06-22-2010 09:23 AM
Hi Cisco Guru,
I am trying to set up a site-to-site VPN between an IOS router and an ASA as per above. Phase 1 and Phase 2 seem fine as per the following, but I could not ping the internal interface of the router or the ASA, or any device at either endpoint of the VPN tunnel. Please see the show crypto isakmp sa and ipsec sa output below.
I also paste the VPN config details for both devices (ASA and Cisco 1800) below.
REMOTE-A#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
216.191.92.30 99.226.165.96 QM_IDLE 2056 0 ACTIVE
IPv6 Crypto ISAKMP SA
REMOTE-A#sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: SDM_CMAP_1, local addr 99.226.165.96
protected vrf: (none)
local ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
current_peer 216.191.9x.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 99.226.165.96, remote crypto endpt.: 216.191.9x.30
path mtu 1500, ip mtu 1500
current outbound spi: 0x99132F9D(2568171421)
inbound esp sas:
spi: 0x9ABAC98(162245784)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 43, flow_id: Motorola SEC 2.0:43, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4508527/3520)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x99132F9D(2568171421)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 44, flow_id: Motorola SEC 2.0:44, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4508526/3509)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Config script for both router/ASA:
ASA Version 7.0(5)
!
hostname PO-ASA
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.2x.xx 255.255.252.0 standby 192.168.2x.xx
!
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 216.191.9x.xx 255.255.255.0 standby 216.191.9x.31
!
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.2x.0 255.255.252.0 172.17.100.0 255.255.255.0
access-list acl_inside_in extended permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-ssn
access-list acl_inside_in extended permit udp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-ns
access-list acl_inside_in extended permit udp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-dgm
access-list acl_inside_in extended deny udp any any eq netbios-dgm
access-list acl_inside_in extended deny udp any any eq netbios-ns
access-list acl_inside_in extended deny tcp any any eq netbios-ssn
access-list acl_inside_in extended permit ip any any
access-list test_only extended permit ip 192.168.2x.0 255.255.252.0 172.17.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
access-group acl_inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.191.9x.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key cisco123
tunnel-group 99.226.165.96 type ipsec-l2l
tunnel-group 99.226.165.96 ipsec-attributes
pre-shared-key cisco123
Configuration for IOS router 1800, version 12.4:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 216.191.9x.30
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 ipsec-isakmp
description Tunnel to216.191.92.30
set peer 216.191.9x.xx
set transform-set ESP-3DES-SHA
match address 103
!
!
interface FastEthernet0
description Internet Connection$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet0
ip access-group 102 in
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description Internal LAN$FW_INSIDE$
ip address 172.17.100.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip nat inside source list NAT_IP_TRAFFIC interface FastEthernet0 overload
!
ip access-list extended NAT_IP_TRAFFIC
remark Allow IP Traffic to be NATed except IPSec traffic
deny ip 172.17.100.0 0.0.0.255 192.168.2x.0 0.0.3.255
permit ip any any
!
access-list 100 remark SDM_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 permit ip 172.17.100.0 0.0.0.255 192.168.20.0 0.0.3.255
!
end
Please help me find what is wrong in the configuration. Please note that the IOS router is connected dynamically to the ISP.
Thanks in advance for your help.
06-22-2010 10:51 AM
Edit: removed the initial post; it had a skewed look.
So no encapsulated packets are hitting the firewall.
Please check nat and routing on router side + check with captures on firewall to see if ESP packets are arriving.
If encaps on router but no decaps on firewall - check devices in between.
06-22-2010 11:29 AM
Hi,
I tried injecting set reverse-route on the ASA as follows and ran a ping from the router using the internal interface, but no luck. It seems traffic is hitting the ASA from the router, as per the show crypto isa... output. Encaps packets from the router and decaps on the ASA, but no reply from the ASA back to the router.
crypto dynamic-map outside_dyn_map 40 set reverse-route
PO-ASA# sh crypto ipsec sa peer 99.226.165.96
peer address: 99.226.165.96
Crypto map tag: outside_dyn_map, seq num: 40, local addr: 216.191.92.30
local ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
current_peer: 99.226.165.96
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.191.92.30, remote crypto endpt.: 99.226.165.96
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 16D40E64
inbound esp sas:
spi: 0x06D85EAA (114843306)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2251, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4274999/3340)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x16D40E64 (382996068)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2251, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4275000/3331)
IV size: 8 bytes
replay detection support: Y
PO-ASA#
REMOTE-A#sh cryp
REMOTE-A#sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: SDM_CMAP_1, local addr 99.226.165.96
protected vrf: (none)
local ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
current_peer 216.191.92.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 99.226.165.96, remote crypto endpt.: 216.191.92.30
path mtu 1500, ip mtu 1500
current outbound spi: 0x6D85EAA(114843306)
inbound esp sas:
spi: 0x16D40E64(382996068)
transform: esp-3des esp-sha-hmac ,
please help
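The replies in this thread read the two SA dumps by hand: mirrored proxy identities, and encaps on one side matched against decaps on the other. The following is an added example (my own code, not from the original post or from Cisco) that automates that reading over constructed excerpts modelled on the router and ASA outputs above; the regexes assume the IOS/ASA counter wording shown in this thread.

```python
import re

# Constructed excerpts modelled on the two "show crypto ipsec sa" outputs in this thread.
ROUTER_SA = """\
local ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_SA = """\
local ident (addr/mask/prot/port): (192.168.20.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (172.17.100.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PKT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Pull proxy identities and encaps/decaps counters out of one SA dump."""
    info = {}
    for m in IDENT_RE.finditer(text):
        info[m.group(1)] = m.group(2)
    for m in PKT_RE.finditer(text):
        info[m.group(1)] = int(m.group(2))
    return info

def check_direction(sender, receiver, label):
    """Classify one direction of the tunnel from the sender's encaps and receiver's decaps."""
    if sender["encaps"] == 0:
        return f"{label}: nothing encrypted, traffic is not reaching crypto on the sender"
    if receiver["decaps"] == 0:
        return f"{label}: encrypted but never decrypted, ESP is lost between the peers"
    return f"{label}: delivered"

def diagnose(side_a, side_b, name_a="A", name_b="B"):
    """Return findings for both directions plus a proxy-identity mirror check."""
    a, b = parse_sa(side_a), parse_sa(side_b)
    mirrored = a["local"] == b["remote"] and a["remote"] == b["local"]
    return [
        "proxy identities mirrored" if mirrored else "proxy identities NOT mirrored",
        check_direction(a, b, f"{name_a}->{name_b}"),
        check_direction(b, a, f"{name_b}->{name_a}"),
    ]

if __name__ == "__main__":
    for line in diagnose(ROUTER_SA, ASA_SA, "router", "ASA"):
        print(line)
```

On the excerpts above it reports the router-to-ASA direction as delivered and the ASA-to-router direction as never encrypted, which is the same point the replies make about the return traffic not reaching crypto.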
06-22-2010 01:27 PM
OK, problem appears on router - no traffic hitting crypto.
Can you check if you have NAT entries for those hosts? I know there's a deny in the NAT lines but I want to double-check.
Also the routing table on the router would be interesting to investigate.