Problems with LAN to LAN VPN Config

Unanswered Question
Aug 26th, 2010

I am attempting to establish a site-to-site tunnel between an ASA 5505 device and a Cisco 2811 Router. I can get the tunnel established successfully, but have no connectivity between the two inside LANs. If I attempt to ping from one LAN to another, it times out in either direction. Can't use RDP either. I'm lost and need help. I've attached the running-configs from both endpoints. Any help would be greatly appreciated.

Federico Coto F... Thu, 08/26/2010 - 17:59

Hi,

Let's do one first troubleshooting step.

Enter this command on the ASA:

management-access inside

Then the following command on the ASA as well:

ping inside x.x.x.x (x.x.x.x should be the LAN IP of the router on the other end).

The opposite now...

On the router:

ping y.y.y.y source x.x.x.x (y.y.y.y is the LAN IP of the ASA and x.x.x.x is the LAN IP of the router).

Then, check the output of

sh cry ips sa

on both sides to check if we have packets encrypted/decrypted through the tunnel.

Federico.

kltconsulting Fri, 08/27/2010 - 07:14

I performed the ping from both sides, and then checked the output of sh cry ips sa. The 2811 produced the following output:

CISCO2811#ping 192.168.1.1 source 10.4.167.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.4.167.252
.....
Success rate is 0 percent (0/5)


CISCO2811#sh cry ips sa

interface: FastEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr <2811 Public IP>

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 28563, #pkts encrypt: 28563, #pkts digest: 28563
    #pkts decaps: 31635, #pkts decrypt: 31635, #pkts verify: 31635
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0

     local crypto endpt.: <2811 Public IP>, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x2CA3636D(748905325)

     inbound esp sas:
      spi: 0x9AA00F17(2594180887)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
--More--

The ASA produced the following output:

Result of the command: "sh cry ips sa"

interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr:

      access-list outside_20_cryptomap_1 permit tcp 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
      current_peer:
<2811 Public IP>

      #pkts encaps: 6237, #pkts encrypt: 6237, #pkts digest: 6237
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6237, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: , remote crypto endpt.: <2811 Public IP>

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 9AA00F17

    inbound esp sas:
      spi: 0x2CA3636D (748905325)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 12, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/3162)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x9AA00F17 (2594180887)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 12, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274992/3162)
         IV size: 8 bytes
         replay detection support: Y

gatlin007 Fri, 08/27/2010 - 13:02

Only TCP is allowed in the encryption domain.


access-list outside_20_cryptomap_1 extended permit tcp 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0


At least for troubleshooting, change this to 'permit ip' so that UDP and ICMP can cross the tunnel. Encryption domains should be based on IP, not the transport-layer protocol. If Layer 4 security is required, use ACLs on the interfaces.

Chris
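
The checks Federico and Chris describe above (compare the encaps/decaps counters on both sides, and look at what the crypto ACL actually permits), as an added Python example that is not part of this thread and not Cisco's own tooling. It parses the `local ident` / `remote ident` tuples and the `#pkts encaps` / `#pkts decaps` counters out of `show crypto ipsec sa` text from each peer, then flags a proxy identity narrower than `ip` (protocol field not 0, here 6 = TCP, which is why ICMP and RDP-unrelated UDP never enter the tunnel), a direction that encrypts but never decrypts, and proxy identities that do not mirror each other. The two sample outputs are excerpts of what kltconsulting posted, trimmed to the relevant lines; the "after changing the ACL to permit ip" case in the usage note is constructed.

```python
"""Sanity-check 'show crypto ipsec sa' output from both ends of a LAN-to-LAN tunnel.

Added example, not from the thread and not a Cisco tool.  It reads the ident
tuples and encaps/decaps counters from the show output of each peer and
reports the kinds of problems discussed above.
"""
import re

IDENT_RE = re.compile(
    r"(local|remote)\s+ident\s+\(addr/mask/prot/port\):\s*"
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# IP protocol numbers as they appear in the ident tuple; 0 means 'ip' (any protocol).
PROTO_NAMES = {0: "ip", 1: "icmp", 6: "tcp", 17: "udp"}


def parse_ipsec_sa(text):
    """Return idents and counters from one side's 'show crypto ipsec sa' text."""
    sa = {"local": None, "remote": None, "encaps": None, "decaps": None}
    for m in IDENT_RE.finditer(text):
        side, addr, mask, prot, port = m.groups()
        sa[side] = (addr, mask, int(prot), int(port))
    m = ENCAPS_RE.search(text)
    if m:
        sa["encaps"] = int(m.group(1))
    m = DECAPS_RE.search(text)
    if m:
        sa["decaps"] = int(m.group(1))
    return sa


def check_tunnel(side_a, side_b):
    """Compare two parsed SAs; return a list of findings (empty means it looks sane)."""
    findings = []
    for name, sa in (("A", side_a), ("B", side_b)):
        for which in ("local", "remote"):
            ident = sa[which]
            if ident is None:
                findings.append(f"{name}: no {which} ident found in output")
                continue
            prot = ident[2]
            if prot != 0:
                # A crypto ACL written with 'permit tcp' shows up here as prot 6:
                # only TCP is encrypted, ICMP and UDP are dropped before the tunnel.
                findings.append(
                    f"{name}: {which} ident restricted to "
                    f"{PROTO_NAMES.get(prot, prot)} (prot {prot}); "
                    "only that protocol crosses the tunnel"
                )
        if sa["encaps"] and not sa["decaps"]:
            findings.append(
                f"{name}: {sa['encaps']} packets encrypted but 0 decrypted; "
                "traffic leaves but nothing comes back"
            )
    # Proxy identities must mirror each other: A.local == B.remote and A.remote == B.local.
    if side_a["local"] and side_b["remote"] and side_a["local"] != side_b["remote"]:
        findings.append("proxy identity mismatch: A local ident != B remote ident")
    if side_a["remote"] and side_b["local"] and side_a["remote"] != side_b["local"]:
        findings.append("proxy identity mismatch: A remote ident != B local ident")
    return findings


# Excerpts of the two outputs posted in the thread, trimmed to the relevant lines.
ROUTER_OUTPUT = """\
   local  ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
    #pkts encaps: 28563, #pkts encrypt: 28563, #pkts digest: 28563
    #pkts decaps: 31635, #pkts decrypt: 31635, #pkts verify: 31635
"""

ASA_OUTPUT = """\
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
      #pkts encaps: 6237, #pkts encrypt: 6237, #pkts digest: 6237
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for finding in check_tunnel(parse_ipsec_sa(ROUTER_OUTPUT), parse_ipsec_sa(ASA_OUTPUT)):
        print("-", finding)
```

Run against the two excerpts it reports the TCP-only ident on both sides of both peers and the ASA's 6237-encrypted/0-decrypted asymmetry; rerun after the crypto ACLs are changed to `permit ip` on both ends (the ident tuples then show `/0/0`) and return traffic is visible, it returns no findings. Paste the full `show crypto ipsec sa` output rather than excerpts in real use; the regexes only look at the ident and counter lines.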
