Version 9.1(1)
!
hostname ASA5515X
!
interface GigabitEthernet0/0
description TIMEFibre
nameif outside
security-level 0
pppoe client vpdn group navision
ip address pppoe setroute
!
interface GigabitEthernet0/1
description Internal LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 192.168.0.10
object network SVR001
host 192.168.0.13
description Hyper-V Server
object network SVR002
host 192.168.0.12
description SQL server
object network SVR003
host 192.168.0.10
description Domain COntroller
object network SVR004
host 192.168.0.11
description Terminal server
object network local
subnet 192.168.0.0 255.255.255.0
description MFW
object network remote-A
subnet 192.168.1.0 255.255.255.0
description FWSG
object network remote-B
subnet 192.168.2.0 255.255.255.0
description FWWW
object network remote-C
subnet 192.168.3.0 255.255.255.0
description FWFM
object network remote-D
subnet 192.168.4.0 255.255.255.0
description FWMP
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_cryptomap_10 extended permit ip object local object remote-B
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any4 any echo
access-list outside_access_in extended permit object-group TCPUDP any any
access-list inside_authentication extended permit tcp any any eq ssh
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static local local destination static remote-A remote-A no-proxy-arp route-lookup inactive
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
!
object network SVR001
nat (any,outside) static interface service tcp 3389 50013
object network SVR002
nat (any,outside) static interface service tcp 3389 50012
object network SVR003
nat (any,outside) static interface service tcp 3389 50010
object network SVR004
nat (any,outside) static interface service tcp 3389 50011
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 211.24.199.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication match inside_authentication inside LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.255.255.0 management
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set pfs group1
crypto map outside_map 10 set peer 175.141.X.X
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpdn group navision request dialout pppoe
vpdn group navision localname user@bb
vpdn group navision ppp authentication pap
vpdn username user@bb password ***** store-local
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 8.8.8.8 interface inside
dhcpd wins 192.168.0.10 interface inside
dhcpd enable inside
!
dhcpd address 10.0.0.100-10.0.0.110 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 175.141.X.X type ipsec-l2l
tunnel-group 175.141.X.X ipsec-attributes
ikev1 pre-shared-key *****
!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
service-policy icmp_policy interface inside
prompt hostname context
(Behind a router)
ASA5505# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.200
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 211.24.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.10.200/4500, remote crypto endpt.: 211.24.X.X/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: FFFCF744
current inbound spi : FC699E19
inbound esp sas:
spi: 0xFC699E19 (4234780185)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 348160, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373831/22284)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xFFFCF744 (4294768452)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 348160, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/22284)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5505
ASA Version 8.2(5)
!
hostname ASA5505
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.10.200 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif management
security-level 0
ip address 10.0.0.1 255.255.255.0
management-only
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 211.24.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.130 inside
dhcpd dns 192.168.2.1 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 10.0.0.100-10.0.0.110 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 211.24.X.X type ipsec-l2l
tunnel-group 211.24.X.X ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Update:
The traffic to the other end is dropped by implicit rule but there already is an access-list configured no?
ASA5515X# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 175.141.X.X
#pkts encaps: 30188, #pkts encrypt: 30188, #pkts digest: 30188
#pkts decaps: 25550, #pkts decrypt: 25550, #pkts verify: 25550
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 30188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
path mtu 1492, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 7D03CD30
current inbound spi : B2B16E15
inbound esp sas:
spi: 0xB2B16E15 (2997972501)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
slot: 0, conn_id: 516096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4371272/24996)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7D03CD30 (2097401136)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
slot: 0, conn_id: 516096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4367450/24996)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5515X# packet-tracer input inside icmp 192.168.0.1 0 8 192.168.2.1 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a320c70, priority=1, domain=permit, deny=false
hits=3417800, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/0 to 192.168.2.1/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a2b5580, priority=500, domain=permit, deny=true
hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Solved! Go to Solution.
11-29-2013 03:01 AM
Hi,
I noticed you use wrong format of the "packet-tracer" command actually
packet-tracer input inside icmp
And regarding the ASA5505 external ACL. It doesnt need one as by default the ASA allows any traffic incoming from VPN connection to bypass the interface ACL. I dont see the configuration having the command would change this default behaviour.
Can you issue the "packet-tracer" with the above correct Type/Code. You had them the wrong way around in the original command.
Could you also test the traffic between actual hosts and not the ASAs. Though the traffic from a host to the remote ASA "inside" IP address should also work.
With regards to the above it seems you have also changed the default inspection rules on the ASA5515-X unit since its not attached globally but to the "inside" interface. Not sure if it has any effect but I dont usually have a need to change them from the default.
- Jouni
11-29-2013 01:30 AM
Guys any feedback? I'm stuck here.
11-29-2013 02:17 AM
Hi,
The "packet-tracer" fails because you use the ASA interface IP address as the source. You should use some random IP address belonging to the source network.
I assume that the ASA5505 behind the router has a Static NAT to the public IP address on the Router?
Will have to look at the configurations through but there should not be many things to look since the L2L VPN seems to have negotiated up. Perhaps a problem with NAT or even the Router infront of the ASA5505
- Jouni
11-29-2013 02:22 AM
Your configurations seemed correct but the situation in the original post and after the update is different.
The first situation seems to suggest that the traffic from the ASA5515 got to the ASA5505 but there was no return traffic from behind that ASA. Looking at the configuration I would have to guess the problem in that case would have been on the actual hosts behind the ASA5505.
But in the updated information we can see that packets have both left to the L2L VPN and arrived from the L2L VPN connection so that would indicate that the L2L VPN would be able to pass traffic both ways.
What are you using to test the connection and where are you testing from or generating the traffic from?
- Jouni
11-29-2013 02:34 AM
And this is the current tunnel status;
ASA5515X# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 211.24.199.129
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 175.141.249.29
#pkts encaps: 5625, #pkts encrypt: 5625, #pkts digest: 5625
#pkts decaps: 688, #pkts decrypt: 688, #pkts verify: 688
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5625, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 211.24.199.129/4500, remote crypto endpt.: 175.141.249.29/4500
path mtu 1492, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 44265C30
current inbound spi : 4B0CFB8A
inbound esp sas:
spi: 0x4B0CFB8A (1259142026)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373944/27760)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x44265C30 (1143364656)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373727/27760)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-29-2013 02:36 AM
Hi,
For you to be able to ICMP the "inside" interface on both units you will have to add this on both ASAs
management-access inside
It will allow to ICMP and connect with management connections to the "inside" interface through the L2L VPN connection.
- Jouni
11-29-2013 02:40 AM
Hi,
You could also add this to the ASA5515-X "inside" interface ACL
access-list inside_access_in extended permit icmp any any echo
You could also add this on both ASA units
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
- Jouni
11-29-2013 02:48 AM
It's already on 5515X, I just added for 5505;
ASA5505(config)# sh run | inc icmp
access-list inside_access_in extended permit icmp any any echo
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
inspect icmp error
ASA5515X# sh run | inc icmp
access-list inside_access_in extended permit icmp any4 any echo
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
class-map icmp-class
policy-map icmp_policy
class icmp-class
inspect icmp
inspect icmp error
service-policy icmp_policy interface inside
11-29-2013 03:01 AM
Hi,
I noticed you use wrong format of the "packet-tracer" command actually
packet-tracer input inside icmp
And regarding the ASA5505 external ACL. It doesnt need one as by default the ASA allows any traffic incoming from VPN connection to bypass the interface ACL. I dont see the configuration having the command would change this default behaviour.
Can you issue the "packet-tracer" with the above correct Type/Code. You had them the wrong way around in the original command.
Could you also test the traffic between actual hosts and not the ASAs. Though the traffic from a host to the remote ASA "inside" IP address should also work.
With regards to the above it seems you have also changed the default inspection rules on the ASA5515-X unit since its not attached globally but to the "inside" interface. Not sure if it has any effect but I dont usually have a need to change them from the default.
- Jouni
11-29-2013 03:18 AM
Hey Jouni,
That did it, wrong packet-tracer format and ICMP fix! Thanks!
ASA5515X# packet-tracer input inside icmp 192.168.0.10 8 0 192.168.2.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/0 to 192.168.2.1/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any echo
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.0.10/0 to 192.168.0.10/0
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
Additional Information:
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15971, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA5505# packet-tracer input inside icmp 192.168.2.10 8 0 192.168.0.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.2.0 255.255.255.0 outside 192.168.0.0 255.255.255.0
NAT exempt
translate_hits = 6013, untranslate_hits = 66418
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (172.16.10.200 [Interface PAT])
translate_hits = 4745, untranslate_hits = 448
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 77234, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
But I still can't ping from 5515 inside interface to 5505?
ASA5515X(config)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
11-29-2013 03:21 AM
Hi,
The ASA will by default use the interface IP address of the interface closest to the destination as the source. In this case its naturally the "outside" so that results in the ICMP failing as expected.
It might work with
ASA5515-X
ping inside 192.168.2.1
ASA5505
ping inside 192.168.0.1
- Jouni
11-29-2013 03:30 AM
Thank you Jouni! You've been a great help to my blunder!
11-29-2013 03:33 AM
Hi,
Does it work now?
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
11-29-2013 03:27 AM
Could you also test the traffic between actual hosts and not the ASAs. Though the traffic from a host to the remote ASA
"inside"
IP address should also work.
Ohh and I'm not able to test from actual hosts right now. Only ASA to ASA.
11-29-2013 03:30 AM
Hi,
There arent really many ways to test directly from the ASA.
The "ping" commands I mentioned in the above reply should work.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide