VPN Tunnel connection does not work.

horii_g
Level 1

ASA5506
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.223.25.57 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.223.2.93 255.255.255.128
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.173.107.65 10.173.107.66
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA1
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 10.173.107.65 type ipsec-l2l
tunnel-group 10.173.107.65 ipsec-attributes
ikev1 pre-shared-key *****
!
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 10.223.14.0 255.255.255.0
access-list outside_in extended permit icmp 10.223.14.0 255.255.255.0 10.223.2.0 255.255.255.128
access-list inside_in extended permit ip 10.223.2.0 255.255.255.128 any
access-list inside_in extended deny ip any any log warnings
!
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1


WS-C3750X-24

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address 10.223.25.57
!
crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map VPN 1 ipsec-isakmp
set peer 10.223.25.57
set transform-set ASA-IPSEC
match address 100
!

interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet1/0/1
description To_Internet
switchport access vlan 10
crypto map VPN
!
interface Vlan10
description To_Internet
ip address 10.173.107.65 255.255.255.0

access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 100 permit udp any any

PC1

ip:10.223.14.1

nat:192.168.10.67

PC2

ip:10.223.2.109

nat:10.120.66.203

_______________________

We are currently testing VPN connection with the above settings.
Ping goes through, but VPN is not connected.
When I changed to the following NAT, VPN connection was established.

nat (outside,inside) source static HOST_10.223.14.1 NAT_192.168.10.67
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203

However, the ping does not go through.
Is there anything I need to configure to let the ping go through while the VPN is connected?

Translated with www.DeepL.com/Translator (free version)

6 Replies

SinghRaminder
Level 1

Provide the output of show run policy-map from ASA

If inspect icmp is not there, you can add it by using this command:

Fixup protocol icmp

This would be the first place to look.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

Thank you.
The result of the command is as follows:
Best regards

# show run policy-map
Mar 20 2022 21:24:32: %ASA-7-111009: User 'enable_15' executed cmd: show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection

Hi

Keep the NAT with which the tunnel stays up and change the access list:

access-list outside_in extended permit icmp 192.168.10.67 255.255.255.0 10.120.66.203 255.255.255.0

access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 10.223.14.0 255.255.255.0
!
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1

I understand from your config that there is an overlap between the two NATs behind the VPN peer? If not, why do we NAT source and destination???

Anyway, change:
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 NAT_192.168.10.67

Thank you.
I set up the following access-list to isolate the VPN connection, but could not connect to the VPN.
According to show access-list, the "outside_cryptomap" counter was not hit.

Ping sent from 10.223.2.90 (NAT: 10.120.66.201)
to destination 10.223.14.1 (NAT: 192.168.10.67)
____________
access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 192.168.10.0 255.255.255.0
access-list outside_in extended permit icmp any any log
access-list outside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list inside_in extended permit ip any any
__________
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1

Sorry for repeating myself.
I have added all the ACLs that I want to allow, and when I ping, I get no hits for "crypto_map", only for the ACL I set for "outside_in".
Ping and VPN do not work well together.

ACL
___________________________________
crypto map outside_map 1 match address outside_cryptomap
access-list outside_cryptomap extended permit icmp any any
access-list outside_cryptomap extended permit ip any any
access-list outside_in extended permit icmp any any log
access-list outside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list inside_in extended permit ip any any
access-group outside_in in interface outside
access-group inside_in in interface inside

NAT
_____________________________
nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 destination static NAT_192.168.10.67 HOST_10.223.14.1
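Added example, not from any post in this thread: a small Python model of the packet path being debugged above, for a flow leaving the ASA's inside interface toward outside. It applies the interface ACL, then the twice NAT, then checks the crypto-map ACL against the translated packet, which is the order the ASA uses on the egress side, so the crypto ACL has to describe post-NAT addresses. The ACL and NAT lines are the ones posted; the HOST_/NAT_ object names are resolved to the PC1/PC2 addresses given in the thread (an assumption, since the object definitions are not posted), and the xlate_cryptomap ACE and all function names are constructed for illustration.

```python
import ipaddress

# Constructed model (added example) of the ASA packet path for a flow leaving
# "inside" toward "outside": interface ACL -> twice NAT -> crypto-map ACL.
# The crypto ACL is evaluated on the translated packet, which is why it has
# to describe post-NAT addresses.
#
# Assumption: the HOST_/NAT_ object names resolve to the addresses the thread
# gives for PC1 and PC2 (the object definitions themselves are not posted).
OBJECTS = {
    "HOST_10.223.2.109": "10.223.2.109",
    "NAT_10.120.66.203": "10.120.66.203",
    "NAT_192.168.10.67": "192.168.10.67",
    "HOST_10.223.14.1": "10.223.14.1",
}

# ACL and NAT lines copied from the first post; the last ACE is constructed
# to show what an ACE written for the translated packet looks like.
CONFIG = [
    "access-list outside_cryptomap extended permit ip 10.223.2.0 255.255.255.128 10.223.14.0 255.255.255.0",
    "access-list inside_in extended permit ip 10.223.2.0 255.255.255.128 any",
    "access-list inside_in extended deny ip any any log warnings",
    "access-list xlate_cryptomap extended permit ip host 10.120.66.203 host 10.223.14.1",
]
NAT_LINE = ("nat (inside,outside) source static HOST_10.223.2.109 NAT_10.120.66.203 "
            "destination static NAT_192.168.10.67 HOST_10.223.14.1")


def _parse_addr(tok):
    """Consume one ASA address spec ('any', 'host X', or 'NET MASK')."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_acl(lines):
    """Map ACL name -> list of (action, proto, src_net, dst_net), in order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "extended":
            continue
        name, action, proto = tok[1], tok[3], tok[4]
        src, rest = _parse_addr(tok[5:])
        dst, _ = _parse_addr(rest)       # trailing 'log ...' tokens are ignored
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def acl_match(acl, proto, src, dst):
    """First-match lookup: (action, ace_index) or None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, sn, dn) in enumerate(acl):
        if p in ("ip", proto) and s in sn and d in dn:
            return action, i
    return None


def parse_twice_nat(line):
    """Parse 'nat (a,b) source static REAL MAPPED destination static MAPPED REAL'.
    Note the ASA lists the destination pair mapped-first."""
    tok = line.split()
    i = tok.index("source")
    rule = {"real_src": OBJECTS[tok[i + 2]], "mapped_src": OBJECTS[tok[i + 3]]}
    if "destination" in tok:
        j = tok.index("destination")
        rule["mapped_dst"] = OBJECTS[tok[j + 2]]
        rule["real_dst"] = OBJECTS[tok[j + 3]]
    return rule


def apply_nat_outbound(rule, src, dst):
    """Translate an inside->outside packet if the rule matches it.
    Returns (src, dst, matched)."""
    if src != rule["real_src"]:
        return src, dst, False
    if "mapped_dst" in rule and dst != rule["mapped_dst"]:
        return src, dst, False
    return rule["mapped_src"], rule.get("real_dst", dst), True


def trace_outbound(acls, rule, proto, src, dst, crypto_acl="outside_cryptomap"):
    """Walk one packet through inside_in, NAT, then the crypto-map ACL."""
    steps = {"inside_in": acl_match(acls["inside_in"], proto, src, dst)}
    xsrc, xdst, hit = apply_nat_outbound(rule, src, dst)
    steps["nat"] = (xsrc, xdst, hit)
    steps["crypto"] = acl_match(acls[crypto_acl], proto, xsrc, xdst)
    return steps


def demo():
    """PC2 pings PC1 at PC1's mapped address, checked against the posted crypto ACL."""
    return trace_outbound(parse_acl(CONFIG), parse_twice_nat(NAT_LINE),
                          "icmp", "10.223.2.109", "192.168.10.67")


def demo_translated():
    """Same packet against the constructed ACE that names the translated addresses."""
    return trace_outbound(parse_acl(CONFIG), parse_twice_nat(NAT_LINE),
                          "icmp", "10.223.2.109", "192.168.10.67",
                          crypto_acl="xlate_cryptomap")


if __name__ == "__main__":
    for name, fn in (("posted crypto ACL", demo), ("translated-address ACE", demo_translated)):
        print(name, fn())
```

The first trace shows the ping permitted by inside_in, translated to 10.120.66.203 -> 10.223.14.1, and then missing outside_cryptomap because that ACL names the untranslated 10.223.2.0/25 source; that is the pattern of an unchanged crypto ACL counter alongside interface ACL hits. The second trace shows the same packet matching an ACE written for the translated addresses. The model covers only the static twice-NAT form the thread uses and first-match ACL semantics.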