539 Views, 0 Helpful, 7 Replies

Strange site to site encryption issue with ASA

burleyman
Level 8

I am having a strange issue with encryption for a site to site VPN.

The ASA is running Cisco Adaptive Security Appliance Software Version 8.2(5).

Here is my config. The tunnel is up and passes traffic.

object-group network FAR_NETWORKS
  network-object 172.31.174.0 255.255.255.0
  network-object 172.31.175.0 255.255.255.0
  network-object 172.31.176.0 255.255.255.0
  network-object 172.31.177.0 255.255.255.0
  network-object 172.31.178.0 255.255.255.0


access-list FAR-CRYPTOMAP-17 extended permit ip object-group FAR_NETWORKS 172.31.255.128 255.255.255.128

access-list FAR_STATIC_NAT_11 extended permit ip 10.30.1.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_12 extended permit ip 10.30.16.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_13 extended permit ip 10.30.3.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_14 extended permit ip 10.30.12.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_15 extended permit ip 10.30.7.0 255.255.255.0 172.31.255.128 255.255.255.128


global (outside) 11 172.31.174.1-172.31.174.254 netmask 255.255.255.0
global (outside) 12 172.31.175.1-172.31.175.254 netmask 255.255.255.0
global (outside) 13 172.31.178.1-172.31.178.254 netmask 255.255.255.0
global (outside) 14 172.31.176.1-172.31.176.254 netmask 255.255.255.0
global (outside) 15 172.31.177.1-172.31.177.254 netmask 255.255.255.0


static (inside,outside) 172.31.174.0  access-list FAR_STATIC_NAT_11
static (inside,outside) 172.31.175.0  access-list FAR_STATIC_NAT_12
static (inside,outside) 172.31.178.0  access-list FAR_STATIC_NAT_13
static (inside,outside) 172.31.176.0  access-list FAR_STATIC_NAT_14
static (inside,outside) 172.31.177.0  access-list FAR_STATIC_NAT_15

crypto map MAP-VPN 72 match address FAR-CRYPTOMAP-17
crypto map MAP-VPN 72 set peer 2.2.2.3
crypto map MAP-VPN 72 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 72 set reverse-route
crypto map MAP-VPN interface outside


tunnel-group 2.2.2.3 type ipsec-l2l
tunnel-group 2.2.2.3 ipsec-attributes
 pre-shared-key KEY-Here

Now when I run show ipsec sa peer 2.2.2.3 I see the 172.31.174.0, 172.31.175.0 and they are encap and decap OK along with encrypt and decrypt as well. Then I see 172.31.178.0 and it does not show the ACL, and I only see decaps and decrypt but no encaps or encrypt. And I do not see the others at all, 172.31.176.0 and 172.31.177.0.

What is causing this issue?

The odd part is if I take these out of the config...

crypto map MAP-VPN 72 match address FAR-CRYPTOMAP-17

access-list FAR-CRYPTOMAP-17 extended permit ip object-group FAR_NETWORKS 172.31.255.128 255.255.255.128

It works and I see all the IP ranges.

Mike

7 Replies

rizwanr74
Level 7

Hi Mike,

You are using static-policy-nat and dynamic-policy-nat at the same time to achieve the same result, which I wouldn't do.

Well, if you could see on which instance of crypto-map your tunnel is being terminated.

show crypto ipsec sa peer 2.2.2.3

Crypto map tag: userdefinedname, seq num: xxxx,

ASA# show ipsec sa peer 2.2.2.3
peer address: 2.2.2.3
    Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

      access-list VOXENT-CRYPTOMAP-17 extended permit ip 172.31.174.0 255.255.255.0 172.31.255.128 255.255.255.128
      local ident (addr/mask/prot/port): (172.31.174.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      current_peer: 2.2.2.3

      #pkts encaps: 6836, #pkts encrypt: 6836, #pkts digest: 6836
      #pkts decaps: 6836, #pkts decrypt: 6836, #pkts verify: 6836
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6836, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.6.6.2, remote crypto endpt.: 2.2.2.3

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8CDA73C1
      current inbound spi : 7A27569C

    inbound esp sas:
      spi: 0x7A27569C (2049398428)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914792/621)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8CDA73C1 (2363126721)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914792/620)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

      access-list VOXENT-CRYPTOMAP-17 extended permit ip 172.31.175.0 255.255.255.0 172.31.255.128 255.255.255.128
      local ident (addr/mask/prot/port): (172.31.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      current_peer: 2.2.2.3

      #pkts encaps: 12896, #pkts encrypt: 12896, #pkts digest: 12896
      #pkts decaps: 12896, #pkts decrypt: 12896, #pkts verify: 12896
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 12896, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.6.6.2, remote crypto endpt.: 2.2.2.3

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2E98BB05
      current inbound spi : 42F157C5

    inbound esp sas:
      spi: 0x42F157C5 (1123112901)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914617/615)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2E98BB05 (781761285)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914617/615)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: MAP-DYN, seq num: 20, local addr: 6.6.6.2

      local ident (addr/mask/prot/port): (172.31.178.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      current_peer: 2.2.2.3

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 858, #pkts decrypt: 858, #pkts verify: 858
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.6.6.2, remote crypto endpt.: 2.2.2.3

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0C6A6AB8
      current inbound spi : 9B265EB9

    inbound esp sas:
      spi: 0x9B265EB9 (2602983097)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-DYN
         sa timing: remaining key lifetime (kB/sec): (3914936/675)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0C6A6AB8 (208300728)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-DYN
         sa timing: remaining key lifetime (kB/sec): (3915000/675)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
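The three symptoms in the output above (an SA that decaps but never encaps, an SA with no access-list line because it was built under the dynamic map, and crypto ACL networks with no SA at all) are easy to miss in a long SA dump. The following Python parser is an added illustration for this thread, not code from the thread or from Cisco. The sample text is an abbreviated, constructed copy of the output posted above, and the list of expected local networks is taken from the FAR_NETWORKS object-group in the original config.

```python
import re
from ipaddress import ip_network

# Constructed sample: an abbreviated copy of the "show ipsec sa peer 2.2.2.3" output
# posted in this thread, keeping only the lines the parser reads.
SAMPLE_OUTPUT = """\
peer address: 2.2.2.3
    Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

      access-list VOXENT-CRYPTOMAP-17 extended permit ip 172.31.174.0 255.255.255.0 172.31.255.128 255.255.255.128
      local ident (addr/mask/prot/port): (172.31.174.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      #pkts encaps: 6836, #pkts encrypt: 6836, #pkts digest: 6836
      #pkts decaps: 6836, #pkts decrypt: 6836, #pkts verify: 6836

    Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

      access-list VOXENT-CRYPTOMAP-17 extended permit ip 172.31.175.0 255.255.255.0 172.31.255.128 255.255.255.128
      local ident (addr/mask/prot/port): (172.31.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      #pkts encaps: 12896, #pkts encrypt: 12896, #pkts digest: 12896
      #pkts decaps: 12896, #pkts decrypt: 12896, #pkts verify: 12896

    Crypto map tag: MAP-DYN, seq num: 20, local addr: 6.6.6.2

      local ident (addr/mask/prot/port): (172.31.178.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 858, #pkts decrypt: 858, #pkts verify: 858
"""

# Networks the crypto ACL (object-group FAR_NETWORKS in the thread) says should be protected.
EXPECTED_LOCAL_NETS = [
    "172.31.174.0/24", "172.31.175.0/24", "172.31.176.0/24",
    "172.31.177.0/24", "172.31.178.0/24",
]

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one record per SA pair."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.search(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "acl": None,
                   "local": None, "remote": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        stripped = line.strip()
        if stripped.startswith("access-list "):
            cur["acl"] = stripped
            continue
        m = IDENT.search(line)
        if m:
            # normalise "addr/netmask" to CIDR so it compares with EXPECTED_LOCAL_NETS
            cur[m.group(1)] = str(ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
            continue
        for kind, count in COUNTER.findall(line):
            cur[kind] = int(count)
    return sas


def diagnose(sas, expected_local_nets):
    """Flag the three symptoms described in the thread."""
    seen = {sa["local"] for sa in sas}
    return {
        # decaps but no encaps: the peer sends us traffic, we never encrypt any back
        "one_way": [sa["local"] for sa in sas if sa["decaps"] > 0 and sa["encaps"] == 0],
        # no access-list line: the SA was matched by a dynamic map, not the static entry
        "no_acl": [sa["local"] for sa in sas if sa["acl"] is None],
        # ACL network with no SA at all
        "missing": [n for n in expected_local_nets if n not in seen],
    }


if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SAMPLE_OUTPUT), EXPECTED_LOCAL_NETS))
```

Run against the full output of `show crypto ipsec sa peer <ip>` saved to a file, the report gives the same picture Mike describes by eye: 172.31.178.0/24 is both one-way and without an ACL line, and 172.31.176.0/24 and 172.31.177.0/24 have no SA.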

 

So I would remove this...

global (outside) 11 172.31.174.1-172.31.174.254 netmask 255.255.255.0
global (outside) 12 172.31.175.1-172.31.175.254 netmask 255.255.255.0
global (outside) 13 172.31.178.1-172.31.178.254 netmask 255.255.255.0
global (outside) 14 172.31.176.1-172.31.176.254 netmask 255.255.255.0
global (outside) 15 172.31.177.1-172.31.177.254 netmask 255.255.255.0

And keep this...

access-list FAR_STATIC_NAT_11 extended permit ip 10.30.1.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_12 extended permit ip 10.30.16.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_13 extended permit ip 10.30.3.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_14 extended permit ip 10.30.12.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_15 extended permit ip 10.30.7.0 255.255.255.0 172.31.255.128 255.255.255.128

static (inside,outside) 172.31.174.0  access-list FAR_STATIC_NAT_11
static (inside,outside) 172.31.175.0  access-list FAR_STATIC_NAT_12
static (inside,outside) 172.31.178.0  access-list FAR_STATIC_NAT_13
static (inside,outside) 172.31.176.0  access-list FAR_STATIC_NAT_14
static (inside,outside) 172.31.177.0  access-list FAR_STATIC_NAT_15

Hi Mike,

So, it is being terminated on the correct crypto instance 72.

Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

The reason you don't see the other ACL entries on the IPSec SA is because that particular data flow was not initiated by users who are behind those private-ip ranges.

thanks

I have continuous pings from all the sites.

Let's start from scratch and I will let you know what I need to accomplish.

I have a main site with other sites that connect to the main site through a private MPLS.

All traffic from the remote sites and the main site will be going across this one tunnel and must be NATed as follows.

Remember the ASA is running 8.2.5 software.

The main site subnet is 172.30.1.0/24

Site A subnet is 172.30.16.0/24

Site B subnet is 172.30.3.0/24

These subnets need to be NATed to the following so they look like they are originating from these subnets:

172.30.1.0/24 NAT to 172.31.174.0/24

172.30.16.0/24 NAT to 172.31.175.0/24

172.30.3.0/24 NAT to 172.31.178.0/4

So this will happen.....

172.30.1.111 will NAT to and look like on the other side as 172.31.174.111

so the last octet is preserved.

This traffic only needs to be NATed if the destination subnet is 172.31.255.128/25.

How would you configure this?

Local outside IP address is 1.1.1.1

Local inside IP address is 172.30.1.254

The peer IP address is 2.2.2.2

Mike

First make sure your ASA has the route to the subnets coming from the MPLS cloud.

Your static-policy-nat is fine, unless the remote-tunnel subnet overlaps with another remote tunnel of yours, and if that is not the case.

You may try this. I normally use a dynamic-nat as shown below, when traffic is only initiated from my side, not from the remote-tunnel side.

global (outside) 11 172.31.174.1 netmask 255.255.255.255
nat (inside) 11 access-list FAR_STATIC_NAT_11

global (outside) 12 172.31.175.1 netmask 255.255.255.255
nat (inside) 12 access-list FAR_STATIC_NAT_12

global (outside) 13 172.31.178.1 netmask 255.255.255.255
nat (inside) 13 access-list FAR_STATIC_NAT_13

global (outside) 14 172.31.176.1 netmask 255.255.255.255
nat (inside) 14 access-list FAR_STATIC_NAT_14

global (outside) 15 172.31.177.1 netmask 255.255.255.255
nat (inside) 15 access-list FAR_STATIC_NAT_15

Let me know.

thanks

That will translate IP addresses, let's say in the subnet 172.30.7.0/24, to just one IP address, 172.31.177.1; that is not what I need...

172.30.7.101 should NAT to 172.31.177.101

172.30.7.23 should NAT to 172.31.177.23

172.30.7.12 should NAT to 172.31.177.12

and so on for all the subnets
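The requirement stated above (net-to-net translation that preserves the last octet, applied only when the destination is 172.31.255.128/25) and the objection to a single-global-address dynamic NAT in the previous reply can both be checked with a small model of the ASA's outbound processing. The Python below is an added example for this thread, not code from the thread or from Cisco. It assumes the ASA's order of operations for outbound traffic, NAT first and then the crypto ACL evaluated against the translated packet, which is why the crypto ACL in the original config lists the 172.31.17x mapped networks rather than the real ones. The rule list is constructed from Mike's requirement post (172.30.x real networks), and the unrelated host 192.168.50.5 is a constructed address that matches no rule.

```python
from ipaddress import ip_address, ip_network

# Constructed from the requirement posted above: one net-to-net static policy NAT
# rule per site, in the shape of an 8.2 "static (inside,outside) <mapped> access-list <acl>"
# whose ACL permits <real net> -> <destination net>.
POLICY_STATIC_NAT = [
    # (real network, destination that triggers the rule, mapped network)
    ("172.30.1.0/24",  "172.31.255.128/25", "172.31.174.0/24"),
    ("172.30.16.0/24", "172.31.255.128/25", "172.31.175.0/24"),
    ("172.30.3.0/24",  "172.31.255.128/25", "172.31.178.0/24"),
    ("172.30.7.0/24",  "172.31.255.128/25", "172.31.177.0/24"),
]

# Crypto ACL from the thread: FAR_NETWORKS -> 172.31.255.128/25, in translated addresses.
CRYPTO_ACL_LOCAL = ["172.31.174.0/24", "172.31.175.0/24", "172.31.176.0/24",
                    "172.31.177.0/24", "172.31.178.0/24"]
CRYPTO_ACL_REMOTE = "172.31.255.128/25"


def translate_net_to_net(src, dst, rules):
    """Static policy NAT between equal-sized networks: keep the host bits, swap the
    network bits. First matching rule wins; with no match the source is left untouched."""
    s, d = ip_address(src), ip_address(dst)
    for real, cond, mapped in rules:
        real_n, cond_n, mapped_n = ip_network(real), ip_network(cond), ip_network(mapped)
        if s in real_n and d in cond_n:
            if real_n.prefixlen != mapped_n.prefixlen:
                raise ValueError(f"{real} and {mapped} must be the same size for net-to-net NAT")
            host_bits = int(s) - int(real_n.network_address)
            return str(ip_address(int(mapped_n.network_address) + host_bits))
    return src


def translate_to_single_global(src, dst, real, cond, global_ip):
    """The dynamic-NAT shape suggested in the reply above (global ... netmask 255.255.255.255):
    every host in the real network is hidden behind the one global address."""
    if ip_address(src) in ip_network(real) and ip_address(dst) in ip_network(cond):
        return global_ip
    return src


def matches_crypto_acl(src, dst):
    """True when the (already translated) flow is interesting traffic for the crypto map."""
    return (any(ip_address(src) in ip_network(n) for n in CRYPTO_ACL_LOCAL)
            and ip_address(dst) in ip_network(CRYPTO_ACL_REMOTE))


def outbound_flow(src, dst, rules):
    """Model the ASA's outbound order: NAT first, then the crypto ACL sees translated addresses."""
    xlated = translate_net_to_net(src, dst, rules)
    return {"translated_src": xlated, "encrypted": matches_crypto_acl(xlated, dst)}


if __name__ == "__main__":
    for src, dst in [("172.30.1.111", "172.31.255.130"),   # translated and encrypted
                     ("172.30.7.23", "172.31.255.130"),    # last octet preserved
                     ("172.30.1.111", "10.9.9.9"),         # wrong destination: no NAT, no crypto
                     ("192.168.50.5", "172.31.255.130")]:  # constructed host with no rule
        print(src, "->", dst, outbound_flow(src, dst, POLICY_STATIC_NAT))
    print(translate_to_single_global("172.30.7.23", "172.31.255.130",
                                     "172.30.7.0/24", "172.31.255.128/25", "172.31.177.1"))
```

The model keeps a single ordered rule list with first-match semantics and does not try to reproduce 8.2's precedence between static and dynamic rules for the same hosts, which is the overlap the first reply warns against. What it does show is the dependency Mike is running into: a real host that is not translated into one of the FAR_NETWORKS ranges never matches the crypto ACL, so it never produces an outbound SA, while a host translated to a single shared global address loses the last-octet mapping he needs.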