04-20-2023 03:20 PM - edited 04-20-2023 03:35 PM
I will drop configs of both ASAs soon, or at least what I believe my peer has theirs set to.
Right now, I have tried to troubleshoot it by using show crypto and debug.
show crypto ikev2 sa
There are no IKEv2 SAs
debug crypto condition peer WAN Address
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
Both debugs show no output.
I suspect my peer VPN site gave me the wrong WAN address. Aside from the configs of both peers, is there anything else that could be helpful?
Terminal monitor was turned on when I did the above. I have enabled IKEv2 on the interface I want the traffic to go through.
Since then I have done 'terminal no monitor' and 'no debug all' in case I forget. But it shows nothing.
04-20-2023 03:33 PM
Did you try initiating traffic?
04-20-2023 03:36 PM
I tried pinging their WAN and all packets were received.
04-20-2023 04:01 PM
You must ping from behind the ASA, using a source in the local LAN and a destination in the remote LAN of the VPN ACL.
04-26-2023 08:04 AM - edited 04-26-2023 08:28 AM
After trying to ping them with ICMP packets, it looks like the VPN was up and active. It said:
"ASA-1/act# show crypto ikev2 sa
ESP spi in/out: 0x695dfc7f/0xb7116de0 "
However, for any other kind of packet, it tells me the packets are being dropped by an implicit ACL rule. After trying a few things, I can no longer get the VPN active again.
This is the config so far on our ASA, where our WAN is, for example, 50.50.50.50 and the peer local network is 10.221.0.0/16, while their WAN is 51.51.51.51 and the remote peer network is 10.1.21.0/24:
name 50.50.50.50 fw_1_ext
!
interface GigabitEthernet0/1
nameif ISP_2
security-level 0
ip address fw_1_ext 255.255.255.240
!
object network fw_1_ext
host 50.50.50.50
nat (inside,outside) source dynamic IntAllSeg interface
nat (inside,ISP_2) source dynamic IntAllSeg interface
object network RemoteBrotherCoNetwork
subnet 10.1.21.0 255.255.255.0
description RemoteBrotherCoNetwork
object network LocalBrotherCoNetwork
subnet 10.221.0.0 255.255.0.0
access-list ISP_2_Interface_cryptomap extended permit ip object LocalBrotherCoNetwork object RemoteBrotherCoNetwork
nat (inside,ISP_2_Interface) source static LocalBrotherCoNetwork LocalBrotherCoNetwork destination static RemoteBrotherCoNetwork RemoteBrotherCoNetwork no-proxy-arp route-lookup
route ISP_2_Interface 10.1.21.0 255.255.255.0 51.51.51.51 1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map ISP_2_Interface_map 3 match address ISP_2_Interface_cryptomap
crypto map ISP_2_Interface_map 3 set peer 51.51.51.51
crypto map ISP_2_Interface_map 3 set ikev2 ipsec-proposal AES256
crypto map ISP_2_Interface_map interface ISP_2_Interface
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable ISP_2_Interface
group-policy GroupPolicy_51.51.51.51 internal
group-policy GroupPolicy_51.51.51.51 attributes
vpn-tunnel-protocol ikev2
tunnel-group 51.51.51.51 type ipsec-l2l
tunnel-group 51.51.51.51 general-attributes
default-group-policy GroupPolicy_51.51.51.51
tunnel-group 51.51.51.51 ipsec-attributes
ikev2 remote-authentication pre-shared-key password
ikev2 local-authentication pre-shared-key password
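A small consistency check for the crypto map, NAT exemption and interface names in a config like the one posted above. This is an added example written for this thread, not Cisco code or the poster's own; the embedded snippet is a constructed copy of the posted lines, and the checker only understands the object-based ACL and NAT forms shown there.

```python
import re

# Constructed sample modelled on the config posted above (not a real device dump).
SAMPLE = """\
interface GigabitEthernet0/1
 nameif ISP_2
object network RemoteBrotherCoNetwork
 subnet 10.1.21.0 255.255.255.0
object network LocalBrotherCoNetwork
 subnet 10.221.0.0 255.255.0.0
access-list ISP_2_Interface_cryptomap extended permit ip object LocalBrotherCoNetwork object RemoteBrotherCoNetwork
nat (inside,ISP_2_Interface) source static LocalBrotherCoNetwork LocalBrotherCoNetwork destination static RemoteBrotherCoNetwork RemoteBrotherCoNetwork no-proxy-arp route-lookup
crypto map ISP_2_Interface_map 3 match address ISP_2_Interface_cryptomap
crypto map ISP_2_Interface_map 3 set peer 51.51.51.51
crypto map ISP_2_Interface_map interface ISP_2_Interface
crypto ikev2 enable ISP_2_Interface
"""

def check_l2l(config):
    """Return a list of findings; an empty list means the L2L pieces line up."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nameifs = {m.group(1) for l in lines if (m := re.match(r"nameif (\S+)", l))}
    # Only the 'permit ip object X object Y' crypto-ACL form from the post is parsed.
    acls = {m.group(1): (m.group(2), m.group(3)) for l in lines
            if (m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", l))}
    iface_users, exempt, match_acl = {}, {}, {}
    for l in lines:
        if m := re.match(r"crypto map (\S+) interface (\S+)", l):
            iface_users.setdefault(m.group(2), []).append("crypto map " + m.group(1))
        elif m := re.match(r"crypto ikev2 enable (\S+)", l):
            iface_users.setdefault(m.group(1), []).append("crypto ikev2 enable")
        elif m := re.match(r"nat \(\S+,(\S+)\) source static (\S+) \2 destination static (\S+) \3", l):
            iface_users.setdefault(m.group(1), []).append("NAT exemption")
            exempt[m.group(1)] = (m.group(2), m.group(3))  # identity NAT pair
        elif m := re.match(r"crypto map (\S+) \d+ match address (\S+)", l):
            match_acl[m.group(1)] = m.group(2)
    findings = []
    # 1. Every interface the VPN pieces name must really exist as a nameif.
    for ifname, users in iface_users.items():
        if ifname not in nameifs:
            findings.append(f"{', '.join(users)} reference interface '{ifname}' "
                            f"but no nameif defines it (defined: {sorted(nameifs)})")
    # 2. The crypto ACL must exist and cover the same objects as the NAT exemption,
    #    otherwise interesting traffic is translated before it reaches the crypto map.
    for cmap, acl in match_acl.items():
        if acl not in acls:
            findings.append(f"crypto map {cmap} matches ACL '{acl}' which is not defined")
        elif acls[acl] not in exempt.values():
            findings.append(f"crypto ACL {acl} covers {acls[acl]} but no NAT exemption does")
    return findings
```

Run `check_l2l(SAMPLE)` to see the one finding on the sample, and feed it your own `show run` text to check a real box.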
04-27-2023 05:22 AM
From a first view there is no issue with the config.
I need to see packet tracer output for this issue.
Thanks
MHM
04-27-2023 05:56 AM - edited 04-27-2023 05:57 AM
I found out I was missing a line for my crypto proposal, which is why it didn't work again. However, it only works with ICMP traffic, since it is implicitly blocked by something in the ACL. I had to explicitly create a global access list for traffic to work. Will you need the ACL list?
04-27-2023 06:14 AM
Please share here the ACL applied to inside.
Thanks
Also share 'show run nat'; I want to check something.
04-30-2023 07:03 AM - edited 04-30-2023 07:05 AM
access-list global_access extended permit tcp object DMZseg any object-group HTTP_HTTPS_FTP
access-list global_access extended permit object-group Server_Access_Ports object-group Server_Access any
access-list global_access extended permit ip object-group InternalDataSegments object-group ABCResources
access-list global_access extended permit object-group dmz_29 object DMZ_SMTP_GW object-group DM_INLINE_NETWORK_1
access-list global_access extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list global_access extended permit icmp any any
access-list global_access extended permit ip object cctv any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit udp any any gt 30000
access-list outside_access_in extended permit object-group Traceroute_Allow any any
access-list outside_access_in extended permit tcp any object CRL object-group HTTP_HTTPS
access-list outside_access_in extended permit object-group exch_01 any host 10.x.x.x
access-list outside_access_in extended permit tcp any object cctv1_32 eq https
access-list outside_access_in extended permit tcp any object cctv2_32 eq https
access-list outside_access_in extended permit tcp any object cctv3_32 eq https
access-list outside_access_in extended permit tcp any object cctv4_32 eq 2021
access-list outside_access_in extended permit tcp any object cctv5_32 eq 2020
access-list outside_access_in extended permit udp any object cctv6_32 eq 61542
access-list Servers extended permit ip object-group Server_OWA any
access-list ISP_2_cryptomap extended permit ip object LocalBrotherCoNetwork object RemoteBrotherCoNetwork
access-list ISP_2_access_in extended permit tcp any object CRLPAK object-group HTTP_HTTPS
access-list ISP_2_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list dmz2_access_in extended permit ip any any
access-list sfr_redirect extended deny ip 192.168.100.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list sfr_redirect extended deny ip any object-group SFR_Deny_DMZ
access-list sfr_redirect extended permit ip any any
access-list dmz1_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list AnyConnect-ACL extended permit tcp 192.168.100.0 255.255.255.0 any4 eq 3389
access-list AnyConnect-ACL extended permit udp 192.168.100.0 255.255.255.0 any4 eq 3389
access-list AnyConnect-ACL extended permit tcp 192.168.100.0 255.255.255.0 any4 eq 445
access-list AnyConnect-ACL extended permit udp 192.168.100.0 255.255.255.0 any4 eq 445
access-list AnyConnect-ACL extended permit udp 192.168.100.0 255.255.255.0 any4 eq domain
access-list AnyConnect-ACL extended permit tcp 192.168.100.0 255.255.255.0 any4 eq 5585
access-list AnyConnect-ACL extended permit icmp 192.168.100.0 255.255.255.0 any4
access-list guest_access_in extended permit tcp any host 10.250.1.5 eq 8880
access-list guest_access_in extended permit tcp any host 10.250.1.5 eq 8843
access-list guest_access_in extended permit ip any 172.x.x.0 255.255.255.0
access-list guest_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_access_in extended deny ip any 172.16.0.0 255.240.0.0
access-list guest_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest_access_in extended permit ip any any
access-list phones_access_in extended permit ip any 172.x.x.0 255.255.255.0
access-list phones_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list phones_access_in extended deny ip any 172.16.0.0 255.240.0.0
access-list phones_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list phones_access_in extended permit ip any any
access-list City_VPN extended permit ip host 172.x.x.12 object-group lock_track
access-list City_VPN extended permit ip host 172.x.x.12 host 10.8.101.214
access-list City_VPN extended permit ip host 172.x.x.11 object-group s2s-dmz2
access-list dmz4_access_in extended permit tcp object 172.x.x.10_32 any eq https
access-list dmz4_access_in extended permit ip object 172.x.x.10_32 any
access-list dmz4_access_in extended permit ip object 172.x.x.11_32 any
access-list dmz4_access_in extended permit tcp object 172.x.x.11_32 any eq https
access-list dmz4_access_in extended permit ip object 172.x.x.12_32 any
access-list dmz4_access_out extended deny ip 10.0.0.0 255.0.0.0 any
access-list dmz4_access_out extended permit tcp any host 172.x.x.10 eq https
access-list dmz4_access_out extended permit tcp any host 172.x.x.11 eq https
access-list dmz4_access_out extended permit tcp any host 172.x.x.12 eq https
access-list cctv extended permit ip object DataSeg12 172.x.x.0 255.255.255.0
access-list cctv extended permit ip object DataSeg05 172.x.x.0 255.255.255.0
access-list cctv extended deny ip 192.168.0.0 255.255.0.0 172.x.x.0 255.255.255.0
access-list cctv extended deny ip 172.16.0.0 255.240.0.0 172.x.x.0 255.255.255.0
access-list cctv extended deny ip 10.0.0.0 255.0.0.0 172.x.x.0 255.255.255.0
access-list cctv extended permit ip any 172.x.x.0 255.255.255.0
access-list cctv_in extended permit ip 172.x.x.0 255.255.255.0 object DataSeg12
access-list cctv_in extended permit ip 172.x.x.0 255.255.255.0 object DataSeg05
access-list cctv_in extended permit ip 172.x.x.0 255.255.255.0 172.x.x.0 255.255.255.0
access-list cctv_in extended deny ip 172.x.x.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list cctv_in extended deny ip 172.x.x.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list cctv_in extended deny ip 172.x.x.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list cctv_in extended permit ip 172.x.x.0 255.255.255.0 any
access-list SPLIT-TUNNEL standard permit 10.100.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.99.0.0 255.255.0.0
pager lines 24
04-30-2023 07:11 AM
NAT
nat (inside,outside) source static any any destination static Pool_SSL_VPN Pool_SSL_VPN no-proxy-arp route-lookup
nat (inside,outside) source static DataSeg00 DataSeg00 destination static NJIO_SUBNET NJIO_SUBNET no-proxy-arp
nat (inside,GTT_2) source static ManagementSegAll ManagementSegAll destination static NJIO_SUBNET NJIO_SUBNET no-proxy-arp
nat (inside,GTT_2) source static DataSeg00 DataSeg00 destination static NJIO_SUBNET NJIO_SUBNET no-proxy-arp
nat (CCTV,outside) source static 172.x.x.150_32 51.51.51.51_32 service udp_61542 udp_61542
nat (CCTV,outside) source static 172.x.x.222_32 51.51.51.51_32 service tcp_2020 tcp_2020
nat (CCTV,outside) source static 172.x.x.223_32 51.51.51.51_32 service tcp_2021 tcp_2021
nat (inside,CCTV) source static InternalDataSegments InternalDataSegments destination static cctv cctv no-proxy-arp
nat (guest,CCTV) source static guest guest destination static cctv cctv no-proxy-arp
nat (phones,CCTV) source static phones phones destination static cctv cctv no-proxy-arp
nat (DMZ_4,outside) source static 172.x.x.12_32 8.225.194.152_32
nat (DMZ_4,outside) source static 172.x.x.11_32 8.225.194.151_32
nat (inside,outside) source static InternalDataSegments Hide_Address_CityNet destination static s2s-dmz2 s2s-dmz2
nat (DMZ_4,outside) source static 172.x.x.10_32 8.225.194.150_32
nat (inside,outside) source static InternalDataSegments Def_local destination static l_track l_track
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_26 NETWORK_OBJ_192.168.100.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static exch_01 exch_01_nat
nat (inside,GTT_2) source static CRL CRL_Ext
nat (inside,GTT_2) source static DMZ_SMTP_GW DMZ_SMTP_GW_Ext
nat (inside,dmz2) source dynamic InternalDataSegments Hide_Address_CityNet destination static CityNetR CityNetR
nat (inside,outside) source dynamic InternalDataSegments interface destination static Vlink Vlink
nat (inside,GTT_2) source dynamic InternalDataSegments Hide_Address_Internet destination static Vlink Vlink
nat (inside,dmz1) source dynamic InternalDataSegments Hide_Address_A destination static A2 A2
nat (inside,outside) source dynamic DMZseg interface
nat (inside,GTT_2) source dynamic DMZseg interface
nat (inside,outside) source dynamic InternalAllSegments interface
nat (inside,GTT_2) source dynamic InternalAllSegments interface
nat (inside,dmz1) source dynamic InternalDataSegments Hide_Address_A destination static A A
nat (guest,outside) source dynamic OBJ-VLAN303-GUEST interface
nat (phones,outside) source dynamic OBJ-VLAN302-PHONES interface
nat (CCTV,outside) source dynamic cctv interface
nat (inside,GTT_2) source static LocalBrotherCoNetwork LocalBrotherCoNetwork destination static RemoteBrotherCoNetwork RemoteBrotherCoNetwork no-proxy-arp route-lookup
05-04-2023 08:29 PM
Any luck?
05-07-2023 07:57 AM
There are many ACLs.
packet-tracer input INSIDE tcp <any IP from local LAN> 1234 <any IP from remote LAN> 80 detail <<- please share output here
05-11-2023 08:40 AM
I already added the global acl. Do you want that done without it?
05-13-2023 07:46 AM
When I do a packet tracer from Inside, tcp <any IP from local LAN> 21 <any IP from remote LAN> 443, the ACL that allowed it is this ACL config:
access-group ISP_2_access_in in interface ISP_2
access-list ISP_2_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
object-group service DM_INLINE_SERVICE_1
service-object object SSL
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object icmp echo-reply
05-18-2023 04:48 PM
That explains the issue, if I am right.
You must permit the L2L VPN UDP ports 500/4500.
I know they are used by the control ACL, but I think they are also affected by the interface ACL.
I will run lab and check this point.