07-29-2014 03:00 AM
Hi,
I am having issues passing traffic between two ASA firewalls. The VPN tunnel is up with one dynamic IP and one static IP. I have attached a diagram of the VPN connection. I am unsure where the issue lies and what to check next. I think I have all the routes and access-lists in that are required.
I have also attached the config of the ASA5505 and the ASA5510.
This is the first time I have set up a VPN connection so any guidance would be greatly appreciated.
Thanks
Adam
07-31-2014 12:55 AM
Hi,
With regards to your Remote Site ASA configuration notice that you have not added the Central Site internal networks to the L2L VPN configurations at all therefore the traffic does not go through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at the above ACL configurations. The "exempt" ACL is used in the NAT0 configurations and tells the ASA which traffic to exempt from NAT. The "outside_1_cryptomap" ACL is used to tell between which subnets the traffic should be using the L2L VPN connection.
So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL and try again.
I would also stress that you make sure the Central Site ASA's L2L VPN ACL contains the same networks. Naturally the ACL on the Central Site will have its internal subnets as the source and the Remote Site's LAN as the destination.
The output of "show crypto ipsec sa" shows you that only the SA between the Central Site link network and the Remote Site LAN has been established. The others have not formed as the configuration is lacking at least on the Remote Site ASA. Might also be the Central Site.
- Jouni
07-29-2014 04:43 AM
Hi Adam,
How do you want to access the site-to-site network? Because I see some of the encryption domains in the public network and some of them in the private network... Also I see on both ends you are using a dynamic peer.... that should not be the problem.... Just get me the information: what would be the encryption domain on both ends?
Regards
Karthik
07-29-2014 05:10 AM
I would like to have the affected site pass straight through the tunnel into the main internal network, picking up an IP subnet which is routable on the internal network. This will be a 4G backup solution for when we have a network outage at a site. On the ASA 5510 there is also a Remote VPN set up which is working for PDAs, which isn't included in this scope. There is a dynamic IP for the ASA 5505 because it is connecting via the 4G. The ASA5510 has a static external IP which is 105.255.242.1. I have set the ASA5505 to Originate Only to get the VPN up. I think I am getting confused with the IPs and the NATting section.
On the ASA5505 I have an internal IP of 10.1.1.0/24 and a destination address of 192.123.123.128/25. On the ASA5510 I have the opposite set up.
Hope this helps.
Adam
07-29-2014 06:04 AM
Hi,
Was just in the neighbourhood. :-)
Looks like you are missing NAT exemption on the ASA 5505.
Can you send the output of "show crypto isakmp sa" and "show crypto ipsec sa".
Thanks,
Nehmaan
07-29-2014 06:17 AM
07-29-2014 06:33 AM
You need to add the NAT exemption on the ASA 5505. You have already done this on the ASA 5510.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html
A good tool for troubleshooting is the "packet-tracer" command.
Thanks,
Nehmaan
07-29-2014 06:54 AM
Based on the link you have sent I have added the following commands.
#access-list exempt permit ip 10.1.1.0 255.255.255.128 192.123.123.128 255.255.255.128
#nat (inside) 0 access-list exempt
Is it the internal subnet (10.1.1.0 255.255.255.128) or the PATed IP of the outside interface of the ASA 5505, which is 192.168.0.50, that should be within the NAT exemption?
ciscoasa# show running-config nat
nat (inside) 0 access-list exempt
nat (inside) 1 0.0.0.0 0.0.0.0
Thanks
Adam
07-29-2014 07:05 AM
Hi,
No it should be the internal networks only.
You can run a ping from an internal PC from one site to the other to test.
Thanks,
Nehmaan
07-29-2014 07:34 AM
Okay, that has been done but I am still struggling to gain a connection through the tunnel to the internal network.
Packet Tracer says that from my internal network IP on the ASA 5505 I am able to send traffic to an internal IP on the ASA5510, but I am still unable to get any traffic down the tunnel.
Is there anything else to try?
Thank you for the help so far guys.
Adam
07-29-2014 12:46 PM
Hi Adam,
Can you please let me know which source IP you are pinging from and to which destination IP address.
I'm a little confused here. Are you trying to ping the VPN clients at the headend ASA or remote subnets that sit behind the headend ASA ?
Your VPN is up and I don't see any issues there. I believe your issue lies with your subnets and possibly the NAT configuration.
I would also add inspect icmp under the default policy-map.
On the ASA 5505 you have the following:
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
The ACL you sent me:
access-list exempt permit ip 10.1.1.0 255.255.255.128 192.123.123.128 255.255.255.128
The VPN will not work for the whole /24 if you use a /25.
Thanks,
Nehmaan
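The two mismatches raised in this thread (Jouni's point that the NAT0 "exempt" ACL and the crypto map ACL on the remote ASA must list the same network pairs, and Nehmaan's point that an ACL written for 10.1.1.0/25 does not cover an inside interface configured as /24) are both mechanical checks. The script below, an added example that is not code from the thread or from Cisco, audits an ASA 8.2-style running config for both conditions. The sample config is constructed to resemble the remote-site ASA in the thread; the destination masks that the forum rendered as "255.255.*.*" are replaced by constructed /24 masks, and the crypto map and interface lines are assumed, not copied from the attachments.

```python
"""Audit an ASA 8.2-style config for NAT0/crypto ACL mismatches and ACL-vs-inside-subnet
coverage gaps. Added example; not the thread's or Cisco's code."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config modelled on the remote-site ASA in the thread.
# Destination masks shown as 255.255.*.* on the forum are replaced by constructed /24s;
# the crypto map name and interface block are assumptions.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.128
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.255.0
nat (inside) 0 access-list exempt
crypto map outside_map 1 match address outside_1_cryptomap
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is parsed; host/any/object ACEs are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acls(config):
    """Return {acl_name: {(src_network, dst_network), ...}} for network/mask permit-ip ACEs."""
    acls = defaultdict(set)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        acls[name].add((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                        ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return acls


def nat0_acl_name(config):
    """Name of the ACL referenced by 'nat (<if>) 0 access-list <name>', or None."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def crypto_acl_names(config):
    """ACL names referenced by 'crypto map <map> <seq> match address <name>'."""
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)


def inside_network(config):
    """Network of the interface whose nameif is 'inside', or None if not found."""
    blocks, current = defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    for lines in blocks.values():
        if "nameif inside" in lines:
            for entry in lines:
                if entry.startswith("ip address "):
                    addr, mask = entry.split()[2:4]
                    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return None


def audit(config):
    """Return a list of (kind, acl_name, src, dst_or_inside) findings as strings."""
    acls = parse_acls(config)
    findings = []
    nat0 = nat0_acl_name(config)
    exempt = acls.get(nat0, set())
    for cm in crypto_acl_names(config):
        crypto = acls.get(cm, set())
        # NAT-exempt but absent from the crypto ACL: the flow leaves the outside interface in the clear.
        for src, dst in sorted(exempt - crypto, key=str):
            findings.append(("missing_from_crypto", cm, str(src), str(dst)))
        # In the crypto ACL but not NAT-exempt: on 8.2 NAT runs first, so the PATed flow never matches.
        for src, dst in sorted(crypto - exempt, key=str):
            findings.append(("missing_from_nat0", nat0, str(src), str(dst)))
    inside = inside_network(config)
    if inside is not None:
        seen = set()
        for name, pairs in acls.items():
            for src, _ in pairs:
                if (name, src) in seen:
                    continue
                seen.add((name, src))
                if src != inside and src.subnet_of(inside):
                    # The /25-vs-/24 case from the thread: only part of the LAN is covered.
                    findings.append(("partial_inside_coverage", name, str(src), str(inside)))
                elif not src.overlaps(inside):
                    findings.append(("source_not_inside", name, str(src), str(inside)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample config, the audit reports the four central-site networks that are NAT-exempt but missing from outside_1_cryptomap, which is exactly the gap Jouni identified; changing the sample inside interface mask to 255.255.255.0 additionally reports that both ACLs cover only half of the inside subnet, the situation Nehmaan described. The same check is worth running on the central-site ASA with source and destination swapped.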
07-29-2014 01:06 PM
07-30-2014 12:44 AM
I am pinging from a laptop plugged into the ASA5505 which has picked up a DHCP Address within the 10.1.1.0/25 network (10.1.1.10) to the core router within the internal network. Obviously I cannot ping anything on the 192.123.123.128/25 subnet because nothing is connected.
I have added 'inspect icmp' into the default policy-map.
Sorry that is my fault causing the confusion. I have changed the 10.1.1.0 to a /25 subnet instead of /24. This has been changed throughout the firewall so it is all consistent.
Thanks
Adam
07-30-2014 12:53 AM
Has it started to work for you now?
Regards
Karthik
07-30-2014 02:10 AM
Unfortunately not. I have double checked to make sure there isn't a silly mistake with the subnets etc but there isn't. I will have a look at the txt files Nehmaan has sent and see if anything is missing or different.
Thanks
Adam
07-30-2014 02:44 AM