VPN Lan2Lan and router

Unanswered Question
Jun 23rd, 2010

Hello,

I have this problem. I've attached an image with an extract of my network topology.

In Milan we have two main networks connected directly by a 2821 router (192.168.2.0/23 and 192.168.4.0/23), then a network that I use as a DMZ (192.168.40.0). On the other side, in Hong Kong, we have a LAN (192.168.200.0) and a DMZ (192.168.210.0).

I have some trouble connecting the network 192.168.4.0/23 with 192.168.200.0.

These are my configs:

Router Milan:

interface GigabitEthernet0/0
   ip address 192.168.2.100 255.255.254.0
interface GigabitEthernet0/1
   ip address 192.168.4.100 255.255.254.0
ip route 192.168.200.0 255.255.255.0 192.168.2.201
ip route 192.168.200.0 255.255.255.0 192.168.2.201

ASA Milan (192.168.2.201):

access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0

access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0

nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 0.0.0.0 0.0.0.0

crypto map partner-map 1 match address vpn_hk
crypto map partner-map 1 set peer xxxxxxxx
crypto map partner-map 1 set transform-set ESP-3DES-MD5

ASA Hong Kong:

access-list 80 extended permit ip any 192.168.0.0 255.255.0.0

access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list 80
nat (dmz) 1 0.0.0.0 0.0.0.0

crypto map partner-map 15 match address vpn_mi
crypto map partner-map 15 set peer xxxxxx
crypto map partner-map 1 set transform-set ESP-3DES-MD5

The situation is this:

- from router I can ping everything

- from network 192.168.2.0 and 192.168.10.0 I can ping everything

- from network 192.168.210.0 I can ping everything

- from network 192.168.200.0 I can ping only 192.168.2.0 and 192.168.10.0

- from network 192.168.200.0 I can't ping 192.168.4.0 (and vice versa)

I've spent the last 4 hours running every kind of test and redoing the configuration over and over.

Can anyone help me?

Diego Armando C... Wed, 06/23/2010 - 08:20

Try changing the ACL for the interesting traffic. I think that is the problem. Be more specific.

On the Milan ASA, the no-nat ACL should be the same as the ACL for the interesting traffic:

access-list no_nat extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0

NO access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0

The same for the ASA in Hong Kong:

access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0

NO access-list 80 extended permit ip any 192.168.0.0 255.255.0.0

Try that and let me know.
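An added consistency check for the point made in this reply (example code, not from the thread or from Cisco): it parses both ASAs' ACLs exactly as posted, then verifies that every crypto-map pair is fully covered by a NAT-exempt (nat 0) entry and is exactly mirrored on the peer. It assumes the 8.x-era `access-list NAME extended permit ip SRC MASK DST MASK` syntax with dotted netmasks and the `any` keyword; the sample ACL text is constructed from the thread.

```python
import ipaddress

# Constructed sample input: the two ASAs' ACLs exactly as posted in the thread.
MILAN = """\
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0
"""
HONGKONG = """\
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 80 extended permit ip any 192.168.0.0 255.255.0.0
"""
def take_net(tokens):
    # ASA ACLs write 'any' as one token, otherwise 'address netmask' (dotted mask, not wildcard)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
def parse_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' entries."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[3:5] != ["permit", "ip"]:
            continue  # only the plain ip-to-ip permits used by the crypto map and nat 0
        src, rest = take_net(tok[5:])
        dst, _ = take_net(rest)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls
def uncovered(interesting, exempt):
    """Crypto-map pairs that no NAT-exempt entry fully covers (they would hit the PAT rule)."""
    return [(s, d) for s, d in interesting
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
def unmirrored(local, remote):
    """Local crypto-map pairs whose exact reverse (dst, src) is missing on the peer."""
    reverse = {(d, s) for s, d in remote}
    return [(s, d) for s, d in local if (s, d) not in reverse]
if __name__ == "__main__":
    mi, hk = parse_acl(MILAN), parse_acl(HONGKONG)
    print("not NAT-exempt:", uncovered(mi["vpn_hk"], mi["no_nat"]))
    print("not mirrored on peer:", unmirrored(mi["vpn_hk"], hk["vpn_mi"]))
```

On the ACLs as posted both lists come back empty, which is consistent with the later finding in this thread that changing the no_nat ACL did not help; the check pays off when a single /23 line drifts on one side.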

Fabio Grasso Wed, 06/23/2010 - 14:45

Hi Diego,

Thanks for your help.

I've tried to make the config change that you've suggested but I have the same issue.

The very strange thing is that I can ping 192.168.210.0 hosts but not .200 ones, which are managed by the same crypto map...

Do you have any other idea?

Fabio Grasso Thu, 06/24/2010 - 05:19

OK... Soon I'll do a crash test of two ASA5510s by throwing them out the window...

I'm still trying to solve my problem, without results.

It seems to be a NAT problem, but I've double-checked the NAT exemptions and they're right.

If I do a packet-tracer from Milan everything is OK:

Result of the command: "packet-tracer input inside icmp 192.168.4.101 8 1 1 192.168.200.101"


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list


Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.200.0   255.255.255.0   outside


Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:


Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:


Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:


Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.4.0 255.255.254.0 outside 192.168.200.0 255.255.255.0
    NAT exempt
    translate_hits = 760, untranslate_hits = 264
Additional Information:


Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.254.0
  match ip inside 192.168.4.0 255.255.254.0 dmz any
    static translation to 192.168.4.0
    translate_hits = 0, untranslate_hits = 3862
Additional Information:


Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (xxxxxxxxxxx [Interface PAT])
    translate_hits = 722540, untranslate_hits = 20773
Additional Information:


Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:


Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10657677, packet dispatched to next module


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Same results from HK:

Result of the command: "packet-tracer input inside icmp 192.168.200.101 8 1 1 192.168.4.101"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.200.0 255.255.255.0 outside 192.168.4.0 255.255.254.0
    NAT exempt
    translate_hits = 1250, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
  match ip inside 192.168.200.0 255.255.255.0 dmz any
    static translation to 192.168.200.0
    translate_hits = 649, untranslate_hits = 7538
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (xxxxxxxxxxxxxxxxx [Interface PAT])
    translate_hits = 140299, untranslate_hits = 28149
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 408170, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Moreover, I've noticed a strange thing: in the crypto stats in Milan, I see that there are some bytes received but 0 sent. This can confirm the NAT problem, but I can't see anything wrong in the no_nat ACL...

The crypto map is up and apparently working.

This is from Milan:

    Crypto map tag: partner-map, seq num: 10, local addr: xxxxxxxxxxxxxxxxxx

      access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.4.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: xxxxxxxxxxxxxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 474, #pkts decrypt: 474, #pkts verify: 474
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxxxxxxxxxxx, remote crypto endpt.: xxxxxxxxxxxxx

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: EC2CAEEE
      current inbound spi : 38E0C067

    inbound esp sas:
      spi: 0x38E0C067 (954253415)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2002944, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (4373965/24660)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFDFFFFFF
    outbound esp sas:
      spi: 0xEC2CAEEE (3962351342)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2002944, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (4374000/24660)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

And this from HK:

   Crypto map tag: partner-map, seq num: 10, local addr: xxxxxxxxxxxxx

      access-list vpn_mi-rm permit ip 192.168.200.0 255.255.255.0 LAN-ROMA 255.255.254.0
      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-ROMA/255.255.254.0/0/0)
      current_peer: xxxxxxxxxxxxxxxxxxxx

      #pkts encaps: 516, #pkts encrypt: 516, #pkts digest: 516
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 516, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxxxxxxxxxxx, remote crypto endpt.: xxxxxxxxxxxxxxxxx

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 38E0C067

    inbound esp sas:
      spi: 0xEC2CAEEE (3962351342)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1445888, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (3915000/24545)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x38E0C067 (954253415)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1445888, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (3914962/24545)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

The software versions are 8.2(2) in Milan and 8.0(4) in Hong Kong. Now I'm also searching for any known problems about NAT/VPN on these versions.

In the meantime, if anyone can give any suggestion, thank you so much!

Regards,

    Fabio

Message edited by Fabio Grasso
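An added diagnostic for the one-way counters in the two `show crypto ipsec sa` outputs above (example code, not from the thread or from Cisco): it extracts the per-SA counters and SPIs from each side, confirms the two SAs belong to the same tunnel, and reports which direction is failing and whether the loss happens before encryption or in transit. The excerpts are constructed from the values posted, with peer addresses omitted as in the post; the 10% loss tolerance is an assumed threshold.

```python
import re

# Constructed excerpts of the two 'show crypto ipsec sa' outputs posted above (peer IPs omitted).
MILAN_SA = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 474, #pkts decrypt: 474, #pkts verify: 474
      #send errors: 0, #recv errors: 0
      current outbound spi: EC2CAEEE
      current inbound spi : 38E0C067
"""
HK_SA = """\
      #pkts encaps: 516, #pkts encrypt: 516, #pkts digest: 516
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: 38E0C067
"""

COUNTERS = {"encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
            "send_err": r"#send errors: (\d+)", "recv_err": r"#recv errors: (\d+)",
            "out_spi": r"current outbound spi: ([0-9A-Fa-f]+)",
            "in_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)"}

def parse_sa(text):
    """Pull the per-SA counters and SPIs out of one 'show crypto ipsec sa' block (None if absent)."""
    sa = {}
    for key, pat in COUNTERS.items():
        m = re.search(pat, text)
        sa[key] = None if m is None else (m.group(1).upper() if key.endswith("spi") else int(m.group(1)))
    return sa

def diagnose(a_name, a, b_name, b):
    """Findings for the direction a -> b: what a encapsulates should roughly equal what b decapsulates."""
    findings = []
    if a["in_spi"] and b["out_spi"] and a["in_spi"] != b["out_spi"]:
        findings.append(f"{b_name} outbound SPI != {a_name} inbound SPI: stale or mismatched SA")
    if a["encaps"] == 0 and a["send_err"] == 0:
        findings.append(f"{a_name} encapsulates nothing toward {b_name} with no send errors: "
                        "traffic never reaches the crypto map (check NAT exemption and routing)")
    elif b["decaps"] == 0:
        findings.append(f"{a_name} encapsulates but {b_name} decapsulates nothing: ESP lost in transit")
    elif b["decaps"] < 0.9 * a["encaps"]:
        findings.append(f"{b_name} decapsulated only {b['decaps']} of {a['encaps']} packets {a_name} sent")
    return findings

if __name__ == "__main__":
    mi, hk = parse_sa(MILAN_SA), parse_sa(HK_SA)
    for finding in diagnose("Milan", mi, "HongKong", hk) + diagnose("HongKong", hk, "Milan", mi):
        print(finding)
```

With the posted numbers the SPIs pair up and the Hong Kong to Milan direction looks healthy, while Milan encapsulates nothing with zero send errors, which points at the return path before IPsec rather than at the tunnel itself.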

Diego Armando C... Thu, 06/24/2010 - 06:58

That's very strange. Can you post the whole config? Maybe I am not seeing something, an ACL on an interface or something.

Fabio Grasso Thu, 06/24/2010 - 08:16

I've sent you a private message with the complete configuration.

This is the routing table of my router:

D    192.168.30.0/24 [90/3072] via 192.168.2.243, 1d07h, GigabitEthernet0/0.2
D EX 192.168.210.0/24
           [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S    192.168.8.0/24 [1/0] via 192.168.2.205
D    192.168.9.0/24
           [90/281856] via 192.168.255.9, 1d07h, GigabitEthernet0/0.255
D    192.168.10.0/24 [90/3072] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D    192.168.40.0/24 [90/28416] via 192.168.4.201, 1d07h, GigabitEthernet0/0.4
D EX 192.168.200.0/24
           [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D    192.168.20.0/24 [90/3072] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.0.9.0 [170/281856] via 192.168.255.9, 1d07h, GigabitEthernet0/0.255
D EX    10.10.4.0 [170/28416] via 192.168.4.201, 1d07h, GigabitEthernet0/0.4
D EX    10.10.100.0 [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S       10.10.200.0 [1/0] via 192.168.2.200
S    192.168.6.0/24 [1/0] via 192.168.2.205
D    192.168.7.0/24
           [90/28416] via 192.168.255.4, 1d07h, GigabitEthernet0/0.255
           [90/28416] via 192.168.4.244, 1d07h, GigabitEthernet0/0.4
           [90/28416] via 192.168.2.244, 1d07h, GigabitEthernet0/0.2
C    192.168.255.0/24 is directly connected, GigabitEthernet0/0.255
D EX 192.168.0.0/24 [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D EX 192.168.100.0/24
           [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S*   0.0.0.0/0 [1/0] via 192.168.2.110
C    192.168.4.0/23 is directly connected, GigabitEthernet0/0.4
C    192.168.2.0/23 is directly connected, GigabitEthernet0/0.2
