10-06-2010 04:03 AM
Hi All,
I'm currently having a serious issue setting up a simple site-to-site VPN.
I have used this as a guide: http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5500/quick/guide/sitvpn_b.html
I have the following setup:
A
10.10.10.0 are PERMITTED to use this IPSec tunnel to communicate with the remote-site 10.20.20.0
B
10.20.20.0 are PERMITTED to use this IPSec tunnel to communicate with the remote-site 10.10.10.0
Site B can ping A, but A can't ping B.
Any ideas what I'm doing wrong? I have other VPNs running with no issue, but this one is just not working...
The "Exempt ASA side host network from address translation" check box is ticked on both sides...
The VPN was created with the ASDM Site to Site VPN wizard.
Help!
10-06-2010 04:06 AM
A few things to check: whether you have any access-list that might be blocking ICMP. Also check if ICMP inspection has been configured on both ASAs.
Lastly, check if host B has any personal firewall that might be blocking incoming pings.
10-06-2010 04:10 AM
It's not really about the pings; I can't access anything on the A side, not even the router...
10-06-2010 04:20 AM
Hi Ruben,
Can you paste your config here ?
Thanks,
Namit
10-06-2010 04:28 AM
Just an update: I have just realised I can browse to the servers from B to A!
So right now I cannot remote onto the servers or ping them... anything related to RDP/SSL maybe?
I can remote and ping from A to B, but for some odd reason can't ping or access my ESXi server through the vSphere client; I'm assuming somewhere along the line SSL is being blocked?
Is there any command that I can execute that will get the relevant information? I have just tried sanitizing the sh run, and it will just mix things up as there is so much information that I would have to remove.
10-06-2010 04:55 AM
Where is the traffic actually failing, i.e. at which point?
Without looking at the config, it's difficult to tell where exactly the problem is.
It could be an access-list, or inspection.
What does the output of "show cry ipsec sa" show on both sides?
Try packet-tracer on the ASA, and it will tell you where it might fail if it's the ASA. If not, then it could be other things within the network. Are the server subnets directly connected to the ASA?
10-06-2010 05:09 AM
Please see below:
ASA 5505 ASA5510
10.253.254.0/24 -- 38.101.x.x << -->> 91.75.x.x -- 10.252.254.0/24
One side:
Result of the command: "show crypto IPsec sa"
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 38.101.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.253.254.10/255.255.255.255/0/0)
current_peer: xx, username: xx
dynamic allocated peer ip: 10.253.254.10
#pkts encaps: 22768, #pkts encrypt: 22768, #pkts digest: 22768
#pkts decaps: 21470, #pkts decrypt: 21470, #pkts verify: 21470
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 22768, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 38.101.x.x, remote crypto endpt.: 80.227.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8D808986
inbound esp sas:
spi: 0xBF34948C (3207894156)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 878, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28245
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8D808986 (2374011270)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 878, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28245
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 38.101.x.x
access-list outside_1_cryptomap permit ip 10.253.254.0 255.255.255.0 10.252.254.0 255.255.255.0
local ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
current_peer: 91.75.x.x
#pkts encaps: 6751, #pkts encrypt: 6751, #pkts digest: 6751
#pkts decaps: 6719, #pkts decrypt: 6719, #pkts verify: 6719
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6751, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 38.101.x.x, remote crypto endpt.: 91.75.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 574368C8
inbound esp sas:
spi: 0x24B29DEA (615685610)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 880, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824559/22591)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x574368C8 (1464035528)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 880, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824556/22591)
IV size: 8 bytes
replay detection support: Y
Other Side:
Result of the command: "show crypto IPsec sa"
interface: Outside
Crypto map tag: Outside_map, seq num: 80, local addr: 91.75.x.x
access-list Outside_cryptomap_80 permit ip 10.252.254.0 255.255.255.0 10.253.254.0 255.255.255.0
local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
current_peer: 38.101.x.x
#pkts encaps: 6814, #pkts encrypt: 6814, #pkts digest: 6814
#pkts decaps: 6840, #pkts decrypt: 6840, #pkts verify: 6840
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6814, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 91.75.x.x, remote crypto endpt.: 38.101.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 24B29DEA
inbound esp sas:
spi: 0x574368C8 (1464035528)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 32, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274551/22497)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x24B29DEA (615685610)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 32, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274554/22497)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 91.75.35.140
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.252.254.101/255.255.255.255/0/0)
current_peer: 109.70.x.x, username: x.x
dynamic allocated peer ip: 10.252.254.101
#pkts encaps: 9843, #pkts encrypt: 9843, #pkts digest: 9843
#pkts decaps: 15702, #pkts decrypt: 15702, #pkts verify: 15702
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9843, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 91.75.x.x/4500, remote crypto endpt.: 109.70.x.x/4261
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: F7DD7D3C
inbound esp sas:
spi: 0x365FE11A (912253210)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 30, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 8302
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF7DD7D3C (4158487868)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 30, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 8302
IV size: 16 bytes
replay detection support: Y
Crypto map tag: Outside_map, seq num: 60, local addr: 91.75.35.140
access-list Outside_cryptomap_60 permit ip 10.252.254.0 255.255.255.0 10.251.254.0 255.255.255.0
local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.251.254.0/255.255.255.0/0/0)
current_peer: 202.63.x.x
#pkts encaps: 45386, #pkts encrypt: 45386, #pkts digest: 45386
#pkts decaps: 40752, #pkts decrypt: 40752, #pkts verify: 40752
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 45386, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 91.75.x.x, remote crypto endpt.: 202.63.x.x
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4D2D3910
inbound esp sas:
spi: 0x35E0B702 (903919362)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3819169/6856)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x4D2D3910 (1294809360)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3805674/6856)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.35.140
access-list Outside_cryptomap_20_2 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
current_peer: 216.107.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 510, #pkts decrypt: 510, #pkts verify: 510
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 91.75.x.x, remote crypto endpt.: 216.107.x.x
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 0A800416
inbound esp sas:
spi: 0x8389203F (2206801983)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 26, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3824993/4605)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x0A800416 (176161814)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 26, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3825000/4605)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.x.x
access-list Outside_cryptomap_20_2 permit ip 10.252.254.0 255.255.255.0 10.254.254.0 255.255.255.0
local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
current_peer: 216.107.x.x
#pkts encaps: 340798, #pkts encrypt: 340798, #pkts digest: 340798
#pkts decaps: 404622, #pkts decrypt: 404622, #pkts verify: 404622
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 340798, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 91.75.x.x, remote crypto endpt.: 216.107.x.x
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 58AF6FDC
inbound esp sas:
spi: 0x0E076F75 (235368309)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 26, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3824672/28177)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x58AF6FDC (1487892444)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 26, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3824835/28177)
IV size: 16 bytes
replay detection support: Y
10-07-2010 02:19 AM
Doesn't appear to be a VPN problem, at least from the output provided.
Have you tested packet-tracer? What is the result? Where does it say it's failing?
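The packet-tracer and SA checks suggested in this reply and in the earlier one that asked for "show cry ipsec sa" output, written out as an added example; these commands are not part of any poster's message. Addresses follow the thread's diagram (10.253.254.0/24 behind the 5505 at site A, 10.252.254.0/24 behind the 5510 at site B); the specific hosts 10.253.254.10 and 10.252.254.101, the interface name "inside", and the sanitised peer address 91.75.x.x are assumptions to be replaced with your own values.

```cisco
! Run on the site A ASA 5505 (10.253.254.0/24 side). Host addresses, the
! interface name "inside" and the peer 91.75.x.x are assumed; adjust them.
!
! 1. Confirm the L2L SA for this peer carries traffic in both directions.
!    Generate traffic, then re-run: encaps and decaps should both rise.
!    encaps climbing while decaps stays flat means the far side is not
!    sending anything back through the tunnel.
show crypto ipsec sa peer 91.75.x.x

! 2. Trace an ICMP echo request (type 8, code 0) from a site A host to a
!    site B host. The last phase in the output names what dropped it
!    (ACCESS-LIST, NAT, VPN, INSPECT) or shows "Action: allow" with the
!    egress interface.
packet-tracer input inside icmp 10.253.254.10 8 0 10.252.254.101 detailed

! 3. Trace RDP (TCP/3389) the same way. A drop in the ACCESS-LIST phase
!    points at the interface ACL; a drop in NAT points at a missing
!    NAT exemption for the VPN traffic.
packet-tracer input inside tcp 10.253.254.10 12345 10.252.254.101 3389 detailed

! 4. Check whether ICMP is inspected at all. If no policy-map inspects
!    ICMP, echo replies need an explicit ACL entry on the outside
!    interface to get back in.
show service-policy inspect icmp

! Repeat steps 2 and 3 on the site B ASA 5510 with source and destination
! swapped, so each direction is traced on the firewall that sees the
! packet first.
```

Run the traces in the failing direction first (A to B in this thread); a trace that ends in "Action: allow" on both firewalls means the ASA is not the problem and the next hop to look at is the host or its local firewall.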
10-07-2010 03:04 AM
Site A ASA 5505 ASA5510 Site B
10.253.254.0/24 -- 38.101.x.x << -->> 91.75.x.x -- 10.252.254.0/24
All seems OK with the tunnel. My current problems are:
Any idea on the above?
These are my security policies for Site A:
and for Site B:
10-07-2010 03:14 AM
In regards to ping, have you enabled ICMP inspection on the ASA?
With RDP, can you telnet on port 3389? Is the server allowing RDP?
Sounds like an ESX server issue to me.
So far, all the issues sound more like networking issues than anything related to the VPN tunnel or firewall policy, as you have allowed everything through between the 2 subnets. I would suggest that you investigate hop by hop and see where it is failing.
10-07-2010 03:38 AM
10-07-2010 03:42 AM
Go to Configuration --> Firewall --> Service Policy Rules --> right-click on "inspection_default" --> Edit... --> Rule Actions --> enable both ICMP and ICMP Error --> OK --> Apply
10-07-2010 04:04 AM
Seems a little different on the 5505:
There is no default... do I create a global SCR?
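The CLI equivalent of the ASDM steps in the reply above, covering the case raised in this last post where the 5505 shows no inspection_default rule to edit. This is an added example and not from any poster; it assumes Cisco's stock names for the class-map and policy-map (inspection_default, global_policy) and that you check for an existing global service policy before adding one.

```cisco
! Look before creating anything. A 5505 that never received the ASDM
! defaults may have no global_policy at all, which is why the
! inspection_default rule is missing from the Service Policy Rules pane.
show running-config policy-map
show running-config service-policy

! If nothing is applied globally, create the stock class (it matches the
! default inspection ports and protocols) and a global policy that inspects
! ICMP and ICMP error. The names are Cisco's defaults, assumed here; any
! unique name works as long as it is used consistently.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Only one global service policy can be applied. If "show running-config
! service-policy" already lists one, add the two inspect lines under that
! policy-map's inspection class instead of applying a second policy.
service-policy global_policy global

! Verify, then re-test the ping. With ICMP inspection on, the echo reply is
! matched to the outbound request as a connection instead of needing its
! own entry in the outside interface ACL.
show service-policy inspect icmp
```

Do this on both ASAs; "Site B can ping A, but A can't ping B" is the classic symptom of one side having ICMP inspection and the other not.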