02-25-2019 01:09 PM - edited 02-21-2020 09:34 PM
Hi guys
I'm looking for a bit of support on an issue I've come across with a site-to-site setup.
Site A - 10.20.4.0 /24
HQ - Cisco ASA
Site B - 192.168.142.0 /24
The general problem is that Site A can ping Site B but Site B is unable to ping Site A. There is an IPSec tunnel between Site A and HQ and between Site B and HQ. The ASA handles all the access lists and NAT rules.
I've spent a few days working on this and it appears to come down to routing or a rogue NAT rule. I've attached the full ASA configuration but also included each tunnel configuration below. You'll see that we are seeing decrypt/encrypt packets in both directions for Calverton, but the Formac tunnel hardly has any encrypted packets.
Could someone point me in the right direction please? This is my first VPN setup of this magnitude so keen to understand what I'm missing. I'm thinking of adding a route for 192.168.142.0 /24 but unsure whether this needs to be on the Calverton router or on the ASA.
Calverton tunnel
===================================================================================
vpn# show crypto ipsec sa peer 81.149.11.243
peer address: 81.149.11.243
Crypto map tag: external-vpns, seq num: 320, local addr: 195.12.22.33
access-list 81.149.11.243_Calverton extended permit ip any 10.20.4.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.4.0/255.255.255.0/0/0)
current_peer: 81.149.11.243
#pkts encaps: 1328821, #pkts encrypt: 1328821, #pkts digest: 1328821
#pkts decaps: 1080096, #pkts decrypt: 1080095, #pkts verify: 1080095
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1328821, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 1
local crypto endpt.: 195.12.22.33/0, remote crypto endpt.: 81.149.11.243/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 1160007E
current inbound spi : AE22A2A8
inbound esp sas:
spi: 0xAE22A2A8 (2921505448)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 3293184, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4373967/26613)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1160007E (291504254)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 3293184, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4373975/26613)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
===================================================================================
Formac tunnel
===================================================================================
vpn# show crypto ipsec sa peer 35.176.80.84
peer address: 35.176.80.84
Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33
access-list Formac extended permit ip any 192.168.142.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
current_peer: 35.176.80.84
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 202708, #pkts decrypt: 202708, #pkts verify: 202708
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.12.22.33/4500, remote crypto endpt.: 35.176.80.84/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2F61A8A2
current inbound spi : E53C5820
inbound esp sas:
spi: 0xE53C5820 (3845937184)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 221884416, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4373827/2522)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2F61A8A2 (794929314)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 221884416, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4374000/2522)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
===================================================================================
Many thanks in advance.
B
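As an added example (not part of the original post, and not a Cisco tool), here is a short Python script that parses the two show crypto ipsec sa outputs above and flags any SA whose encaps/decaps counters are lopsided, which is the quickest way to see which leg of a hub-and-spoke path is carrying traffic in only one direction. The sample text is a constructed excerpt of the posted output (only the lines the parser reads, with the posted numbers), and the 5% ratio used to call an SA one-way is my own threshold, not anything from the post.

```python
import re
import ipaddress

# Constructed excerpt of the two "show crypto ipsec sa peer" outputs posted above,
# trimmed to the lines this script reads. The counters are the posted values.
SHOW_OUTPUT = """\
peer address: 81.149.11.243
    Crypto map tag: external-vpns, seq num: 320, local addr: 195.12.22.33
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.4.0/255.255.255.0/0/0)
      #pkts encaps: 1328821, #pkts encrypt: 1328821, #pkts digest: 1328821
      #pkts decaps: 1080096, #pkts decrypt: 1080095, #pkts verify: 1080095
      in use settings ={L2L, Tunnel, IKEv1, }
peer address: 35.176.80.84
    Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 202708, #pkts decrypt: 202708, #pkts verify: 202708
      in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
"""


def _ident(line):
    """'local ident (addr/mask/prot/port): (10.20.4.0/255.255.255.0/0/0)' -> IPv4Network."""
    addr, mask = line.rsplit("(", 1)[1].rstrip(")").split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_ipsec_sa(text):
    """Return one dict per peer: proxy identities, encaps/decaps counters, NAT-T flag."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer address:"):
            cur = {"peer": line.split()[-1], "nat_t": False}
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("local ident"):
            cur["local"] = _ident(line)
        elif line.startswith("remote ident"):
            cur["remote"] = _ident(line)
        elif line.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"#pkts encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"#pkts decaps: (\d+)", line).group(1))
        elif line.startswith("in use settings") and "NAT-T" in line:
            cur["nat_t"] = True
    return sas


def classify(sa, ratio=0.05):
    """Label an SA by the balance of its counters.

    ratio is an assumed threshold: if the smaller counter is below ratio * the larger
    one, the SA is treated as one-way. "inbound-only" means the hub decrypts packets
    from this peer but sends almost nothing back through the SA.
    """
    e, d = sa["encaps"], sa["decaps"]
    if e == 0 and d == 0:
        return "idle"
    if min(e, d) < ratio * max(e, d):
        return "inbound-only" if d > e else "outbound-only"
    return "bidirectional"


def one_way_report(text, ratio=0.05):
    """Map each peer address in the show output to its classification."""
    return {sa["peer"]: classify(sa, ratio) for sa in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SHOW_OUTPUT):
        print(f"{sa['peer']:>16} {str(sa['local']):>12} -> {str(sa['remote']):<18} "
              f"enc={sa['encaps']:<8} dec={sa['decaps']:<8} "
              f"{'NAT-T ' if sa['nat_t'] else ''}{classify(sa)}")
```

Run against the posted output this labels the Calverton SA bidirectional and the Formac SA inbound-only: the hub is decapsulating Site B's packets (202708 decaps) but has only ever encapsulated 14 packets towards Site B. That narrows the hunt to why replies never get selected for the Formac SA on the way back (they are either dropped at the hub or never arrive from Site A); a capture on the hub's outside interface filtered on 192.168.142.0/24 is the usual next step.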
02-25-2019 02:02 PM
Where is 192.168.142.0/24 located? Is it accessed through the inside interface or on another site-to-site VPN? If it is accessed through the inside interface then you are missing a route to this subnet.
02-25-2019 09:10 PM
Many thanks for the reply.
Site A = Calverton 10.20.4.0 /24
Site B = Formac 192.168.142.0 /24
Formac subnet is on another site-to-site VPN. Traffic should tunnel from Formac to ASA, then back to Calverton via its own tunnel on the outside interface.
02-25-2019 09:52 PM
Hi,
I quickly looked at your configuration and I didn't find NAT 0 (no-proxy-arp) rules for the same.
The statement will look like:
nat (inside,any) source static <local Subnet> destination static <destination> no-proxy-arp
Regards,
Deepak Kumar
02-26-2019 10:48 AM
Could you post the config for site B as well please.
My guess is one (or both) of:
02-26-2019 12:15 PM
02-27-2019 04:39 AM
Could this be being caused by the Site A router not having the Formac subnet defined in its encryption domain?
02-27-2019 05:13 AM
For starters, you don't seem to have the 10.20.4.0/24 subnet as a local subnet in the crypto ACL for peer 81.49.11.243. May I suggest consolidating some of these object-groups so that NAT and Crypto ACLs use the same groups for specific VPNs. Makes it a bit easier to read (just my two cents.)
crypto map external-vpns 320 match address 81.49.11.243_Calverton
crypto map external-vpns 320 set peer 81.49.11.243
crypto map external-vpns 320 set ikev1 transform-set ESP-AES-256-SHA
crypto map external-vpns 320 set security-association lifetime seconds 28800
crypto map external-vpns 320 set security-association lifetime kilobytes 4608000
access-list 81.49.11.243_Calverton extended permit ip any object-group Calverton-remote
access-list 81.49.11.243_Calverton extended permit ip object-group Calverton-local object-group Calverton-remote
object-group network Calverton-local
network-object 10.99.206.0 255.255.255.0
network-object 192.168.142.0 255.255.255.0
object-group network Calverton-remote
network-object 10.20.4.0 255.255.255.0
object-group network formac-remote
network-object 192.168.142.0 255.255.255.0
object-group network DIGI_VPN_SITES
network-object 10.20.3.0 255.255.255.0
network-object 10.20.4.0 255.255.255.0
network-object 10.20.12.0 255.255.255.0
network-object 10.20.5.0 255.255.255.0
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
nat (outside,outside) source static formac-remote formac-remote destination static DIGI_VPN_SITES DIGI_VPN_SITES
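As an added example (my own script, not from the post or from Cisco), here is a Python check for the condition the crypto ACL discussion above is circling: for spoke-to-spoke traffic to hairpin through the hub, the ACL bound to the crypto map entry for the destination spoke must permit source-spoke-subnet to destination-spoke-subnet in both directions. HUB_OK is a constructed excerpt assembled from the object-group, access-list and crypto map lines posted (names kept; the peer for seq 320 is taken from the show output, 81.149.11.243). HUB_NARROW is a hypothetical variant, with an invented object-group HQ-lan, in which the Calverton ACL only lists the HQ LAN as source, to show what the check reports when a spoke subnet is missing from the other spoke's encryption domain.

```python
import ipaddress
from itertools import permutations

# Constructed hub-side excerpt based on the lines posted above.
HUB_OK = """
object-group network Calverton-remote
 network-object 10.20.4.0 255.255.255.0
object-group network formac-remote
 network-object 192.168.142.0 255.255.255.0
access-list 81.149.11.243_Calverton extended permit ip any object-group Calverton-remote
access-list Formac extended permit ip any object-group formac-remote
crypto map external-vpns 320 match address 81.149.11.243_Calverton
crypto map external-vpns 320 set peer 81.149.11.243
crypto map external-vpns 600 match address Formac
crypto map external-vpns 600 set peer 35.176.80.84
"""

# Hypothetical variant: Calverton's crypto ACL only allows the HQ LAN as source,
# so 192.168.142.0/24 -> 10.20.4.0/24 is not in the Calverton encryption domain.
HUB_NARROW = HUB_OK.replace(
    "access-list 81.149.11.243_Calverton extended permit ip any object-group Calverton-remote",
    "object-group network HQ-lan\n network-object 10.99.206.0 255.255.255.0\n"
    "access-list 81.149.11.243_Calverton extended permit ip "
    "object-group HQ-lan object-group Calverton-remote",
)


def _operand(tokens, groups):
    """Consume one ACL address operand; return (list of networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_hub(config):
    """Collect network object-groups, 'permit ip' ACL lines and crypto map peers/ACLs."""
    groups, acls, cmap, cur = {}, {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            cur = t[2]
            groups[cur] = []
        elif t[0] == "network-object" and cur:
            net = t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"
            groups[cur].append(ipaddress.ip_network(net))
        elif t[0] == "access-list" and "permit" in t:
            cur = None
            rest = t[t.index("permit") + 2:]          # tokens after "permit ip"
            src, rest = _operand(rest, groups)
            dst, _ = _operand(rest, groups)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"]:
            cur = None
            entry = cmap.setdefault(t[3], {})         # keyed by sequence number
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return groups, acls, cmap


def _covers(entries, src, dst):
    """True if some ACL line permits src -> dst (both must fall inside one line's pair)."""
    return any(any(src.subnet_of(s) for s in ss) and any(dst.subnet_of(d) for d in ds)
               for ss, ds in entries)


def spoke_to_spoke_gaps(config):
    """For every ordered spoke pair A -> B, the hub must select the tunnel to B for
    packets A-subnet -> B-subnet, i.e. the ACL on B's crypto map entry must permit
    that pair. Returns (src, dst, peer) triples that no ACL line on the hub permits."""
    _, acls, cmap = parse_hub(config)
    spokes = []
    for entry in cmap.values():
        entries = acls[entry["acl"]]
        remote = list(dict.fromkeys(d for _, ds in entries for d in ds))
        spokes.append((entry["peer"], entries, remote))
    gaps = []
    for (_, _, a_nets), (b_peer, b_acl, b_nets) in permutations(spokes, 2):
        for src in a_nets:
            for dst in b_nets:
                if not _covers(b_acl, src, dst):
                    gaps.append((str(src), str(dst), b_peer))
    return gaps


if __name__ == "__main__":
    for name, cfg in (("HUB_OK", HUB_OK), ("HUB_NARROW", HUB_NARROW)):
        print(name, spoke_to_spoke_gaps(cfg) or "no gaps")
```

With the posted "any" source the hub side reports no gaps, which is consistent with the reply above; the narrow variant reports 192.168.142.0/24 -> 10.20.4.0/24 as uncovered on the Calverton peer. The script only sees the hub: the same pair has to be present in the spoke routers' own crypto ACLs, and hairpinning in and out of the same outside interface also needs same-security-traffic permit intra-interface plus identity NAT on (outside,outside) like the two nat statements posted, neither of which this check can confirm from the ACLs alone.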
02-27-2019 06:34 AM
Sorry, I saw that you have an any defined for source and I forgot to edit out the first sentence. I am now looking at the AWS file and see something odd, the public IP on the ASA (195.112.22.33) doesn't match what I see on the AWS (195.12.22.33) side, is this a typo?
on ASA
interface GigabitEthernet0/0
description OUTSIDE
duplex full
nameif outside
security-level 0
ip address 195.112.22.33 255.255.255.224 standby 195.112.22.34
on AWS
Outside IP Addresses:
- Customer Gateway : 195.12.22.33
- Virtual Private Gateway : 35.176.80.84
02-27-2019 08:52 AM
Ah yes that was a typo. Correct IP is 195.12.22.33