08-07-2012 12:40 PM
I have a Cisco 2900 series building a site-to-site VPN tunnel to an ASA 5510. The tunnel establishes just fine, but I am unable to get traffic to flow through the tunnel. I have read several other posts and tried many of the suggestions (probably breaking things in the process). I am not sure if I have the no-NAT all screwed up or if my access lists on the router are goofy. Any help is greatly appreciated.
ASA CONFIG:
ASA Version 8.4(4)1
!
hostname test-fw
domain-name ficticious.local
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.*
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/2
nameif DMZ-TNS
security-level 10
ip address 192.168.31.1 255.255.255.0
interface Ethernet0/3
nameif DMZ-SMTP
security-level 9
ip address 192.168.32.1 255.255.255.0
!
interface Management0/0
nameif cradelpoint
security-level 1
ip address 192.168.254.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ficticious.local
object network obj-172.16.3.2
host 172.16.3.2
object network obj-172.16.7.2
host 172.16.7.2
object network obj-172.16.10.2
host 172.16.10.2
object network obj-172.16.13.2
host 172.16.13.2
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.7.0
subnet 192.168.7.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.12.0
subnet 192.168.12.0 255.255.255.0
object network obj-192.168.13.0
subnet 192.168.13.0 255.255.255.0
object network obj-192.168.15.0
subnet 192.168.15.0 255.255.255.0
object network obj-192.168.16.0
subnet 192.168.16.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-192.168.32.10
host 192.168.32.10
object network NETWORK_OBJ_192.168.20.0
host 192.168.20.0
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0
host 192.168.3.0
object network NETWORK_OBJ_192.168.3.144_28
subnet 192.168.3.144 255.255.255.240
object network obj-192.168.50.11
object network obj-192.168.30.10
host 192.168.30.10
object network obj-192.168.40.10
host 192.168.40.10
object network obj-192.168.70.10
host 192.168.70.10
object network obj-192.168.150.10
host 192.168.150.10
object network obj-192.168.160.10
host 192.168.160.10
object network obj-10.10.10.10
host 10.10.10.10
object network obj-192.168.120.10
host 192.168.120.10
access-list Out-In extended deny ip any any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console informational
logging monitor informational
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ-TNS 1500
mtu DMZ-SMTP 1500
mtu cradelpoint 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
icmp deny any DMZ-TNS
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.144_28 NETWORK_OBJ_192.168.3.144_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
!
object network obj-172.16.3.2
nat (inside,outside) dynamic interface
object network obj-172.16.7.2
nat (inside,outside) dynamic interface
object network obj-172.16.10.2
nat (inside,outside) dynamic interface
object network obj-172.16.13.2
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.4.0
nat (inside,outside) dynamic interface
object network obj-192.168.5.0
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.7.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
object network obj-192.168.9.0
nat (inside,outside) dynamic interface
object network obj-192.168.10.0
nat (inside,outside) dynamic interface
object network obj-192.168.12.0
nat (inside,outside) dynamic interface
object network obj-192.168.13.0
nat (inside,outside) dynamic interface
object network obj-192.168.15.0
nat (inside,outside) dynamic interface
object network obj-192.168.16.0
nat (inside,outside) dynamic interface
object network obj-10.1.0.0
nat (inside,outside) dynamic interface
object network obj-192.168.32.10
nat (DMZ-SMTP,outside) static 12.200.89.172
object network obj-192.168.50.11
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 10.1.0.0 255.255.0.0 192.168.3.1 1
route inside 10.10.0.0 255.255.0.0 192.168.3.1 1
route inside 10.200.0.0 255.255.0.0 192.168.3.1 1
route inside 172.16.3.2 255.255.255.255 192.168.3.1 1
route inside 172.16.7.2 255.255.255.255 192.168.3.1 1
route inside 172.16.10.2 255.255.255.255 192.168.3.1 1
route inside 172.16.13.2 255.255.255.255 192.168.3.1 1
route inside 192.168.4.0 255.255.255.0 192.168.3.1 1
route inside 192.168.5.0 255.255.255.0 192.168.3.1 1
route inside 192.168.6.0 255.255.255.0 192.168.3.1 1
route inside 192.168.7.0 255.255.255.0 192.168.3.1 1
route inside 192.168.8.0 255.255.255.0 192.168.3.1 1
route inside 192.168.9.0 255.255.255.0 192.168.3.1 1
route inside 192.168.10.0 255.255.255.0 192.168.3.1 1
route inside 192.168.12.0 255.255.255.0 192.168.3.1 1
route inside 192.168.13.0 255.255.255.0 192.168.3.1 1
route inside 192.168.15.0 255.255.255.0 192.168.3.1 1
route inside 192.168.16.0 255.255.255.0 192.168.3.1 1
route outside 192.168.20.0 255.255.255.0 *.*.*.* 1
route inside 192.168.30.0 255.255.255.0 192.168.3.1 1
route inside 192.168.40.0 255.255.255.0 192.168.3.1 1
route inside 192.168.50.0 255.255.255.0 192.168.3.1 1
route inside 192.168.70.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.120.0 255.255.255.0 192.168.3.1 1
route inside 192.168.150.0 255.255.255.0 192.168.3.1 1
route inside 192.168.160.0 255.255.255.0 192.168.3.1 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set cradelpoint_vpn
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.2.13 prefer
ssl trust-point ASDM_TrustPoint0 outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map IPSclass
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map IPSpolicy
class IPSclass
ips inline fail-open
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
!
Router Config:
Current configuration : 2605 bytes
!
! Last configuration change at 18:39:30 UTC Tue Aug 7 2012
! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable password blahblahblah
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 192.168.100.1
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
redundancy
crypto isakmp policy 2
authentication pre-share
crypto isakmp key 6 IBETYOUCANTGUESS address *.*.*.*
!
!
crypto ipsec transform-set cradelpoint_vpn esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *.*.*.*
set peer *.*.*.*
set transform-set cradelpoint_vpn
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
no cdp enable
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
no cdp enable
!
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source list nonat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
ip route 192.168.3.0 255.255.255.0 192.168.3.1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
08-08-2012 12:47 AM
On the ASA, configure the following instead:
nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
and remove the following:
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
Then "clear xlate" after the above changes.
On the router, remove the following route:
ip route 192.168.3.0 255.255.255.0 192.168.3.1
08-08-2012 05:47 AM
Thank you so much for your response. I changed the NAT rule on the ASA as advised, along with executing the clear xlate command; however, I'm not sure if it is a typo, but you have "any" after the first network object in the NAT rule and it does not fit the syntax of the command, so I omitted it and it is as follows now:
2 (inside) to (outside) source static obj-192.168.3.0 obj-192.168.3.0 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
translate_hits = 0, untranslate_hits = 0
I also removed the route on the router but I am still having no traffic cross the tunnel.
Here is the routing table on the router now that I have removed the suggested route:
Gateway of last resort is 192.168.100.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.168.100.1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0.1
L 192.168.0.1/32 is directly connected, GigabitEthernet0/0.1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.170/32 is directly connected, GigabitEthernet0/1
I don't know if it is any help but if I perform a show route-map on the router I do not see any packets matching my access-list even though I have a continuous ping running from a node on the inside interface of the router:
router#sh route-map
route-map nonat, permit, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
Policy routing matches: 0 packets, 0 bytes
I would expect to see the ping at least match the access-list and make it to the ASA side of the tunnel right?
Thanks again for your support!
08-08-2012 08:45 AM
Apologies, yes, it's a typo; I shouldn't have included "any".
BTW, why is the router default gateway 192.168.100.1? What IP address do you get from the DHCP?
Is the router getting a dynamic IP address or a static IP address? Is the router getting a private or public IP? If it's a private IP, then where are you configuring the NAT to the public IP, and is the public IP static or dynamic? If it's getting a DHCP address, that means you are configuring dynamic PAT for the router, right? So only the router can initiate the outbound connection. Can you assign a static IP for the router then?
The reason why you aren't seeing any hit on the route-map is because you haven't configured "ip nat outside" on gig0/1.
08-08-2012 09:05 AM
The router's default gateway is a 3G CradlePoint router assigned 192.168.100.1, which acts as the internet gateway and receives a dynamic public address (yes, I know I have to change the peer and crypto map IP on the ASA every time this changes). The CradlePoint assigns private IP 192.168.100.170 via DHCP to the 0/1 gigabit interface. I know it is not ideal, but the CradlePoint router wouldn't play nice when the 2900 was using a static address for some reason. I had this setup passing traffic and working at one point, but am obviously still missing something after starting from scratch again. Perhaps it is configuring dynamic PAT as you have mentioned, but unfortunately that is beyond the scope of my knowledge. I can confirm that I have attempted to initiate the outbound connection from the ASA side and it does not work, if that is any help.
I assigned "ip nat outside" on gig0/1 and still see no packets in "sh route-map" output.
08-08-2012 09:16 AM
No, you don't have to change the IP address every time the router changes the IP. You can configure a dynamic crypto map on the ASA, which would accept connections from a dynamic IP.
You definitely can't initiate the VPN from the ASA side because the router end is configured with dynamic PAT, which means only outbound connections work. Which in turn means you can only initiate the traffic from the router end towards the ASA, not the other way round. Once the VPN tunnel is established, you can send traffic both ways.
Try to initiate ping sourcing from 192.168.0.1 towards the ASA inside interface and see if that brings up the tunnel.
08-08-2012 09:27 AM
Poor choice of words on my behalf, I understand I can use a dynamic crypto map but we choose not to for security purposes and this is just in testing stages so ideally we will have a static address to use eventually.
I don't have any problem bringing the tunnel up whatsoever by initiating a ping from a client on the inside interface of the 2900, but the strange part is I don't see any hits on the route-map and can't seem to get traffic to flow across the tunnel.
08-08-2012 09:38 AM
Since you don't want to perform any NAT on the router, you can just remove "ip nat inside" and "ip nat outside" on the router interfaces, that way the router will not NAT anything at all.
Can you share the output of:
show cry isa sa
show cry ipsec sa
from both the router and ASA.
08-08-2012 11:11 AM
OK, I removed the "ip nat" statements from the interfaces and here is the output you requested:
ASA:
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: *.*.*.*
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: *.*.*.*
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: *.*.*.*
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: *.*.*.*/0, remote crypto endpt.: *.*.*.*/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 87D7FB25
current inbound spi : 54B98F16
inbound esp sas:
spi: 0x54B98F16 (1421446934)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57344, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/3580)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x87D7FB25 (2279078693)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57344, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/3580)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Router:
router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
Not.Gonna.Tell.Ya 192.168.100.170 QM_IDLE 1291 ACTIVE
IPv6 Crypto ISAKMP SA
router#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr 192.168.100.170
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer *.*.*.* port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.100.170, remote crypto endpt.: *.*.*.*
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x86E6CAE1(2263272161)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB451FB24(3025271588)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2193, flow_id: Onboard VPN:193, sibling_flags 80000046, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4557938/3147)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x86E6CAE1(2263272161)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2194, flow_id: Onboard VPN:194, sibling_flags 80000046, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4557921/3147)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
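The comparison the next reply draws on (router encapsulates 142 packets, ASA decapsulates none) can be made mechanically. As an added example that is not part of this thread, the Python below parses the counter and proxy-identity lines of the two "show crypto ipsec sa" outputs posted above (sample text constructed from the posted values) and reports which direction is losing ESP.

```python
import re

# Constructed sample text, trimmed to the counter lines of the two "show crypto ipsec sa"
# outputs posted above (router = IOS format, ASA = ASA format; values as posted).
ROUTER_SA = """\
interface: GigabitEthernet0/1
   local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
"""
ASA_SA = """\
interface: outside
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# IOS prints "#send errors 1" without a colon, the ASA prints "#send errors: 0"; accept both.
COUNTER_RE = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors:?\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors:?\s*(\d+)"),
}
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d./]+)\)")


def parse_counters(text):
    """Per-SA packet counters as ints; a counter missing from the text is reported as 0."""
    counters = {}
    for name, rx in COUNTER_RE.items():
        m = rx.search(text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def proxies_match(text_a, text_b):
    """The local proxy on one peer must be the remote proxy on the other, or no SA will match."""
    a = dict(IDENT_RE.findall(text_a))
    b = dict(IDENT_RE.findall(text_b))
    return a.get("local") == b.get("remote") and a.get("remote") == b.get("local")


def diagnose(local, remote):
    """Everything one peer encapsulates should appear as decaps on the other peer."""
    if local["encaps"] == 0 and remote["encaps"] == 0:
        return "no-interesting-traffic"      # nothing hit the crypto ACL on either side
    if local["encaps"] > 0 and remote["decaps"] == 0:
        return "esp-lost-toward-remote"      # encrypted here, never received there
    if remote["encaps"] > 0 and local["decaps"] == 0:
        return "esp-lost-toward-local"
    if local["decaps"] > 0 and remote["decaps"] > 0:
        return "bidirectional"
    return "one-way"


if __name__ == "__main__":
    router, asa = parse_counters(ROUTER_SA), parse_counters(ASA_SA)
    print("proxies match:", proxies_match(ROUTER_SA, ASA_SA))
    print("router -> ASA:", diagnose(router, asa))  # esp-lost-toward-remote
```

"esp-lost-toward-remote" with matching proxies points at the path between the peers (here the PAT device in front of the router) rather than at the crypto ACLs.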
08-08-2012 11:21 AM
Ahh, looks like the CradlePoint router might have dropped the ESP packet, as we can see the router is encrypting the packets, but the ASA receives nothing/decrypts nothing, meaning it doesn't even reach the ASA.
Enable NAT-T, so ESP gets encapsulated in UDP/4500.
On ASA:
crypto isakmp nat-traversal 30
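To show what NAT-T changes on the wire, here is an added example that is not from this thread: it builds the router's ESP packet as raw IP protocol 50 and again wrapped in UDP/4500 (RFC 3948), then classifies each the way a PAT device in the path sees it. The router address and the outbound SPI 0x86E6CAE1 come from the posted output; the peer address 203.0.113.1 is a placeholder for the masked public IP, and the payload bytes are constructed.

```python
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP, NAT_T_PORT = 17, 50, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with four zero bytes

# Constructed values: the router's private address and SPI are from the thread, the peer
# address is a documentation-range placeholder for the masked public IP.
ROUTER_IP, PEER_IP = "192.168.100.170", "203.0.113.1"
SPI, BODY = 0x86E6CAE1, b"\xAA" * 24   # BODY stands in for the encrypted payload plus ICV


def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header without options; checksum left at zero since nothing sends this."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    """8-byte UDP header (checksum zero) in front of the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi, seq, body):
    """ESP (RFC 4303): SPI and sequence number in the clear, then the encrypted body."""
    return struct.pack("!II", spi, seq) + body


def classify(pkt):
    """What a NAT device on the path sees: 'esp', 'udp-esp', 'udp-ike', 'udp' or 'other'."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == IPPROTO_ESP:
        return "esp"
    if proto != IPPROTO_UDP:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if NAT_T_PORT in (sport, dport):
        # A real SPI is never 0, so four zero bytes can only be the non-ESP marker of IKE.
        return "udp-ike" if data[:4] == NON_ESP_MARKER else "udp-esp"
    return "udp"


def pat_translatable(pkt):
    """Port overloading rewrites a transport port; raw ESP carries only an SPI, so it has none."""
    return classify(pkt).startswith("udp")


# Before NAT-T: ESP rides directly on IP (protocol 50) and the PAT device has no port to map.
RAW_ESP = ipv4(ROUTER_IP, PEER_IP, IPPROTO_ESP, esp(SPI, 1, BODY))
# After NAT-T: the same ESP inside UDP 4500 -> 4500, which a PAT device forwards like any UDP flow.
NATT_ESP = ipv4(ROUTER_IP, PEER_IP, IPPROTO_UDP, udp(NAT_T_PORT, NAT_T_PORT, esp(SPI, 1, BODY)))
# IKE also moves to UDP/4500 once NAT is detected, distinguished by the four zero bytes.
NATT_IKE = ipv4(ROUTER_IP, PEER_IP, IPPROTO_UDP,
                udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28))
```

The ASA command above only enables the detection; both peers must support NAT-T for the SAs to switch to UDP/4500, which IOS 15.1 does by default.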
08-08-2012 11:41 AM
Genius! Thank you so much! That did the trick. I knew it was something small like that, but a fresh set of eyes was just what I needed! Now I just have to figure out why my VPN traffic isn't being exempted from the firewall rules.