06-24-2010 08:20 PM
Hi there,
I was setting up a remote access VPN on an ASA 5520. The client is able to connect; both the isakmp sa and ipsec sa have been established. But the client cannot access remote LAN resources.
1. nat 0 has been added.
2. Reverse-route checked. Could see a static route to the client on the ASA.
3. Status checked on client. With a continuous ping, encrypted packets were increasing. Packet sniffer shows only traffic out, no packets in.
4. Added a static route on the router connected to the ASA for the client address pool. Ping test results: .....
5. Ping from the ASA to the client, results: ?????
I've been stuck on it for three days; could anyone help me out with this?
Thanks in advance.
Best regards,
Victor
06-25-2010 01:31 AM
Victor,
Please enable management-access inside (if inside is your inside interface) and ping the inside interface of ASA.
You will also need to add a corresponding "icmp permit ..." entry to allow pings.
At the same time please inspect "show crypto ipsec sa" to see if decapsulations and encapsulations are increasing.
Marcin
06-25-2010 03:02 AM
Marcin,
Thanks for your reply.
show crypto ipsec sa shows des and en packets are both 0 !!!
Let me introduce more about the environment:
Test PC---- ASA ---L2L VPN-----ASA (RA VPN server) ------Test server
There is already an L2L tunnel running between the two offices. I configured the remote access VPN server on one side and tried to test the client on the other side.
I could see the dec and en packets increasing on the L2L tunnel while the RA tunnel is 0. Tested from the internet, the RA VPN works.
But I still don't understand why the traffic all goes under L2L, and no packets run under the RA tunnel. The peer (VPN client side) has the same address, so why is only one tunnel working?
Thanks,
Victor
06-25-2010 04:13 AM
Victor,
Just to confirm.
You are connecting from site 1 to the RA server in site 2, and site 1 already has an L2L tunnel with site 2.
So you have an L2L tunnel specifying that site 1 subnet to site 2 subnet should be encrypted. Both subnets are inside.
Normally RA vpn should connect to public IP address of site 2. So unless there's a crypto SA covering this on site 1 it should not be a problem.
OK so let's talk subnets.
What is encrypted in L2L, what is the subnet used by the RA client, etc.
06-27-2010 10:39 PM
Marcin,
The subnets encrypted in L2L are 172.16.0.0 -- 10.23.0.0, the RA clients are in the 10.16.0.0 network and were given the 192.168.254.0 network by the server on side 2.
I found a crypto sa on side 1 that the local ident and remote ident are the public IP address of two sides, I don't understand it, I think this is the problem? What is the usage of the crypto sa?
Thanks,
Victor
06-30-2010 08:33 AM
Victor,
Indeed, a typical L2L tunnel does not require public IP addresses to be put into the tunnel (unless some management considerations....?).
We can remove them on both sides and re-test, right?
Marcin
06-30-2010 11:44 PM
Marcin,
Sorry, I made a mistake: no, there isn't an ipsec sa with site 1 and site 2 public IPs, only LAN addresses. It's site 1 and site 3's public IPs that show in the ipsec sa.
But still, my question is, why public IPs?
Could you check the settings below and let me know your thoughts.
sh crypto ipsec sa shows:
crypto map tag: crymap, seq num 50, local addr 1.1.1.1
access-list oo_temp_crymap50 permit ip host 1.1.1.1 3.3.3.3
local ident 1.1.1.1/255.255.255.255
remote ident 3.3.3.3/255.255.255.255
current_peer: 3.3.3.3
pkts encaps: 0
pkts decaps: 0
local crypto endpt: 1.1.1.1, remote crypto endpt: 3.3.3.3
sh run shows:
crypto map crymap 50 match address k1
crypto map crymap 50 set connection-type originate-only
crypto map crymap 50 set peer 2.2.2.2 3.3.3.3 ---- Try 2 peers? If the first fails, then the second? Am I right here?
crypto map crymap 50 set transform-set ESP-AES-SHA
access-list k1 extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
Thanks,
Victor
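The check Marcin asks for above (are encaps/decaps moving, and which selector would claim a given flow) can be scripted against saved "show crypto ipsec sa" output. This is an added example, not code from the thread; the sample output is constructed from the thread's placeholder addresses (1.1.1.1, 3.3.3.3, 172.16.0.0, 10.23.0.0) with made-up counters for a second L2L entry.

```python
import ipaddress
import re

# Constructed sample modelled on the "sh crypto ipsec sa" lines quoted in the thread;
# seq 10 is a made-up L2L entry added so the selector check has something to match.
SAMPLE_SA_OUTPUT = """\
crypto map tag: crymap, seq num 50, local addr 1.1.1.1
local ident 1.1.1.1/255.255.255.255
remote ident 3.3.3.3/255.255.255.255
current_peer: 3.3.3.3
pkts encaps: 0
pkts decaps: 0
crypto map tag: crymap, seq num 10, local addr 1.1.1.1
local ident 172.16.0.0/255.255.0.0
remote ident 10.23.0.0/255.255.0.0
current_peer: 2.2.2.2
pkts encaps: 1500
pkts decaps: 1498
"""

SEQ_RE = re.compile(r"seq num (\d+)")
IDENT_RE = re.compile(r"^\s*(local|remote) ident (\S+)/(\S+)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
PKTS_RE = re.compile(r"pkts (encaps|decaps):\s*(\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per crypto map entry (SA)."""
    sas = []
    for line in text.splitlines():
        if m := SEQ_RE.search(line):
            sas.append({"seq": int(m.group(1)), "encaps": 0, "decaps": 0})
        elif m := IDENT_RE.match(line):
            # ASA prints a dotted netmask; ip_network accepts it with strict=False
            sas[-1][m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := PEER_RE.search(line):
            sas[-1]["peer"] = m.group(1)
        elif m := PKTS_RE.search(line):
            sas[-1][m.group(1)] = int(m.group(2))
    return sas

def idle_sas(sas):
    """Seq numbers of SAs that carried no traffic either way (the thread's 0/0 case)."""
    return [sa["seq"] for sa in sas if sa["encaps"] == 0 and sa["decaps"] == 0]

def covering_sas(sas, src, dst):
    """Seq numbers whose local/remote selectors claim a src->dst flow; empty means no tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [sa["seq"] for sa in sas if s in sa["local"] and d in sa["remote"]]
```

Feed it real output with the RA pool address as src to see whether an L2L selector, rather than the RA tunnel, is claiming the flow.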
07-01-2010 04:08 AM
Victor,
access-list oo_temp_crymap50
Indeed, normally I would not have expected to have public IPs there; maybe it's a question of multiple peers (another thing I probably haven't done since my CCIE).
Can you paste me whole "show crypto ipsec sa peer ..." ?
Regarding multiple peers, it will cycle between the two AFAIR:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238774
Marcin
07-01-2010 07:30 PM
Hi Marcin,
I sent you a private message about this, please have a check. I changed the real IP addresses and map names, but it should be the same for troubleshooting.
Thanks,
Victor