Unable to sent packets accross S2S tunnel

Adrián Moran
Level 1

Hi all, good day;

I am facing an issue with an S2S tunnel between a Cisco ASA and a FortiGate firewall. So far the tunnel is UP and, apparently, I am receiving packets from the FortiGate:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222
 
The scenario is like this:
a remote server with 192.168.160.254 needs to send logs to the local server 192.168.0.7 and vice versa.
 
This is the configuration for my tunnel in the Cisco ASA firewall.
Server Local: 192.168.0.7
Server Remote: 192.168.160.254
 
### Object Groups
object-group network ServerLocal
 network-object 192.168.0.7 255.255.255.255
object-group network ServerRemote
 network-object 192.168.160.254 255.255.255.255

### ACL
access-list VPN_DRE extended permit ip object-group ServerLocal object-group ServerRemote

### NAT
nat (inside,outside) source static ServerLocal ServerLocal destination static ServerRemote ServerRemote no-proxy-arp route-lookup

### Crypto IKEv1 Configuration
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

### Crypto Map
crypto map OUTSIDEMAP 10 match address VPN_DRE
crypto map OUTSIDEMAP 10 set pfs group5
crypto map OUTSIDEMAP 10 set peer (RemotePublicIP)
crypto map OUTSIDEMAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDEMAP 10 set reverse-route
crypto map OUTSIDEMAP interface outside

### Tunnel Group
tunnel-group (RemotePublicIP) type ipsec-l2l
tunnel-group (RemotePublicIP) ipsec-attributes
 ikev1 pre-shared-key (PRESHAREDKEY)

 
But when I try to ping the other side, I am not getting a reply.

Is there something missing?
 
Regards
MSE Adrian M.
4 Replies

@Adrián Moran 

As is evident from your output, there are no encaps, which means nothing is being sent via the VPN tunnel.

Is the ASA the default gateway for your network? Or do you have another firewall for outbound traffic?

Run packet-tracer from the CLI and provide the output for review.

When you run the ping are you testing from the IP address 192.168.0.7?

Hi Rob, good day. I wasn't aware that the local server had another gateway, so after changing the server gateway to point to the ASA, traffic flows perfectly. Thanks for this.

 

Now I have another question, as I am really new to this kind of configuration. I want to protect the traffic by allowing just the port for SFTP between the servers. Which is the best way:

adding another ACL allowing SFTP traffic

or

Modifying the encryption domain

And an example of how to do it, please.

Thanks.

MSE Adrian M.

@Adrián Moran 

Glad to hear it's working. If you have multiple routing devices, you might want to check that the server can access the other network resources.

 

Rather than modify the crypto map ACL (encryption domain), use a VPN Filter to restrict traffic sent/received over the VPN tunnel.

 

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

https://packetswitch.co.uk/cisco-asa-vpn-filter/   This is a great example with a step-by-step setup configuration.

Please do not forget to rate.
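An added example of the VPN filter approach described in this reply, not taken from the thread or the linked articles; it reuses the object groups from the original post, and the ACL name VPN_FILTER and the group-policy name VPN_DRE_GP are assumed. A vpn-filter ACL is written with the remote (VPN) side as the source and the local side as the destination, and the ASA applies it to both directions of the tunnel, so SFTP sessions started from either server each need their own entry.

```text
! Constructed example: restrict the S2S tunnel to SFTP (TCP/22) only.
! vpn-filter ACLs are written remote -> local; the ASA evaluates them
! statefully in both directions, so return traffic is allowed automatically.

! Remote server opens SFTP sessions to the local server
access-list VPN_FILTER extended permit tcp object-group ServerRemote object-group ServerLocal eq 22
! Local server opens SFTP sessions to the remote server
! (still written remote -> local, so the remote side's port is the source port)
access-list VPN_FILTER extended permit tcp object-group ServerRemote eq 22 object-group ServerLocal
! Everything else across the tunnel (ping included) hits the implicit deny

! Group policy that carries the filter (name assumed)
group-policy VPN_DRE_GP internal
group-policy VPN_DRE_GP attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VPN_FILTER

! Bind it to the existing L2L tunnel-group (peer placeholder from the original post)
tunnel-group (RemotePublicIP) general-attributes
 default-group-policy VPN_DRE_GP

! Verification: the filter name appears on the active session, and a non-SFTP
! flow such as ICMP from the local server should now be reported as dropped
show vpn-sessiondb detail l2l
packet-tracer input inside icmp 192.168.0.7 8 0 192.168.160.254
packet-tracer input inside tcp 192.168.0.7 40000 192.168.160.254 22
```

The filter is picked up by new sessions only, so clear the existing IKEv1 SA (clear crypto ikev1 sa) to make the tunnel renegotiate with the new group policy; the crypto map ACL VPN_DRE stays unchanged, which keeps the encryption domain matching what the FortiGate side expects.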