12-23-2010 12:19 PM
I have configured a site-to-site VPN between two ASA 5505 firewalls. The tunnel establishes, but ICMP traffic does not pass. Actually, ping has worked twice, but just randomly. I need it to work consistently. I have attached both configurations as well as output from the packet-tracer from both ASAs and the IPsec and ISAKMP SAs. Thanks for any help you can provide.
ASA 1 Configuration:
ASA Version 8.0(3)
!
hostname asa1
enable password A.zMQonBIU0NmOC0 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.50.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd OMV1AjIsWknnKr9H encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
access-list acl_out extended permit tcp any host 63.76.12.195 eq smtp
access-list acl_out extended permit tcp any host 63.76.12.195 eq www
access-list acl_out extended permit tcp any host 63.76.12.195 eq 3389
access-list acl_out extended permit tcp any host 63.76.12.195 eq ftp
access-list acl_out extended permit tcp any host 63.76.12.195 eq ftp-data
access-list acl_out extended permit tcp any host 63.76.12.195 eq telnet
access-list acl_out extended permit tcp any host 63.76.12.195 eq 5800
access-list acl_out extended permit tcp any host 63.76.12.195 eq 5900
access-list acl_out extended permit tcp any host 63.76.12.195 eq https
access-list acl_out extended permit tcp any host 63.76.12.196 eq www
access-list acl_out extended permit tcp any host 63.76.12.196 eq https
access-list acl_out extended permit tcp any host 63.76.12.196 eq smtp
access-list acl_out extended permit tcp any host 63.76.12.196 eq 3389
access-list acl_out extended permit icmp any any
access-list 101 extended permit ip 10.1.50.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list 101 extended permit ip 10.1.50.0 255.255.255.0 10.1.51.0 255.255.255.0
access-list vpn-fargo extended permit ip 10.1.50.0 255.255.255.0 10.1.51.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.1.40.1-10.1.40.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1.1.1.2 ftp 10.1.50.3 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 ftp-data 10.1.50.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 telnet 10.1.50.3 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 5800 10.1.50.102 5800 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 5900 10.1.50.102 5900 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 3389 10.1.50.5 3389 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 10.1.50.6 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 match address vpn-fargo
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set reverse-route
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy vpn3000 internal
group-policy vpn3000 attributes
wins-server value 10.1.50.5
dns-server value 10.1.50.5 10.1.50.6
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
default-domain value asa1.com
user-authentication disable
address-pools value ippool
username vpn password Tw.atDK7GScnXkMJ encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
default-group-policy vpn3000
tunnel-group jtvpn ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end
ASA 2 configuration:
ASA Version 8.2(1)
!
hostname asa2
enable password A.zMQonBIU0NmOC0 encrypted
passwd 1vU9VISnc.IQ6OSN encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.51.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list vpn-dsm extended permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list nonat extended permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list outside-access-in extended permit icmp any any echo
access-list outside-access-in extended permit icmp any any echo-reply
access-list outside-access-in extended permit icmp any any unreachable
access-list outside-access-in extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address vpn-dsm
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set ESP-3DES
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end
Packet Tracer from ASA1:
asa1(config)# packet-tracer input inside icmp 10.1.50.253 1 1 10.1.51.253 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd49dcce0, priority=500, domain=permit, deny=true
hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.50.253, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Packet Tracer from ASA2:
asa2(config)# packet-tracer input inside icmp 10.1.51.253 1 1 10.1.50.253 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.50.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9583648, priority=500, domain=permit, deny=true
hits=9, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.51.253, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
IPSec SA from ASA 1:
peer address: 2.2.2.2
Crypto map tag: dynmap, seq num: 10, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (10.1.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.51.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1F3E7E3A
inbound esp sas:
spi: 0x1DFAE5E0 (502982112)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77824, crypto-map: dynmap
sa timing: remaining key lifetime (kB/sec): (3824999/28036)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x1F3E7E3A (524189242)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77824, crypto-map: dynmap
sa timing: remaining key lifetime (kB/sec): (3825000/28034)
IV size: 8 bytes
replay detection support: Y
ISAKMP SA from ASA 1:
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
IPSec SA from ASA 2:
peer address: 1.1.1.1
Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2
access-list vpn-dsm permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.51.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.50.0/255.255.255.0/0/0)
current_peer: 63.76.12.194
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1DFAE5E0
inbound esp sas:
spi: 0x1F3E7E3A (524189242)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 81920, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4374000/27900)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x1DFAE5E0 (502982112)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 81920, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4373999/27900)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ISAKMP SA from ASA 2:
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
12-23-2010 11:08 PM
Hi Mike,
I see the following in your configuration:
crypto map mymap 10 ipsec-isakmp dynamic dynmap
The sequence number for the peer 2.2.2.2 is 20, so we hit the dynamic map first, which could be causing this issue.
To avoid this, I would suggest you do the following:
no crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
To validate this fact, if you look at the IPsec SA on ASA1, you will find that it was negotiated with dynmap (crypto map seq 10) and not 20!!
IPSec SA from ASA 1:
peer address: 2.2.2.2
Crypto map tag: dynmap, seq num: 10, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (10.1.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.51.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Hope this helps!!
Cheers,
Manasi!!
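To make the ordering problem described in this answer checkable, here is an added lint script (not from the thread, and not Cisco's code) that parses the crypto-map and crypto-ACL lines posted above, flags a dynamic entry whose sequence number sits below a static entry of the same map, and checks that the two peers' crypto ACLs mirror each other. It assumes the ASA evaluates crypto map entries in ascending sequence order, which is the behaviour the answer relies on; the config excerpts are constructed from the posted configs.

```python
import re

# Matches the two crypto-map forms this thread turns on: the dynamic entry and the static "match address" entry.
CRYPTO_MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) (?:ipsec-isakmp dynamic (\S+)|match address (\S+))$")
# Matches "permit ip <src> <mask> <dst> <mask>" lines, i.e. crypto and NAT-exemption ACL entries.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(config):
    """Return ({(map, seq): entry}, {acl: [(src, smask, dst, dmask)]}) from a config excerpt."""
    entries, acls = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_RE.match(line)
        if m:
            name, seq, dyn, acl = m.groups()
            entries[(name, int(seq))] = {"dynamic": dyn} if dyn else {"acl": acl}
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return entries, acls

def misordered_dynamic_entries(entries):
    """Dynamic entries evaluated before a static entry of the same map: (map, dyn_seq, highest_static_seq)."""
    findings = []
    for (name, seq), entry in entries.items():
        if "dynamic" not in entry:
            continue
        statics = [s for (n, s), e in entries.items() if n == name and "acl" in e]
        if statics and seq < max(statics):  # assumption: lower sequence is evaluated first
            findings.append((name, seq, max(statics)))
    return findings

def mirrored(local_acl, remote_acl):
    """True when the peer's crypto ACL is the exact mirror (src/dst swapped) of ours."""
    return set(local_acl) == {(d, dm, s, sm) for (s, sm, d, dm) in remote_acl}

# Constructed excerpts of the two configs posted in the thread.
ASA1 = """
access-list vpn-fargo extended permit ip 10.1.50.0 255.255.255.0 10.1.51.0 255.255.255.0
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 match address vpn-fargo
"""
ASA2 = """
access-list vpn-dsm extended permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
crypto map mymap 10 match address vpn-dsm
"""
```

Running `misordered_dynamic_entries(parse(ASA1)[0])` reports `('mymap', 10, 20)`, and reports nothing once the dynamic entry is renumbered to 65535 as the answer suggests.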
12-23-2010 12:21 PM
Also, names and addresses have been changed to protect the innocent. 1.1.1.1 is the public IP of ASA1. 1.1.1.x are other public IPs used for ASA1. 2.2.2.2 is the public IP for ASA2.
12-24-2010 07:19 AM
Thank you so much Manasi! I got it working temporarily by refreshing the SAs a couple of times. I had assumed that since crypto map 20 sets the peer, it would automatically associate with that policy, but I guess I was mistaken. Thanks for the help.
Mike