Site to Site VPN Established, but not passing traffic properly

Apr 26th, 2010

We have a Cisco ASA5505 with a site-to-site VPN to a Cisco SA520. The VPN is up and I can confirm that on both devices. I have an FTP server behind the ASA and a web server behind the SA520. Here is the network setup:
FTP server (10.0.6.100/24) ---> (10.0.6.254) ASA (172.16.16.2) <----> (172.16.10.2) SA520 (10.0.1.254/24) <---- web server (10.0.1.100/24)
I can browse to the FTP server from the web server and download a file just fine; however, when I'm on the FTP server I cannot access anything on the web server. I believe the issue is on the ASA, so I will post the relevant configuration:
nhla-asa# show ver


Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)


Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"


nhla-asa up 50 mins 55 secs


Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB


Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is 8843.e111.9ff6, irq 11
1: Ext: Ethernet0/0         : address is 8843.e111.9fee, irq 255
2: Ext: Ethernet0/1         : address is 8843.e111.9fef, irq 255
3: Ext: Ethernet0/2         : address is 8843.e111.9ff0, irq 255
4: Ext: Ethernet0/3         : address is 8843.e111.9ff1, irq 255
5: Ext: Ethernet0/4         : address is 8843.e111.9ff2, irq 255
6: Ext: Ethernet0/5         : address is 8843.e111.9ff3, irq 255
7: Ext: Ethernet0/6         : address is 8843.e111.9ff4, irq 255
8: Ext: Ethernet0/7         : address is 8843.e111.9ff5, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255


Licensed features for this platform:
Maximum Physical Interfaces  : 8        
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 50       
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
SSL VPN Peers                : 2        
Total VPN Peers              : 10       
Dual ISPs                    : Disabled 
VLAN Trunk Ports             : 0        
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 2        
Total UC Proxy Sessions      : 2        
Botnet Traffic Filter        : Disabled 


This platform has a Base license.


Serial Number:
Running Activation Key:
Configuration register is 0x1
Configuration last modified by enable_15 at 10:23:46.299 UTC Mon Apr 26 2010
nhla-asa#

nhla-asa# show ipsec sa
interface: outside
    Crypto map tag: Outside_Map, seq num: 11, local addr: 172.16.16.2


      access-list Outside_Map_11 permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
      current_peer: 172.16.10.2


      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: 172.16.16.2, remote crypto endpt.: 172.16.10.2


      path mtu 1404, ipsec overhead 58, media mtu 1500
      current outbound spi: 01E2B3B5


    inbound esp sas:
      spi: 0x91971A9D (2442599069)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: Outside_Map
         sa timing: remaining key lifetime (sec): 28749
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x01E2B3B5 (31634357)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: Outside_Map
         sa timing: remaining key lifetime (sec): 28749
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


nhla-asa#

nhla-asa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname nhla-asa
domain-name nhla.local
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.6.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.16.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name nhla.local
object-group service mail tcp
port-object eq https
port-object eq smtp
access-list nonat extended permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inbound extended permit tcp any host 172.16.16.2 object-group mail
access-list inbound extended permit icmp any any
access-list NHLA_VPN extended permit ip 10.0.6.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list Outside_Map_10 extended permit ip 10.0.6.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Outside_Map_10 remark Manchester
access-list Outside_Map_11 extended permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Outside_Map_11 remark Claremont
access-list Outside_Map_12 extended permit ip 10.0.6.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Map_12 remark Littleton
access-list Outside_Map_13 extended permit ip 10.0.6.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list Outside_Map_13 remark Portsmouth
access-list Outside_Map_14 extended permit ip 10.0.6.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list Outside_Map_14 remark Berlin
access-list Outside_Map_15 extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list Outside_Map_15 remark Nashua
pager lines 24
mtu inside 1404
mtu outside 1404
ip local pool VPN_Pool 192.168.255.1-192.168.255.50
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 10.0.6.1 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.6.1 smtp netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.16.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NHLA protocol radius
aaa-server NHLA (inside) host 10.0.6.1
aaa authentication ssh console LOCAL
crypto ipsec transform-set Tunnels esp-3des esp-md5-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP_3DES_SHA
crypto map Outside_Map 10 match address Outside_Map_10
crypto map Outside_Map 10 set peer 172.16.13.2
crypto map Outside_Map 10 set transform-set Tunnels
crypto map Outside_Map 11 match address Outside_Map_11
crypto map Outside_Map 11 set peer 172.16.10.2
crypto map Outside_Map 11 set transform-set Tunnels
crypto map Outside_Map 12 match address Outside_Map_12
crypto map Outside_Map 12 set peer 172.16.12.2
crypto map Outside_Map 12 set transform-set Tunnels
crypto map Outside_Map 13 match address Outside_Map_13
crypto map Outside_Map 13 set peer 172.16.15.2
crypto map Outside_Map 13 set transform-set Tunnels
crypto map Outside_Map 14 match address Outside_Map_14
crypto map Outside_Map 14 set peer 172.16.11.2
crypto map Outside_Map 14 set transform-set Tunnels
crypto map Outside_Map 15 match address Outside_Map_15
crypto map Outside_Map 15 set peer 172.16.14.2
crypto map Outside_Map 15 set transform-set Tunnels
crypto map Outside_Map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_Map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
             
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy NHLA internal
group-policy NHLA attributes
wins-server value 10.0.6.1
dns-server value 10.0.6.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NHLA_VPN
default-domain value nhla.local
tunnel-group NHLA_Remote_Clients type remote-access
tunnel-group NHLA_Remote_Clients general-attributes
address-pool VPN_Pool
authentication-server-group NHLA
default-group-policy NHLA
tunnel-group NHLA_Remote_Clients ipsec-attributes
pre-shared-key *
tunnel-group 172.16.13.2 type ipsec-l2l
tunnel-group 172.16.13.2 ipsec-attributes
pre-shared-key *
tunnel-group 172.16.10.2 type ipsec-l2l
tunnel-group 172.16.10.2 ipsec-attributes
pre-shared-key *
tunnel-group 172.16.12.2 type ipsec-l2l
tunnel-group 172.16.12.2 ipsec-attributes
pre-shared-key *
tunnel-group 172.16.15.2 type ipsec-l2l
tunnel-group 172.16.15.2 ipsec-attributes
pre-shared-key *
tunnel-group 172.16.11.2 type ipsec-l2l
tunnel-group 172.16.11.2 ipsec-attributes
pre-shared-key *
tunnel-group 172.16.14.2 type ipsec-l2l
tunnel-group 172.16.14.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5341dbf059dbada608646ae3aa5f2a8b
: end
nhla-asa#
When I issue a ping from my web server to my FTP server, it goes through just fine and you can see the "pkts encaps" & "pkts decaps" counters increment. When I issue a ping from my FTP server to my web server, I get request timed out, and no counters increment. I've done a crypto isakmp, ipsec, and engine debug with 255 for verbosity and I receive no messages when I ping from FTP to web. I've even configured the ASA to do a packet capture and it does not pick up any packets when I ping from FTP to web.
ANY THOUGHTS?
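One check worth running over a config like the one posted above, as an added example (not the poster's or Cisco's code, and not a diagnosis of this particular fault): parse the crypto-map ACLs and the "nat (inside) 0" exemption list and report which tunnels' interesting traffic is exempt from NAT, since on ASA 8.2 a flow that is PAT'd before the crypto lookup never matches its crypto ACL. Against the posted lines it shows that the Claremont tunnel (Outside_Map_11) is covered by the nonat list while the other site ACLs are not; the names parse_acls, audit_nat_exemption and SAMPLE are chosen here, and SAMPLE is a constructed excerpt of the configuration above.

```python
import ipaddress
import re

# Line patterns of interest in an ASA 8.2 config (hypothetical parser, not a Cisco tool)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            # ipaddress accepts dotted netmasks, e.g. "10.0.6.0/255.255.255.0"
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}", strict=False),
                 ipaddress.ip_network(f"{d}/{dm}", strict=False)))
    return acls

def audit_nat_exemption(config):
    """Map each crypto-map ACL name to True when every flow it protects is also
    matched by a 'nat (x) 0 access-list' (identity NAT) entry; NAT is applied
    before the crypto map lookup, so a translated flow never enters the tunnel."""
    acls = parse_acls(config)
    exempt = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            exempt.extend(acls.get(m.group(1), []))
    result = {}
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            flows = acls.get(m.group(1), [])
            result[m.group(1)] = bool(flows) and all(
                any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
                for s, d in flows)
    return result

# Constructed excerpt, reduced from the configuration posted above.
SAMPLE = """\
access-list nonat extended permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Outside_Map_10 extended permit ip 10.0.6.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Outside_Map_11 extended permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map Outside_Map 10 match address Outside_Map_10
crypto map Outside_Map 11 match address Outside_Map_11
"""
```

Calling audit_nat_exemption(SAMPLE) returns a dict keyed by crypto ACL name; a False entry means that tunnel's traffic is translated by the dynamic NAT rule before encryption. Feeding it the full "show run" text works the same way, since remark and non-ip lines are ignored.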

dapogsdapogs Mon, 04/26/2010 - 18:03

Hi Jeremy,


Just a thought, I don't see any reverse-route statements on your crypto-maps so that will make the traffic over the VPN one-way. Try adding this line:


crypto map Outside_Map "acl number" set reverse-route
