11-22-2013 11:17 AM
Trying to track down what happened. I had the remote end bring up the tunnel, as they can ping resources on my side. I'm unable to ping 10.90.238.148 through this tunnel. I used to be able to before the K_Inc interface was added. The network behind that interface is 10/8.
I posed a question earlier in another post and was advised to set reverse-route in the crypto map, and that did it. I was able to ping 10.90.238.148 from 192.168.141.10 with the config below.
I'm at a loss for why I suddenly can't. A little background: the routes included below haven't changed. Adding the set reverse-route command to the crypto map gave me a static entry for the 10.90.238.0 network, which is what fixed it initially, so I don't think it's a route problem. The remote end had an overlap with 192.168.141.0/24, which is why my side is NATed to 10.40.27.0. None of the NATs have changed, so if adding the reverse route worked for a day, it should still be working. Any thoughts?
interface GigabitEthernet0/3.10
vlan 10
nameif K_Inc
security-level 100
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/3.141
vlan 141
nameif cold
security-level 100
ip address 192.168.141.254 255.255.255.0
nat (cold) 0 access-list nonat
nat (cold) 1 192.168.141.0 255.255.255.0
access-list CSVPNOFFSITE extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list CSVPNOFFSITE extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list CSVPNNAT extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
static (cold,outside) 10.40.27.0 access-list CSVPNNAT
crypto map Outside_map 5 match address CSVPNOFFSITE
crypto map Outside_map 5 set reverse-route
crypto map Outside_map 5 set pfs
crypto map Outside_map 5 set peer 20.x.x.3
crypto map Outside_map 5 set transform-set ESP-3DES-MD5
crypto map Outside_map 5 set security-association lifetime seconds 28800
crypto map Outside_map 5 set security-association lifetime kilobytes 4608000
tunnel-group 20.x.x.3 type ipsec-l2l
tunnel-group 20.x.x.3 ipsec-attributes
pre-shared-key *
route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
route K_Inc 10.0.0.0 255.192.0.0 192.168.10.252 1
route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1
Tunnel is up:
14 IKE Peer: 20.x.x.243
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
EDIT:
I just noticed that when I run packet-tracer I don't get a VPN or encrypt phase:
packet-tracer input cold tcp 192.168.141.10 80 10.90.238.148 80 det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.90.238.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad048d08, priority=0, domain=permit-ip-option, deny=true
hits=2954624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb2ed4b80, priority=72, domain=qos-per-class, deny=false
hits=2954687, user_data=0xb2ed49d8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad090180, priority=20, domain=lu, deny=false
hits=618776, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring,outside) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
match ip ColdSpring host 192.168.141.10 outside any
static translation to 74.x.x.50
translate_hits = 610710, untranslate_hits = 188039
Additional Information:
Static translate 192.168.141.10/0 to 74.112.122.50/0 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xac541e50, priority=5, domain=nat, deny=false
hits=610742, user_data=0xac541c08, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.141.10, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ColdSpring,dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
match ip ColdSpring 192.168.141.0 255.255.255.0 dmz any
static translation to 192.168.141.0
translate_hits = 4194, untranslate_hits = 20032
Additional Information:
Forward Flow based lookup yields rule:
in id=0xace2c1a0, priority=5, domain=host, deny=false
hits=2954683, user_data=0xace2ce68, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.141.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xaacbcb90, priority=0, domain=permit-ip-option, deny=true
hits=282827537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xb2ed5c78, priority=72, domain=qos-per-class, deny=false
hits=4749562, user_data=0xb2ed5ad0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339487904, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 7.x.x.1 using egress ifc outside
adjacency Active
next-hop mac address 0007.b400.1402 hits 51982146
Result:
input-interface: Cold
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
11-22-2013 02:09 PM
One more edit: when I run packet-tracer using my NATed address as the source, I get the expected result. This makes me think I have a NAT problem I'm not seeing:
packet-tracer input cold tcp 10.40.27.10 80 10.90.238.148 8443
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.90.238.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Cold 10.40.27.0 255.255.255.0 outside 10.90.238.0 255.255.255.0
NAT exempt
translate_hits = 4, untranslate_hits = 0
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339954332, packet dispatched to next module
Result:
input-interface: Cold
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So in this one, the flow is created in phase 11 and the packet is allowed. In the previous one, the packet is still allowed, but the difference after the flow creation is that it's hitting my next-hop router, which it shouldn't. This is telling me that in the first capture I'm being sent out my default gateway instead of the tunnel. I just can't see why.
Any help is appreciated. Thank you!
11-23-2013 09:21 AM
So this question cannot be answered based on the info I gave, which I thought included everything needed. It does not. Due to the nature of my business I'm not always able to post the whole config, but here's what's missing, my static NATs:
static (ColdSpring,outside) 7.x.x.48 192.168.141.11 netmask 255.255.255.255
static (ColdSpring,outside) 7.x.x.50 192.168.141.10 netmask 255.255.255.255
When I packet-trace from 192.168.141.10-11, I'm not NATed to the 10.40.27.0 addressing, and it's not sent over the tunnel.
Any other address on 192.168.141.x works as expected.
I need those two translations. How do I exempt those internal addresses?
11-23-2013 12:40 PM
What version ASA are you running?
My initial guess is that your two static NATs are configured above the policy NAT you have configured for the VPN. If this is the case, move your policy NAT above those static NATs and you should see the traffic start to flow correctly.
--
Please rate all helpful posts
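The first-match behaviour behind this answer, as an added example that is not part of the thread and not Cisco code: a small Python model of the pre-8.3 ASA NAT order (NAT exemption first, then static entries in the order they were configured), followed by the crypto-map match on the translated source. It assumes 203.0.113.48 and 203.0.113.50 as stand-ins for the masked 7.x.x.48/.50 public addresses and 198.51.100.7 as an arbitrary Internet host; the networks and ACL are the ones posted in the thread. With the two host statics ahead of the policy static, 192.168.141.10 is translated to its public address, misses CSVPNOFFSITE and is routed to the default gateway, which is what the first packet-tracer run showed. With the policy static moved above them the same host becomes 10.40.27.10 and matches the crypto ACL, while its traffic to the Internet still gets the public address because the policy rule only matches destinations in 10.90.238.0/24.

```python
"""Model of pre-8.3 ASA NAT ordering for the two rule orders in this thread.

Added example, not from the original posts or from Cisco.
Constructed stand-ins: 203.0.113.48/.50 replace the masked 7.x.x.48/.50
public addresses, 198.51.100.7 is an arbitrary Internet host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    kind: str                  # "exempt" (nat 0 access-list) or "static"
    real: Net                  # real (inside) network the rule matches on
    mapped: Net                # mapped network; ignored for "exempt"
    dst: Optional[Net] = None  # policy rule: only matches when dst is in this net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.real and (self.dst is None or dst in self.dst)

    def translate(self, src: IPv4) -> IPv4:
        if self.kind == "exempt":
            return src
        # net-to-net static keeps the host part, like "static ... netmask"
        offset = int(src) - int(self.real.network_address)
        return IPv4(int(self.mapped.network_address) + offset)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """ASA 8.0 order: NAT exemption first, then statics in configured order."""
    exempt = [r for r in rules if r.kind == "exempt"]
    static = [r for r in rules if r.kind == "static"]
    return exempt + static


def apply_nat(rules: List[NatRule], src: IPv4, dst: IPv4) -> Tuple[Optional[NatRule], IPv4]:
    """First matching rule wins; later rules are never consulted."""
    for rule in ordered(rules):
        if rule.matches(src, dst):
            return rule, rule.translate(src)
    return None, src  # assumption: no dynamic nat/global pair, so left untranslated


# crypto map Outside_map 5 match address CSVPNOFFSITE, checked on the post-NAT source
CSVPNOFFSITE = [
    (Net("192.168.141.0/24"), Net("10.90.238.0/24")),
    (Net("10.40.27.0/24"), Net("10.90.238.0/24")),
]


def egress(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """Return (path, translated_src): 'ipsec' when the crypto ACL matches, else 'clear'."""
    s, d = IPv4(src), IPv4(dst)
    _, xlated = apply_nat(rules, s, d)
    for acl_src, acl_dst in CSVPNOFFSITE:
        if xlated in acl_src and d in acl_dst:
            return "ipsec", str(xlated)
    return "clear", str(xlated)


# access-list nonat / nat (cold) 0 access-list nonat
NONAT = NatRule("exempt", Net("10.40.27.0/24"), Net("10.40.27.0/24"), Net("10.90.238.0/24"))
# static (ColdSpring,outside) 7.x.x.48 192.168.141.11  (public address is a stand-in)
HOST_48 = NatRule("static", Net("192.168.141.11/32"), Net("203.0.113.48/32"))
# static (ColdSpring,outside) 7.x.x.50 192.168.141.10  (public address is a stand-in)
HOST_50 = NatRule("static", Net("192.168.141.10/32"), Net("203.0.113.50/32"))
# static (cold,outside) 10.40.27.0 access-list CSVPNNAT
POLICY_VPN = NatRule("static", Net("192.168.141.0/24"), Net("10.40.27.0/24"), Net("10.90.238.0/24"))

BROKEN = [NONAT, HOST_48, HOST_50, POLICY_VPN]  # host statics configured first
FIXED = [NONAT, POLICY_VPN, HOST_48, HOST_50]   # policy static moved above them

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "vpn host :", egress(rules, "192.168.141.10", "10.90.238.148"))
        print(label, "internet :", egress(rules, "192.168.141.10", "198.51.100.7"))
        print(label, "other host:", egress(rules, "192.168.141.20", "10.90.238.148"))
```

On 8.0(4) the static entries have no sequence numbers and cannot be reordered in place, so the practical sequence is to remove the two host statics, enter the policy static, then re-add the host statics; the model above shows that this ordering keeps both behaviours the poster needs.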
11-23-2013 03:02 PM
8.0(4)
Nailed it!
11-23-2013 04:48 PM
static (ColdSpring,outside) 7.x.x.48 192.168.141.11 netmask 255.255.255.255
static (ColdSpring,outside) 7.x.x.50 192.168.141.10 netmask 255.255.255.255
When i packet trace from 192.168.141.10-11, I'm not natted to the 10.40.27.0 addressing, and it's not sent over the tunnel.
In this bold line you mentioned 10.40.27.0, but that is for the whole network; here you will translate to something like 7.X.X.48, so it will translate to that address.
And yes, you didn't use the global (outside) command for NAT in your earlier config, but that is important only if you are using a range for NAT/PAT, not for static NAT.
Bye,