02-12-2024 12:57 AM
Hello,
I am new to VPNs and I have configured a site-to-site VPN between my site ASA 5506 and a client Fortinet firewall.
I used the site-to-site VPN wizard in Cisco ASDM to create the VPN, using the following parameters:
- Peer IP Address: Public IP of the client.
- VPN Access Interface: outside interface.
- Local network: my inside network (172.16.0.0/16)
- Remote Network: The client internal network (10.142.38.0/24)
- Security: We used a preshared key.
- NAT Exempt: Enabled.
When creating the VPN all the configuration appeared correct and it has automatically created an Access Rule and a NAT Rule.
- Access Rule:
outside_cryptomap_1 extended permit ip object Local_Network object Remote_Network
- NAT Rule:
(inside,outside) source static Local_Network Local_Network destination static Remote_Network Remote_Network no-proxy-arp route-lookup
The configuration is the same on the client firewall.
When I try to ping the Remote Network from my Inside Network, I can't ping it (10.142.38.6). But I can see in the VPN monitoring page that the session is created, with some Tx bytes but no Rx bytes. The client can't connect to the devices in our Local Network.
I tried to see if the VPN was up using the following commands in CLI.
show crypto isakmp sa
IKEv2 SAs:
Session-id:21761, Status:UP-ACTIVE, IKE count:1, CHILD count:2
Tunnel-id Local Remote Status Role
2253822717 192.168.100.2/500 X.X.X.X/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/95 sec
Child sa: local selector 172.16.5.111/0 - 172.16.5.111/65535
remote selector 10.142.38.6/0 - 10.142.38.6/65535
ESP spi in/out: 0xbe079aed/0xabb21cc5
Child sa: local selector 172.16.10.120/0 - 172.16.10.120/65535
remote selector 10.142.38.6/0 - 10.142.38.6/65535
ESP spi in/out: 0xbeb46a88/0xabb21cc4
The remote IP, 10.142.38.6, is in the range of the Remote Network (I didn't write it anywhere). I understand that the VPN is working because it has identified an IP inside the Remote Network (this is the IP that does not ping).
show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.100.2
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.0.0 10.142.38.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.5.111/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.142.38.6/255.255.255.255/0/0)
current_peer: X.X.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.100.2/500, remote crypto endpt.: X.X.X.X/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: ABB21CC9
current inbound spi : F1702761
inbound esp sas:
spi: 0xF1702761 (4050659169)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 93888512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239360/85896)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xABB21CC9 (2880576713)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 93888512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4285440/85894)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.100.2
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.0.0 10.142.38.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.142.38.6/255.255.255.255/0/0)
current_peer: X.X.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.100.2/500, remote crypto endpt.: X.X.X.X/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: ABB21CC8
current inbound spi : 531F5255
inbound esp sas:
spi: 0x531F5255 (1394561621)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 93888512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055040/85883)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xABB21CC8 (2880576712)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 93888512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3916800/85881)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Is there anything that is not configured that denies the connection?
Thank you for your help.
02-13-2024 12:27 AM
I have seen that NAT-T is checked in the Connection Profiles and in Crypto Maps, but when I run the command you asked me to run I get:
show crypto isakmp sa detail | i NAT
NAT-T is not detected
02-13-2024 01:06 AM
If NAT-T was disabled on the ASA, or the ASA was not behind NAT, then the output would be "NAT is not detected"; if the ASA is behind NAT then that output would state "NAT is detected inside".
You stated the ASA is behind a router that is doing NAT. From your output you can see the ports in use are 500, not 4500 as they would be if NAT-T were working. I suggest you double check the NAT-T configuration.
Is NAT-T enabled or disabled globally? Use "show run | i nat-t".
To enable it globally, run "crypto isakmp nat-traversal" and try again.
02-13-2024 02:58 AM
I have run the command "show run | i nat-t" but it returned nothing. As you asked me to do, I ran "crypto isakmp nat-traversal" and repeated the command, but it returned nothing again.
02-13-2024 01:20 AM
At least now I see some encaps in the first SA.
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
I think you can enable NAT-T globally on the ASA with the command "crypto isakmp nat-traversal".
If you send encrypted traffic but you don't get anything back, it suggests that the return traffic is either not being sent by the remote peer, or is not making it back to the ASA.
Because you have a NAT device in front of the ASA, I would check that the outbound NAT rules have been configured correctly to include the ASA outside interface private IP (it must be NAT'ed), and also that the return traffic on 500/udp and 4500/udp is mapped to be routed to the ASA from the ISP device. I'm also assuming that on the remote peer the public IP of the ASA has been configured, not 192.168.100.2.
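The three checks raised in this thread (encaps without decaps, IKE/ESP still on udp/500 rather than udp/4500, and child SA selectors narrower than the crypto ACL) can be read straight from the "show crypto ipsec sa" output. The script below is an added example, not from the thread, Cisco or Fortinet; it parses a constructed, trimmed copy of the output posted above (encaps counter taken from the follow-up post, the redacted peer replaced by the documentation address 203.0.113.10) and reports those symptoms per SA.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' output and flag: one-way traffic
(encaps > 0, decaps == 0), ESP not UDP-encapsulated (both endpoints on /500,
i.e. NAT-T not negotiated) and SA selectors narrower than the crypto ACL.
Added example, not from the thread or from Cisco."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: trimmed copy of the output posted above, encaps counter
# from the follow-up post, redacted peer replaced by 203.0.113.10 (documentation range).
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.100.2
      access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.0.0 10.142.38.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.5.111/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.142.38.6/255.255.255.255/0/0)
      current_peer: 203.0.113.10
      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.100.2/500, remote crypto endpt.: 203.0.113.10/500
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.100.2
      access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.0.0 10.142.38.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.120/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.142.38.6/255.255.255.255/0/0)
      current_peer: 203.0.113.10
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.100.2/500, remote crypto endpt.: 203.0.113.10/500
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
ENDPT_RE = re.compile(r"local crypto endpt\.: \S+/(\d+), remote crypto endpt\.: (\S+)/(\d+)")


@dataclass
class IpsecSa:
    acl_name: str
    acl_local: ipaddress.IPv4Network
    acl_remote: ipaddress.IPv4Network
    local_ident: ipaddress.IPv4Network   # what this child SA actually protects
    remote_ident: ipaddress.IPv4Network
    peer: str
    local_port: int                      # 500 = plain ESP, 4500 = NAT-T (UDP-encapsulated)
    remote_port: int
    encaps: int
    decaps: int


def net(addr, mask):
    """Build a network from the ASA's 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def counter(label, chunk):
    m = re.search(re.escape(label) + r"\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text):
    """Return one IpsecSa per 'Crypto map tag:' entry that carries selectors."""
    sas = []
    for chunk in re.split(r"(?=Crypto map tag:)", text):
        idents = {side: net(a, m) for side, a, m in IDENT_RE.findall(chunk)}
        acl, endpt = ACL_RE.search(chunk), ENDPT_RE.search(chunk)
        if not (idents and acl and endpt):
            continue  # the 'interface:' header or a truncated entry
        sas.append(IpsecSa(
            acl_name=acl.group(1),
            acl_local=net(acl.group(2), acl.group(3)),
            acl_remote=net(acl.group(4), acl.group(5)),
            local_ident=idents["local"], remote_ident=idents["remote"],
            peer=endpt.group(2),
            local_port=int(endpt.group(1)), remote_port=int(endpt.group(3)),
            encaps=counter("#pkts encaps:", chunk),
            decaps=counter("#pkts decaps:", chunk),
        ))
    return sas


def diagnose(sa):
    """Findings for one SA; each string starts with a stable keyword."""
    findings = []
    if sa.encaps and not sa.decaps:
        findings.append("one-way: ASA encrypts toward the peer but decrypts nothing back; "
                        "check the return path (peer policy/route, NAT device, udp/500 and udp/4500 forwarding)")
    elif not sa.encaps and not sa.decaps:
        findings.append("idle: no interesting traffic has been matched into this SA yet")
    if sa.local_port == 500 and sa.remote_port == 500:
        findings.append("no-nat-t: ESP is not UDP-encapsulated, so IP protocol 50 must cross "
                        "the NAT device unchanged; with NAT-T both endpoints would show /4500")
    if (sa.local_ident, sa.remote_ident) != (sa.acl_local, sa.acl_remote):
        findings.append(f"narrowed: SA covers {sa.local_ident} <-> {sa.remote_ident} but "
                        f"{sa.acl_name} covers {sa.acl_local} <-> {sa.acl_remote}; "
                        "compare the Phase 2 selectors configured on the peer")
    return findings
```

Paste your own "show crypto ipsec sa" output in place of SAMPLE and loop over parse_ipsec_sa(...) calling diagnose() on each SA; on the posted output the first SA reports one-way, no-nat-t and narrowed, the second reports idle, no-nat-t and narrowed.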
02-13-2024 03:00 AM
I have enabled it globally but it still does not work.
I have asked the ISP if the NAT is configured correctly and if they see traffic on those ports. I will let you know, thank you.
The peer has configured the public IP not the 192.168.100.2.
02-13-2024 01:34 AM - edited 02-13-2024 03:06 AM
Is NAT-T the issue?
Let me summarize.
YOU NEED TO BE SURE:
The Forti uses the public IP (mapped IP), not the private IP.
The ASA does not detect NAT; the Forti must detect it, and hence you need to contact the Forti team and ask them to enable NAT-T.
Make double sure the router NATs both ports 500 and 4500.
Last, if the above does not work, can you try changing the AnyConnect subnet to another supernet?
MHM
02-13-2024 03:03 AM
As I said in my previous answer, I think our public IP is configured in the Forti, not the private one.
Tomorrow I have an E2E test with them and I will know if they are using NAT-T or not.
Thank you.
02-13-2024 03:06 AM - edited 02-13-2024 03:13 AM
Yes, that is good, check the Forti side. I think, except for the remote LAN and VPN pool sharing the same supernet (10.x.x.x), all other config is good.
MHM