VPN no Packets

Arif .
Level 1

Hi,

I'm trying to set up a VPN tunnel between two sites using an ASA5510 and an ASA5520.

I have successful VPN establishment but I am unable to transfer packets across. I want to be able to see the networks sitting behind the f/w LANs, but even the f/w LANs cannot send packets to each other.

I have attached the two configs and a brief diagram.

Thanks.

17 Replies

andrew.prince
Level 10

check your no-nat

HTH

Hi,

Can you please be a bit more specific?

Thanks.

Your encryption domains (interesting VPN traffic) do not match your no-nat config.

I've checked both configs; there is no 'no-nat' reference.

Is that what you mean, that no 'no-nat' rule exists?

You do have a no-nat; you have it configured like this on the 5510:-

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

but your interesting ACL on the 5510 is:-

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

The ACLs do not match.

Ah, so if I change it to:

access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

That should pick it up as interesting traffic and will match the no-nat rule?

Yes - I would suggest you create another ACL and name it something else, then you can switch between the two.

Or, if I want to allow traffic from the LAN sitting behind each f/w LAN, I can do:

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

?
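The mismatch andrew.prince describes (the crypto ACL uses object-groups while the nat 0 exemption ACL lists a single subnet pair) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed config in the shape of the 5510 snippets above, expands the object-groups (their members are assumed, since the thread never shows them) and lists every interesting-traffic flow that no exemption ACE covers. Only `permit ip` ACEs written as `addr mask` or `object-group NAME` are handled.

```python
import ipaddress
import re

# Constructed sample in the shape of the 5510 snippets quoted above (object-group
# members are an assumption; the thread never shows them).
SAMPLE_CONFIG = """
object-group network DM_INLINE_NETWORK_4
 network-object 172.16.54.0 255.255.255.0
 network-object 172.16.51.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 172.24.107.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

def parse_object_groups(cfg):
    """Map object-group name -> list of member networks (network-object lines only)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups

def expand(tok, groups):
    # Resolve 'object-group NAME' or 'addr mask' to a list of networks.
    if tok.startswith("object-group "):
        return groups[tok.split()[1]]
    addr, mask = tok.split()
    return [ipaddress.ip_network(f"{addr}/{mask}")]

def parse_acl(cfg, name, groups):
    """(src, dst) network pairs for every 'permit ip' ACE of the named ACL."""
    ace = re.compile(rf"access-list {re.escape(name)} extended permit ip "
                     r"(object-group \S+|\S+ \S+) (object-group \S+|\S+ \S+)$")
    return [(s, d) for m in map(ace.match, cfg.splitlines()) if m
            for s in expand(m.group(1), groups) for d in expand(m.group(2), groups)]

def uncovered_crypto_flows(cfg):
    """Interesting-traffic flows no nat 0 (exemption) ACE covers: these get NATed
    before the crypto map is consulted, so the tunnel stays up with zero encaps."""
    groups = parse_object_groups(cfg)
    nat0 = re.search(r"nat \(\S+\) 0 access-list (\S+)", cfg).group(1)
    crypto = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    exempt = parse_acl(cfg, nat0, groups)
    return [(str(s), str(d)) for s, d in parse_acl(cfg, crypto, groups)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
```

An empty result means every flow the crypto map will protect is also exempt from translation; anything listed is a subnet pair that will be NATed instead of encrypted.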

Did the update, no joy; the VPN tunnel is still up but no packets are going through.

Is your interesting traffic ACL being hit? When you do a show crypto ipsec sa, can you see packets being encrypted and decrypted at both sides?

Both f/w are responding:

There are no ipsec sas

OK, this is the output I got:

ASA5520:

LYV-LHC-ASA5520-01# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254

      access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 193.82.146.254, remote crypto endpt.: 81.246.92.116
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E27A8077

    inbound esp sas:
      spi: 0x5E2B2FB6 (1579888566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 45056, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28765)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE27A8077 (3799679095)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 45056, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28764)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA5510:

interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116

      access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      current_peer: 193.82.146.254

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 81.246.92.116, remote crypto endpt.: 193.82.146.254
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5E2B2FB6

    inbound esp sas:
      spi: 0xE27A8077 (3799679095)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 176128, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28678)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5E2B2FB6 (1579888566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 176128, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28678)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Then you are either blocking, or your routing is not correct, or your interesting ACL is wrong, or your no-nat is wrong. I took some of your config into my lab with a PIX 515 and an ASA and put them back to back - with 2 routers on either side, this works:-

hostname FW0
int e0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
 no shut
int e1
 nameif inside
 ip address 172.16.51.250 255.255.255.0
 no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.16.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
route inside 172.16.54.0 255.255.255.0 172.16.51.254
route outside 172.24.104.0 255.255.255.0 1.1.1.1
route outside 172.24.107.0 255.255.255.0 1.1.1.1
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 2.2.2.2
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco1234
!
end

**********************

hostname FW1
int e0
 nameif outside
 ip address 2.2.2.2 255.255.255.0
 no shut
int e1
 nameif inside
 ip address 172.24.104.250 255.255.255.0
 no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.24.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2
route inside 172.24.107.0 255.255.255.0 172.24.104.254
route outside 172.16.51.0 255.255.255.0 2.2.2.2
route outside 172.16.54.0 255.255.255.0 2.2.2.2
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
! match address must reference the vpn-tunnel ACL defined above (the posted line named a non-existent ACL)
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco1234
!
end

I ran a packet trace and the ICMP was blocked on the 'Implicit Deny Rule' on the Inside interface of the ASA5520. I have a rule that allows all ICMP for that same interface, so why is the implicit rule blocking packets?