Unable to pass traffic between ASA Site to Site VPN Tunnel

Adam Handley
Level 1

Hi,

I am having issues passing traffic between two ASA firewalls. The VPN tunnel is up with one dynamic IP and one static IP. I have attached a diagram of the VPN connection. I am unsure where the issue lies and what to check next. I think I have all the routes and access-lists in that are required.

I have also attached the config of the ASA5505 and the ASA5510.

This is the first time I have set up a VPN connection so any guidance would be greatly appreciated.

Thanks

Adam

Accepted Solution

Hi,

With regards to your Remote Site ASA configuration, notice that you have not added the Central Site internal networks to the L2L VPN configuration at all, therefore the traffic does not go through the VPN.

access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*

access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

Take a look at the above ACL configurations. The "exempt" ACL is used in the NAT0 configuration and tells the ASA which traffic to exempt from NAT. The "outside_1_cryptomap" ACL is used to tell between which subnets the traffic should be using the L2L VPN connection.

So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL and try again.

I would also stress that you make sure that the Central Site ASA's L2L VPN ACL contains the same networks. Naturally the ACL on the Central Site will have its internal subnets as the source and the Remote Site's LAN as the destination.

The output of "show crypto ipsec sa" shows you that only the SA between the Central Site link network and the Remote Site LAN has been established. The others have not formed as the configuration is lacking at least on the Remote Site ASA. It might also be the Central Site.

- Jouni



31 Replies

nkarthikeyan
Level 7

Hi Adam,

How do you want to access the site-to-site network? Because I see some of the encryption domains are in public network ranges and some of them are in private ranges... also I see both ends are using a dynamic peer... that should not be the problem... just get me the information: what would be the encryption domain on both ends?

Regards

Karthik

I would like to have the affected site pass straight through the tunnel into the main internal network, picking up an IP subnet which is routable on the internal network. This will be a 4G backup solution for when we have a network outage at a site. On the ASA 5510 there is also a Remote VPN set up which is working for PDAs, which isn't included in this scope. There is a dynamic IP for the ASA 5505 because it is connecting via the 4G. The ASA 5510 has a static external IP which is 105.255.242.1. I have set the ASA 5505 to Originate Only to get the VPN up. I think I am getting confused with the IPs and the NATing section.

On the ASA5505 I have an internal IP of 10.1.1.0/24 and a destination address of 192.123.123.128/25. On the ASA5510 I have the opposite set up.  

Hope this helps.

Adam

Hi,

Was just in the neighbourhood. :-)

Looks like you are missing NAT exemption on the ASA 5505.

Can you send the output of "show crypto isakmp sa" and "show crypto ipsec sa".

Thanks,

Nehmaan

Both show outputs are attached. 

Thanks

You need to add the NAT exemption on the ASA 5505. You have already done this on the ASA 5510.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html

A good tool for troubleshooting is the "packet-tracer" command.

Thanks,

Nehmaan


Based on the link you have sent i have added the following commands. 

#access-list exempt permit ip 10.1.1.0 255.255.255.128 192.123.123.128 255.255.255.128

#nat (inside) 0 access-list exempt

Is it the internal subnet (10.1.1.0 255.255.255.128) or the PATed IP of the outside interface of the ASA 5505, which is 192.168.0.50, that should be within the NAT exemption?

ciscoasa# show running-config nat
nat (inside) 0 access-list exempt
nat (inside) 1 0.0.0.0 0.0.0.0

Thanks

Adam

Hi,

No, it should be the internal networks only.

You can run a ping from an internal PC from one site to the other to test.

Thanks,

Nehmaan

Okay, that has been done but I am still struggling to gain a connection through the tunnel to the internal network.

Packet-tracer says that from my internal network IP on the ASA 5505 I am able to send traffic to an internal IP on the ASA 5510, but I am still unable to get any traffic down the tunnel.

Is there anything else to try?

Thank you for the help so far guys. 

Adam

 

Hi Adam,

Can you please let me know which source IP you are pinging from and to which destination IP address.

I'm a little confused here. Are you trying to ping the VPN clients at the headend ASA or remote subnets that sit behind the headend ASA?

Your VPN is up and I don't see any issues there. I believe your issue lies with your subnets and possibly NAT configuration.

I would also add inspect icmp under the default policy-map.

On the ASA 5505 you have the following:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

The ACL you sent me:

access-list exempt permit ip 10.1.1.0 255.255.255.128 192.123.123.128 255.255.255.128

The VPN will not work for the whole /24 if you use a /25.

Thanks,

Nehmaan

If it makes it easier I have attached a configuration for the headend ASA and a remote ASA for you.

Headend would have a static IP, Remote ASA would have a dynamic IP.

Regards,

Nehmaan
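The two checks raised in this thread, that the remote site's crypto-map ACL and its NAT-0 exempt ACL must list identical source/destination pairs (Jouni's accepted answer above) and that the ACL source must cover the whole inside subnet rather than a /25 slice of a /24 interface (Nehmaan's point above), can be scripted against a saved running-config. The Python script below is an added example, not code from this thread or from Cisco. The running-config it parses is a constructed sample that follows the addresses in the thread; the masks of the central-site networks are assumed to be /24 because the original post redacts them. It reports the pairs missing from the crypto ACL, the access-list lines that would add them, the /25-on-a-/24 mismatch, and the mirrored lines the headend's crypto ACL needs (ASA 8.2-style "nat (x) 0 access-list" syntax is assumed, as in the thread).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a remote-site ASA running-config (not the poster's real
# config). Inside is 10.1.1.0/24 on the interface but 10.1.1.0/25 in the ACLs,
# as in the thread; the central-site masks are ASSUMED /24, the post redacts them.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 192.123.123.128 255.255.255.128
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.123.123.128 255.255.255.128
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.255.0
nat (inside) 0 access-list exempt
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"^access-list (\S+) (?:extended )?permit ip {IPV4} {IPV4} {IPV4} {IPV4}$")
IFADDR_RE = re.compile(rf"^ip address {IPV4} {IPV4}")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def net(addr, mask):
    """Build a network from an ASA 'address netmask' pair (host bits tolerated)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_line(name, src, dst):
    """Render one 'permit ip' entry in ASA syntax."""
    return (f"access-list {name} extended permit ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def parse_config(text):
    """Return (acls, interfaces, nat0, crypto_acls).

    acls:        ACL name -> set of (source_network, destination_network)
    interfaces:  nameif -> the interface's connected subnet
    nat0:        list of (nameif, acl_name) from 'nat (x) 0 access-list y'
    crypto_acls: ACL names referenced by 'crypto map ... match address'
    """
    acls, interfaces, nat0, crypto_acls = defaultdict(set), {}, [], []
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new interface block, nameif not seen yet
            continue
        if line.startswith("nameif "):
            nameif = line.split()[1]
            continue
        m = IFADDR_RE.match(line)
        if m and nameif:
            interfaces[nameif] = net(m[1], m[2])
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m[1]].add((net(m[2], m[3]), net(m[4], m[5])))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append((m[1], m[2]))
            continue
        m = CRYPTO_RE.match(line)
        if m:
            crypto_acls.append(m[1])
    return acls, interfaces, nat0, crypto_acls


def lint(text):
    """Cross-check the crypto-map ACL, the NAT-0 exempt ACL and the inside subnet."""
    acls, interfaces, nat0, crypto_acls = parse_config(text)
    crypto_pairs = set().union(*(acls[n] for n in crypto_acls))
    exempt_pairs = set().union(*(acls[n] for _, n in nat0))
    report = {"missing_from_crypto": [], "missing_from_exempt": [],
              "partial_coverage": [], "fix_lines": []}
    # 1. Both ACLs must describe the same (source, destination) pairs. A pair that is
    #    NAT-exempt but absent from the crypto ACL leaves the ASA unencrypted; a pair
    #    in the crypto ACL but not exempt is translated first, so the post-NAT source
    #    no longer matches the crypto ACL and never enters the tunnel.
    for s, d in sorted(exempt_pairs - crypto_pairs, key=str):
        report["missing_from_crypto"].append(f"{s} -> {d}")
        for name in crypto_acls:
            report["fix_lines"].append(acl_line(name, s, d))
    for s, d in sorted(crypto_pairs - exempt_pairs, key=str):
        report["missing_from_exempt"].append(f"{s} -> {d}")
    # 2. The ACL source must be the whole connected subnet: a /25 entry on a /24
    #    interface leaves the hosts in the other half outside the tunnel.
    for nameif, name in nat0:
        lan = interfaces.get(nameif)
        if lan is None:
            continue
        for s in sorted({s for s, _ in acls[name]}, key=str):
            if s != lan and s.subnet_of(lan):
                report["partial_coverage"].append(f"{name}: {s} covers only part of {nameif} {lan}")
            elif not s.overlaps(lan):
                report["partial_coverage"].append(f"{name}: {s} is not on {nameif} {lan}")
    return report


def mirror_acl(pairs, name):
    """The headend's crypto ACL is the same pairs with source and destination swapped."""
    return [acl_line(name, d, s) for s, d in sorted(pairs, key=str)]


if __name__ == "__main__":
    rep = lint(SAMPLE_CONFIG)
    for key, items in rep.items():
        print(key)
        for item in items:
            print("  ", item)
    acls, _, nat0, _ = parse_config(SAMPLE_CONFIG)
    print("headend crypto ACL:")
    for entry in mirror_acl(acls[nat0[0][1]], "outside_1_cryptomap"):
        print("  ", entry)
```

Run it against the output of "show running-config" saved to a file (swap the sample text for the file contents) and it prints exactly the lines the accepted answer says to add on the remote side, plus their mirror images for the headend. The script only understands the "permit ip net mask net mask" form; object-group and host entries in a real config would need extending the parser.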
 

I am pinging from a laptop plugged into the ASA5505 which has picked up a DHCP Address within the 10.1.1.0/25 network (10.1.1.10) to the core router within the internal network. Obviously I cannot ping anything on the 192.123.123.128/25 subnet because nothing is connected. 

I have added 'inspect icmp' into the default policy-map.

Sorry that is my fault causing the confusion. I have changed the 10.1.1.0 to a /25 subnet instead of /24. This has been changed throughout the firewall so it is all consistent.

Thanks

Adam 

Has it started to work for you now?

Regards

Karthik

Unfortunately not. I have double checked to make sure there isn't a silly mistake with the subnets etc but there isn't. I will have a look at the txt files Nehmaan has sent and see if anything is missing or different. 

Thanks

Adam

I have attached a packet trace from an Internal IP on the remote ASA (10.1.1.10) to the VPN subnet on the headend ASA (192.123.123.135). Hopefully something may show up for you guys. 

Thanks

Adam