
VPN Tunnel Up, Packet-Tracer perfect but ping request timeout

Hi, 

 

I have an issue that I am not sure how to solve.

So I established a site-to-site IKEv1 VPN connection. The tunnel is up. However, I cannot access any resources at the other end of this tunnel, behind the remote network IP.

I started troubleshooting the issue. The packet-tracer does not show any problems. However, when I ping, either from the Cisco CLI or from the computer connected to the internet, the request times out.

Does anyone know what the problem is and, potentially, how to fix it?

 

ciscoasa(config)# ping 10.0.200.151
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.200.151, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ciscoasa(config)# packet-tracer input inside_1 icmp 21.0.100.1 8 0 10.0.200.15$
...
Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address STATIC_IP_2.186 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside_1
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.73.82.242 outside
 name-server 194.72.9.34 outside
same-security-traffic permit inter-interface
object network INSIDE-MAINNET
 subnet 192.168.100.0 255.255.255.0
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object-group network NET-SITEONE
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224
object-group network XLATED-INSIDE_1-MAINNET
 network-object 21.0.100.0 255.255.255.0
access-list VPN-ACL-SITEONE-SITETWO extended permit ip object-group XLATED-INSIDE_1-MAINNET object-group NET-SITEONE
access-list VPN-ACL-SITEONE-SITETWO-1 extended permit ip object-group NET-SITEONE object-group XLATED-INSIDE_1-MAINNET
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
nat (inside_1,outside) source static XLATED-INSIDE_1-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
!
object network INSIDE-MAINNET
 nat (inside_1,outside) dynamic interface
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 STATIC_IP_2.185 1
route inside_1 21.0.100.0 255.255.255.0 STATIC_IP_2.185 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map SITETWO-SITEONE-MAP 10 match address VPN-ACL-SITEONE-SITETWO
crypto map SITETWO-SITEONE-MAP 10 set peer STATIC_IP_1.90
crypto map SITETWO-SITEONE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map SITETWO-SITEONE-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 194.73.82.242 194.72.9.34
dhcpd auto_config outside
dhcpd option 3 ip 192.168.100.1
!
dhcpd address 192.168.100.2-192.168.100.254 inside_1
dhcpd enable inside_1
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN-FILTER-SITEONE-SITETWO internal
group-policy VPN-FILTER-SITEONE-SITETWO attributes
 vpn-filter value VPN-ACL-SITEONE-SITETWO-1
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group STATIC_IP_1.90 type ipsec-l2l
tunnel-group STATIC_IP_1.90 general-attributes
 default-group-policy VPN-FILTER-SITEONE-SITETWO
tunnel-group STATIC_IP_1.90 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc

 


@00u113vaduihn6f9P5d7 you are pinging from the ASA; test connectivity from a device behind the ASA that is obviously in a network defined in the crypto ACL.

Hi Rob, thanks for the answer.

It is helpful to know that pinging from the ASA should not work.

As mentioned in the description, pinging 10.0.200.151 results in request timeouts from both the Cisco router and the connected computer.

I just did not include the output of the request timeouts from the computer in the description.

Of course, there is a normal connection between the computer and the internet, but not to 10.0.200.151.

@00u113vaduihn6f9P5d7 re-run the packet-tracer from the CLI, using the original (pre-translation) IP address as the source... provide the full output for review.

 

Provide the output of "show nat detail" and "show crypto ipsec sa".

 

Rob, below is the output of the commands from your post. I assume that the original IP is 192.168.100.0 (looking at show nat detail). However, at the bottom I also provided the packet-tracer output for 192.168.1.0 (since the output is different and also does not reach the VPN tunnel).

 

ciscoasa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside_1) to (outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET  destination static NET-SITEONE NET-SITEONE
    translate_hits = 84, untranslate_hits = 85
    Source - Origin: 192.168.100.0/24, Translated: 21.0.100.0/24
    Destination - Origin: 10.0.100.128/27, 10.0.200.128/27, Translated: 10.0.100.128/27, 10.0.200.128/27
2 (inside_1) to (outside) source static XLATED-INSIDE_1-MAINNET XLATED-INSIDE_1-MAINNET  destination static NET-SITEONE NET-SITEONE
    translate_hits = 15, untranslate_hits = 15
    Source - Origin: 21.0.100.0/24, Translated: 21.0.100.0/24
    Destination - Origin: 10.0.100.128/27, 10.0.200.128/27, Translated: 10.0.100.128/27, 10.0.200.128/27

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic INSIDE-MAINNET interface
    translate_hits = 326201, untranslate_hits = 1728
    Source - Origin: 192.168.100.0/24, Translated: STATIC_IP_2.186/29
2 (inside_1) to (outside) source dynamic obj_any1 interface
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
3 (inside_2) to (outside) source dynamic obj_any2 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
4 (inside_3) to (outside) source dynamic obj_any3 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
5 (inside_4) to (outside) source dynamic obj_any4 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
6 (inside_5) to (outside) source dynamic obj_any5 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
7 (inside_6) to (outside) source dynamic obj_any6 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
8 (inside_7) to (outside) source dynamic obj_any7 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29



ciscoasa(config)# packet-tracer input inside_1 icmp 192.168.100.0 8 0 10.0.200$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4bfe30, priority=13, domain=capture, deny=false
        hits=76457, user_data=0x7f20cb4723d0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4ca740, priority=1, domain=permit, deny=false
        hits=8802857, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.200.151/0 to 10.0.200.151/0

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed



ciscoasa(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: SITETWO-SITEONE-MAP, seq num: 10, local addr: STATIC_IP_2.186

      access-list VPN-ACL-SITEONE-SITETWO extended permit ip 21.0.100.0 255.255.255.0 10.0.200.128 255.255.255.224
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      current_peer: STATIC_IP_1.90

      #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 33, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: STATIC_IP_2.186/0, remote crypto endpt.: STATIC_IP_1.90/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 3D88B522
      current inbound spi : A31A72F5

    inbound esp sas:
      spi: 0xA31A72F5 (2736419573)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 11845632, crypto-map: SITETWO-SITEONE-MAP
         sa timing: remaining key lifetime (kB/sec): (4374000/28066)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x3D88B522 (1032369442)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 11845632, crypto-map: SITETWO-SITEONE-MAP
         sa timing: remaining key lifetime (kB/sec): (4373997/28066)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

ciscoasa(config)# packet-tracer input inside_1 icmp 192.168.1.0 8 0 10.0.200.1$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4bfe30, priority=13, domain=capture, deny=false
        hits=85597, user_data=0x7f20cb4723d0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4ca740, priority=1, domain=permit, deny=false
        hits=8807424, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop STATIC_IP_2.185 using egress ifc  outside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any1
 nat (inside_1,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.0/0 to 217.38.151.186/25335
Forward Flow based lookup yields rule:
in  id=0x7f20cc7a5e40, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7f20cc77dfc0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3160175, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4d38e0, priority=0, domain=inspect-ip-options, deny=true
        hits=339204, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4aebb0, priority=70, domain=inspect-icmp, deny=false
        hits=1457, user_data=0x7f20cd32d360, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4d30f0, priority=66, domain=inspect-icmp-error, deny=false
        hits=1485, user_data=0x7f20cc4d2660, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3160177, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7f20cc4899f0, priority=0, domain=inspect-ip-options, deny=true
        hits=2418417, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2533861, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

@00u113vaduihn6f9P5d7 from your output....

 

      #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 ...you are encrypting the traffic, but you are not decrypting any return traffic. Check the configuration of the remote peer, NAT, routing and crypto ACL.
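The encaps/decaps reading above can be turned into a repeatable check. The following Python is an added example, not code from this thread or from Cisco: it pulls the identities, packet counters and SPIs out of each peer's "show crypto ipsec sa" output and names the direction in which packets disappear. Both sample outputs are constructed, modelled on the counters seen in this thread (33 encapsulated and 0 decapsulated on the local side, 0 and 0 on the peer), with SPI values chosen so that the two outputs describe the same SA.

```python
import re
from dataclasses import dataclass


@dataclass
class SaSummary:
    """The handful of 'show crypto ipsec sa' fields needed to localise one-way traffic."""
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    outbound_spi: str
    inbound_spi: str


def parse_ipsec_sa(text: str) -> SaSummary:
    """Extract the first SA entry's identities, packet counters and SPIs."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found in output: {pattern}")
        return m.group(1)

    return SaSummary(
        local_ident=grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        encaps=int(grab(r"#pkts encaps: (\d+)")),
        decaps=int(grab(r"#pkts decaps: (\d+)")),
        outbound_spi=grab(r"current outbound spi\s*: ([0-9A-Fa-f]+)").upper(),
        inbound_spi=grab(r"current inbound spi\s*: ([0-9A-Fa-f]+)").upper(),
    )


def diagnose(local: SaSummary, peer: SaSummary) -> list[str]:
    """Compare both ends of one tunnel and name the direction in which packets disappear."""
    findings = []
    # Proxy identities must be exact mirror images, otherwise the peers negotiate different SAs.
    if (local.local_ident, local.remote_ident) != (peer.remote_ident, peer.local_ident):
        findings.append("proxy identities are not mirror images: fix the crypto ACLs")
    # Our outbound SPI is the peer's inbound SPI (and vice versa) when both outputs show the same SA.
    if local.outbound_spi != peer.inbound_spi or local.inbound_spi != peer.outbound_spi:
        findings.append("SPIs do not pair up: the two outputs describe different SAs (rekey or stale SA)")
    if local.encaps > 0 and peer.decaps == 0:
        findings.append("local side encrypts but the peer never decapsulates: "
                        "ESP is lost on the path or dropped before IPsec on the peer")
    if peer.encaps == 0:
        findings.append("peer sends nothing back: return traffic does not match the peer's "
                        "crypto ACL (check the peer's NAT, routing and vpn-filter)")
    if peer.encaps > 0 and local.decaps == 0:
        findings.append("peer encrypts but the local side never decapsulates: "
                        "ESP from the peer is lost on the path or dropped before IPsec")
    if not findings:
        findings.append("counters and identities are consistent in both directions")
    return findings


# Constructed sample outputs modelled on this thread's counters; the SPIs were chosen to pair up.
SITE_TWO_SA = """\
interface: outside
    Crypto map tag: SITETWO-SITEONE-MAP, seq num: 10, local addr: STATIC_IP_2.186
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      current_peer: STATIC_IP_1.90
      #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 3D88B522
      current inbound spi : A31A72F5
"""

SITE_ONE_SA = """\
    Crypto map tag: ra_map, seq num: 14, local addr: STATIC_IP_1.90
      local ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      current_peer: STATIC_IP_2.186
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: A31A72F5
      current inbound spi : 3D88B522
"""


def diagnose_thread_sample() -> list[str]:
    """Run the check on the constructed sample above (site two is 'local')."""
    return diagnose(parse_ipsec_sa(SITE_TWO_SA), parse_ipsec_sa(SITE_ONE_SA))


if __name__ == "__main__":
    for finding in diagnose_thread_sample():
        print("-", finding)
```

On the sample the check reports two findings: the local side encrypts but the peer never decapsulates, and the peer sends nothing back.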

Configuration on the remote peer side:

 

object-group network NET-LANS
 network-object 21.0.100.0 255.255.255.0
!
object-group network NET-TARGETS
 network-object 10.0.100.0 255.255.255.224
 network-object 10.0.200.0 255.255.255.224
!
access-list VPN-ACL-FILTER-SITETWO extended permit ip object-group NET-LANS object-group NET-TARGETS
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS

nat (plus_local_transit,outside) source static NET-TARGETS NET-TARGETS destination static NET-LANS NET-LANS no-proxy-arp route-lookup


crypto map ra_map 14 match address VPN-SITETWO
crypto map ra_map 14 set peer STATIC_IP_2.186
crypto map ra_map 14 set ikev1 transform-set aes-256-sha
crypto map ra_map 14 set security-association lifetime seconds 28800
crypto map ra_map 14 set security-association lifetime kilobytes 4608000

group-policy VPN-FILTER-SITETWO internal
group-policy VPN-FILTER-SITETWO attributes
 vpn-filter value VPN-ACL-FILTER-SITETWO
 vpn-tunnel-protocol ikev1
!
tunnel-group STATIC_IP_2.186 type ipsec-l2l
tunnel-group STATIC_IP_2.186 general-attributes
 default-group-policy VPN-FILTER-SITETWO
!
tunnel-group STATIC_IP_2.186 ipsec-attributes
 pre-shared-key *******

My config (some of these were mentioned in the first post):

ciscoasa(config)# show route


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is STATIC_IP_2.185 to network 0.0.0.0


S*       0.0.0.0 0.0.0.0 [1/0] via STATIC_IP_2.185, outside
S        21.0.100.0 255.255.255.0 [1/0] via STATIC_IP_2.185, inside_1
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.1 255.255.255.255 is directly connected, inside
C        192.168.100.0 255.255.255.0 is directly connected, inside_1
L        192.168.100.1 255.255.255.255 is directly connected, inside_1
C        STATIC_IP_2.184 255.255.255.248 is directly connected, outside
L        STATIC_IP_2.186 255.255.255.255 is directly connected, outside
ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (inside_1) to (outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET  destination static NET-SITEONE NET-SITEONE
    translate_hits = 84, untranslate_hits = 86
2 (inside_1) to (outside) source static XLATED-INSIDE_1-MAINNET XLATED-INSIDE_1-MAINNET  destination static NET-SITEONE NET-SITEONE
    translate_hits = 15, untranslate_hits = 15


Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic INSIDE-MAINNET interface 
    translate_hits = 326724, untranslate_hits = 1730
2 (inside_1) to (outside) source dynamic obj_any1 interface 
    translate_hits = 3, untranslate_hits = 0
3 (inside_2) to (outside) source dynamic obj_any2 interface 
    translate_hits = 0, untranslate_hits = 0
4 (inside_3) to (outside) source dynamic obj_any3 interface 
    translate_hits = 0, untranslate_hits = 0
5 (inside_4) to (outside) source dynamic obj_any4 interface 
    translate_hits = 0, untranslate_hits = 0
6 (inside_5) to (outside) source dynamic obj_any5 interface 
    translate_hits = 0, untranslate_hits = 0
7 (inside_6) to (outside) source dynamic obj_any6 interface 
    translate_hits = 0, untranslate_hits = 0
8 (inside_7) to (outside) source dynamic obj_any7 interface 
    translate_hits = 0, untranslate_hits = 0
ciscoasa(config)# show run crypto
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map SITETWO-SITEONE-MAP 10 match address VPN-ACL-SITEONE-SITETWO
crypto map SITETWO-SITEONE-MAP 10 set peer STATIC_IP_1.90 
crypto map SITETWO-SITEONE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map SITETWO-SITEONE-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
ciscoasa(config)# show run access-list
access-list VPN-ACL-SITEONE-SITETWO extended permit ip object-group XLATED-INSIDE_1-MAINNET object-group NET-SITEONE 
access-list VPN-ACL-SITEONE-SITETWO-1 extended permit ip object-group NET-SITEONE object-group XLATED-INSIDE_1-MAINNET

@00u113vaduihn6f9P5d7 in this latest output you've got

 

object-group network NET-TARGETS
 network-object 10.0.100.0 255.255.255.224
 network-object 10.0.200.0 255.255.255.224

but in your original post you have a slightly different network defined.

object-group network NET-SITEONE
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224

Amend these to the correct network.
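The object-group comparison Rob does by eye can be automated. This Python is an added example, not part of the thread: it expands the object-groups referenced by each side's crypto ACL into (source, destination) network pairs and reports every pair that has no mirror image on the other peer. The sample configs reproduce the snippets posted in this thread; the peer config is included twice, once with the .0 networks as first pasted and once with the .128 networks.

```python
import ipaddress
import re


def parse_object_groups(config: str) -> dict[str, list[ipaddress.IPv4Network]]:
    """Collect every 'object-group network NAME' block and its network-object members."""
    groups: dict[str, list[ipaddress.IPv4Network]] = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^object-group network (\S+)", line)
        if head:
            current = head.group(1)
            groups[current] = []
            continue
        member = re.match(r"^\s+network-object (\S+) (\S+)$", line)
        if member and current is not None:
            # ASA writes 'address netmask'; ipaddress accepts that form directly.
            groups[current].append(ipaddress.IPv4Network(f"{member.group(1)}/{member.group(2)}"))
            continue
        if line and not line.startswith(" "):
            current = None  # any other top-level line ('!', access-list, ...) ends the block
    return groups


def crypto_acl_pairs(config: str, acl_name: str, groups: dict) -> set[tuple[str, str]]:
    """Expand 'permit ip object-group A object-group B' lines of one ACL into (src, dst) pairs."""
    pattern = re.compile(
        rf"^access-list {re.escape(acl_name)} extended permit ip "
        r"object-group (\S+) object-group (\S+)")
    pairs = set()
    for line in config.splitlines():
        m = pattern.match(line)
        if m:
            for src in groups[m.group(1)]:
                for dst in groups[m.group(2)]:
                    pairs.add((str(src), str(dst)))
    return pairs


def mirror_mismatches(local_pairs: set, peer_pairs: set) -> tuple[list, list]:
    """Pairs on each side whose (dst, src) mirror image is missing on the other side."""
    peer_mirrored = {(dst, src) for src, dst in peer_pairs}
    local_mirrored = {(dst, src) for src, dst in local_pairs}
    return sorted(local_pairs - peer_mirrored), sorted(peer_pairs - local_mirrored)


# Site two (this thread's ASA): the crypto ACL uses the NAT-translated source network.
LOCAL_CONFIG = """\
object-group network NET-SITEONE
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224
object-group network XLATED-INSIDE_1-MAINNET
 network-object 21.0.100.0 255.255.255.0
access-list VPN-ACL-SITEONE-SITETWO extended permit ip object-group XLATED-INSIDE_1-MAINNET object-group NET-SITEONE
access-list VPN-ACL-SITEONE-SITETWO-1 extended permit ip object-group NET-SITEONE object-group XLATED-INSIDE_1-MAINNET
"""

# Peer config as first pasted in the thread (.0 networks) and as corrected (.128 networks).
PEER_CONFIG_AS_PASTED = """\
object-group network NET-LANS
 network-object 21.0.100.0 255.255.255.0
!
object-group network NET-TARGETS
 network-object 10.0.100.0 255.255.255.224
 network-object 10.0.200.0 255.255.255.224
!
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS
"""
PEER_CONFIG_CORRECTED = PEER_CONFIG_AS_PASTED.replace(
    "10.0.100.0 ", "10.0.100.128 ").replace("10.0.200.0 ", "10.0.200.128 ")


def check_peer(peer_config: str) -> tuple[list, list]:
    """Compare site two's crypto ACL against a given peer config."""
    local = crypto_acl_pairs(LOCAL_CONFIG, "VPN-ACL-SITEONE-SITETWO", parse_object_groups(LOCAL_CONFIG))
    peer = crypto_acl_pairs(peer_config, "VPN-SITETWO", parse_object_groups(peer_config))
    return mirror_mismatches(local, peer)


if __name__ == "__main__":
    for label, cfg in (("as pasted", PEER_CONFIG_AS_PASTED), ("corrected", PEER_CONFIG_CORRECTED)):
        only_local, only_peer = check_peer(cfg)
        print(f"{label}: {len(only_local)} unmirrored local pairs, {len(only_peer)} unmirrored peer pairs")
```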

 

Oh, sorry! Actually, it is my mistake when copying the current config (I copied the wrong one). The correct one includes the network-objects ending in .128 instead of .0.

So the current config on the peer side is correct in these fields. All the output in the thread was obtained with the .128 config on the peer side (not .0).

 

On the peer side:

 

object-group network NET-LANS
 network-object 21.0.100.0 255.255.255.0
!
object-group network NET-TARGETS
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224
!
access-list VPN-ACL-FILTER-SITETWO extended permit ip object-group NET-LANS object-group NET-TARGETS
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS

nat (plus_local_transit,outside) source static NET-TARGETS NET-TARGETS destination static NET-LANS NET-LANS no-proxy-arp route-lookup


crypto map ra_map 14 match address VPN-SITETWO
crypto map ra_map 14 set peer STATIC_IP_2.186
crypto map ra_map 14 set ikev1 transform-set aes-256-sha
crypto map ra_map 14 set security-association lifetime seconds 28800
crypto map ra_map 14 set security-association lifetime kilobytes 4608000

group-policy VPN-FILTER-SITETWO internal
group-policy VPN-FILTER-SITETWO attributes
 vpn-filter value VPN-ACL-FILTER-SITETWO
 vpn-tunnel-protocol ikev1
!
tunnel-group STATIC_IP_2.186 type ipsec-l2l
tunnel-group STATIC_IP_2.186 general-attributes
 default-group-policy VPN-FILTER-SITETWO
!
tunnel-group STATIC_IP_2.186 ipsec-attributes
 pre-shared-key *******

 

@00u113vaduihn6f9P5d7 provide "show crypto ipsec sa" from the peer side.

Have you tried testing without the VPN filter applied?

Run packet-tracer from the peer side.

Below is the "crypto ipsec sa" output from the peer side:

 

 Crypto map tag: ra_map, seq num: 14, local addr: STATIC_IP_1.90


      access-list TOKE_VPN extended permit ip 10.0.200.128 255.255.255.224 21.0.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      current_peer: STATIC_IP_2.186


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: STATIC_IP_1.90/0, remote crypto endpt.: STATIC_IP_2.186/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B76A4C1A
      current inbound spi : 4E5138F4

    inbound esp sas:
      spi: 0x4E5138F4 (1313945844)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 178421760, crypto-map: ra_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27570)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB76A4C1A (3077196826)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 178421760, crypto-map: ra_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27569)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

I think I was wrong about the IP (I checked my computer's IP in the network and it is different) in packet-tracer. I did some tries with NAT and routes. I think that I should not remove the filter because it is set on the peer side, it works (a similar configuration worked for others) and currently I cannot change the settings there.

 

Packet-tracer seems to work fine for my computer's IP. But I still get a request timeout when I ping the proper IP from my computer (not the Cisco ASA) and try to open the website on the other side of the VPN tunnel, and decaps are still 0.

 

ciscoasa(config)# packet-tracer input inside_1 icmp 192.168.100.4 8 0 10.0.200$

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f20cd4bfe30, priority=13, domain=capture, deny=false
        hits=254647, user_data=0x7f20cb4723d0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f20cc4ca740, priority=1, domain=permit, deny=false
        hits=8891927, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.200.151/0 to 10.0.200.151/0

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
Static translate 192.168.100.4/0 to 21.0.100.4/0
 Forward Flow based lookup yields rule:
 in  id=0x7f20cd4c1ec0, priority=6, domain=nat, deny=false
        hits=21, user_data=0x7f20cc53cd40, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3168743, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f20cc4d38e0, priority=0, domain=inspect-ip-options, deny=true
        hits=342485, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f20cd4aebb0, priority=70, domain=inspect-icmp, deny=false
        hits=1490, user_data=0x7f20cd32d360, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any
              
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f20cc4d30f0, priority=66, domain=inspect-icmp-error, deny=false
        hits=1518, user_data=0x7f20cc4d2660, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f20cd4d6b50, priority=70, domain=encrypt, deny=false
        hits=21, user_data=0x64d6c, cs_id=0x7f20ccdaf4d0, reverse, flags=0x0, protocol=0
        src ip/id=21.0.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 10
Type: ACCESS-LIST
Subtype: filter-aaa
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f20cc781460, priority=13, domain=filter-aaa, deny=false
        hits=21, user_data=0x7f20c4ec6480, filter_id=0x2(VPN-ACL-GMEX-TOKENISE-1), protocol=0
        src ip=21.0.100.0, mask=255.255.255.0, port=0
        dst ip=10.0.200.128, mask=255.255.255.224, port=0

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f20cc7198e0, priority=6, domain=nat-reverse, deny=false
        hits=21, user_data=0x7f20cc603b70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=outside

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f20cd26e470, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=21, user_data=0x69fe4, cs_id=0x7f20ccdaf4d0, reverse, flags=0x0, protocol=0
        src ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any
        dst ip/id=21.0.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3168745, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 14
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f20cc4899f0, priority=0, domain=inspect-ip-options, deny=true
        hits=2427108, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 15
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:       
Additional Information:
New flow created with id 2542491, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is STATIC_IP_2.185 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via STATIC_IP_2.185, outside
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.1 255.255.255.255 is directly connected, inside
C        192.168.100.0 255.255.255.0 is directly connected, inside_1
L        192.168.100.1 255.255.255.255 is directly connected, inside_1
C        STATIC_IP_2.184 255.255.255.248 is directly connected, outside
L        STATIC_IP_2.186 255.255.255.255 is directly connected, outside


Maybe the Windows firewall on the computer on the other side is on and it is blocking the ping. It is worth checking it and disabling it for testing on the remote end. The packet-tracer on the ASA seems to be working as expected.


If you cannot disable the ping on the remote side, could you enable some other services on the remote computer?

please do not forget to rate.

On the remote firewall, change the config:

access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS
no access-list VPN-SITETWO extended permit ip object-group NET-LANS object-group NET-TARGETS

Looking at the above output, your firewall tunnel is sending the encap traffic but the remote VPN tunnel is not responding back.

In order to get this working, we need more data/config from the remote firewall.


Firstly, we can rule out an issue with routing on the outside of the remote firewall, as both firewalls are creating a VPN tunnel and phase 1 and phase 2 are up and running.


Secondly, it would be great if you run the packet-tracer command from the remote firewall and show us the output along with show crypto ipsec sa detail.


Thirdly, even though the tunnel is up and running from the remote firewall, could you confirm whether NET-TARGETS (10.0.100.128/10.0.200.128) are directly connected to the firewall or, if not directly connected, whether a static route exists? Can you ping 10.0.100.1XX/10.0.200.1XX from the remote firewall?


Could you also show us the show tech of the remote firewall?

please do not forget to rate.
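The reasoning in this reply (tunnel up, packet-tracer allows the flow, encaps counting up, decaps stuck at 0, so the fault is on the far side) can be turned into a small check. The script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt in the shape of ASA `show crypto ipsec sa` and `packet-tracer` output (the local address 203.0.113.186 and peer 198.51.100.10 are placeholders, not the poster's real addresses) and reports which side to look at first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on ASA 'show crypto ipsec sa' output; not the thread's own output.
# 203.0.113.186 (local) and 198.51.100.10 (peer) are placeholder addresses.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: ra_map, seq num: 1, local addr: 203.0.113.186

      access-list VPN-ACL-GMEX-TOKENISE-1 extended permit ip 21.0.100.0 255.255.255.0 10.0.200.128 255.255.255.224
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      current_peer: 198.51.100.10

      #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed packet-tracer excerpt: only per-phase results and the final verdict are needed.
SAMPLE_PACKET_TRACER = """\
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
input-interface: inside_1
output-interface: outside
Action: allow
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\n(?:Subtype:[^\n]*\n)?Result: (\w+)")
ACTION_RE = re.compile(r"^Action: (\w+)", re.MULTILINE)


@dataclass
class SaCounters:
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    local_net: str
    remote_net: str


def parse_ipsec_sa(text: str) -> SaCounters:
    """Pull the traffic counters and proxy identities out of one IPsec SA block."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    idents = {side: f"{addr}/{mask}" for side, addr, mask in IDENT_RE.findall(text)}
    return SaCounters(
        encaps=counters.get("pkts encaps", 0),
        decaps=counters.get("pkts decaps", 0),
        send_errors=counters.get("send errors", 0),
        recv_errors=counters.get("recv errors", 0),
        local_net=idents.get("local", "?"),
        remote_net=idents.get("remote", "?"),
    )


def parse_packet_tracer(text: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Return the final Action and the first (phase, type) whose Result was not ALLOW."""
    action_match = ACTION_RE.search(text)
    action = action_match.group(1).lower() if action_match else "unknown"
    for phase, phase_type, result in PHASE_RE.findall(text):
        if result.upper() != "ALLOW":
            return action, (phase, phase_type)
    return action, None


def diagnose(sa: SaCounters, action: str, blocked_at: Optional[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Decide which side of the tunnel to investigate from the two outputs."""
    if action != "allow":
        where = f"phase {blocked_at[0]} ({blocked_at[1]})" if blocked_at else "an unlisted phase"
        return "LOCAL_DROP", [f"packet-tracer dropped the packet at {where}; fix the local ASA first"]
    if sa.encaps == 0:
        return "NOT_ENCRYPTED", [
            "packet-tracer allows the flow but no packets were ever encapsulated",
            f"check that real traffic matches the proxy identity {sa.local_net} -> {sa.remote_net}",
        ]
    if sa.decaps == 0:
        reasons = [
            f"{sa.encaps} packets left encrypted towards {sa.remote_net} but none came back",
            f"look at the peer: its crypto ACL must mirror {sa.remote_net} -> {sa.local_net}, "
            "and its NAT exemption, route to the target and any host firewall must let replies out",
        ]
        if sa.send_errors:
            reasons.append(f"{sa.send_errors} send errors: also check the path to the peer")
        return "ONE_WAY", reasons
    if sa.recv_errors:
        return "RECV_ERRORS", [f"{sa.recv_errors} packets arrived but failed on receive; compare SA parameters on both ends"]
    return "TWO_WAY", [f"{sa.encaps} encapsulated / {sa.decaps} decapsulated: traffic flows both ways"]


def run(sa_text: str, pt_text: str) -> Tuple[str, List[str]]:
    sa = parse_ipsec_sa(sa_text)
    action, blocked_at = parse_packet_tracer(pt_text)
    return diagnose(sa, action, blocked_at)


if __name__ == "__main__":
    verdict, reasons = run(SAMPLE_IPSEC_SA, SAMPLE_PACKET_TRACER)
    print(verdict)
    for line in reasons:
        print(" -", line)
```

Paste the real `show crypto ipsec sa` and `packet-tracer` text into the two sample strings (one SA block at a time) and the verdict names the side to work on; for the thread's situation it returns ONE_WAY, which is exactly the "sending encap traffic but the remote is not responding" conclusion above.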

Most probably it is a remote-end firewall issue. They might not have set up the NAT rules properly.

please do not forget to rate.