VPN no Packets

Unanswered Question
Jul 22nd, 2009

Hi,

I'm trying to set up a VPN tunnel between two sites using an ASA5510 and an ASA5520.

I have successful VPN establishment, but I am unable to transfer packets across. I want to be able to see the networks sitting behind the f/w LANs, but even the f/w LANs cannot send packets to each other.

I have attached the two configs and a brief diagram.

Thanks.



Arif . Wed, 07/22/2009 - 04:41

Hi,


Can you please be a bit more specific?


Thanks.

Arif . Wed, 07/22/2009 - 06:13

I've checked both configs; there is no 'no-nat' reference.

Is that what you mean, that no 'no-nat' rule exists?

You do have a no-nat; you have it configured on the 5510 as:-

nat (Inside) 0 access-list Inside_nat0_outbound
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

but your interesting ACL on the 5510 is:-

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

The ACLs do not match.
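The reply above spots the mismatch by eye. The script below is an added example, not code from this thread or from Cisco, that does the same cross-check mechanically on a cut-down ASA 8.x config: it expands object-groups, flattens the crypto map's interesting-traffic ACL and the nat 0 ACL into (source, destination) pairs, and reports crypto pairs with no NAT exemption and crypto pairs the peer does not mirror. The prefixes and ACL names are the thread's; the object-group contents (a second LAN, 172.16.51.0/24, inside DM_INLINE_NETWORK_4) are an assumption made so the mismatch shows up.

```python
"""Added example (not from the thread or from Cisco): cross-check an ASA 8.x
LAN-to-LAN VPN the way the reply above does by hand.  Every (src, dst) pair in
the crypto map's interesting-traffic ACL must be covered by a nat 0 (NAT
exemption) entry, and the peer's crypto ACL must mirror it."""
import ipaddress
import re

# Constructed cut-down configs.  DM_INLINE_NETWORK_4 is ASSUMED to hold a second
# LAN (172.16.51.0/24) that the nat 0 ACL does not cover.
ASA5510_CFG = """
object-group network DM_INLINE_NETWORK_4
 network-object 172.16.54.0 255.255.255.0
 network-object 172.16.51.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 172.24.107.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""
ASA5520_CFG = """
access-list Inside_nat0_outbound extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
GROUP_RE = re.compile(r"^object-group network (\S+)$")
MEMBER_RE = re.compile(r"^\s+network-object (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse_config(text):
    """Collect object-groups, raw ACEs per ACL, and the ACL names that the
    nat 0 statement and the crypto map entry point at."""
    cfg = {"groups": {}, "acls": {}, "nat0": None, "crypto": None}
    group = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := GROUP_RE.match(line):
            group = cfg["groups"].setdefault(m.group(1), [])
            continue
        if group is not None and (m := MEMBER_RE.match(line)):
            group.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        group = None  # any other line ends the object-group block
        if m := ACE_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2).split())
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := CRYPTO_RE.match(line):
            cfg["crypto"] = m.group(1)
    return cfg

def _endpoint(tokens, i, groups):
    """Decode one address operand of an ACE; returns (networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if t == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2

def expand_acl(cfg, name):
    """Flatten an ACL (object-groups included) into (src_net, dst_net) pairs."""
    pairs = []
    for tokens in cfg["acls"].get(name, []):
        srcs, i = _endpoint(tokens, 0, cfg["groups"])
        dsts, _ = _endpoint(tokens, i, cfg["groups"])
        pairs.extend((s, d) for s in srcs for d in dsts)
    return pairs

def crypto_not_exempted(cfg):
    """Crypto ACL pairs that no nat 0 entry covers.  With a dynamic NAT/PAT rule
    also present, such traffic is translated first, no longer matches the crypto
    map, and leaves unencrypted (or is dropped) instead of entering the tunnel."""
    nat0 = expand_acl(cfg, cfg["nat0"])
    return [f"{s} -> {d}" for s, d in expand_acl(cfg, cfg["crypto"])
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]

def crypto_not_mirrored(local, remote):
    """Local crypto pairs with no reversed (dst, src) counterpart on the peer:
    the peer will not accept those proxy IDs or will not encrypt the replies."""
    remote_pairs = set(expand_acl(remote, remote["crypto"]))
    return [f"{s} -> {d}" for s, d in expand_acl(local, local["crypto"])
            if (d, s) not in remote_pairs]

if __name__ == "__main__":
    asa5510, asa5520 = parse_config(ASA5510_CFG), parse_config(ASA5520_CFG)
    print("5510 crypto pairs without nat 0 exemption:", crypto_not_exempted(asa5510))
    print("5510 crypto pairs not mirrored on 5520:", crypto_not_mirrored(asa5510, asa5520))
```

Run against the two constructed configs, the 5510 reports 172.16.51.0/24 -> 172.24.107.0/24 under both checks, which is exactly the shape of the problem the reply describes: the crypto ACL is wider than the no-nat ACL, and the 5520 has no matching entry for the extra LAN. The subnet_of test is deliberately one-directional; a nat 0 entry that is wider than the crypto pair is fine, a narrower one is not.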

Arif . Wed, 07/22/2009 - 06:24

Ah, so if I change it to:

access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

That should pick it up as interesting traffic and match the no-nat rule?

Arif . Wed, 07/22/2009 - 06:28

Or, if I want to allow traffic from the LAN sitting behind each f/w LAN, I can do:

nat (Inside) 0 access-list Inside_nat0_outbound
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

?

Arif . Wed, 07/22/2009 - 06:58

Did the update, no joy; the VPN tunnel is still up but no packets going through.

Arif . Wed, 07/22/2009 - 07:17

OK, this is the output I got:


ASA5520:

LYV-LHC-ASA5520-01# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254

      access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 193.82.146.254, remote crypto endpt.: 81.246.92.116

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E27A8077

    inbound esp sas:
      spi: 0x5E2B2FB6 (1579888566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 45056, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28765)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE27A8077 (3799679095)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 45056, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28764)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA5510:

interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116

      access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      current_peer: 193.82.146.254

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 81.246.92.116, remote crypto endpt.: 193.82.146.254

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5E2B2FB6

    inbound esp sas:
      spi: 0xE27A8077 (3799679095)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 176128, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28678)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5E2B2FB6 (1579888566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 176128, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28678)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Then you are either blocking, or your routing is not correct, or your interesting ACL is wrong, or your no-nat is wrong. I took some of your config into my lab with a PIX 515 and an ASA and put them back to back, with 2 routers on either side; this works:-


hostname FW0
int e0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
 no shut
int e1
 nameif inside
 ip address 172.16.51.250 255.255.255.0
 no shut
!
! let ICMP replies and errors back in through the outside interface
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
! interesting traffic: both local LANs to both remote LANs
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
!
! the same ACL exempts tunnel traffic from NAT; everything else is PATed
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.16.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
! second local LAN sits behind the inside router
route inside 172.16.54.0 255.255.255.0 172.16.51.254
route outside 172.24.104.0 255.255.255.0 1.1.1.1
route outside 172.24.107.0 255.255.255.0 1.1.1.1
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 2.2.2.2
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco1234
!
end

**********************

hostname FW1
int e0
 nameif outside
 ip address 2.2.2.2 255.255.255.0
 no shut
int e1
 nameif inside
 ip address 172.24.104.250 255.255.255.0
 no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
! mirror image of FW0's interesting-traffic ACL
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.24.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2
route inside 172.24.107.0 255.255.255.0 172.24.104.254
route outside 172.16.51.0 255.255.255.0 2.2.2.2
route outside 172.16.54.0 255.255.255.0 2.2.2.2
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
! the match address must name the ACL defined above (the post had "vpn-usmay" here)
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco1234
!
end
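The counters in that show crypto ipsec sa output are the quickest way to tell which direction of a tunnel is dead, and both boxes above show zero in every one of them. As an added example (not from this thread or from Cisco), the script below pulls the proxy identities and the encaps/decaps counters out of the output and classifies each SA. The first sample is the ASA5520 output above, trimmed; the second is a constructed variant where only the local side is encrypting.

```python
"""Added example (not from the thread or from Cisco): read the packet counters
in 'show crypto ipsec sa' and say which direction of the tunnel is dead.
SAMPLE_5520 is the poster's ASA5520 output, trimmed; SAMPLE_ONE_WAY is
constructed."""
import re

SAMPLE_5520 = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254

      access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed: this end encapsulates but never gets anything back.
SAMPLE_ONE_WAY = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254

      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116

      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = {
    "local": re.compile(r"local ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
    "peer": re.compile(r"current_peer: ([\d.]+)"),
}
COUNTER_RE = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}

def _grab(rx, chunk, conv=str):
    """Pull one field out of an SA block, failing loudly if it is absent."""
    m = rx.search(chunk)
    if not m:
        raise ValueError(f"field {rx.pattern!r} missing from SA block")
    return conv(m.group(1))

def parse_ipsec_sa(text):
    """One dict per crypto-map entry (proxy-ID pair) in the command output."""
    sas = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Crypto map tag:)", text):
        if "Crypto map tag:" not in chunk:
            continue  # leading 'interface:' line or other noise
        sa = {k: _grab(rx, chunk) for k, rx in IDENT_RE.items()}
        sa.update({k: _grab(rx, chunk, int) for k, rx in COUNTER_RE.items()})
        sas.append(sa)
    return sas

HINTS = {
    "NO_TRAFFIC": "nothing enters the tunnel either way: interesting-traffic ACL, nat 0 exemption, routing or an interface ACL drops the flow before encryption",
    "NO_RETURN": "this end encrypts but decrypts nothing: the peer is not putting its replies into the tunnel (its crypto ACL, NAT exemption or routing)",
    "NO_REPLY": "this end decrypts the peer's packets but never encrypts replies: local routing or NAT exemption for the return path",
    "OK": "packets flow both ways; look at the hosts, not the tunnel",
}

def diagnose(sa):
    """Classify an SA by whether packets go out, come in, both or neither."""
    out, back = sa["encaps"] > 0, sa["decaps"] > 0
    if not out and not back:
        return "NO_TRAFFIC"
    if out and not back:
        return "NO_RETURN"
    if back and not out:
        return "NO_REPLY"
    return "OK"

if __name__ == "__main__":
    for label, text in (("5520 as posted", SAMPLE_5520), ("constructed one-way", SAMPLE_ONE_WAY)):
        for sa in parse_ipsec_sa(text):
            code = diagnose(sa)
            print(f"{label}: {sa['local']} <-> {sa['remote']} via {sa['peer']}: {code}: {HINTS[code]}")
```

Zero encaps on one box and zero decaps on the other would already point at the sending side; zero everywhere on both boxes, as in the posted output, means neither firewall ever classifies a packet as tunnel traffic, which is why the later packet-tracer drop on the inside interface is the more useful clue than anything in the SA itself.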


Arif . Wed, 07/22/2009 - 07:35

I ran a packet trace and the ICMP was blocked on the 'Implicit Deny Rule' on the Inside interface of the ASA5520. I have a rule that allows all ICMP for that same interface, so why is the implicit rule blocking packets?

Arif . Wed, 07/22/2009 - 08:02

I have checked the config; if it was something I'd spotted, I would not have put up the post.

The whole point is that the VPN tunnel is up and I would like to get an opinion on why traffic is not being transferred across.

Writing out the configs from scratch is not an option, unfortunately, and "check, check, check" doesn't help resolve the problem.
