05-20-2022 05:02 AM
[ASA5506]
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.223.25.57 255.255.255.240
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.223.2.93 255.255.255.128
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.173.107.65 10.173.107.66
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA1
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 10.173.107.65 type ipsec-l2l
tunnel-group 10.173.107.65 ipsec-attributes
 ikev1 pre-shared-key *****
!
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 10.223.14.0 255.255.255.0
access-list outside_in extended permit icmp 10.223.14.0 255.255.255.0 10.223.2.0 255.255.255.128
access-list inside_in extended permit ip 10.223.2.0 255.255.255.128 any
access-list inside_in extended deny ip any any log warnings
!
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1
[WS-C3750X-24]
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ***** address 10.223.25.57
!
crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN 1 ipsec-isakmp
 set peer 10.223.25.57
 set transform-set ASA-IPSEC
 match address 100
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 description To_Internet
 switchport access vlan 10
 crypto map VPN
!
interface Vlan10
 description To_Internet
 ip address 10.173.107.65 255.255.255.0
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
[PC1]
ip: 10.223.14.1
nat: 192.168.10.67
[PC2]
ip: 10.223.2.109
nat: 10.120.66.203
_______________________
We are currently testing the VPN connection with the above settings.
Ping goes through, but the VPN is not connected.
When I changed to the following NAT, the VPN connection was established:
nat (outside,inside) source static HOST_10.223.14.1 NAT_192.168.10.67
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203
However, the ping then does not go through.
Is there anything I need to configure to let the ping go through while the VPN is connected?
05-20-2022 05:21 AM
Provide the output of show run policy-map from the ASA.
If inspect icmp is not there, you can add it by using this command:
fixup protocol icmp
This would be the first place to look.
Thanks
05-20-2022 05:26 AM
Thank you.
The output is as follows:
Best regards
# show run policy-map
Mar 20 2022 21:24:32: %ASA-7-111009: User 'enable_15' executed cmd: show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
05-20-2022 05:25 AM
Hi
Keep the NAT with which the tunnel stays up and change the access list:
access-list outside_in extended permit icmp 192.168.10.67 255.255.255.0 10.120.66.203 255.255.255.0
05-20-2022 06:04 AM
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 10.223.14.0 255.255.255.0
!
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1
I understand from your config that there is overlap between the two NATs behind the VPN peer?
If not, why do we NAT both source and destination?
Anyway, change it to:
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 object NAT_192.168.10.67
05-23-2022 01:47 AM
Thank you.
I set up the following access-list to isolate the VPN connection, but could not connect to the VPN.
The hit counter for "outside_cryptomap" was not incremented in the output of show access-list.
Ping sent from 10.223.2.90 (NAT: 10.120.66.201)
to destination 10.223.14.1 (NAT: 192.168.10.67)
____________
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 192.168.10.0 255.255.255.0
access-list outside_in extended permit icmp any any log
access-list outside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list inside_in extended permit ip any any
__________
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1
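An added model (my code, not from any post in this thread) of the ASA behaviour the crypto-ACL suggestions depend on: the crypto map ACL is evaluated against the packet after NAT, so its selectors must match the translated addresses. It assumes that ordering, reuses the thread's NAT rule and crypto ACLs, and the ping scenario and the post-NAT ACL are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TwiceNat:
    """nat (inside,outside) source static REAL_SRC MAPPED_SRC destination static MAPPED_DST REAL_DST"""
    real_src: str
    mapped_src: str
    mapped_dst: str
    real_dst: str

    def translate(self, src, dst):
        # Post-NAT (src, dst); unchanged when the rule does not match the packet.
        if src == self.real_src and dst == self.mapped_dst:
            return self.mapped_src, self.real_dst
        return src, dst

@dataclass(frozen=True)
class Ace:
    """access-list NAME extended permit PROTO SRC MASK DST MASK (ASA masks are subnet masks)."""
    proto: str
    src: str  # "10.223.2.0 255.255.255.128" or "any"
    dst: str

def _matches(addr, spec):
    if spec == "any":
        return True
    net, mask = spec.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def would_encrypt(nat_rules, crypto_acl, proto, src, dst):
    """Translate with the first matching twice-NAT rule, then test the crypto ACL on the
    result. Returns (post_nat_src, post_nat_dst, selected); selected=False means clear text."""
    for rule in nat_rules:
        new = rule.translate(src, dst)
        if new != (src, dst):
            src, dst = new
            break
    hit = any(a.proto in ("ip", proto) and _matches(src, a.src) and _matches(dst, a.dst)
              for a in crypto_acl)
    return src, dst, hit

# The thread's NAT rule and its crypto ACLs from the first post and the 05-23 post.
NAT = [TwiceNat("10.223.2.109", "10.120.66.203", "192.168.10.67", "10.223.14.1")]
ACL_FIRST = [Ace("ip", "10.223.2.0 255.255.255.128", "10.223.14.0 255.255.255.0")]
ACL_0523 = [Ace("ip", "10.223.2.0 255.255.255.128", "192.168.10.0 255.255.255.0")]
# Same crypto ACL written against the post-NAT addresses (constructed, not from the thread).
ACL_POST_NAT = [Ace("ip", "10.120.66.203 255.255.255.255", "10.223.14.1 255.255.255.255")]
if __name__ == "__main__":  # constructed scenario: PC2 pings PC1's mapped address
    for name, acl in (("first post", ACL_FIRST), ("05-23 post", ACL_0523), ("post-NAT", ACL_POST_NAT)):
        print(name, would_encrypt(NAT, acl, "icmp", "10.223.2.109", "192.168.10.67"))
```

For a ping from 10.223.2.109 to the mapped address 192.168.10.67 the model reports no crypto ACL match for either of the thread's ACLs and a match only for the post-NAT one; a ping sent directly to the real address 10.223.14.1 bypasses the NAT rule and matches the first post's ACL untranslated.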
05-23-2022 02:14 AM
Sorry for the repetition.
I have added all the ACLs that I want to allow, and when I ping, I get no hits for "crypto_map", only for the ACL I have set for "outside_in".
Ping and VPN do not work well together.
ACL
___________________________________
crypto map outside_map 1 match address outside_cryptomap
access-list outside_cryptomap extended permit icmp any any
access-list outside_cryptomap extended permit ip any any
access-list outside_in extended permit icmp any any log
access-list outside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list inside_in extended permit ip any any
access-group outside_in in interface outside
access-group inside_in in interface inside
NAT
_____________________________
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1