07-22-2009 03:18 AM
Hi,
I'm trying to setup a VPN tunnel between two sites using an ASA5510 and a ASA5520.
I have successful VPN establishment but I am unable to transfer packets across. I want to be able to see the networks sitting behind the f/w LANs, but even the f/w LANs cannot send packets to each other.
I have attached the two configs and a brief diagram.
Thanks.
07-22-2009 04:25 AM
check your no-nat
HTH
07-22-2009 04:41 AM
Hi,
Can you please be a bit more specific?
Thanks.
07-22-2009 04:53 AM
Your encryption domains (interesting VPN traffic) do not match your no-nat config.
07-22-2009 06:13 AM
I've checked both configs; there is no 'no-nat' reference.
Is that what you mean, that no 'no-nat' rule exists?
07-22-2009 06:19 AM
You do have a no-nat; you have it configured on the 5510 as:
nat (Inside) 0 access-list Inside_nat0_outbound
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
but your interesting ACL on the 5510 is:
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
The ACLs do not match.
07-22-2009 06:24 AM
Ah, so if I change it to:
access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
This should pick it up as interesting traffic and will match the no-nat rule?
07-22-2009 06:28 AM
Yes. I would suggest you create another ACL and name it something else, then you can switch between the two.
07-22-2009 06:28 AM
Or, if I want to allow traffic from the LAN sitting behind each f/w LAN, I can do:
nat (Inside) 0 access-list Inside_nat0_outbound
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
?
07-22-2009 06:58 AM
Did the update, no joy; the VPN tunnel is still up but no packets are going through.
07-22-2009 07:03 AM
Is your interesting traffic ACL being hit? When you do a show crypto ipsec sa, can you see packets being encrypted and decrypted at both sides?
07-22-2009 07:13 AM
Both f/w are responding:
There are no ipsec sas
07-22-2009 07:17 AM
OK, this is the output I got:
ASA5520:
LYV-LHC-ASA5520-01# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254
access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
current_peer: 81.246.92.116
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 193.82.146.254, remote crypto endpt.: 81.246.92.116
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E27A8077
inbound esp sas:
spi: 0x5E2B2FB6 (1579888566)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 45056, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28765)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xE27A8077 (3799679095)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 45056, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28764)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5510:
interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116
access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
current_peer: 193.82.146.254
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 81.246.92.116, remote crypto endpt.: 193.82.146.254
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 5E2B2FB6
inbound esp sas:
spi: 0xE27A8077 (3799679095)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 176128, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28678)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5E2B2FB6 (1579888566)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 176128, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28678)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
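The question above (are packets being encrypted and decrypted on both sides?) comes down to reading the encaps/decaps counters of each SA. The following is an added example, not code from the thread: it parses the counter block of a pasted `show crypto ipsec sa` and states which direction of clear-text traffic is failing to reach the crypto map. SAMPLE is a constructed, trimmed copy of the output shape shown above; the verdict wording is my own first-pass reading of the counters, not ASA documentation.

```python
"""Read per-SA counters out of 'show crypto ipsec sa' and say which side of
the tunnel the clear-text traffic is failing to reach.

Added example, not part of the original thread. SAMPLE is a constructed,
trimmed copy of the output pasted above; the diagnosis text is an assumption
(my own reading of encaps/decaps), not ASA documentation.
"""
import re

SAMPLE = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254
      access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

_PATTERNS = {
    "local": r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/",
    "remote": r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/",
    "peer": r"current_peer: ([\d.]+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "errors": r"#send errors: (\d+), #recv errors: (\d+)",
}


def parse_ipsec_sa(text):
    """Return one dict per SA; each block starts at its 'local ident' line."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(_PATTERNS["local"], line):
            cur = {"local": f"{m[1]}/{m[2]}", "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
        elif cur is None:
            continue  # header lines before the first SA block
        elif m := re.match(_PATTERNS["remote"], line):
            cur["remote"] = f"{m[1]}/{m[2]}"
        elif m := re.match(_PATTERNS["peer"], line):
            cur["peer"] = m[1]
        elif m := re.match(_PATTERNS["encaps"], line):
            cur["encaps"] = int(m[1])
        elif m := re.match(_PATTERNS["decaps"], line):
            cur["decaps"] = int(m[1])
        elif m := re.match(_PATTERNS["errors"], line):
            cur["send_errors"], cur["recv_errors"] = int(m[1]), int(m[2])
    return sas


def diagnose(sa):
    """Map the encaps/decaps pattern to a short verdict and what to check next."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return ("no-traffic",
                "nothing encrypted or decrypted on this SA: clear-text packets are "
                "not reaching the crypto map on either side (check routing towards "
                "the outside interface, the inside interface ACL, and that the nat 0 "
                "ACL exempts exactly the networks the crypto ACL matches)")
    if enc > 0 and dec == 0:
        return ("no-return",
                "this side encrypts but receives nothing: the peer is not sending "
                "back (check its routing, no-nat and interface ACL for the reply)")
    if enc == 0 and dec > 0:
        return ("no-reply",
                "this side decrypts but never encrypts: replies are not routed into "
                "the tunnel or are NATed before they reach the crypto map")
    return ("ok", "traffic is flowing in both directions")


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        code, why = diagnose(sa)
        print(f"{sa['local']} -> {sa['remote']} via {sa['peer']}: {code}: {why}")
```

Run it on both peers' output: the all-zero case pasted above gives `no-traffic` on both sides, which is why the next reply points at routing, the interface ACL and the no-nat rule rather than at the IKE/IPsec negotiation, which is demonstrably fine (the SAs exist with matching SPIs).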
07-22-2009 07:25 AM
Then you are either blocking, or your routing is not correct, or your interesting ACL is wrong, or your no-nat is wrong. I took some of your config into my lab with a PIX 515 and an ASA and put them back to back, with 2 routers on either side; this works:
hostname FW0
int e0
nameif outside
ip address 1.1.1.1 255.255.255.0
no shut
int e1
nameif inside
ip address 172.16.51.250 255.255.255.0
no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.16.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
route inside 172.16.54.0 255.255.255.0 172.16.51.254
route outside 172.24.104.0 255.255.255.0 1.1.1.1
route outside 172.24.107.0 255.255.255.0 1.1.1.1
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 2.2.2.2
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key cisco1234
!
end
**********************
hostname FW1
int e0
nameif outside
ip address 2.2.2.2 255.255.255.0
no shut
int e1
nameif inside
ip address 172.24.104.250 255.255.255.0
no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.24.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2
route inside 172.24.107.0 255.255.255.0 172.24.104.254
route outside 172.16.51.0 255.255.255.0 2.2.2.2
route outside 172.16.54.0 255.255.255.0 2.2.2.2
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco1234
!
end
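The mismatch pointed out earlier in the thread (a crypto ACL built from object-groups while the nat 0 ACL names a single pair of subnets) and the requirement the lab configs above satisfy (each peer's crypto ACL is the exact mirror of the other's) can both be checked mechanically before bringing a tunnel up. The following is an added example, not code from the thread or from Cisco: it parses the relevant ASA configuration lines, expands object-groups, and reports crypto-ACL entries that have no NAT exemption and entries that are not mirrored on the peer. SITE_A and SITE_B are constructed snippets modelled on the configs discussed above; only the `permit ip` forms seen in the thread are handled, and the function names are mine.

```python
"""Cross-check a Cisco ASA's crypto (interesting-traffic) ACL against its nat 0
(NAT exemption) ACL, and check that two peers' crypto ACLs mirror each other.

Added example, not code from the thread. SITE_A/SITE_B are constructed to
reproduce the mismatch described above (object-group crypto ACL, single-line
nat 0 ACL). Only 'access-list ... extended permit ip' entries are parsed.
"""
import ipaddress
import re
from collections import defaultdict
from itertools import product

SITE_A = """\
object-group network DM_INLINE_NETWORK_4
 network-object 172.16.54.0 255.255.255.0
 network-object 172.16.51.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 172.24.107.0 255.255.255.0
 network-object 172.24.104.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

SITE_B = """\
access-list Inside_nat0_outbound extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""


def _operand(tokens, i, groups):
    """Decode one ACL address operand at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2  # undefined group expands to nothing
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_asa(cfg):
    """Return the expanded (src, dst) network pairs of the nat 0 ACL and the crypto ACL."""
    groups, acls = defaultdict(list), defaultdict(set)
    group = nat0 = crypto = None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            group = m[1]
        elif m := re.match(r"\s+network-object host (\S+)", line):
            groups[group].append(ipaddress.ip_network(m[1] + "/32"))
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            groups[group].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            tokens = m[2].split()
            srcs, i = _operand(tokens, 0, groups)
            dsts, _ = _operand(tokens, i, groups)
            acls[m[1]].update(product(srcs, dsts))  # one pair per group member combination
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0 = m[1]
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto = m[1]
    return {"nat0": acls.get(nat0, set()), "crypto": acls.get(crypto, set())}


def uncovered_by_nat0(site):
    """Crypto-ACL pairs no nat 0 entry exempts: this traffic is NATed before it hits the crypto map."""
    return sorted(
        (s, d) for s, d in site["crypto"]
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in site["nat0"])
    )


def not_mirrored(local, remote):
    """Local crypto pairs whose (dst, src) mirror is missing from the peer's crypto ACL."""
    return sorted((s, d) for s, d in local["crypto"] if (d, s) not in remote["crypto"])


if __name__ == "__main__":
    a, b = parse_asa(SITE_A), parse_asa(SITE_B)
    for s, d in uncovered_by_nat0(a):
        print(f"site A: crypto {s} -> {d} has no nat 0 exemption")
    for s, d in not_mirrored(a, b):
        print(f"site A: crypto {s} -> {d} is not mirrored on site B")
```

Against the constructed snippets, site A's crypto ACL expands to four subnet pairs of which only 172.16.54.0/24 -> 172.24.107.0/24 is NAT-exempted and mirrored by site B; the other three are reported. The same check applied to the lab configs above passes, since `vpn-tunnel` is used for both `nat (inside) 0` and `match address` and FW1's entries are the swapped copies of FW0's.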
07-22-2009 07:35 AM
I ran a packet trace and the ICMP was blocked on the 'Implicit Deny Rule' on the Inside interface of the ASA5520. I have a rule that allows all ICMP for that same interface, so why is the implicit rule blocking packets?