SNChelpdesk Fri, 10/23/2009 - 06:26

I have a site-to-site VPN. I have a device in one location and the software in the other, and the two need to communicate on port 3001. I haven't been able to figure out how to get the device and the software to communicate.

OK - with that in mind, can you answer:

1) From the remote end, can you ping the "device"?

2) From a computer that is running the software, can it ping the "device"?

3) Can the "device" ping the remote computer trying to access the software?

4) Do you control both ends of the VPN tunnel?

5) Are you blocking traffic at one end or both ends?

SNChelpdesk Fri, 10/23/2009 - 06:35

1) I can ping the device on the inside of one end but not the other.

2) I can't ping the device across the tunnel at all.

3) I can control both ends of the tunnel.

Panos Kampanakis Fri, 10/23/2009 - 06:29

You mean you want hosts in site1 to be able to talk to hosts in site2 on port 3001 through the site-to-site VPN?

In that case you need to make sure that this port is included in the crypto-map ACL, of course, so it goes encrypted, and also, if you have ACLs blocking that port on the inside of the sites, open those up.

I hope it helps.


PK


SNChelpdesk Fri, 10/23/2009 - 06:31

That helps, but I'm new at this. Can you explain how to set up those actions?

SNChelpdesk Fri, 10/23/2009 - 06:41

If you would like a copy of the running configs I can provide one.

SNChelpdesk Fri, 10/23/2009 - 06:59

One Side:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.82.224.50 255.255.255.248

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_nat0_outbound remark For remote access clients
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 65.82.224.50 host MorganCityPublic
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list MUVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SNC_splitTunnelAcl standard permit any
access-list outside_nat0_outbound_3 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0



SNChelpdesk Fri, 10/23/2009 - 07:00

Second Side:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.82.227.138 255.255.255.248

access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.2.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.4.5.0 255.255.255.224
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list outside_6_cryptomap extended permit ip host 192.168.2.60 192.168.7.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list outside_cryptomap_4 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any
access-list Mobile_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
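Panos's point above (the port must be selected by the crypto-map ACL so it gets encrypted, and the inside ACLs must permit it) and the manual review of the pasted access-lists that follows can be done mechanically. The Python script below is an added example, not code from this thread or from Cisco: it parses ASA extended ACEs, checks a flow against one side's crypto-map ACL, NAT-exemption ACL and inside ACL, and checks that the peer's crypto ACL selects the mirror-image reply (ASA peers need mirror-image interesting-traffic ACLs). The sample configs are constructed from the subnets in the thread (192.168.1.0/24 on ciscoasa and 192.168.3.0/24 behind 74.165.244.10); the host addresses .50/.60, the ACL names on the second side and the narrowed variant are assumptions. Named objects such as EBA_Inside cannot be resolved from the text, so the script reports those lines instead of guessing what they expand to.

```python
"""Check a flow against ASA site-to-site VPN ACLs: crypto map, NAT exemption, inside ACL.

Added example, not code from the thread or from Cisco. The sample configs are
constructed from the subnets in the thread; EBA_Inside is left unresolved on purpose.
"""
import ipaddress
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _endpoint(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq N'; other operators (range, gt, ...) are not modelled."""
    if len(tokens) >= 2 and tokens[0] == "eq" and tokens[1].isdigit():
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(config_text):
    """Parse extended ACEs. Returns (entries, unresolved): lines using named objects
    (e.g. EBA_Inside) cannot be evaluated numerically and are listed for manual review."""
    entries, unresolved = [], []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue                        # remarks, standard ACLs, other config
        try:
            src, rest = _endpoint(t[5:])
            sport, rest = _port(rest)
            dst, rest = _endpoint(rest)
            dport, rest = _port(rest)
        except (ValueError, IndexError):    # a name where an address was expected
            unresolved.append(line.strip())
            continue
        entries.append({"acl": t[1], "action": t[3], "proto": t[4],
                        "src": src, "dst": dst, "sport": sport, "dport": dport})
    return entries, unresolved


def first_match(entries, acl, flow):
    """ASA ACLs are first-match: return the first ACE of `acl` matching `flow`, else None."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for e in entries:
        if (e["acl"] != acl or e["proto"] not in ("ip", flow.proto)
                or src not in e["src"] or dst not in e["dst"]
                or (e["sport"] is not None and e["sport"] != flow.sport)
                or (e["dport"] is not None and e["dport"] != flow.dport)):
            continue
        return e
    return None


def check_site_to_site(cfg_a, cfg_b, flow, crypto_a, crypto_b,
                       nat0="inside_nat0_outbound", inside_in="inside_access_in"):
    """For flow A->B and its reply B->A: A's crypto ACL must select the flow and B's
    the mirror image, both sides need a NAT-exemption match, A's inside ACL must permit it."""
    ea, unresolved_a = parse_acl(cfg_a)
    eb, unresolved_b = parse_acl(cfg_b)
    reply = Flow(flow.proto, flow.dst, flow.src, sport=flow.dport, dport=flow.sport)

    def permitted(entries, acl, f):
        m = first_match(entries, acl, f)
        return m is not None and m["action"] == "permit"

    return {"a_crypto": permitted(ea, crypto_a, flow),
            "b_crypto_mirror": permitted(eb, crypto_b, reply),
            "a_nat0": permitted(ea, nat0, flow),
            "b_nat0": permitted(eb, nat0, reply),
            "a_inside_in": permitted(ea, inside_in, flow),
            "unresolved": unresolved_a + unresolved_b}


# Constructed sample: side A is "ciscoasa" (inside 192.168.1.0/24), side B is the ASA
# at 74.165.244.10 (inside 192.168.3.0/24). B's ACL names and hosts .50/.60 are assumed.
CFG_A = """
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_access_in extended permit ip any any
"""
CFG_B = """
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
"""
# B's crypto ACL narrowed to web traffic: port 3001 is then not interesting traffic for B.
CFG_B_NARROW = CFG_B.replace(
    "outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0",
    "outside_1_cryptomap extended permit tcp 192.168.3.0 255.255.255.0 eq 80")
FLOW_3001 = Flow("tcp", "192.168.1.50", "192.168.3.60", dport=3001)
```

Running `check_site_to_site(CFG_A, CFG_B, FLOW_3001, "outside_3_cryptomap", "outside_1_cryptomap")` reports every check as passing except `a_nat0`, together with the EBA_Inside line in `unresolved`: the NAT exemption may well be fine, but it cannot be confirmed until the object is expanded. With `CFG_B_NARROW` the mirror check fails, which is exactly the case Panos describes, a crypto ACL that does not cover the port.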

francisco_1 Fri, 10/23/2009 - 07:42

I believe your configs look fine. You are permitting IP on the tunnel, so that should take care of your interesting traffic on the tunnel. Can you ping the hosts from the PIXes?

SNChelpdesk Fri, 10/23/2009 - 07:45

I can only ping the devices from the ASA side not across the tunnel.

francisco_1 Fri, 10/23/2009 - 07:51

Can you do "show crypto ipsec sa" on both PIXes and upload the output?

francisco_1 Fri, 10/23/2009 - 08:10

The tunnel from ciscoasa to ciscoasa2 is up; the tunnel is built. See below...

Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50

access-list outside_2_cryptomap permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Thibodaux-inside/255.255.255.0/0/0)
current_peer: 65.82.227.138

#pkts encaps: 70966519, #pkts encrypt: 70970711, #pkts digest: 70970711
#pkts decaps: 58306128, #pkts decrypt: 58306128, #pkts verify: 58306128
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 70966519, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 4192, #pre-frag failures: 0, #fragments created: 8384
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 13619
#send errors: 0, #recv errors: 0

local crypto endpt.: 65.82.224.50, remote crypto endpt.: 65.82.227.138

Do you have output from ciscoasa2 to ciscoasa? I can't see it! Unless I am going blind!!!

francisco_1 Fri, 10/23/2009 - 08:26

OK. I am confused. I thought the IPsec problem is between 65.82.227.138 (ciscoasa2) and 65.82.224.50 (ciscoasa). Is that not so?

francisco_1 Fri, 10/23/2009 - 08:28

Which device is 74.165.244.10?

SNChelpdesk Fri, 10/23/2009 - 08:32

There are three ASAs, all with site-to-site VPN tunnels. The IPsec tunnel is between the 65.x.x.x ones. The 74.x.x.x is the one in which I need to get the pinholes put in.

francisco_1 Fri, 10/23/2009 - 09:00

Earlier you mentioned the problem is communication between the 192.168.2.0 and 192.168.1.0 subnets on port 3001 over the IPsec tunnel between 65.82.224.50 -> 65.85.227.138!!

Kevin, for clarity please explain what exactly the problem is.

Thanks

francisco



SNChelpdesk Fri, 10/23/2009 - 09:05

I'm sorry, Francisco. The problem lies between subnets 192.168.3.0/24 & 192.168.1.0/24 on port 3001.

francisco_1 Fri, 10/23/2009 - 09:23

Your tunnel is up. Can you ping the inside interfaces from both firewalls through the tunnel? For example, ping 192.168.1.1 (select the outside interface).

Crypto map tag: outside_map, seq num: 1, local addr: 65.82.224.50

access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (MorganCity-inside/255.255.255.0/0/0)
current_peer: MorganCityPublic

#pkts encaps: 22361951, #pkts encrypt: 22361955, #pkts digest: 22361955
#pkts decaps: 17685532, #pkts decrypt: 17685532, #pkts verify: 17685532

Crypto map tag: outside_map, seq num: 1, local addr: 74.165.244.10

access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 65.82.224.50

#pkts encaps: 5499955, #pkts encrypt: 5499955, #pkts digest: 5499955
#pkts decaps: 6493468, #pkts decrypt: 6493468, #pkts verify: 6493468
#pkts compressed: 0, #pkts decompressed: 0

Also

Can you do debug crypto ipsec and debug crypto engine and finally clear crypto ipsec sa?

After clearing crypto ipsec sa, if it doesn't work, send me the debug output.

Are your hosts sitting behind the ASAs connected to a switch? Can the ASAs ping your hosts?
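Francisco reads the tunnel state off the encaps/decaps counters in the show crypto ipsec sa output, and the "ping through the tunnel, then clear crypto ipsec sa" procedure above is the usual way to see which counters actually move. The script below is an added example, not code from the thread or from Cisco: it parses two snapshots of the output taken before and after a test ping and classifies each SA by which direction's counter changed, which separates "the traffic never matched the crypto ACL" from "the far end never sends anything back". The sample snapshots are constructed in the layout of the output quoted above; the counter values, the seq numbers and the SA to 192.168.3.0/24 are invented.

```python
"""Diff two 'show crypto ipsec sa' snapshots and classify each SA's traffic pattern.

Added example, not from the thread. The snapshots are constructed in the layout of
the ASA output quoted in the thread; all counter values are invented.
"""
import re

_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
_FIELDS = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \((.+)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \((.+)\)"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}


def parse_ipsec_sa(text):
    """Return {(map, seq, local addr, local ident, remote ident): fields} per SA block."""
    blocks = []
    for line in text.splitlines():
        m = _HEADER.search(line)
        if m:
            blocks.append({"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3)})
            continue
        if not blocks:
            continue                          # text before the first SA block
        for key, rx in _FIELDS.items():
            m = rx.search(line)
            if m:
                val = m.group(1)
                blocks[-1][key] = int(val) if val.isdigit() else val
    return {(b["map"], b["seq"], b["local_addr"], b["local_ident"], b["remote_ident"]): b
            for b in blocks}


def classify(before, after):
    """Compare two snapshots taken around a test such as a ping through the tunnel.

    no-match       nothing hit the SA: traffic was not selected by the crypto ACL
                   (interesting-traffic ACL or NAT exemption on this side)
    one-way-out    we encrypt but nothing comes back: far side's crypto ACL, NAT
                   exemption or routing back into the tunnel
    one-way-in     the peer sends but our replies are never encrypted: local side
    bidirectional  both counters moved
    rekeyed        counters went backwards (SA cleared or renegotiated in between)
    """
    report = {}
    for key, b in before.items():
        a = after.get(key)
        if a is None:
            report[key] = "sa-gone"
            continue
        d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
        if d_enc < 0 or d_dec < 0:
            verdict = "rekeyed"
        elif d_enc == 0 and d_dec == 0:
            verdict = "no-match"
        elif d_dec == 0:
            verdict = "one-way-out"
        elif d_enc == 0:
            verdict = "one-way-in"
        else:
            verdict = "bidirectional"
        if a["send_errors"] > b["send_errors"] or a["recv_errors"] > b["recv_errors"]:
            verdict += "+errors"
        report[key] = verdict
    return report


def _snapshot(enc1, dec1, enc2, dec2):
    """Build a constructed two-SA snapshot with the given counter values."""
    return f"""
    Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 65.82.227.138
      #pkts encaps: {enc1}, #pkts encrypt: {enc1}, #pkts digest: {enc1}
      #pkts decaps: {dec1}, #pkts decrypt: {dec1}, #pkts verify: {dec1}
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 3, local addr: 65.82.224.50
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 74.165.244.10
      #pkts encaps: {enc2}, #pkts encrypt: {enc2}, #pkts digest: {enc2}
      #pkts decaps: {dec2}, #pkts decrypt: {dec2}, #pkts verify: {dec2}
      #send errors: 0, #recv errors: 0
    """


BEFORE = _snapshot(500, 400, 100, 0)
AFTER = _snapshot(520, 415, 110, 0)    # SA to 192.168.3.0/24: we send, nothing returns
```

`classify(parse_ipsec_sa(BEFORE), parse_ipsec_sa(AFTER))` marks the 192.168.2.0/24 SA as bidirectional and the 192.168.3.0/24 SA as one-way-out, which points the search at the far end rather than at the local crypto ACL. Feeding the snapshots in the wrong order (or a pair taken across a clear crypto ipsec sa) yields "rekeyed" instead of a misleading verdict.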

SNChelpdesk Fri, 10/23/2009 - 10:21

Francisco, I'm still trying to run those commands. I'm not able to run the debug commands from the command-line window, and I'm having trouble connecting via SSH. Any other thoughts on how to connect?

francisco_1 Fri, 10/23/2009 - 23:52

Are you having difficulties connecting to both firewalls? Make sure the IP you're connecting from is permitted on the firewalls...

Do you have console access?

SNChelpdesk Fri, 10/23/2009 - 10:38

The hosts are connected to a switch, and the ASA can ping the hosts.

francisco_1 Mon, 10/26/2009 - 10:32

Kevin,

Have you managed to connect to the firewalls to run the debugs?
