09-14-2009 02:47 AM
Hello,
I have a working L2L tunnel from a Cisco ASA 5505 to an Astaro security device. There are 4 remote LANs that are routed over this tunnel: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 and 143.65.0.0/16.
However, I cannot reach any remote device in the 143.65.0.0 LAN, but I can reach devices in the other 3 LANs.
'show crypto ipsec sa' shows that IPsec sessions are established only for the other LANs, but not for 143.65.0.0.
Can anyone tell me why? Is there any LAN limitation, or is it not allowed to use a public IP range for a LAN? But it works just fine with the old PIX 501.
This is part of my configuration:
ASA Version 7.2(4)
...
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.94.200 255.255.255.0
...
object-group network test
 network-object 192.168.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 143.65.0.0 255.255.0.0
access-list outside_cryptomap_10 extended permit ip 192.168.94.0 255.255.255.0 object-group test
access-list outside_nonat_10 extended permit ip 192.168.94.0 255.255.255.0 object-group test
...
global (outside) 1 interface
nat (inside) 0 access-list outside_nonat_10
nat (inside) 1 0.0.0.0 0.0.0.0
...
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map raagfw02 10 match address outside_cryptomap_10
crypto map raagfw02 10 set pfs
crypto map raagfw02 10 set peer x.x.x.x
crypto map raagfw02 10 set transform-set ESP-AES-128-SHA
crypto map raagfw02 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 13
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 7800
crypto isakmp nat-traversal 20
...
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
Any quick response warmly welcomed.
Thanks
09-14-2009 03:27 AM
Kim
There are no limitations in terms of private/public subnets. The ASA doesn't really care one way or the other.
I assume that to get to all the remote VPN subnets you have to route out of the same interface?
If so, then there doesn't look to be a lot wrong with your config. Have you tried debugging IPsec to see what is happening when the tunnel is initiated?
You may also want to verify that the Astaro is configured correctly.
Jon
09-14-2009 04:20 AM
Hi Jon,
Thanks for fast response.
When I ping a device in 143.65.0.0/16, I can see that an IPsec SA is created but then removed again:
IPSEC: New embryonic SA created @ 0x0396ACB0,
SCB: 0x01D293F8,
Direction: inbound
SPI : 0x333C7B2B
Session ID: 0x0000000D
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
...
Sep 14 14:13:45 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid message id (9)
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x1d26588, mess id 0x954c9c0d)!
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE QM Initiator FSM error history (struct &0x1d26588)
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 143.65.0.0, Local Proxy 192.168.94.0
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
I don't have any route set for the other subnets, and still I can reach them.
Astaro is configured correctly.
Kim
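As an added example (not code from the thread or from Cisco), a short Python check that reads the crypto ACL from a config like the one posted, picks the proxy pair the ASA deleted after a 'QM FSM error' (a Phase 2 / quick mode failure) out of debug lines like those above, and reports whether the ASA side already covers that pair. The sample config and log lines are constructed from the thread, with the peer masked as in the post.

```python
import ipaddress
import re

# Constructed sample: the object-group and crypto map ACL from the posted config.
ASA_CONFIG = """\
object-group network test
 network-object 192.168.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 143.65.0.0 255.255.0.0
access-list outside_cryptomap_10 extended permit ip 192.168.94.0 255.255.255.0 object-group test
"""

# Constructed sample of the IKEv1 debug lines quoted in the thread (peer masked as in the post).
IKE_DEBUG = """\
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x1d26588, mess id 0x954c9c0d)!
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 143.65.0.0, Local Proxy 192.168.94.0
"""

def parse_crypto_acl(config):
    """Map each 'permit ip <local> <mask> object-group <g>' ACL to its (local, remote) network pairs."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"\s*network-object (\S+) (\S+)", line):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) object-group (\S+)", line):
            local = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            acls[m.group(1)] = [(local, remote) for remote in groups[m.group(4)]]
    return acls

def failed_proxies(debug):
    """Return (local, remote) proxy pairs the ASA deleted after a 'QM FSM error' (Phase 2 failure)."""
    pairs, saw_qm_error = [], False
    for line in debug.splitlines():
        saw_qm_error = saw_qm_error or "QM FSM error" in line
        m = re.search(r"Remote Proxy (\S+), Local Proxy (\S+)", line)
        if m and saw_qm_error:
            pairs.append((m.group(2), m.group(1)))
    return pairs

def check(config, debug):
    """For each failed proxy pair, report whether the local crypto ACL already covers it.
    True means the ASA offers that pair, so the Phase 2 mismatch (proxy IDs or proposal) is on the peer."""
    entries = [pair for acl in parse_crypto_acl(config).values() for pair in acl]
    return {
        (local, remote): any(ipaddress.ip_address(local) in l and ipaddress.ip_address(remote) in r
                             for l, r in entries)
        for local, remote in failed_proxies(debug)
    }

if __name__ == "__main__":
    print(check(ASA_CONFIG, IKE_DEBUG))  # {('192.168.94.0', '143.65.0.0'): True}
```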