Site-to-Site VPN, pings being blocked by NAT/firewall?

ZoCaAdmin
Level 1

Perhaps one of you can help me with the following challenge.

I'm setting up a site-to-site VPN; the router at SiteB says 'connected', but I cannot connect PCs from SiteB to SiteA or vice versa.

Both sites have a cable modem in bridge/transparent mode and a switch between the router and the PCs.

Like so:

PC-A > SF200-48 Switch > 5525-x ASA 9.1 Routers > Cable modem > INTERNET > Cable modem > RV130W > Cisco 3550 switch > PC-B

I've configured a site-to-site VPN on SiteA (ASA) with the setup wizard in the ASDM GUI tool, following the official video walk-through: https://supportforums.cisco.com/videos/5933.
(With 'Exempt ASA side host/network from address translation' enabled at the last step, because I don't want my NAT to block my VPN access.)
SiteA uses the 172.16.x.x range for the VLANs.
SiteA has multiple VLANs configured, while SiteB has not.
SiteA has a long list of NAT rules and access rules for remote access and some servers. (Already configured before starting with the VPN.)

The RV130W at SiteB has no console access; I've configured a VPN to connect to SiteA via the somewhat limited web interface.
SiteB has the IP range 192.168.1.x.
After a while it said 'connected'. When I tried to ping a LAN IP address of a server at SiteA, I got no response.
I've also tried pinging from SiteA to LAN IPs at SiteB, with no success.

Image, SiteB connected

In the ASA with ASDM, I've added a 'permit icmp from any to any' rule, but still no pings from the internal LAN at SiteA to B.
When I ping from 172.16.6.4 (SiteA) to 192.168.1.1 (the router at SiteB, INSIDE interface), I get:
"Reply from 192.168.1.1: Destination host unreachable." But most pings still time out with no reply at all. (So the router says that it cannot talk...?)

Image, VPN connection profile

Image ASDM dashboard

Image, allow icmp any-any

My ultimate goal is to connect the PCs at SiteB to the domain controller at SiteA,
and to be able to remotely manage the SiteB network/PCs from SiteA (with GPOs, Wake-on-LAN, etc.).
People working at SiteB need to be able to reach some internal webservers located at SiteA.

When this is working, I'm going to do the same to connect SiteC, which has a Cisco 870 ADSL modem/router.
I took a look at VTI (https://supportforums.cisco.com/blog/149426/advantages-vti-configuration-ipsec-tunnels), but I don't think the RV130W supports this.

Oh yeah, each site has its own VOIP running. I suppose that won't be a problem?

17 Replies

Hello,

You are sourcing from the wrong interface:

packet-tracer input INSIDE icmp 172.16.6.4 8 0 192.168.1.101 detail

Try this instead:

packet-tracer input RO-IT icmp 172.16.6.4 8 0 192.168.1.101 detail

Do you have any ACLs attached to interfaces that may block ICMP?

show run access-group

//Cristian

Great, we're getting closer!

ASA-01-RO-PRI# packet-tracer input RO-IT icmp 172.16.6.4 8 0 192.168.1.101 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33c7e960, priority=1, domain=permit, deny=false
hits=979074842, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=RO-IT, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ITToNetworks in interface RO-IT
access-list ITToNetworks extended permit ip any4 any4
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33500ef0, priority=13, domain=permit, deny=false
hits=6462745, user_data=0x7fff2c19a200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=RO-IT, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.6.4/0 to 172.16.6.4/0
Forward Flow based lookup yields rule:
in id=0x7fff353056f0, priority=6, domain=nat, deny=false
hits=4, user_data=0x7fff35a3e7a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.6.4, mask=255.255.255.252, port=0, tag=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff32cf44c0, priority=0, domain=nat-per-session, deny=true
hits=30156644, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33e13b40, priority=0, domain=inspect-ip-options, deny=true
hits=7324029, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=RO-IT, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3514f4d0, priority=70, domain=inspect-icmp, deny=false
hits=455310, user_data=0x7fff34a46010, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=RO-IT, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33c581f0, priority=66, domain=inspect-icmp-error, deny=false
hits=458383, user_data=0x7fff33a33f30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=RO-IT, output_ifc=any
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff35a01b50, priority=70, domain=encrypt, deny=false
hits=5, user_data=0x0, cs_id=0x7fff37327e20, reverse, flags=0x0, protocol=0
src ip/id=172.16.6.4, mask=255.255.255.252, port=0, tag=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
Result:
input-interface: RO-IT
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI# sh asp drop
Frame drop:
Flow is being freed (flow-being-freed) 154
Invalid encapsulation (invalid-encap) 147347
Unsupported IP version (unsupported-ip-version) 3
Invalid IP length (invalid-ip-length) 8
Invalid TCP Length (invalid-tcp-hdr-length) 3
Invalid UDP Length (invalid-udp-length) 2
No valid adjacency (no-adjacency) 621
No route to host (no-route) 2161928
Flow is denied by configured rule (acl-drop) 8366355
First TCP packet not SYN (tcp-not-syn) 5765850
Bad TCP flags (bad-tcp-flags) 681
TCP Dual open denied (tcp-dual-open) 10
TCP data send after FIN (tcp-data-past-fin) 15
TCP failed 3 way handshake (tcp-3whs-failed) 42291
TCP RST/FIN out of order (tcp-rstfin-ooo) 694742
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 54812
TCP SYNACK on established conn (tcp-synack-ooo) 2094
TCP packet SEQ past window (tcp-seq-past-win) 35850
TCP invalid ACK (tcp-invalid-ack) 20142
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 144
TCP Out-of-Order packet buffer full (tcp-buffer-full) 636
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1709
TCP RST/SYN in window (tcp-rst-syn-in-win) 6609
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 813
TCP packet failed PAWS test (tcp-paws-fail) 6547
CTM returned error (ctm-error) 50
Slowpath security checks failed (sp-security-failed) 19925756
Expired flow (flow-expired) 15
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 676
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 15280
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 20
DNS Inspect invalid packet (inspect-dns-invalid-pak) 1301
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 195
DNS Inspect id not matched (inspect-dns-id-not-matched) 2234419
FP L2 rule drop (l2_acl) 60040
Interface is down (interface-down) 175
Dropped pending packets in a closed socket (np-socket-closed) 18067
NAT unassigned pool in cluster (nat-cluster-unassigned-pool) 76
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 128
Flow is denied by access rule (acl-drop) 4171312
Inspection failure (inspect-fail) 83126
SSL bad record detected (ssl-bad-record-detect) 234
SSL handshake failed (ssl-handshake-failed) 1250
SSL malloc error (ssl-malloc-error) 50
Last clearing: Never
ASA-01-RO-PRI# show run access-group
access-group Internet1ToNetworks in interface OUTSIDE
access-group NetworksToInternet1 out interface OUTSIDE
access-group NetworksToMGMT out interface INSIDE
access-group OfficeToNetworks in interface RO-Office
access-group NetworksToOffice out interface RO-Office
access-group GuestToNetworks in interface RO-Guest
access-group NetworksToGuest out interface RO-Guest
access-group RNDToNetworks in interface RO-RND
access-group NetworksToRND out interface RO-RND
access-group VoiceToNetworks in interface RO-Voice
access-group NetworksToVoice out interface RO-Voice
access-group Guest2ToNetworks in interface RO-Guest2
access-group NetworksToGuest2 out interface RO-Guest2
access-group AutomationToNetworks in interface RO-Automation
access-group NetworksToAutomation out interface RO-Automation
access-group ITToNetworks in interface RO-IT
access-group NetworksToIT out interface RO-IT
access-group PrintersToNetworks in interface RO-Printers
access-group NetworksToPrinters out interface RO-Printers
access-group ServersToNetworks in interface RO-Servers
access-group NetworksToServers out interface RO-Servers
access-group global_access global
ASA-01-RO-PRI#

ITToNetworks only has:

access-list ITToNetworks extended permit ip any4 any4

And there are some global rules:

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

Hello,

Good results!

If I am not mistaken you will always get a DROP showing on VPN in packet-tracer.

Now make sure that no ACL in/out is blocking traffic (you seem to have a lot of them) and test connectivity to/from the other side.

//Cristian
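The packet-tracer output above is long, and the thing a reader needs from it is which phase actually dropped the packet and what the final drop reason was. The following parser is an added example, not code from the thread or from Cisco: it splits ASA packet-tracer output into its numbered phases and reports the final Action and Drop-reason, so an ACL drop and a drop in the VPN encrypt phase (as in this thread) can be told apart at a glance. The sample input is a constructed excerpt of the output posted above, trimmed to three phases.

```python
import re

# Constructed excerpt of the ASA packet-tracer output from this thread,
# reduced to three of the ten phases so the example stays short.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: RO-IT
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One phase header is four consecutive lines: Phase, Type, Subtype (may be empty), Result.
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype:[ \t]*(\S*)\nResult: (\S+)", re.M)


def parse_phases(text):
    """Return a list of (phase_number, type, subtype, result) tuples in order."""
    return [(int(n), t, s, r) for n, t, s, r in PHASE_RE.findall(text)]


def summarize(text):
    """Summarise a packet-tracer run: phase count, final action, drop code/text and first DROP phase."""
    phases = parse_phases(text)
    action = re.search(r"^Action: (\S+)", text, re.M)
    reason = re.search(r"^Drop-reason: \((\S+)\) (.*)$", text, re.M)
    drops = [p for p in phases if p[3] == "DROP"]
    return {
        "phases": len(phases),
        "action": action.group(1) if action else None,
        "drop_code": reason.group(1) if reason else None,
        "drop_text": reason.group(2).strip() if reason else None,
        "drop_phase": drops[0] if drops else None,  # (10, 'VPN', 'encrypt', 'DROP') for SAMPLE
    }
```

Feed the full output of `packet-tracer ... detail` into `summarize` to get the dropping phase without reading every lookup rule by hand.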