cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1064
Views
6
Helpful
14
Replies

VPN issue ASA behind home modem

AirSail
Level 1
Level 1

Hello Folks, 

running into a crazy situation, 

I've got an ASA behind modem w/ IPSEC config done (UDP4500 + 500 forwarded and CLI of nat-translated in ASA executed) the other peer a have a meraki concetrator facing internet directly, 

i've got phase 1 up, and phase sounds to be up as well, pkts encaps can increment from ASA side, but no pkts decaps: 0

I understood that even my ASA seems to encrypt traffic but it s not sending it to the other side (I did a packet capture on meraki nothing received over the tunnel )

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:129, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1678445931 192.168.1.10/4500 38.104.125.162/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/1 sec
Child sa: local selector 10.8.73.0/0 - 10.8.73.255/65535
remote selector 172.16.20.0/0 - 172.16.20.255/65535
ESP spi in/out: 0x5365888f/0xc28ae7d4

S(config)# show crypto ipsec sa
interface: outside
Crypto map tag: CMAP, seq num: 25, local addr: 192.168.1.10

access-list VPN-oujda-ss extended permit ip 10.8.73.0 255.255.255.0 172.16.20.0 255.255.255.0
local ident (addr/mask/prot/port): (10.8.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
current_peer: 38.104.125.162


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10/4500, remote crypto endpt.: 38.104.125.162/4500
path mtu 1500, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CAB60CDF
current inbound spi : 600776CD

*** Tunnel rekeyed or deleted ***

any idea here ? 

14 Replies 14

CLI of nat-translated in ASA executed!!

You must use No-NAT (exception NAT) not NAT translate.

AirSail
Level 1
Level 1

I've DM'ed the whole configuration to you =), thank you!

AirSail
Level 1
Level 1

had a chance to look into these ? I can attach them to my reply

I make fast review'

I found two vpn 

Ikev1 and ikev2 

Are both NAT at modem to same public IP'

If so how the modem/asa can know what vpn for this traffic.

Please confirm that you use different public IP for each ikev1 and ikev2.

as far as I know v1 and v2 are partially the same, and UDP500/UDP4500 are used for both, 

modem forward UDP4500/500 to the ASA outside interface, 

am I ignoring something? 

Same and no issue if the vpn end in asa' 

Here it end in device that asa behind it.

There is one way to change port from 4500 to 1000.

Let me make check how we can asd this port for ikev1 or ikev2.

I run lab add two IKEv1 in ASA1 behind NAT and config NAT 500/4500 and I success 
this result of lab 
check the NAT entry in IOU1

Screenshot (555).pngScreenshot (556).pngScreenshot (557).png

please use packet-trecer for both VPN check in which phase the traffic drop 


ciscoasa# packet-tracer input IN icmp 10.0.0.100 8 0 20.0.0.100 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 100.0.0.10 using egress ifc OUT

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe059242ed0, priority=0, domain=nat-per-session, deny=true
hits=6, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe0599a9180, priority=0, domain=inspect-ip-options, deny=true
hits=5, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=IN, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe059a4e740, priority=70, domain=inspect-icmp, deny=false
hits=3, user_data=0x7fe059a4c990, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=IN, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe059a576e0, priority=70, domain=qos-per-class, deny=false
hits=4, user_data=0x7fe05980e600, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe0599a8990, priority=66, domain=inspect-icmp-error, deny=false
hits=3, user_data=0x7fe0599a7f10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=IN, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe059afc230, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x2bdc, cs_id=0x7fe0599b3190, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=20.0.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUT

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe059afd650, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=2, user_data=0x5594, cs_id=0x7fe0599b3190, reverse, flags=0x0, protocol=0
src ip/id=20.0.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=OUT, output_ifc=any

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe059a576e0, priority=70, domain=qos-per-class, deny=false
hits=5, user_data=0x7fe05980e600, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe059242ed0, priority=0, domain=nat-per-session, deny=true
hits=8, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe05993d4e0, priority=0, domain=inspect-ip-options, deny=true
hits=5, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUT, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: IN
input-status: up
input-line-status: up
output-interface: OUT
output-status: up
output-line-status: up
Action: allow

ciscoasa# packet-tracer input IN icmp 10.0.0.100 8 0 30.0.0.100 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 100.0.0.10 using egress ifc OUT

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe059242ed0, priority=0, domain=nat-per-session, deny=true
hits=11, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe0599a9180, priority=0, domain=inspect-ip-options, deny=true
hits=7, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=IN, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe059a4e740, priority=70, domain=inspect-icmp, deny=false
hits=5, user_data=0x7fe059a4c990, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=IN, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe059a576e0, priority=70, domain=qos-per-class, deny=false
hits=7, user_data=0x7fe05980e600, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe0599a8990, priority=66, domain=inspect-icmp-error, deny=false
hits=5, user_data=0x7fe0599a7f10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=IN, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe059b03660, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x6f34, cs_id=0x7fe0599b3c10, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=30.0.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUT

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe059b04b10, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x920c, cs_id=0x7fe0599b3c10, reverse, flags=0x0, protocol=0
src ip/id=30.0.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=OUT, output_ifc=any

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe059a576e0, priority=70, domain=qos-per-class, deny=false
hits=8, user_data=0x7fe05980e600, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe059242ed0, priority=0, domain=nat-per-session, deny=true
hits=13, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fe05993d4e0, priority=0, domain=inspect-ip-options, deny=true
hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUT, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: IN
input-status: up
input-line-status: up
output-interface: OUT
output-status: up
output-line-status: up
Action: allow

 

 

AirSail
Level 1
Level 1

I've learnt that this senario won't work in a production envirement or for me at least because of this the log below

PROXY MATCH on crypto map CMAP seq 25

 ASA outside IP is private and it's different from the original IP(modem ip public) given to the other VPN device, 

that's why phase 2 fails to negotiate, because of the IPs mismatch, 

check this out https://docs.umbrella.com/umbrella-user-guide/docs/add-a-tunnel-cisco-asa#section-network-access 

 ignore about umbrella part but just check "network-access" section, 

I make double check config you share' 

I am 75% sure that it can work IF modem can classify NATing traffic 

AirSail
Level 1
Level 1

the modem (ADSL) is a kind of dummy one, a ZTE brand a GUI based with few options on it, I used port forwarding under the "application tab" to allow UDP4500/500,   - that modem NAT the private network he has to internet, the good thing is it provides a static public IP. 

Please share the config. The Umbrella doc you pointed out is not related to the scenario you described which will work just fine, in fact you mentioned you were already seeing encaps on the ASA. Please share the config and captures

AirSail
Level 1
Level 1

@Gustavo Medina - shared via DM

Hi Freind 

sorry I make you waiting 
can you initiate the traffic from far side not from ASA 
the ASA is response only so it can not build SA child for IKEv2.