VPN Tunnel Up, Packet-Tracer perfect but ping request timeout
02-28-2022 10:30 AM - edited 02-28-2022 10:33 AM
Hi,
I have an issue that I am not sure how to solve.
So I established a site-to-site IKEv1 VPN connection. The tunnel is up. However, I cannot access any resources at the other end of this tunnel, behind the network IP.
I started troubleshooting the issue. The packet-tracer does not show any problems. However, when I ping independently, from inside the Cisco config or from the computer connected to the internet, the request times out.
Does anyone know what the problem is and potentially how to fix it?
ciscoasa(config)# ping 10.0.200.151
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.200.151, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa(config)# packet-tracer input inside_1 icmp 21.0.100.1 8 0 10.0.200.15$
...
Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: ASA Version 9.8(2)
!
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address STATIC_IP_2.186 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside_1
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.73.82.242 outside
 name-server 194.72.9.34 outside
same-security-traffic permit inter-interface
object network INSIDE-MAINNET
 subnet 192.168.100.0 255.255.255.0
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object-group network NET-SITEONE
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224
object-group network XLATED-INSIDE_1-MAINNET
 network-object 21.0.100.0 255.255.255.0
access-list VPN-ACL-SITEONE-SITETWO extended permit ip object-group XLATED-INSIDE_1-MAINNET object-group NET-SITEONE
access-list VPN-ACL-SITEONE-SITETWO-1 extended permit ip object-group NET-SITEONE object-group XLATED-INSIDE_1-MAINNET
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
nat (inside_1,outside) source static XLATED-INSIDE_1-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
!
object network INSIDE-MAINNET
 nat (inside_1,outside) dynamic interface
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 STATIC_IP_2.185 1
route inside_1 21.0.100.0 255.255.255.0 STATIC_IP_2.185 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map SITETWO-SITEONE-MAP 10 match address VPN-ACL-SITEONE-SITETWO
crypto map SITETWO-SITEONE-MAP 10 set peer STATIC_IP_1.90
crypto map SITETWO-SITEONE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map SITETWO-SITEONE-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 194.73.82.242 194.72.9.34
dhcpd auto_config outside
dhcpd option 3 ip 192.168.100.1
!
dhcpd address 192.168.100.2-192.168.100.254 inside_1
dhcpd enable inside_1
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN-FILTER-SITEONE-SITETWO internal
group-policy VPN-FILTER-SITEONE-SITETWO attributes
 vpn-filter value VPN-ACL-SITEONE-SITETWO-1
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group STATIC_IP_1.90 type ipsec-l2l
tunnel-group STATIC_IP_1.90 general-attributes
 default-group-policy VPN-FILTER-SITEONE-SITETWO
tunnel-group STATIC_IP_1.90 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
Labels: IPSEC, Remote Access, VPN
02-28-2022 01:40 PM
@00u113vaduihn6f9P5d7 you are pinging from the ASA, test connectivity from a device behind the ASA...that is obviously in a network defined in the crypto ACL.
03-01-2022 01:15 AM
Hi Rob, thanks for the answer.
That is helpful to know that pinging from ASA should not work.
As mentioned in the description, pinging 10.0.200.151 results in request timeouts from both the Cisco router and the connected computer.
I just did not include the output of the request timeouts from the computer in the description.
Of course, there is a normal connection between the computer and the internet, but not to 10.0.200.151.
03-01-2022 01:32 AM
@00u113vaduihn6f9P5d7 re-run the packet-tracer from the CLI, use the source as the original IP address (pre-translation)....provide the full output for review.
Provide the output of "show nat detail" and "show crypto ipsec sa".
03-08-2022 02:40 AM
Rob, below is the output of the commands from your post. I assume that the original IP is 192.168.100.0 (looking at show nat detail). However, at the bottom I also provided the packet-tracer output for 192.168.1.0 (since the output is different and also does not reach the VPN tunnel).
ciscoasa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside_1) to (outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
    translate_hits = 84, untranslate_hits = 85
    Source - Origin: 192.168.100.0/24, Translated: 21.0.100.0/24
    Destination - Origin: 10.0.100.128/27, 10.0.200.128/27, Translated: 10.0.100.128/27, 10.0.200.128/27
2 (inside_1) to (outside) source static XLATED-INSIDE_1-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
    translate_hits = 15, untranslate_hits = 15
    Source - Origin: 21.0.100.0/24, Translated: 21.0.100.0/24
    Destination - Origin: 10.0.100.128/27, 10.0.200.128/27, Translated: 10.0.100.128/27, 10.0.200.128/27

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic INSIDE-MAINNET interface
    translate_hits = 326201, untranslate_hits = 1728
    Source - Origin: 192.168.100.0/24, Translated: STATIC_IP_2.186/29
2 (inside_1) to (outside) source dynamic obj_any1 interface
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
3 (inside_2) to (outside) source dynamic obj_any2 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
4 (inside_3) to (outside) source dynamic obj_any3 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
5 (inside_4) to (outside) source dynamic obj_any4 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
6 (inside_5) to (outside) source dynamic obj_any5 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
7 (inside_6) to (outside) source dynamic obj_any6 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29
8 (inside_7) to (outside) source dynamic obj_any7 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: STATIC_IP_2.186/29

ciscoasa(config)# packet-tracer input inside_1 icmp 192.168.100.0 8 0 10.0.200$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4bfe30, priority=13, domain=capture, deny=false
        hits=76457, user_data=0x7f20cb4723d0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4ca740, priority=1, domain=permit, deny=false
        hits=8802857, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.200.151/0 to 10.0.200.151/0

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

ciscoasa(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: SITETWO-SITEONE-MAP, seq num: 10, local addr: STATIC_IP_2.186

      access-list VPN-ACL-SITEONE-SITETWO extended permit ip 21.0.100.0 255.255.255.0 10.0.200.128 255.255.255.224
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      current_peer: STATIC_IP_1.90

      #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 33, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: STATIC_IP_2.186/0, remote crypto endpt.: STATIC_IP_1.90/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 3D88B522
      current inbound spi : A31A72F5

    inbound esp sas:
      spi: 0xA31A72F5 (2736419573)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 11845632, crypto-map: SITETWO-SITEONE-MAP
         sa timing: remaining key lifetime (kB/sec): (4374000/28066)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x3D88B522 (1032369442)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 11845632, crypto-map: SITETWO-SITEONE-MAP
         sa timing: remaining key lifetime (kB/sec): (4373997/28066)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ciscoasa(config)# packet-tracer input inside_1 icmp 192.168.1.0 8 0 10.0.200.1$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4bfe30, priority=13, domain=capture, deny=false
        hits=85597, user_data=0x7f20cb4723d0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4ca740, priority=1, domain=permit, deny=false
        hits=8807424, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop STATIC_IP_2.185 using egress ifc outside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any1
 nat (inside_1,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.0/0 to 217.38.151.186/25335
Forward Flow based lookup yields rule:
in  id=0x7f20cc7a5e40, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7f20cc77dfc0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3160175, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4d38e0, priority=0, domain=inspect-ip-options, deny=true
        hits=339204, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4aebb0, priority=70, domain=inspect-icmp, deny=false
        hits=1457, user_data=0x7f20cd32d360, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4d30f0, priority=66, domain=inspect-icmp-error, deny=false
        hits=1485, user_data=0x7f20cc4d2660, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3160177, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7f20cc4899f0, priority=0, domain=inspect-ip-options, deny=true
        hits=2418417, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2533861, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
03-08-2022 02:45 AM
@00u113vaduihn6f9P5d7 from your output....
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
...you are encrypting the traffic, but you are not decrypting any return traffic. Check the configuration of the remote peer, NAT, routing and crypto ACL.
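The counters Rob points at are the quickest tell for a one-way tunnel: `#pkts encaps` climbing while `#pkts decaps` stays at zero means the local ASA is sending ESP but never receives any it can match to the SA, so the fault is on the return path (peer crypto ACL, NAT, routing or a VPN filter) rather than in IKE. The following script, added here as an illustration and not part of the thread or of any Cisco tooling, parses the `show crypto ipsec sa` text into one record per crypto-map entry and classifies each as idle, one-way or bidirectional. The sample output is constructed to mirror the layout seen in this thread, with the two entries standing in for the local side and the peer side; the endpoint addresses (198.51.100.186, 203.0.113.90) are documentation-range placeholders.

```python
import re

# Constructed sample modelled on the layout of ASA "show crypto ipsec sa" output.
# Entry 1 stands in for the local ASA (encrypting, never decrypting); entry 2 for
# the peer (no traffic at all). Addresses and counters are made up for this example.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: SITETWO-SITEONE-MAP, seq num: 10, local addr: 198.51.100.186

      access-list VPN-ACL-SITEONE-SITETWO extended permit ip 21.0.100.0 255.255.255.0 10.0.200.128 255.255.255.224
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      current_peer: 203.0.113.90

      #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: ra_map, seq num: 14, local addr: 203.0.113.90

      access-list VPN-SITETWO extended permit ip 10.0.200.128 255.255.255.224 21.0.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      current_peer: 198.51.100.186

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

ENTRY_RE = re.compile(
    r"Crypto map tag: (?P<tag>[^,]+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)")
IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<val>[^)]*)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Split the output at each 'Crypto map tag:' line and pull the fields that
    matter for a one-way-traffic diagnosis out of each chunk."""
    starts = [m.start() for m in ENTRY_RE.finditer(text)]
    entries = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        head = ENTRY_RE.match(chunk)
        entry = {"tag": head.group("tag"), "seq": int(head.group("seq")),
                 "local_addr": head.group("local"), "local_ident": None,
                 "remote_ident": None, "peer": None}
        for m in IDENT_RE.finditer(chunk):
            entry[m.group("side") + "_ident"] = m.group("val")
        peer = PEER_RE.search(chunk)
        entry["peer"] = peer.group(1) if peer else None
        enc, dec = ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk)
        entry["encaps"] = int(enc.group(1)) if enc else 0
        entry["decaps"] = int(dec.group(1)) if dec else 0
        entries.append(entry)
    return entries


def diagnose(entry):
    """Classify an SA from its encaps/decaps counters."""
    enc, dec = entry["encaps"], entry["decaps"]
    if enc == 0 and dec == 0:
        return "idle: no traffic has matched this SA in either direction"
    if enc > 0 and dec == 0:
        return ("one-way: encrypting outbound, nothing decrypted; "
                "check the peer's crypto ACL, NAT, routing and VPN filter")
    if enc == 0 and dec > 0:
        return ("one-way: decrypting inbound, nothing encrypted; "
                "check the local crypto ACL, NAT and routing")
    return "bidirectional: traffic is flowing both ways"


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f"{e['tag']} seq {e['seq']}: {e['local_ident']} <-> {e['remote_ident']} peer {e['peer']}")
        print(f"  encaps={e['encaps']} decaps={e['decaps']} -> {diagnose(e)}")
```

Run against real output (`show crypto ipsec sa` pasted into a file), the interesting combination is the one this thread shows: the local entry reports one-way outbound while the peer's matching entry is idle, which says the peer never even selected the SA for the return traffic.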
03-08-2022 03:36 AM
Configuration on peer remote side:
object-group network NET-LANS
 network-object 21.0.100.0 255.255.255.0
!
object-group network NET-TARGETS
 network-object 10.0.100.0 255.255.255.224
 network-object 10.0.200.0 255.255.255.224
!
access-list VPN-ACL-FILTER-SITETWO extended permit ip object-group NET-LANS object-group NET-TARGETS
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS
nat (plus_local_transit,outside) source static NET-TARGETS NET-TARGETS destination static NET-LANS NET-LANS no-proxy-arp route-lookup
crypto map ra_map 14 match address VPN-SITETWO
crypto map ra_map 14 set peer STATIC_IP_2.186
crypto map ra_map 14 set ikev1 transform-set aes-256-sha
crypto map ra_map 14 set security-association lifetime seconds 28800
crypto map ra_map 14 set security-association lifetime kilobytes 4608000
group-policy VPN-FILTER-SITETWO internal
group-policy VPN-FILTER-SITETWO attributes
 vpn-filter value VPN-ACL-FILTER-SITETWO
 vpn-tunnel-protocol ikev1
!
tunnel-group STATIC_IP_2.186 type ipsec-l2l
tunnel-group STATIC_IP_2.186 general-attributes
 default-group-policy VPN-FILTER-SITETWO
!
tunnel-group STATIC_IP_2.186 ipsec-attributes
 pre-shared-key *******
My config (some of these mentioned in the first post):
ciscoasa(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is STATIC_IP_2.185 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via STATIC_IP_2.185, outside
S        21.0.100.0 255.255.255.0 [1/0] via STATIC_IP_2.185, inside_1
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.1 255.255.255.255 is directly connected, inside
C        192.168.100.0 255.255.255.0 is directly connected, inside_1
L        192.168.100.1 255.255.255.255 is directly connected, inside_1
C        STATIC_IP_2.184 255.255.255.248 is directly connected, outside
L        STATIC_IP_2.186 255.255.255.255 is directly connected, outside

ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (inside_1) to (outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
    translate_hits = 84, untranslate_hits = 86
2 (inside_1) to (outside) source static XLATED-INSIDE_1-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
    translate_hits = 15, untranslate_hits = 15

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic INSIDE-MAINNET interface
    translate_hits = 326724, untranslate_hits = 1730
2 (inside_1) to (outside) source dynamic obj_any1 interface
    translate_hits = 3, untranslate_hits = 0
3 (inside_2) to (outside) source dynamic obj_any2 interface
    translate_hits = 0, untranslate_hits = 0
4 (inside_3) to (outside) source dynamic obj_any3 interface
    translate_hits = 0, untranslate_hits = 0
5 (inside_4) to (outside) source dynamic obj_any4 interface
    translate_hits = 0, untranslate_hits = 0
6 (inside_5) to (outside) source dynamic obj_any5 interface
    translate_hits = 0, untranslate_hits = 0
7 (inside_6) to (outside) source dynamic obj_any6 interface
    translate_hits = 0, untranslate_hits = 0
8 (inside_7) to (outside) source dynamic obj_any7 interface
    translate_hits = 0, untranslate_hits = 0

ciscoasa(config)# show run crypto
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map SITETWO-SITEONE-MAP 10 match address VPN-ACL-SITEONE-SITETWO
crypto map SITETWO-SITEONE-MAP 10 set peer STATIC_IP_1.90
crypto map SITETWO-SITEONE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map SITETWO-SITEONE-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

ciscoasa(config)# show run access-list
access-list VPN-ACL-SITEONE-SITETWO extended permit ip object-group XLATED-INSIDE_1-MAINNET object-group NET-SITEONE
access-list VPN-ACL-SITEONE-SITETWO-1 extended permit ip object-group NET-SITEONE object-group XLATED-INSIDE_1-MAINNET
03-08-2022 03:48 AM
@00u113vaduihn6f9P5d7 in this latest output you've got
object-group network NET-TARGETS
network-object 10.0.100.0 255.255.255.224
network-object 10.0.200.0 255.255.255.224
but in your original post you have slightly different network defined.
object-group network NET-SITEONE
network-object 10.0.100.128 255.255.255.224
network-object 10.0.200.128 255.255.255.224
Amend these to the correct network.
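The mismatch Rob spots here is the classic cause of a tunnel that comes up but passes traffic only one way: the two crypto ACLs must be exact mirror images, member by member, because each network pair becomes a proxy ID the peers negotiate. The script below, added as an illustration and not code from this thread or from Cisco, parses the `object-group network` and `access-list ... extended permit ip` lines from each side, expands the crypto ACL into its individual (source, destination) network pairs, and reports any pair that has no mirror on the other side. The config fragments are constructed from the two versions shown in the thread (the peer side with `.0` and with `.128`), so the first run reports the mismatch and the second passes; the parser handles only the command subset used here.

```python
import ipaddress

# Constructed config fragments, modelled on the two sides shown in this thread.
LOCAL_SIDE = """\
object-group network NET-SITEONE
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224
object-group network XLATED-INSIDE_1-MAINNET
 network-object 21.0.100.0 255.255.255.0
access-list VPN-ACL-SITEONE-SITETWO extended permit ip object-group XLATED-INSIDE_1-MAINNET object-group NET-SITEONE
"""

# Peer side as first posted (.0 networks), which does not mirror the local ACL.
PEER_SIDE_WRONG = """\
object-group network NET-LANS
 network-object 21.0.100.0 255.255.255.0
!
object-group network NET-TARGETS
 network-object 10.0.100.0 255.255.255.224
 network-object 10.0.200.0 255.255.255.224
!
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS
"""

# Same peer config with the .128 networks, which is the correct mirror.
PEER_SIDE_FIXED = (PEER_SIDE_WRONG
                   .replace("10.0.100.0 ", "10.0.100.128 ")
                   .replace("10.0.200.0 ", "10.0.200.128 "))


def _read_operand(tokens, groups):
    """Consume one ACL address operand; return (list of networks, remaining tokens)."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_asa(config_text):
    """Return (object_groups, acls). object_groups: name -> [IPv4Network];
    acls: name -> [(src_networks, dst_networks)] for 'permit ip' entries."""
    groups, acls, current = {}, {}, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[0] == "network-object" and current is not None:
            net = parts[2] if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
            groups[current].append(ipaddress.ip_network(net))
        elif parts[0] == "access-list" and parts[2:5] == ["extended", "permit", "ip"]:
            current = None
            src, rest = _read_operand(parts[5:], groups)
            dst, _ = _read_operand(rest, groups)
            acls.setdefault(parts[1], []).append((src, dst))
        else:
            current = None  # any other top-level line ends the object-group
    return groups, acls


def proxy_ids(acl_entries):
    """Expand an ACL into the set of (src, dst) network pairs it will negotiate."""
    return {(s, d) for src, dst in acl_entries for s in src for d in dst}


def check_mirror(local_cfg, local_acl, peer_cfg, peer_acl):
    """Return (missing_on_peer, missing_on_local): pairs on one side whose
    mirror image (dst, src) is absent on the other, as (src, dst) strings."""
    local_pairs = proxy_ids(parse_asa(local_cfg)[1][local_acl])
    peer_pairs = proxy_ids(parse_asa(peer_cfg)[1][peer_acl])
    missing_on_peer = sorted({(d, s) for s, d in local_pairs} - peer_pairs)
    missing_on_local = sorted({(d, s) for s, d in peer_pairs} - local_pairs)
    as_str = lambda pairs: [(str(s), str(d)) for s, d in pairs]
    return as_str(missing_on_peer), as_str(missing_on_local)


if __name__ == "__main__":
    for label, peer_cfg in (("as posted", PEER_SIDE_WRONG), ("corrected", PEER_SIDE_FIXED)):
        on_peer, on_local = check_mirror(LOCAL_SIDE, "VPN-ACL-SITEONE-SITETWO",
                                         peer_cfg, "VPN-SITETWO")
        print(f"peer config {label}: missing on peer {on_peer}, missing on local {on_local}")
```

The comparison is done on network objects rather than strings, so `10.0.100.128 255.255.255.224` written as `10.0.100.128/27` on the other box still matches; anything reported by `check_mirror` is a pair one side will propose and the other will refuse or never send traffic into.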
03-08-2022 04:11 AM - edited 03-08-2022 04:23 AM
Oh, sorry! Actually, it is my mistake when copying the current config (I copied the wrong one). The correct one includes the network-objects with .128 at the end of the IP instead of .0.
So the current config on the peer side is correct in these fields. All the output in the thread was received with .128 config on the peer side (not .0).
On the peer side:
object-group network NET-LANS
 network-object 21.0.100.0 255.255.255.0
!
object-group network NET-TARGETS
 network-object 10.0.100.128 255.255.255.224
 network-object 10.0.200.128 255.255.255.224
!
access-list VPN-ACL-FILTER-SITETWO extended permit ip object-group NET-LANS object-group NET-TARGETS
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS
nat (plus_local_transit,outside) source static NET-TARGETS NET-TARGETS destination static NET-LANS NET-LANS no-proxy-arp route-lookup
crypto map ra_map 14 match address VPN-SITETWO
crypto map ra_map 14 set peer STATIC_IP_2.186
crypto map ra_map 14 set ikev1 transform-set aes-256-sha
crypto map ra_map 14 set security-association lifetime seconds 28800
crypto map ra_map 14 set security-association lifetime kilobytes 4608000
group-policy VPN-FILTER-SITETWO internal
group-policy VPN-FILTER-SITETWO attributes
 vpn-filter value VPN-ACL-FILTER-SITETWO
 vpn-tunnel-protocol ikev1
!
tunnel-group STATIC_IP_2.186 type ipsec-l2l
tunnel-group STATIC_IP_2.186 general-attributes
 default-group-policy VPN-FILTER-SITETWO
!
tunnel-group STATIC_IP_2.186 ipsec-attributes
 pre-shared-key *******
03-08-2022 04:24 AM
@00u113vaduihn6f9P5d7 provide "show crypto ipsec sa" from the peer side.
Have you tried testing without the VPN filter applied?
Run packet-tracer from the peer side
03-08-2022 08:12 AM
Below is "crypto ipsec sa" from the peer side.
Crypto map tag: ra_map, seq num: 14, local addr: STATIC_IP_1.90

      access-list TOKE_VPN extended permit ip 10.0.200.128 255.255.255.224 21.0.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      current_peer: STATIC_IP_2.186

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: STATIC_IP_1.90/0, remote crypto endpt.: STATIC_IP_2.186/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B76A4C1A
      current inbound spi : 4E5138F4

    inbound esp sas:
      spi: 0x4E5138F4 (1313945844)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 178421760, crypto-map: ra_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27570)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB76A4C1A (3077196826)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 178421760, crypto-map: ra_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27569)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

      access-list VPN-SITETWO extended permit ip 10.0.200.128 255.255.255.224 21.0.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      current_peer: STATIC_IP_2.186

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: STATIC_IP_1.90/0, remote crypto endpt.: STATIC_IP_2.186/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B76A4C1A
      current inbound spi : 4E5138F4

    inbound esp sas:
      spi: 0x4E5138F4 (1313945844)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 178421760, crypto-map: ra_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27570)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB76A4C1A (3077196826)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 178421760, crypto-map: ra_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27569)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
03-08-2022 09:47 AM - edited 03-08-2022 09:52 AM
I think I was wrong when it comes to the IP in packet-tracer (I checked my computer's IP in the network and it is different). I did some tries when it comes to NAT and routes. I think that I should not remove the filter because it is set on the peer side, it works (a similar configuration worked for others) and currently I cannot change the settings there.
Packet-tracer seems to work fine for my computer's IP. But I still get request timeouts when I ping the proper IP from my computer (not the Cisco ASA) and try to open the website on the other side of the VPN tunnel, and decaps are still 0.
ciscoasa(config)# packet-tracer input inside_1 icmp 192.168.100.4 8 0 10.0.200$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4bfe30, priority=13, domain=capture, deny=false
        hits=254647, user_data=0x7f20cb4723d0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4ca740, priority=1, domain=permit, deny=false
        hits=8891927, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside_1, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.200.151/0 to 10.0.200.151/0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE
Additional Information:
Static translate 192.168.100.4/0 to 21.0.100.4/0
Forward Flow based lookup yields rule:
in  id=0x7f20cd4c1ec0, priority=6, domain=nat, deny=false
        hits=21, user_data=0x7f20cc53cd40, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true
        hits=3168743, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4d38e0, priority=0, domain=inspect-ip-options, deny=true
        hits=342485, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cd4aebb0, priority=70, domain=inspect-icmp, deny=false
        hits=1490, user_data=0x7f20cd32d360, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7f20cc4d30f0, priority=66, domain=inspect-icmp-error, deny=false
        hits=1518, user_data=0x7f20cc4d2660, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside_1, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f20cd4d6b50, priority=70, domain=encrypt, deny=false
        hits=21, user_data=0x64d6c, cs_id=0x7f20ccdaf4d0, reverse, flags=0x0, protocol=0
        src ip/id=21.0.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 10
Type: ACCESS-LIST
Subtype:
filter-aaa Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x7f20cc781460, priority=13, domain=filter-aaa, deny=false hits=21, user_data=0x7f20c4ec6480, filter_id=0x2(VPN-ACL-GMEX-TOKENISE-1), protocol=0 src ip=21.0.100.0, mask=255.255.255.0, port=0 dst ip=10.0.200.128, mask=255.255.255.224, port=0 Phase: 11 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside_1,outside) source static INSIDE-MAINNET XLATED-INSIDE_1-MAINNET destination static NET-SITEONE NET-SITEONE Additional Information: Forward Flow based lookup yields rule: out id=0x7f20cc7198e0, priority=6, domain=nat-reverse, deny=false hits=21, user_data=0x7f20cc603b70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any dst ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any, dscp=0x0 input_ifc=inside_1, output_ifc=outside Phase: 12 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7f20cd26e470, priority=70, domain=ipsec-tunnel-flow, deny=false hits=21, user_data=0x69fe4, cs_id=0x7f20ccdaf4d0, reverse, flags=0x0, protocol=0 src ip/id=10.0.200.128, mask=255.255.255.224, port=0, tag=any dst ip/id=21.0.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 13 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7f20cb860c40, priority=0, domain=nat-per-session, deny=true hits=3168745, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 14 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7f20cc4899f0, priority=0, domain=inspect-ip-options, deny=true hits=2427108, user_data=0x0, 
cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 15 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 2542491, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_inspect_icmp snp_fp_translate snp_fp_adjacency snp_fp_encrypt snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_ipsec_tunnel_flow snp_fp_translate snp_fp_inspect_icmp snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: inside_1 input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
ciscoasa(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is STATIC_IP_2.185 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via STATIC_IP_2.185, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.100.0 255.255.255.0 is directly connected, inside_1
L 192.168.100.1 255.255.255.255 is directly connected, inside_1
C STATIC_IP_2.184 255.255.255.248 is directly connected, outside
L STATIC_IP_2.186 255.255.255.255 is directly connected, outside
03-14-2022 04:45 AM
Might be your other side computer's Windows firewall is on and it is blocking the ping. Worth checking it and disabling it for testing on the remote end. The packet tracer seems to be working as expected.
If you cannot disable the ping on the remote side, could you enable some other services on the remote computer?
03-14-2022 02:54 PM
On the remote firewall, change the config:
access-list VPN-SITETWO extended permit ip object-group NET-TARGETS object-group NET-LANS
no access-list VPN-SITETWO extended permit ip object-group NET-LANS object-group NET-TARGETS
Looking at the above output, your firewall tunnel is sending the encapsulated traffic but the remote VPN tunnel is not responding back.
In order to get this working, we need more data/config from the remote firewall.
Firstly, we can rule out an issue with routing on the outside of the remote firewall, as both firewalls are creating a VPN tunnel and phase 1 and phase 2 are up and running.
Secondly, it would be great if you could run the packet-tracer command from the remote firewall and show us the output, along with show crypto ipsec sa detail.
Thirdly, even though the tunnel is up and running from the remote firewall, could you confirm whether NET-TARGETS (10.0.100.128/10.0.200.128) are directly connected to a firewall or, if not directly connected, whether a static route exists? Can you ping 10.0.100.1XX/10.0.200.1XX from the remote firewall?
Could you also show us the show tech of the remote firewall?
03-21-2022 11:02 AM
Most probably it is the remote end firewall issue. Might be they have not set up the NAT rules properly.
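The two checks the replies above ask for, "encaps but no decaps" in show crypto ipsec sa detail and whether the NAT side of the tunnel is set up properly, can be read off the SA counters and proxy identities. The script below is an added example, not code from this thread or from Cisco: it parses constructed sample text laid out like the ASA show crypto ipsec sa output (the peer and local addresses in the sample are documentation-range placeholders, and the packet counts are made up), classifies each SA as no-traffic, one-way or bidirectional, and flags any SA whose local identity is not the translated subnet 21.0.100.0/24 that the nat (inside_1,outside) rule on this ASA produces.

```python
"""Classify IPsec SAs from `show crypto ipsec sa` text and check proxy IDs.

Added example for this thread; the sample output below is constructed,
not captured from the poster's ASA.
"""
import ipaddress
import re

# Constructed sample in the ASA `show crypto ipsec sa` layout.
# Addresses 203.0.113.186 / 198.51.100.2 are placeholders (RFC 5737 ranges).
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.186

      access-list VPN-ACL-SITEONE-SITETWO extended permit ip 21.0.100.0 255.255.255.0 10.0.100.128 255.255.255.224
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.100.128/255.255.255.224/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.186

      access-list VPN-ACL-SITEONE-SITETWO extended permit ip 21.0.100.0 255.255.255.0 10.0.200.128 255.255.255.224
      local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.200.128/255.255.255.224/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# "local ident (addr/mask/prot/port): (21.0.100.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)"
)
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sas(text):
    """Return one dict per SA: local/remote proxy IDs in CIDR form plus counters."""
    sas = []
    current = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            # ipaddress accepts dotted netmasks; normalise to CIDR for comparison
            net = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            if side == "local":
                current = {"local": net, "remote": None, "encaps": 0, "decaps": 0}
                sas.append(current)
            elif current is not None:
                current["remote"] = net
            continue
        if current is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return sas


def classify(sa):
    """Encaps without decaps is the 'sending but nothing comes back' pattern."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-traffic"
    if sa["decaps"] == 0:
        return "one-way-outbound"
    if sa["encaps"] == 0:
        return "one-way-inbound"
    return "bidirectional"


def check_local_ident(sas, expected_local="21.0.100.0/24"):
    """SAs whose local proxy ID is not the NAT-translated subnet.

    On this ASA the real 192.168.100.0/24 is translated to 21.0.100.0/24
    before encryption, so the crypto ACL and the peer must use 21.0.100.0/24.
    """
    return [sa for sa in sas if sa["local"] != expected_local]


def report(text, expected_local="21.0.100.0/24"):
    """(remote network, traffic state, proxy-ID note) for each SA in the text."""
    findings = []
    for sa in parse_ipsec_sas(text):
        note = ""
        if sa["local"] != expected_local:
            note = f"local ident {sa['local']} is not the translated subnet {expected_local}"
        findings.append((sa["remote"], classify(sa), note))
    return findings


if __name__ == "__main__":
    for remote, state, note in report(SAMPLE_OUTPUT):
        print(f"{remote:<18} {state:<18} {note}")
```

Run against real output, the 10.0.200.128/27 SA showing encaps 21 / decaps 0 matches the reply's reading of the packet-tracer: this side encrypts, the peer never returns anything, so the next place to look is the remote firewall. A non-empty result from check_local_ident would instead point at the NAT side, since the peer would be expecting 21.0.100.0/24 while the SA was negotiated for the untranslated network.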
