Site to Site VPN between Cisco 1800 and ASA 5510

jbeckles
Level 1

Hi Cisco Guru,

I am trying to set up a site-to-site VPN between an IOS router and an ASA as per the above. Phase 1 and Phase 2 seem fine as per the following, but I could not ping the internal interface of the router or the ASA, or any device at either endpoint of the VPN tunnel. Please see the show crypto isakmp sa and ipsec sa output below.

I also paste the VPN config details for both devices, ASA and Cisco 1800, below.

REMOTE-A#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
216.191.92.30   99.226.165.96   QM_IDLE           2056    0 ACTIVE

IPv6 Crypto ISAKMP SA

REMOTE-A#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: SDM_CMAP_1, local addr 99.226.165.96

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
   current_peer 216.191.9x.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 99.226.165.96, remote crypto endpt.: 216.191.9x.30
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x99132F9D(2568171421)

     inbound esp sas:
      spi: 0x9ABAC98(162245784)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 43, flow_id: Motorola SEC 2.0:43, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4508527/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x99132F9D(2568171421)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 44, flow_id: Motorola SEC 2.0:44, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4508526/3509)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Config script for both router and ASA:

ASA Version 7.0(5)
!
hostname PO-ASA
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2x.xx 255.255.252.0 standby 192.168.2x.xx
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 216.191.9x.xx 255.255.255.0 standby 216.191.9x.31
!
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.2x.0 255.255.252.0 172.17.100.0 255.255.255.0
access-list acl_inside_in extended permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-ssn
access-list acl_inside_in extended permit udp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-ns
access-list acl_inside_in extended permit udp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-dgm
access-list acl_inside_in extended deny udp any any eq netbios-dgm
access-list acl_inside_in extended deny udp any any eq netbios-ns
access-list acl_inside_in extended deny tcp any any eq netbios-ssn
access-list acl_inside_in extended permit ip any any
access-list test_only extended permit ip 192.168.2x.0 255.255.252.0 172.17.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
access-group acl_inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.191.9x.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco123
tunnel-group 99.226.165.96 type ipsec-l2l
tunnel-group 99.226.165.96 ipsec-attributes
 pre-shared-key cisco123

Configuration for the IOS 1800 router, version 12.4:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 216.191.9x.30
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 ipsec-isakmp
 description Tunnel to216.191.92.30
 set peer 216.191.9x.xx
 set transform-set ESP-3DES-SHA
 match address 103
!
!
interface FastEthernet0
 description Internet Connection$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 ip access-group 102 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description Internal LAN$FW_INSIDE$
 ip address 172.17.100.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
ip nat inside source list NAT_IP_TRAFFIC interface FastEthernet0 overload
!
ip access-list extended NAT_IP_TRAFFIC
 remark Allow IP Traffic to be NATed except IPSec traffic
 deny ip 172.17.100.0 0.0.0.255 192.168.2x.0 0.0.3.255
 permit ip any any
!
access-list 100 remark SDM_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 permit ip 172.17.100.0 0.0.0.255 192.168.20.0 0.0.3.255
!
end

Please help me find what is wrong in the configuration. Please note that the IOS router is connected to the ISP with a dynamically assigned address.

Thanks in advance for your help.

3 Replies

Marcin Latosiewicz
Cisco Employee

Edit: removed the initial post, it had a skewed look.

So no encapsulated packets are hitting the firewall.

Please check NAT and routing on the router side, and check with captures on the firewall to see whether ESP packets are arriving.

If there are encaps on the router but no decaps on the firewall, check the devices in between.
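The check described in the reply above (compare encaps on one side with decaps on the other, before and after a test ping) can be automated. The following is an added example, not code from the thread or from Cisco: it pulls the four relevant counters out of `show crypto ipsec sa` text in both the IOS and ASA output formats, diffs two snapshots because the counters are cumulative, and names which leg of the round trip is failing. The sample output embedded below is constructed (placeholder addresses, counter values chosen to resemble the pattern in this thread), and the counter names and the two output formats are taken from the dumps posted here.

```python
import re
from typing import Dict

# Counter names as printed by "show crypto ipsec sa" on IOS and ASA.
# IOS prints "#send errors 2", ASA prints "#send errors: 0", so the colon is optional.
_COUNTER_RE = re.compile(
    r"#(?P<name>pkts encaps|pkts decaps|send errors|recv errors):?\s*(?P<value>\d+)"
)

# Constructed sample of one SA block in IOS format (not the poster's real output).
IOS_SAMPLE = """\
interface: FastEthernet0
    Crypto map tag: SDM_CMAP_1, local addr 198.51.100.10
   local  ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
"""

# Constructed sample of the peer's SA block in ASA format.
ASA_SAMPLE = """\
peer address: 198.51.100.10
    Crypto map tag: outside_dyn_map, seq num: 40, local addr: 203.0.113.30
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #send errors: 0, #recv errors: 0
"""


def parse_counters(show_output: str) -> Dict[str, int]:
    """Extract encaps/decaps/error counters from one SA block of show output."""
    counters = {"pkts encaps": 0, "pkts decaps": 0, "send errors": 0, "recv errors": 0}
    for m in _COUNTER_RE.finditer(show_output):
        counters[m.group("name")] = int(m.group("value"))
    return counters


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters are cumulative: diff two snapshots taken around a test ping
    so that old traffic does not mask what the current test is doing."""
    return {k: after[k] - before[k] for k in before}


def diagnose(initiator: Dict[str, int], responder: Dict[str, int]) -> str:
    """Classify one-way traffic from the counter deltas of both peers.
    `initiator` is the side that sent the test traffic, `responder` the peer."""
    if initiator["pkts encaps"] == 0:
        return "initiator-not-encrypting"       # traffic never reached the crypto map
    if responder["pkts decaps"] == 0:
        return "esp-lost-in-transit"            # encrypted, but never arrived
    if responder["pkts encaps"] == 0:
        return "responder-not-encrypting-reply" # decrypted, but no reply hit crypto
    if initiator["pkts decaps"] == 0:
        return "reply-lost-in-transit"          # reply encrypted, never arrived
    return "tunnel-ok"


EXPLANATION = {
    "initiator-not-encrypting": "check routing, the NAT exemption and the crypto ACL on the initiating side",
    "esp-lost-in-transit": "capture ESP on the responder's outside interface and check devices in between",
    "responder-not-encrypting-reply": "return traffic is not reaching the responder's crypto map: check its routing, NAT exemption and whether the target host answers",
    "reply-lost-in-transit": "replies are encrypted but dropped on the way back",
    "tunnel-ok": "both directions carry packets; look beyond the tunnel",
}


def analyse(router_before: str, router_after: str, fw_before: str, fw_after: str) -> str:
    """Convenience wrapper: two snapshots per side in, diagnosis code out."""
    r = delta(parse_counters(router_before), parse_counters(router_after))
    f = delta(parse_counters(fw_before), parse_counters(fw_after))
    return diagnose(r, f)


if __name__ == "__main__":
    # Before-snapshots at zero (constructed); after-snapshots are the samples above.
    zero = "#pkts encaps: 0, #pkts decaps: 0, #send errors 0, #recv errors 0"
    code = analyse(zero, IOS_SAMPLE, zero, ASA_SAMPLE)
    print(code, "->", EXPLANATION[code])
```

Take the "before" snapshot on both boxes, send a handful of pings from the inside, then take the "after" snapshot; send errors climbing on the initiator while encaps stays flat usually points at a routing or MTU problem rather than at the crypto itself.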

Hi,

I tried injecting set reverse-route on the ASA as follows and ran a ping from the router using the internal interface, but no luck. It seems traffic is hitting the ASA from the router as per the show crypto isa... on. Encaps packets from the router and decaps on the ASA, but no reply from the ASA back to the router.

crypto dynamic-map outside_dyn_map 40 set reverse-route

PO-ASA# sh crypto ipsec sa peer 99.226.165.96
peer address: 99.226.165.96
    Crypto map tag: outside_dyn_map, seq num: 40, local addr: 216.191.92.30

      local ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
      current_peer: 99.226.165.96

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.191.92.30, remote crypto endpt.: 99.226.165.96

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 16D40E64

    inbound esp sas:
      spi: 0x06D85EAA (114843306)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2251, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4274999/3340)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x16D40E64 (382996068)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2251, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4275000/3331)
         IV size: 8 bytes
         replay detection support: Y

PO-ASA#


REMOTE-A#sh cryp
REMOTE-A#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: SDM_CMAP_1, local addr 99.226.165.96

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
   current_peer 216.191.92.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 99.226.165.96, remote crypto endpt.: 216.191.92.30
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x6D85EAA(114843306)

     inbound esp sas:
      spi: 0x16D40E64(382996068)
        transform: esp-3des esp-sha-hmac ,


please help

OK, the problem appears on the router - no traffic hitting crypto.

Can you check if you have NAT entries for those hosts? I know there's a deny in the NAT lines but I want to double-check.

Also the routing table on the router would be interesting to investigate.
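The NAT question in the last reply comes down to IOS order of operations: for inside-to-outside traffic the router applies inside NAT first and only then evaluates the crypto map ACL, so a flow that the NAT ACL permits is translated to the WAN address and can no longer match a crypto ACL written for 172.17.100.0/24. The following added example (not from the thread or from Cisco) models that with the two ACLs from the router config above, IOS wildcard-mask semantics included. Assumptions: the masked `192.168.2x.0` in NAT_IP_TRAFFIC is taken to be `192.168.20.0` so that it lines up with ACL 103, the router's DHCP WAN address is a placeholder `198.51.100.10`, and the model deliberately ignores the inspect and interface ACLs, which are not what the reply asks about.

```python
import ipaddress
from typing import List, Tuple

# Placeholder for the router's dynamically assigned WAN address (constructed).
WAN_ADDR = "198.51.100.10"
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any"

# ACL entry: (action, src_net, src_wildcard, dst_net, dst_wildcard)
Entry = Tuple[str, str, str, str, str]

# From the router config; 192.168.2x.0 assumed to be 192.168.20.0 (see lead-in).
NAT_IP_TRAFFIC: List[Entry] = [
    ("deny", "172.17.100.0", "0.0.0.255", "192.168.20.0", "0.0.3.255"),
    ("permit", *ANY, *ANY),
]
ACL_103: List[Entry] = [
    ("permit", "172.17.100.0", "0.0.0.255", "192.168.20.0", "0.0.3.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a set bit means 'don't care', a clear bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_result(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def classify(src: str, dst: str) -> str:
    """Follow an inside-to-outside packet through NAT and then the crypto map.
    Returns one of: 'encrypted', 'natted-clear', 'routed-clear'."""
    # Step 1: inside source NAT. A 'permit' in NAT_IP_TRAFFIC means translate.
    if acl_result(NAT_IP_TRAFFIC, src, dst) == "permit":
        src = WAN_ADDR
        translated = True
    else:
        translated = False
    # Step 2: crypto map ACL is evaluated on the (possibly translated) packet.
    if acl_result(ACL_103, src, dst) == "permit":
        return "encrypted"
    return "natted-clear" if translated else "routed-clear"


def audit(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify a list of (src, dst) flows; handy for checking every host pair
    that should be inside the tunnel."""
    return [(s, d, classify(s, d)) for s, d in flows]


if __name__ == "__main__":
    for s, d, verdict in audit([
        ("172.17.100.5", "192.168.20.10"),   # inside the crypto ACL
        ("172.17.100.5", "192.168.23.10"),   # still within 0.0.3.255
        ("172.17.100.5", "192.168.24.10"),   # outside the /22: NAT wins
        ("172.17.100.5", "8.8.8.8"),         # ordinary Internet traffic
        ("10.0.0.5", "192.168.20.10"),       # source not exempted from NAT
    ]):
        print(f"{s} -> {d}: {verdict}")
```

A flow that comes back as `natted-clear` is exactly the case the reply is probing for: the packet leaves the WAN interface translated and in the clear, and the router's encaps counter never moves for it. Running the audit over the real host pairs, with the masked octets filled in from the live config, shows whether the NAT deny line and crypto ACL 103 actually cover the same prefixes.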