06-23-2010 06:26 AM
Hello,
I have this problem. I've put an image with an extract of my network topology.
In Milan we've two main networks connected directly by a 2821 router (192.168.2.0/23 and 192.168.4.0/23), then a network that I use as DMZ (192.168.40.0). On the other side, in Hong Kong, we have a LAN (192.168.200.0) and a DMZ (192.168.210.0).
I've some trouble connecting the network 192.168.4.0/23 with 192.168.200.0.
These are my configs...
Router Milan:
interface GigabitEthernet0/0
ip address 192.168.2.100 255.255.254.0
interface GigabitEthernet0/1
ip address 192.168.4.100 255.255.254.0
ip route 192.168.200.0 255.255.255.0 192.168.2.201
ip route 192.168.200.0 255.255.255.0 192.168.2.201
ASA Milan (192.168.2.201):
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 0.0.0.0 0.0.0.0
crypto map partner-map 1 match address vpn_hk
crypto map partner-map 1 set peer xxxxxxxx
crypto map partner-map 1 set transform-set ESP-3DES-MD5
ASA Hong Kong:
access-list 80 extended permit ip any 192.168.0.0 255.255.0.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list vpn_mi extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list 80
nat (dmz) 1 0.0.0.0 0.0.0.0
crypto map partner-map 15 match address vpn_mi
crypto map partner-map 15 set peer xxxxxx
crypto map partner-map 1 set transform-set ESP-3DES-MD5
The situation is this:
- from router I can ping everything
- from network 192.168.2.0 and 192.168.10.0 I can ping everything
- from network 192.168.210.0 I can ping everything
- from network 192.168.200.0 I can ping only 192.168.2.0 and 192.168.10.0
- from network 192.168.200.0 I can't ping 192.168.4.0 (and vice versa)
I've passed the last 4 hours making any type of test and redoing the configuration more and more time.
Anyone can help me?
06-23-2010 08:20 AM
Try changing the ACL for the interesting traffic. I think that is the problem. Be more specific.
In the Milan ASA the no-nat should be equal to the ACL for interesting traffic:
access-list no_nat extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.2.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip 192.168.4.0 255.255.254.0 192.168.210.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.210.0 255.255.255.0
NO access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0
The same for the ASA in Hong Kong:
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 80 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list 80 extended permit ip 192.168.210.0 255.255.255.0 192.168.10.0 255.255.255.0
NO access-list 80 extended permit ip any 192.168.0.0 255.255.0.0
Try that and let me know.
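Diego's advice above is a mechanical check: every crypto-map ACE should have an exact NAT-exemption twin, and the peer's crypto ACL should be its mirror. This added script (not from the thread or from Cisco) performs that comparison on ASA 8.x access-list syntax; the sample ACLs are constructed, and the peer ACL is deliberately left incomplete so the mirror check has something to report.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i] (any | host A | A MASK); return (network, next i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
def parse_acl(config, name):
    """Return [(src_net, dst_net)] for every 'access-list <name> ... permit ip SRC DST' line."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or "permit" not in t:
            continue
        i = t.index("permit")
        if t[i + 1:i + 2] != ["ip"]:  # L2L selectors here are whole-subnet 'ip' rules; skip others
            continue
        src, i = _addr(t, i + 2)
        dst, _ = _addr(t, i)
        aces.append((src, dst))
    return aces
def exempt_check(crypto, exempt):
    """Split crypto ACEs into (uncovered, broader_only): no exempt ACE covers them, or only a wider one does."""
    uncovered, broader_only = [], []
    for src, dst in crypto:
        if (src, dst) in exempt:          # exact twin present: what Diego asks for
            continue
        covering = [e for e in exempt if src.subnet_of(e[0]) and dst.subnet_of(e[1])]
        (broader_only if covering else uncovered).append((src, dst))
    return uncovered, broader_only

def not_mirrored(local_crypto, peer_crypto):
    """Local crypto ACEs whose exact (dst, src) mirror is absent from the peer's crypto ACL."""
    return [(s, d) for s, d in local_crypto if (d, s) not in peer_crypto]

# Constructed sample in the thread's ASA 8.x syntax: two Milan crypto ACEs plus the broad no_nat line.
MILAN = """access-list vpn_hk extended permit ip 192.168.2.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip any 192.168.0.0 255.255.0.0"""
# Constructed peer ACL that deliberately lacks the mirror of the 192.168.4.0/23 line.
HK = "access-list vpn_mi extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.254.0"

if __name__ == "__main__":
    crypto, exempt = parse_acl(MILAN, "vpn_hk"), parse_acl(MILAN, "no_nat")
    print("uncovered, broader-only:", exempt_check(crypto, exempt))
    print("missing mirror on peer:", not_mirrored(crypto, parse_acl(HK, "vpn_mi")))
```

Paste the real `show running-config access-list` output from both ASAs into the two strings to run the same checks against a live configuration.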
06-23-2010 02:45 PM
Hi Diego,
thanks for your help.
I've tried to make the config change that you've suggested but I have the same issue.
The very strange thing is that I can ping 192.168.210.0 hosts but not .200, which are managed by the same crypto map...
Do you have any other idea?
06-24-2010 05:19 AM
Ok... Soon I'll do a crash test of two ASA5510s by throwing them out the window...
I'm still trying to solve my problem without results.
It seems to be a NAT problem, but I've double-checked the NAT exceptions and they're right.
If I do a packet tracer from Milan everything is OK:
Result of the command: "packet-tracer input inside icmp 192.168.4.101 8 1 1 192.168.200.101"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.200.0 255.255.255.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.4.0 255.255.254.0 outside 192.168.200.0 255.255.255.0
NAT exempt
translate_hits = 760, untranslate_hits = 264
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.254.0
match ip inside 192.168.4.0 255.255.254.0 dmz any
static translation to 192.168.4.0
translate_hits = 0, untranslate_hits = 3862
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (xxxxxxxxxxx [Interface PAT])
translate_hits = 722540, untranslate_hits = 20773
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10657677, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Same results from HK:
Result of the command: "packet-tracer input inside icmp 192.168.200.101 8 1 1 192.168.4.101"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.200.0 255.255.255.0 outside 192.168.4.0 255.255.254.0
NAT exempt
translate_hits = 1250, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
match ip inside 192.168.200.0 255.255.255.0 dmz any
static translation to 192.168.200.0
translate_hits = 649, untranslate_hits = 7538
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (xxxxxxxxxxxxxxxxx [Interface PAT])
translate_hits = 140299, untranslate_hits = 28149
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 408170, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Moreover I've noticed a strange thing: in the crypto stats in Milan, I see that there are some bytes received but 0 sent. This could confirm the NAT problem, but I can't see anything wrong in the no_nat ACL...
The crypto map is up and apparently working.
This is from Milan:
Crypto map tag: partner-map, seq num: 10, local addr: xxxxxxxxxxxxxxxxxx
access-list vpn_hk extended permit ip 192.168.4.0 255.255.254.0 192.168.200.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.4.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: xxxxxxxxxxxxxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 474, #pkts decrypt: 474, #pkts verify: 474
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxxxxxxxxxxx, remote crypto endpt.: xxxxxxxxxxxxx
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EC2CAEEE
current inbound spi : 38E0C067
inbound esp sas:
spi: 0x38E0C067 (954253415)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2002944, crypto-map: partner-map
sa timing: remaining key lifetime (kB/sec): (4373965/24660)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFDFFFFFF
outbound esp sas:
spi: 0xEC2CAEEE (3962351342)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2002944, crypto-map: partner-map
sa timing: remaining key lifetime (kB/sec): (4374000/24660)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And this from HK:
Crypto map tag: partner-map, seq num: 10, local addr: xxxxxxxxxxxxx
access-list vpn_mi-rm permit ip 192.168.200.0 255.255.255.0 LAN-ROMA 255.255.254.0
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (LAN-ROMA/255.255.254.0/0/0)
current_peer: xxxxxxxxxxxxxxxxxxxx
#pkts encaps: 516, #pkts encrypt: 516, #pkts digest: 516
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 516, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxxxxxxxxxxx, remote crypto endpt.: xxxxxxxxxxxxxxxxx
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 38E0C067
inbound esp sas:
spi: 0xEC2CAEEE (3962351342)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1445888, crypto-map: partner-map
sa timing: remaining key lifetime (kB/sec): (3915000/24545)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x38E0C067 (954253415)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1445888, crypto-map: partner-map
sa timing: remaining key lifetime (kB/sec): (3914962/24545)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
The software versions are 8.2(2) in Milan and 8.0(4) in Hong Kong. Now I'm also searching for any known problems about NAT/VPN on these versions.
In the meantime, if anyone can give any suggestion, I thank him so much!
Regards,
Fabio
Message edited by Fabio Grasso
06-24-2010 06:58 AM
That's very strange. Can you post the whole config? Maybe I am not seeing something, an ACL on an interface or something.
06-24-2010 07:00 AM
Could you post a sh ip route from the router as well.
06-24-2010 08:16 AM
I've sent you a private message with the complete configuration.
This is the routing table of my router:
D 192.168.30.0/24 [90/3072] via 192.168.2.243, 1d07h, GigabitEthernet0/0.2
D EX 192.168.210.0/24
[170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S 192.168.8.0/24 [1/0] via 192.168.2.205
D 192.168.9.0/24
[90/281856] via 192.168.255.9, 1d07h, GigabitEthernet0/0.255
D 192.168.10.0/24 [90/3072] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D 192.168.40.0/24 [90/28416] via 192.168.4.201, 1d07h, GigabitEthernet0/0.4
D EX 192.168.200.0/24
[170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D 192.168.20.0/24 [90/3072] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
10.0.0.0/24 is subnetted, 4 subnets
D EX 10.0.9.0 [170/281856] via 192.168.255.9, 1d07h, GigabitEthernet0/0.255
D EX 10.10.4.0 [170/28416] via 192.168.4.201, 1d07h, GigabitEthernet0/0.4
D EX 10.10.100.0 [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S 10.10.200.0 [1/0] via 192.168.2.200
S 192.168.6.0/24 [1/0] via 192.168.2.205
D 192.168.7.0/24
[90/28416] via 192.168.255.4, 1d07h, GigabitEthernet0/0.255
[90/28416] via 192.168.4.244, 1d07h, GigabitEthernet0/0.4
[90/28416] via 192.168.2.244, 1d07h, GigabitEthernet0/0.2
C 192.168.255.0/24 is directly connected, GigabitEthernet0/0.255
D EX 192.168.0.0/24 [170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
D EX 192.168.100.0/24
[170/28416] via 192.168.2.201, 1d07h, GigabitEthernet0/0.2
S* 0.0.0.0/0 [1/0] via 192.168.2.110
C 192.168.4.0/23 is directly connected, GigabitEthernet0/0.4
C 192.168.2.0/23 is directly connected, GigabitEthernet0/0.2