VPN Lan2Lan and router

Jun 23rd, 2010
Hello,

I have this problem. I've attached an image with an extract of my network topology.

In Milan we have two main networks connected directly by a 2821 router (192.168.2.0/23 and 192.168.4.0/23), then a network that I use as a DMZ (192.168.40.0). On the other side, in Hong Kong, we have a LAN (192.168.200.0) and a DMZ (192.168.210.0).


I have some trouble connecting the network 192.168.4.0/23 with 192.168.200.0.


These are my configs...


Router Milan:

interface GigabitEthernet0/0
   ip address 192.168.2.100 255.255.254.0
interface GigabitEthernet0/1
   ip address 192.168.4.100 255.255.254.0

ip route 192.168.200.0 255.255.255.0 192.168.2.201
ip route 192.168.200.0 255.255.255.0 192.168.2.201



ASA Milan (192.168.2.201):

access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0


access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0


nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 0.0.0.0 0.0.0.0


crypto map partner-map 1 match address vpn_hk
crypto map partner-map 1 set peer xxxxxxxx
crypto map partner-map 1 set transform-set ESP-3DES-MD5



ASA Hong Kong:

access-list 80 extended permit ip any 192.168.0.0 255.255.0.0


access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0


nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list 80
nat (dmz) 1 0.0.0.0 0.0.0.0


crypto map partner-map 15 match address vpn_mi
crypto map partner-map 15 set peer xxxxxx
crypto map partner-map 1 set transform-set ESP-3DES-MD5



The situation is this:

- from router I can ping everything

- from network 192.168.2.0 and 192.168.10.0 I can ping everything

- from network 192.168.210.0 I can ping everything

- from network 192.168.200.0 I can ping only 192.168.2.0 and 192.168.10.0

- from network 192.168.200.0 I can't ping 192.168.4.0 (and vice versa)


I've spent the last 4 hours making every type of test and redoing the configuration over and over.

Can anyone help me?

Diego Armando C... Wed, 06/23/2010 - 08:20

Try changing the ACL for the interesting traffic. I think that is the problem. Be more specific.


On the Milan ASA, the no-NAT ACL should be the same as the ACL for the interesting traffic:



access-list no_nat extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0

NO access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0



The same for the ASA in Hong Kong:





access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0

NO access-list 80 extended permit ip any 192.168.0.0 255.255.0.0



Try that and let me know.
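Diego's advice above (the no-NAT ACL written as an exact twin of the crypto ACL, and the two peers' crypto ACLs written as mirror images, with no broad `any` entry) can be checked mechanically instead of by eye. The Python below is an added example, not code from this thread or from Cisco: it parses `access-list ... extended permit ip` lines, reports crypto entries the remote peer does not mirror (source and destination swapped), and compares the no-NAT ACL against the crypto ACL, listing crypto entries without an identical no-NAT twin and no-NAT entries, such as the `any 192.168.0.0 255.255.0.0` line, that correspond to no crypto entry. The sample ACL text is copied from the lines quoted in the thread; the function and variable names are the example's own.

```python
import ipaddress

# Constructed sample ACLs, copied from the ACEs quoted in this thread. Only the
# text of the lines is parsed; no ASA is involved.
MILAN_CRYPTO_ACL = """\
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0
"""

HK_CRYPTO_ACL = """\
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# The broad no-NAT ACL from the original post, and the specific one proposed in the reply.
MILAN_NONAT_BROAD = "access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0\n"
MILAN_NONAT_SPECIFIC = MILAN_CRYPTO_ACL.replace("vpn_hk", "no_nat")


def _parse_addr(tokens, i):
    """Read one ASA address spec ('any', 'host A.B.C.D' or 'net mask') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts 'network/netmask' notation directly
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_aces(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for every 'extended permit ip' line."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def mirror_mismatches(local_aces, remote_aces):
    """Local crypto ACEs that the remote peer does not mirror with src/dst swapped.

    Proxy identities must agree on both sides, so each (src, dst) here needs a (dst, src) there."""
    remote_mirrored = {(dst, src) for src, dst in remote_aces}
    return [ace for ace in local_aces if ace not in remote_mirrored]


def nonat_findings(crypto_aces, nonat_aces):
    """Compare the no-NAT (nat 0 access-list) ACL against the crypto ACL.

    Returns (missing, extra): crypto ACEs with no identical no-NAT twin, and no-NAT
    ACEs (for instance 'any 192.168.0.0/16') that do not correspond to any crypto ACE."""
    crypto_set, nonat_set = set(crypto_aces), set(nonat_aces)
    missing = [ace for ace in crypto_aces if ace not in nonat_set]
    extra = [ace for ace in nonat_aces if ace not in crypto_set]
    return missing, extra


def audit_site(local_crypto_text, remote_crypto_text, nonat_text):
    """Run both checks for one ASA (hypothetical helper) and return a summary dict."""
    local = next(iter(parse_aces(local_crypto_text).values()))
    remote = next(iter(parse_aces(remote_crypto_text).values()))
    nonat = next(iter(parse_aces(nonat_text).values()), [])
    missing, extra = nonat_findings(local, nonat)
    return {
        "unmirrored": mirror_mismatches(local, remote),
        "nonat_missing": missing,
        "nonat_extra": extra,
    }


if __name__ == "__main__":
    for label, nonat in (("broad no_nat", MILAN_NONAT_BROAD), ("specific no_nat", MILAN_NONAT_SPECIFIC)):
        report = audit_site(MILAN_CRYPTO_ACL, HK_CRYPTO_ACL, nonat)
        print(label, {k: [f"{s} -> {d}" for s, d in v] for k, v in report.items()})
```

With the thread's ACLs the mirror check comes back clean, the broad no-NAT line is reported as six missing twins plus one extra entry, and the specific no-NAT ACL reports nothing; the same script catches a single mistyped mask on either peer as an unmirrored entry.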

Fabio Grasso Wed, 06/23/2010 - 14:45

Hi Diego,

thanks for your help.


I've tried to make the config change that you've suggested but I have the same issue.


The very strange thing is that I can ping 192.168.210.0 hosts but not .200 ones, which are managed by the same crypto map...


Do you have any other ideas?

Fabio Grasso Thu, 06/24/2010 - 05:19

Ok ... Soon I'll do a crash test of two ASA 5510s by throwing them out the window ...


I'm still trying to solve my problem without results.


It seems to be a NAT problem, but I've double-checked the NAT exemptions and they're right.


If I do a packet-tracer from Milan everything is OK:


Result of the command: "packet-tracer input inside icmp 192.168.4.101 8 1 1 192.168.200.101"


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list


Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.200.0   255.255.255.0   outside


Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:


Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:


Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:


Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.4.0 255.255.254.0 outside 192.168.200.0 255.255.255.0
    NAT exempt
    translate_hits = 760, untranslate_hits = 264
Additional Information:


Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.254.0
  match ip inside 192.168.4.0 255.255.254.0 dmz any
    static translation to 192.168.4.0
    translate_hits = 0, untranslate_hits = 3862
Additional Information:


Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (xxxxxxxxxxx [Interface PAT])
    translate_hits = 722540, untranslate_hits = 20773
Additional Information:


Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:


Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10657677, packet dispatched to next module


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


Same results from HK:

Result of the command: "packet-tracer input inside icmp 192.168.200.101 8 1 1 192.168.4.101"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.200.0 255.255.255.0 outside 192.168.4.0 255.255.254.0
    NAT exempt
    translate_hits = 1250, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
  match ip inside 192.168.200.0 255.255.255.0 dmz any
    static translation to 192.168.200.0
    translate_hits = 649, untranslate_hits = 7538
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (xxxxxxxxxxxxxxxxx [Interface PAT])
    translate_hits = 140299, untranslate_hits = 28149
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 408170, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


Moreover, I've noticed a strange thing: in the crypto stats in Milan, I see that there are some bytes received but 0 sent. This can confirm the NAT problem, but I can't see anything wrong in the no_nat ACL...


The crypto map is up and apparently working.


This is from Milan:

    Crypto map tag: partner-map, seq num: 10, local addr: xxxxxxxxxxxxxxxxxx

      access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.4.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: xxxxxxxxxxxxxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 474, #pkts decrypt: 474, #pkts verify: 474
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxxxxxxxxxxx, remote crypto endpt.: xxxxxxxxxxxxx

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: EC2CAEEE
      current inbound spi : 38E0C067


    inbound esp sas:
      spi: 0x38E0C067 (954253415)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2002944, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (4373965/24660)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFDFFFFFF
    outbound esp sas:
      spi: 0xEC2CAEEE (3962351342)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2002944, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (4374000/24660)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


And this from HK:

   Crypto map tag: partner-map, seq num: 10, local addr: xxxxxxxxxxxxx

      access-list vpn_mi-rm permit ip 192.168.200.0 255.255.255.0 LAN-ROMA 255.255.254.0
      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-ROMA/255.255.254.0/0/0)
      current_peer: xxxxxxxxxxxxxxxxxxxx

      #pkts encaps: 516, #pkts encrypt: 516, #pkts digest: 516
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 516, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxxxxxxxxxxx, remote crypto endpt.: xxxxxxxxxxxxxxxxx

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 38E0C067

    inbound esp sas:
      spi: 0xEC2CAEEE (3962351342)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1445888, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (3915000/24545)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x38E0C067 (954253415)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1445888, crypto-map: partner-map
         sa timing: remaining key lifetime (kB/sec): (3914962/24545)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001



The software versions are 8.2(2) in Milan and 8.0(4) in Hong Kong. Now I'm also searching for any known problems with NAT/VPN on these versions.


In the meantime, if anyone can give any suggestion, I thank them so much!


Regards,

    Fabio


Message edited by Fabio Grasso
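The counters in the two `show crypto ipsec sa` extracts in this post tell the story on their own: Milan shows `#pkts encaps: 0` against `#pkts decaps: 474`, Hong Kong shows the reverse, and the SPIs line up (Milan's outbound EC2CAEEE is Hong Kong's inbound, and vice versa). The Python below is an added example, not code from this thread or from Cisco: it parses output of that shape per crypto map entry, flags receive-only and send-only SAs, and checks that the two peers' SPIs agree, so that an SA negotiation mismatch can be ruled out before looking further at what happens to the packets before encryption. The sample output is constructed from the counters and SPIs quoted in the post, with RFC 5737 documentation addresses standing in for the masked peer addresses; the function names are the example's own.

```python
import re

# Constructed sample output in the shape of 'show crypto ipsec sa', carrying the
# counters and SPIs quoted in this thread; peer addresses are RFC 5737 placeholders.
MILAN_SA = """\
    Crypto map tag: partner-map, seq num: 10, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.4.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 474, #pkts decrypt: 474, #pkts verify: 474
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x38E0C067 (954253415)
    outbound esp sas:
      spi: 0xEC2CAEEE (3962351342)
"""

HK_SA = """\
    Crypto map tag: partner-map, seq num: 10, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.254.0/0/0)
      current_peer: 203.0.113.1
      #pkts encaps: 516, #pkts encrypt: 516, #pkts digest: 516
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xEC2CAEEE (3962351342)
    outbound esp sas:
      spi: 0x38E0C067 (954253415)
"""


def _grab(pattern, chunk, default=None):
    """First capture group of pattern in chunk, or default when absent."""
    m = re.search(pattern, chunk)
    return m.group(1) if m else default


def parse_ipsec_sa(text):
    """Split the output per 'Crypto map tag:' entry and extract the fields that matter."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        entries.append({
            "local": _grab(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk),
            "remote": _grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk),
            "encaps": int(_grab(r"#pkts encaps: (\d+)", chunk, "0")),
            "decaps": int(_grab(r"#pkts decaps: (\d+)", chunk, "0")),
            "send_errors": int(_grab(r"#send errors: (\d+)", chunk, "0")),
            # SPIs are read from the SA sections, which both 8.0 and 8.2 print
            "in_spi": (_grab(r"inbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", chunk) or "").upper(),
            "out_spi": (_grab(r"outbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", chunk) or "").upper(),
        })
    return entries


def one_way_entries(entries):
    """Flag SAs where packets flow in only one direction.

    decaps > 0 with encaps == 0 means the peer's packets arrive and decrypt fine, but this
    box never encrypts anything back: its own traffic for the pair is not being matched
    for encryption. That is the Milan symptom; the send-only pattern is the peer's view."""
    findings = []
    for e in entries:
        pair = f"{e['local']} -> {e['remote']}"
        if e["encaps"] == 0 and e["decaps"] > 0:
            findings.append((pair, "receive-only"))
        elif e["decaps"] == 0 and e["encaps"] > 0:
            findings.append((pair, "send-only"))
    return findings


def spis_consistent(local_entries, remote_entries):
    """True when each local outbound SPI is a remote inbound SPI and vice versa.

    Agreeing SPIs show both peers hold the same SA pair, so the fault is not in
    negotiation and the search moves to NAT, routing or ACL matching before encryption."""
    local_out = {e["out_spi"] for e in local_entries}
    local_in = {e["in_spi"] for e in local_entries}
    remote_out = {e["out_spi"] for e in remote_entries}
    remote_in = {e["in_spi"] for e in remote_entries}
    return local_out == remote_in and local_in == remote_out


if __name__ == "__main__":
    milan, hk = parse_ipsec_sa(MILAN_SA), parse_ipsec_sa(HK_SA)
    print("Milan:", one_way_entries(milan))
    print("HK:   ", one_way_entries(hk))
    print("SPIs consistent:", spis_consistent(milan, hk))
```

Run against the real `show crypto ipsec sa` output of both peers, a receive-only entry on one side paired with a send-only entry on the other, with consistent SPIs, points away from the tunnel itself and toward whatever handles the packet before the VPN phase (the NAT and route lookups that the packet-tracer runs in the post also walk through).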

Diego Armando C... Thu, 06/24/2010 - 06:58

That's very strange. Can you post the whole config? Maybe I am not seeing something, an ACL on an interface or something.

Fabio Grasso Thu, 06/24/2010 - 08:16

I've sent you a private message with the complete configuration.


This is the routing table of my router:

D    192.168.30.0/24 [90/3072] via 192.168.2.243, 1d07h, GigabitEthernet0/0.2
D EX 192.168.210.0/24
           [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S    192.168.8.0/24 [1/0] via 192.168.2.205
D    192.168.9.0/24
           [90/281856] via 192.168.255.9, 1d07h, GigabitEthernet0/0.255
D    192.168.10.0/24 [90/3072] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D    192.168.40.0/24 [90/28416] via 192.168.4.201, 1d07h, GigabitEthernet0/0.4
D EX 192.168.200.0/24
           [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D    192.168.20.0/24 [90/3072] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.0.9.0 [170/281856] via 192.168.255.9, 1d07h, GigabitEthernet0/0.255
D EX    10.10.4.0 [170/28416] via 192.168.4.201, 1d07h, GigabitEthernet0/0.4
D EX    10.10.100.0 [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S       10.10.200.0 [1/0] via 192.168.2.200
S    192.168.6.0/24 [1/0] via 192.168.2.205
D    192.168.7.0/24
           [90/28416] via 192.168.255.4, 1d07h, GigabitEthernet0/0.255
           [90/28416] via 192.168.4.244, 1d07h, GigabitEthernet0/0.4
           [90/28416] via 192.168.2.244, 1d07h, GigabitEthernet0/0.2
C    192.168.255.0/24 is directly connected, GigabitEthernet0/0.255
D EX 192.168.0.0/24 [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D EX 192.168.100.0/24
           [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S*   0.0.0.0/0 [1/0] via 192.168.2.110
C    192.168.4.0/23 is directly connected, GigabitEthernet0/0.4
C    192.168.2.0/23 is directly connected, GigabitEthernet0/0.2
