07-22-2009 03:18 AM
Hi,
I'm trying to setup a VPN tunnel between two sites using an ASA5510 and a ASA5520.
I have successful VPN establishment but I am unable to transfer packets across. I want to be able to see the networks sitting behind the f/w LANs, but even the f/w LANs cannot send packets to each other.
I have attached the two configs and a brief diagram.
Thanks.
07-22-2009 04:25 AM
check your no-nat
HTH
07-22-2009 04:41 AM
Hi,
Can you please be a bit more specific?
Thanks.
07-22-2009 04:53 AM
Your encryption domains (interesting VPN traffic) do not match your no-nat config.
07-22-2009 06:13 AM
I've checked both configs; there is no 'no-nat' reference.
Is that what you mean, that no 'no-nat' rule exists?
07-22-2009 06:19 AM
You do have a no-nat; you have it configured on the 5510 as:-
nat (Inside) 0 access-list Inside_nat0_outbound
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
but your interesting ACL on the 5510 is:-
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
The ACLs do not match.
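A check for exactly this mismatch, written as an added example (not from the thread or from Cisco): it parses the nat 0 and crypto-map ACLs, expands object-groups, and lists every interesting-traffic pair that the NAT exemption does not cover. The object-group members are assumed, since the thread does not show them.

```python
import ipaddress
import re
# Constructed sample modelled on the thread's 5510 config; the object-group
# members are assumed here, since the thread does not show them.
SAMPLE_CONFIG = """\
object-group network DM_INLINE_NETWORK_4
 network-object 172.16.54.0 255.255.255.0
 network-object 172.16.51.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 172.24.107.0 255.255.255.0
 network-object 172.24.104.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

def parse(text):
    """Return ({acl: [(src, dst)]}, nat 0 ACL name, [crypto-map ACL names]). Only
    subnet/mask and object-group operands are handled ('any'/'host' are not)."""
    groups, acls, nat0, crypto, cur = {}, {}, None, [], None
    for line in text.splitlines():
        w = line.split() or [None]                   # [None] keeps blank lines harmless
        if w[:2] == ["object-group", "network"]:
            cur = groups.setdefault(w[2], [])
        elif w[0] == "network-object":
            cur.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
        elif w[0] == "access-list" and "permit ip" in line:
            ops, sides = w[w.index("ip") + 1:], []   # operands after 'permit ip'
            while ops:                               # source operand, then destination
                if ops[0] == "object-group":
                    sides.append(groups[ops[1]])
                else:
                    sides.append([ipaddress.ip_network(f"{ops[0]}/{ops[1]}")])
                ops = ops[2:]
            acls.setdefault(w[1], []).extend((s, d) for s in sides[0] for d in sides[1])
        elif re.match(r"nat \(\S+\) 0 access-list", line):
            nat0 = w[-1]
        elif " match address " in line:
            crypto.append(w[-1])
    return acls, nat0, crypto

def uncovered_pairs(acls, nat0, crypto):
    """Crypto-map (src, dst) pairs no nat 0 entry covers: the ASA would translate
    them before the crypto map sees them, so they are never encrypted."""
    exempt = acls.get(nat0, [])
    return [(name, str(s), str(d))
            for name in crypto for s, d in acls.get(name, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
```

On the constructed sample only the 172.16.54.0/24 to 172.24.107.0/24 pair is exempt from NAT; the other three pairs the crypto map would match are reported.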
07-22-2009 06:24 AM
Ah, so if I change it to:
access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
That should pick it up as interesting traffic and will match the no-nat rule?
07-22-2009 06:28 AM
Yes - I would suggest you create another ACL and name it something else, then you can switch between the two.
07-22-2009 06:28 AM
Or, if I want to allow traffic from the LAN sitting behind each f/w LAN, I can do:
nat (Inside) 0 access-list Inside_nat0_outbound
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
?
07-22-2009 06:58 AM
Did the update, no joy; VPN tunnel is still up but no packets going through.
07-22-2009 07:03 AM
Is your interesting traffic ACL being hit? When you do a show crypto ipsec sa, can you see packets being encrypted and decrypted at both sides?
07-22-2009 07:13 AM
Both f/w are responding:
There are no ipsec sas
07-22-2009 07:17 AM
OK, this is the output I got:
ASA5520:
LYV-LHC-ASA5520-01# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254
access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
current_peer: 81.246.92.116
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 193.82.146.254, remote crypto endpt.: 81.246.92.116
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E27A8077
inbound esp sas:
spi: 0x5E2B2FB6 (1579888566)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 45056, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28765)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xE27A8077 (3799679095)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 45056, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28764)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5510:
interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116
access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
current_peer: 193.82.146.254
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 81.246.92.116, remote crypto endpt.: 193.82.146.254
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 5E2B2FB6
inbound esp sas:
spi: 0xE27A8077 (3799679095)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 176128, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28678)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5E2B2FB6 (1579888566)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 176128, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28678)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
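Reading the two outputs above side by side, as an added example that is not part of the thread: the counter values are the ones posted, but the excerpts are constructed and trimmed to the lines the check uses. Zero encaps on both peers means no cleartext ever matched either crypto map, which points before the tunnel (interesting ACL, nat 0, routing, interface ACLs) rather than at IPsec itself.

```python
import re

# Constructed excerpts in the shape of the thread's 'show crypto ipsec sa' output.
ASA5520_SA = """\
Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA5510_SA = """\
Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def counters(sa_output):
    """Return (encaps, decaps) for the first SA in one peer's 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", sa_output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", sa_output)
    if not (enc and dec):
        raise ValueError("no IPsec SA counters: phase 2 is not up, or wrong output pasted")
    return int(enc.group(1)), int(dec.group(1))

def diagnose(a_output, b_output):
    """Locate where traffic is lost from the two peers' counters."""
    a_enc, a_dec = counters(a_output)
    b_enc, b_dec = counters(b_output)
    if a_enc == 0 and b_enc == 0:
        # Nothing was ever encrypted: cleartext never matched either crypto map.
        # Check interesting-traffic ACL, nat 0 exemption, routing, inbound interface ACL.
        return "pre-encryption"
    if a_enc > 0 and b_dec == 0:
        return "esp-lost-a-to-b"   # A sends ESP that B never decrypts: path or SA mismatch
    if b_enc > 0 and a_dec == 0:
        return "esp-lost-b-to-a"
    if a_enc == 0 or b_enc == 0:
        return "no-return-traffic"  # one side decrypts but never encrypts a reply
    return "tunnel-passing"         # counters move both ways; look beyond the tunnel

if __name__ == "__main__":
    print(diagnose(ASA5520_SA, ASA5510_SA))  # pre-encryption
```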
07-22-2009 07:25 AM
Then you are either blocking, or your routing is not correct, or your interesting ACL is wrong, or your no-nat is wrong. I took some of your config into my lab with a PIX 515 and an ASA and put them back to back, with 2 routers on either side. This works:-
hostname FW0
int e0
nameif outside
ip address 1.1.1.1 255.255.255.0
no shut
int e1
nameif inside
ip address 172.16.51.250 255.255.255.0
no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.16.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
route inside 172.16.54.0 255.255.255.0 172.16.51.254
route outside 172.24.104.0 255.255.255.0 1.1.1.1
route outside 172.24.107.0 255.255.255.0 1.1.1.1
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 2.2.2.2
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key cisco1234
!
end
**********************
hostname FW1
int e0
nameif outside
ip address 2.2.2.2 255.255.255.0
no shut
int e1
nameif inside
ip address 172.24.104.250 255.255.255.0
no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.24.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2
route inside 172.24.107.0 255.255.255.0 172.24.104.254
route outside 172.16.51.0 255.255.255.0 2.2.2.2
route outside 172.16.54.0 255.255.255.0 2.2.2.2
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco1234
!
end
07-22-2009 07:35 AM
I ran a packet trace and the ICMP was blocked on the 'Implicit Deny Rule' on the Inside interface of the ASA5520. I have a rule that allows all ICMP for that same interface, so why is the implicit rule blocking packets?