Site to Site VPN no traffic.

Shaun McCloud
Level 1

Hello,

I have been having an issue with my connection to my vendor, and we cannot figure it out for the life of us. We have the tunnel up, we just cannot ping either side of it (as you can tell from the post time, I am at a loss).

The goal is for our site to pass all traffic through to the vendor so they can route it out to the internet through the rest of their network.

As I said, the tunnel is up, it just does not seem to be passing any traffic, or at least any real traffic; I believe the keepalives are passing.

16 Replies

Markus Thun
Level 1

Hi Shaun McCloud,

Which kind of router do you use? Give us some more information, like configurations (ACL, NAT, routing).

Greets

Markus

This is an ASA 5520 connected to another ASA 5520.

And I thought I had attached the configs, so let me try again...

I have some presumptions. If you ping from site A to B, what do the log entries show?

I am not sure I follow your question (still a bit asleep).

I know that pings fail atm.

Shaun McCloud
Level 1

I believe the main issue is with my access lists. Now that I have been looking at this config for so long I just can't see the solution.

Here is the result of the crypto command.


oursite# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 27.166.60.6
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Hi,

Some comments about the configurations

Your site's configuration on a quick glance seems fine. You have configured NAT0 for all traffic and have configured all traffic out of the LAN to the L2L VPN connection.

The Vendor site configuration seems a bit weird though. Let's start with the routing. It has a route for network 10.0.0.0/8 and 10.4.0.0/16 pointing towards an IP address of 10.4.250.49 behind the "inside" interface, which CAN'T be the right gateway IP address since the "inside" interface's IP address is 10.4.253.66/30; therefore the routes, to my understanding, are useless. (The next hop IP address has to be from a directly connected network.)

These are the routes

route inside 10.0.0.0 255.0.0.0 10.4.250.49 1

route inside 10.4.0.0 255.255.0.0 10.4.250.49 1

This is the "inside" interface

interface GigabitEthernet0/1

no shut

speed 1000

duplex full

nameif inside

security-level 100

ip address 10.4.253.66 255.255.255.252

So with the above configuration it should not even be possible to forward traffic between the local networks of both sites.

If your plan is also to have the traffic from your site be forwarded to the remote site and out to the Internet through the Vendor ASA then it's missing some configuration.

You would need at least

global (outside) 1 interface

Since there are currently only "nat" statements defining the source addresses for the translations, but there is no "global" defining the actual NAT/PAT address.

The Vendor Site ASA is also missing the command

same-security-traffic permit intra-interface

Which would permit the traffic to come in through the "outside" interface (coming from your site through the VPN) and head back out through the "outside" interface (your traffic heading to the Internet).

- Jouni

The vendor ASA is not the access back out to the internet; it should go back to the core of their network and out through another point.

After removing these:

no route inside 10.0.0.0 255.0.0.0 10.4.250.49 1

no route inside 10.4.0.0 255.255.0.0 10.4.250.49 1

I can now ping from the Vendor site back to my site, but cannot currently ping from mine to the vendor's.

Hi,

The Vendor ASA holds a default route through its interface "outside".

If traffic from your site is supposed to head out to the Internet via some device behind the Vendor ASA then you would need a default route through their "inside" interface, I imagine?

You could use a "tunneled" route

route inside 0.0.0.0 0.0.0.0 10.4.253.65 tunneled

The tunneled route, to my understanding, forwards all traffic incoming from VPN connections towards this gateway without causing problems with the normal default route configured on the device.

To my understanding the .65 is the correct gateway IP address, as you are using .66 on the Vendor firewall "inside" interface and it's only a /30 mask network, so .65 is the only other usable IP address from that subnet.

I don't know however how removing those routes makes any difference for traffic between the networks, as there would still be no routes for the LAN networks at the Vendor site. Were there perhaps some other routes configured on that device that we are not seeing in the attached configurations?

- Jouni
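Jouni's two points above, that a static route's next hop must sit on a network directly connected to the egress interface and that .65 is the only other usable host in the 10.4.253.64/30 subnet, can be checked mechanically before a change window. The following Python is an added example written for this page, not code from the thread or from Cisco: it parses the interface and route lines quoted in the replies (constructed here as a config excerpt using the thread's own addresses, with the tunneled default route added as the third line) and flags every route whose gateway is not on the subnet of its interface.

```python
"""Sanity-check ASA static routes against the subnet of their egress interface.

Added example for this thread, not the vendor's or Cisco's code. The interface
and route lines are the ones quoted in the replies above; the parser and the
check are written here. A next hop that is not on a directly connected network
cannot be resolved by the ASA, so such a route forwards nothing.
"""
import ipaddress

# Constructed excerpt of the Vendor ASA configuration quoted in the thread.
# The third route is the "tunneled" default route proposed later in the thread.
VENDOR_ASA_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.4.253.66 255.255.255.252
route inside 10.0.0.0 255.0.0.0 10.4.250.49 1
route inside 10.4.0.0 255.255.0.0 10.4.250.49 1
route inside 0.0.0.0 0.0.0.0 10.4.253.65 tunneled
"""


def parse_interfaces(config):
    """Map each nameif to the IPv4Interface (address/mask) configured on it."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            nameif = None  # new interface block, nameif not yet known
        elif stripped.startswith("nameif "):
            nameif = stripped.split()[1]
        elif stripped.startswith("ip address ") and nameif:
            _, _, addr, mask = stripped.split()[:4]
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config):
    """Parse 'route <if> <net> <mask> <gateway> [metric] [tunneled]' lines."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, gw = parts[1:5]
        routes.append({
            "interface": ifname,
            "network": ipaddress.IPv4Network(f"{net}/{mask}"),
            "gateway": ipaddress.IPv4Address(gw),
            "tunneled": "tunneled" in parts[5:],
        })
    return routes


def check_routes(config):
    """Return a list of (route, problem) pairs; problem is None for a usable route.

    A route is flagged when its gateway is not inside the subnet of the
    interface it is configured on, i.e. not directly connected.
    """
    interfaces = parse_interfaces(config)
    results = []
    for route in parse_routes(config):
        iface = interfaces.get(route["interface"])
        if iface is None:
            problem = f"no interface named {route['interface']}"
        elif route["gateway"] not in iface.network:
            problem = (f"next hop {route['gateway']} is not on {iface.network} "
                       f"({route['interface']} is {iface})")
        else:
            problem = None
        results.append((route, problem))
    return results


def usable_neighbors(iface):
    """Other usable host addresses on the interface's subnet: the only valid
    candidates for a directly connected next hop out of that interface."""
    return [host for host in iface.network.hosts() if host != iface.ip]


if __name__ == "__main__":
    inside = parse_interfaces(VENDOR_ASA_CONFIG)["inside"]
    print(f"inside is {inside}; possible next hops: "
          f"{', '.join(str(h) for h in usable_neighbors(inside))}")
    for route, problem in check_routes(VENDOR_ASA_CONFIG):
        flag = "tunneled " if route["tunneled"] else ""
        verdict = problem or "ok"
        print(f"{flag}route to {route['network']} via {route['gateway']}: {verdict}")
```

Run against this excerpt it reports both 10.4.250.49 routes as unresolvable and the tunneled default via 10.4.253.65 as fine, and shows .65 as the only possible neighbor on the /30, which is the same conclusion Jouni reached by hand.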

There is nothing else connected to their ASA (just bought it).

Ok, next update...

This now has to do with routing and not so much the tunnel!

If i add:

global (outside) 1 interface

same-security-traffic permit intra-interface

but not:

route inside 0.0.0.0 0.0.0.0 10.4.253.65 tunneled

I can surf the net, but it goes back out the vendor ASA and not through their network.

If I remove:

same-security-traffic permit intra-interface

and add:

route inside 0.0.0.0 0.0.0.0 10.4.253.65 tunneled

I cannot surf. (Though they might not have the rest of their network set up to support this traffic atm.)

Please help me clarify: to achieve the goal of surfing out through their network I should use the:

route inside 0.0.0.0 0.0.0.0 10.4.253.65 tunneled

and not:

same-security-traffic permit intra-interface

But should the:

global (outside) 1 interface

be used or not?

Hi,

First off, don't worry about the "same-security-traffic" command. Whether it is or is not in your configuration doesn't matter for what you want to achieve. This was a configuration that was meant to enable Internet connection directly through the Vendor ASA, but as that is not the aim you don't really need it. Though leaving it WON'T cause problems for your setup.

If your aim is to simply first pass ALL traffic from your site to the Vendor Site ASA through the L2L VPN connection and then have the Vendor ASA pass the traffic to some other device on the network that will forward the traffic further or out to the Internet then you will need the "tunneled" route.

You might also want to clear up the NAT0 configuration on the Vendor ASA

It is currently this

access-list vpn-all extended permit ip 27.166.60.0 255.255.255.0 10.4.250.128 255.255.255.224

access-list vpn-all extended permit ip 10.4.0.0 255.255.0.0 10.4.250.128 255.255.255.224

access-list vpn-all extended permit ip any 10.4.250.128 255.255.255.192

access-list vpn-all extended permit ip any 10.4.253.64 255.255.255.252

access-list vpn-all extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

While it could be this

access-list vpn-all extended permit ip any 10.4.200.0 255.255.248.0

no access-list vpn-all extended permit ip 27.166.60.0 255.255.255.0 10.4.250.128 255.255.255.224

no access-list vpn-all extended permit ip 10.4.0.0 255.255.0.0 10.4.250.128 255.255.255.224

no access-list vpn-all extended permit ip any 10.4.250.128 255.255.255.192

no access-list vpn-all extended permit ip any 10.4.253.64 255.255.255.252

no access-list vpn-all extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

And to be honest the rest of the Vendor network is a big question mark for us

  • Is the ASA connected to their network?
  • Do they have routing configured so that the destination network 10.4.200.0 255.255.248.0 is found behind this Vendor ASA and through the L2L VPN?

- Jouni

I will turn off the "same-security-traffic" because it allows for unfiltered internet access, and that is the point of going through their network in the first place. Thanks for the clarification on that though.

Thanks for the cleanup, I am sure there will be a bit more of that after we finish with the routing (don't want to play with it too much until it is all working and we have saved it in 15 different locations, including a copy on the moon in case the earth blows up!)

The Vendor's network is complex, which has made part of this project frustrating, but I think we will be able to figure it out.


The ASA is already connected to their network, and the 10.4.200.0 network is already routed through their network (to some point-to-point T1s), so it's just a matter of changing some routing. (We hope.)

I will update you if we have any more issues; we will be changing the routing in 45 mins.

Shaun

Success! The Tunnel is up and working!

There is one config that I cannot figure out how to translate over...

ip nat inside source static 10.4.200.29 27.166.58.194

ip nat inside source static 10.4.200.25 27.166.58.195

How do I do this on the ASA? (came from a 2800 router running ver 12.3(8r))

Hi,

Are you saying that the router's static NAT configuration should now be on your site's ASA, or where?

Please do remember to mark replies as correct answers if they answered your question, or rate helpful answers.

- Jouni