
Site to Site VPN Routing Issue

ryan.neil (Level 1)

Hi,
I have the following site to site VPN setup on our router.
crypto map CMAP 10 ipsec-isakmp
set peer 217.**.**.**
set transform-set DHL
set pfs group5
match address 101
crypto map CMAP 20 ipsec-isakmp
set peer 51.**.***.***
set transform-set Bridge-Allan
match address 102
interface GigabitEthernet0/1
description LAN
ip address 172.19.8.1 255.255.255.0 secondary
ip address 172.19.7.4 255.255.255.0
access-list 100 deny ip 172.19.7.0 0.0.0.255 10.162.132.0 0.0.0.255
access-list 100 deny ip 172.19.7.0 0.0.0.255 6.**.0.0 0.0.255.255
access-list 100 deny ip 172.19.7.0 0.0.0.255 10.192.**.0 0.0.0.255
access-list 100 permit ip 172.19.7.0 0.0.0.255 any
access-list 101 permit ip 172.19.7.0 0.0.0.255 host 10.162.132.184
access-list 102 permit ip 172.19.7.0 0.0.0.255 6.**.*.* 0.0.255.255
access-list 102 permit ip 172.19.4.0 0.0.0.255 6.**.*.* 0.0.255.255
access-list 102 permit ip 172.19.7.0 0.0.0.255 10.192.**.0 0.0.0.255
However, I cannot get the routing for the following, which was added recently, to work correctly:
access-list 102 permit ip 172.19.7.0 0.0.0.255 10.192.**.0 0.0.0.255
I can see hits on the ACL for this:
Extended IP access list 100
10 deny ip 172.19.7.0 0.0.0.255 10.162.**.0 0.0.0.255 (32781 matches)
20 deny ip 172.19.7.0 0.0.0.255 6.**.0.0 0.0.255.255 (180566538 matches)
25 deny ip 172.19.7.0 0.0.0.255 10.192.**.0 0.0.0.255 (85240 matches)
30 permit ip 172.19.7.0 0.0.0.255 any (12032138 matches)
Extended IP access list 101
10 permit ip 172.19.7.0 0.0.0.255 host 10.162.132.184 (32804 matches)
Extended IP access list 102
10 permit ip 172.19.7.0 0.0.0.255 6.**.0.0 0.0.255.255 (180651662 matches)
20 permit ip 172.19.4.0 0.0.0.255 6.**.0.0 0.0.255.255 (1497493 matches)
30 permit ip 172.19.7.0 0.0.0.255 10.192.**.0 0.0.0.255 (85240 matches) this one
However, it does not show here. Is there an issue with my ACL for the route over the VPN to 10.192.**.0 0.0.0.255?
FL002442#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 217.33.239.49 port 500
IKEv1 SA: local 46.**.*.**/500 remote 217.**.***.**/500 Active
IPSEC FLOW: permit ip 172.19.7.0/255.255.255.0 host 10.162.**.**
Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 51.**.***.*** port 500
IKEv1 SA: local 46.***.*.**/500 remote 51.**.***.***/500 Active
IPSEC FLOW: permit ip 172.19.4.0/255.255.255.0 6.**.*.*/255.255.0.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 172.19.7.0/255.255.255.0 6.**.*.*/255.255.0.0
Active SAs: 2, origin: crypto map
Any help with this would be greatly appreciated.
Regards
Ryan Neil

5 Replies

Hi,

Is NAT configured on the router? Could the traffic be unintentionally NATted?

Can you generate some traffic in order to attempt to establish the tunnel whilst running a debug, and provide the output for review?
Hi Rob,
Traffic is not NATted, and when I run a ping to 10.192.27.1 source 172.19.7.4, the ACL below increments:
30 permit ip 172.19.7.0 0.0.0.255 10.192.27.0 0.0.0.255 (85268 matches)
However, running debug crypto isakmp shows nothing at all while pinging, and this does not change to show the new route between 172.19.7.0 and 10.192.27.0:
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 51.**.***.** port 500
IKEv1 SA: local 46.***.*.**/500 remote 5*.*.***.***/500 Active
IPSEC FLOW: permit ip 172.19.4.0/255.255.255.0 6.**.*.*/255.255.0.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 172.19.7.0/255.255.255.0 6.**.*.*/255.255.0.0
Active SAs: 2, origin: crypto map
Regards
Ryan Neil

What is the routing configuration of the router? Please provide the output.

Hi Rob,
As requested, see below.
show ip route

S* 0.0.0.0/0 [1/0] via 46.***.*.**
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/30 is directly connected, Tunnel1
L 10.10.10.1/32 is directly connected, Tunnel1
46.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 46.**.*.**/31 is directly connected, GigabitEthernet0/0
L 46.**.*.**/32 is directly connected, GigabitEthernet0/0
C 46.**.*.***/30 is directly connected, GigabitEthernet0/1.20
L 46.**.*.***/32 is directly connected, GigabitEthernet0/1.20
172.19.0.0/16 is variably subnetted, 5 subnets, 2 masks
S 172.19.4.0/24 [1/0] via 10.10.10.2
C 172.19.7.0/24 is directly connected, GigabitEthernet0/1
L 172.19.7.4/32 is directly connected, GigabitEthernet0/1
C 172.19.8.0/24 is directly connected, GigabitEthernet0/1
L 172.19.8.1/32 is directly connected, GigabitEthernet0/1
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key DC345;JY9818CgCbY92! address 51.**.***.***
crypto isakmp key 578fu8fhtgjk address 217.**.***.**
!
!
crypto ipsec transform-set DHL esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set Bridge-Allan esp-3des esp-sha-hmac
mode transport
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 217.**.***.**
set transform-set DHL
set pfs group5
match address 101
crypto map CMAP 20 ipsec-isakmp
set peer 51.**.***.***
set transform-set Bridge-Allan
match address 102
!
!
!
interface Tunnel1
description Tunnel to Factory
ip address 10.10.10.1 255.255.255.252
keepalive 6 10
tunnel source GigabitEthernet0/0
tunnel destination 46.**.*.**
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 46.**.*.** 255.255.255.254
ip access-group wanfirewall in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/1
description LAN
ip address 172.19.8.1 255.255.255.0 secondary
ip address 172.19.7.4 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
description vLAN20 for ASA
encapsulation dot1Q 20
ip address 46.***.*.*** 255.255.255.252
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool PORTFWD 172.19.7.234 172.19.7.234 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 172.19.7.3 25 interface GigabitEthernet0/0 25
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.19.7.20 7016 interface GigabitEthernet0/0 7016
ip nat inside source static tcp 172.19.7.254 8080 interface GigabitEthernet0/0 8080
ip nat inside source static tcp 172.19.7.254 8443 interface GigabitEthernet0/0 8443
ip nat inside source static tcp 172.19.7.254 8880 interface GigabitEthernet0/0 8880
ip nat inside source static tcp 172.19.7.254 8843 interface GigabitEthernet0/0 8843
ip nat inside source static tcp 172.19.7.254 27117 interface GigabitEthernet0/0 27117
ip nat inside source static tcp 172.19.7.234 10990 interface GigabitEthernet0/0 10990
ip nat inside source static tcp 172.19.7.5 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 172.19.7.5 80 interface GigabitEthernet0/0 80
ip nat inside source static udp 172.19.7.254 3478 interface GigabitEthernet0/0 3478
ip nat inside source static tcp 172.19.7.9 8023 interface GigabitEthernet0/0 23
ip nat inside destination list 110 pool PORTFWD
ip route 0.0.0.0 0.0.0.0 46.2**.*.**
ip route 172.19.4.0 255.255.255.0 10.10.10.2
!
ip access-list extended wanfirewall
permit udp any any eq ntp
permit tcp any host 46.***.**.** range 50000 50100 log
permit ip any any
permit tcp host 81.*.***.*** host 46.***.*.** eq telnet
permit tcp host 81.*.***.*** host 46.***.*.** eq telnet
permit tcp any host 46.***.*.** eq telnet
!
access-list 1 permit 172.19.7.0 0.0.0.255
access-list 1 permit 172.19.4.0 0.0.0.255
access-list 1 permit 172.19.8.0 0.0.0.255
access-list 1 permit 6.**.*.* 0.0.255.255
access-list 1 permit 10.192.27.0 0.0.0.255
access-list 10 permit 178.**.**.**
access-list 10 permit 46.***.*.*
access-list 10 permit 46.***.*.*
access-list 10 permit 46.***.*.*
access-list 10 permit 46.***.*.*
access-list 10 permit 46.***.*.*
access-list 100 deny ip 172.19.7.0 0.0.0.255 10.162.132.0 0.0.0.255
access-list 100 deny ip 172.19.7.0 0.0.0.255 6.**.*.0 0.0.255.255
access-list 100 deny ip 172.19.7.0 0.0.0.255 10.192.27.0 0.0.0.255
access-list 100 permit ip 172.19.7.0 0.0.0.255 any
access-list 101 permit ip 172.19.7.0 0.0.0.255 host 10.162.132.184
access-list 102 permit ip 172.19.7.0 0.0.0.255 6.**.*.0 0.0.255.255
access-list 102 permit ip 172.19.4.0 0.0.0.255 6.**.*.0 0.0.255.255
access-list 102 permit ip 172.19.7.0 0.0.0.255 10.192.27.0 0.0.0.255
access-list 110 permit udp any any range 50000 50100
access-list 110 permit tcp any any range 50000 50100
Regards
Ryan Neil

I can't see anything obviously wrong with the information you've provided.

If no isakmp debugs appear, then either traffic is not routed to the router to attempt to establish the VPN, or it does not match the crypto ACL. Double check the source (ping from a device behind the router, not the router itself).

Turn on "debug ip icmp" and "debug crypto isakmp", and run a ping from the correct network. Provide the output for review. Double check that the output is displayed on the console.
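As an added example (not part of the thread or the poster's configuration), the check below applies the first-match / implicit-deny rule Rob refers to: does a given flow match the crypto map's "match address" ACL, and does the NAT exemption ACL 100 deny (i.e. exempt from translation) every network pair that crypto ACL 102 permits? The ACL text is a constructed sample modelled on the thread; the masked octets (6.**.*.*) are replaced with the placeholder 6.1.0.0, and the DHL entry for 10.162.132.0 is left out.

```python
import ipaddress

# Constructed sample modelled on the ACLs in the thread; the masked octets
# (6.**.*.*) are replaced with the placeholder 6.1.0.0, not the real values.
CRYPTO_ACL_102 = """
access-list 102 permit ip 172.19.7.0 0.0.0.255 6.1.0.0 0.0.255.255
access-list 102 permit ip 172.19.4.0 0.0.0.255 6.1.0.0 0.0.255.255
access-list 102 permit ip 172.19.7.0 0.0.0.255 10.192.27.0 0.0.0.255
"""
NAT_ACL_100 = """
access-list 100 deny ip 172.19.7.0 0.0.0.255 6.1.0.0 0.0.255.255
access-list 100 deny ip 172.19.7.0 0.0.0.255 10.192.27.0 0.0.0.255
access-list 100 permit ip 172.19.7.0 0.0.0.255 any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(toks, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at toks[i] -> (base, wildcard, next)."""
    if toks[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if toks[i] == "host":
        return _ip(toks[i + 1]), 0, i + 2
    return _ip(toks[i]), _ip(toks[i + 1]), i + 2
def parse_acl(text):
    """Return [(action, src, src_wild, dst, dst_wild)] for 'access-list N ... ip' ACEs."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[3] != "ip":
            continue  # only IP ACEs matter for crypto-map and NAT matching
        src, sw, i = _addr(toks, 4)
        dst, dw, _ = _addr(toks, i)
        entries.append((toks[2], src, sw, dst, dw))
    return entries
def _hits(addr, base, wild):
    """Wildcard-mask test: a set bit in `wild` means that bit is ignored."""
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0
def first_match(acl, src, dst):
    """IOS ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for action, b, bw, e, ew in parse_acl(acl):
        if _hits(s, b, bw) and _hits(d, e, ew):
            return action
    return "deny"
def nat_exempt_gaps(crypto_acl, nat_acl):
    """Crypto permits the NAT ACL still translates (tested at each network's base address)."""
    fmt = lambda n: str(ipaddress.IPv4Address(n))
    return [(fmt(s), fmt(d)) for act, s, _, d, _ in parse_acl(crypto_acl)
            if act == "permit" and first_match(nat_acl, fmt(s), fmt(d)) == "permit"]
```

A non-empty result from nat_exempt_gaps means a flow would be translated by the overload NAT before the crypto map evaluates it, so it would never appear as interesting traffic; an empty result for the thread's ACLs points the search elsewhere, as Rob's reply does.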