08-26-2010 01:49 PM - edited 03-04-2019 09:33 AM
I am attempting to establish a site-to-site tunnel between an ASA 5505 device and a Cisco 2811 Router. I can get the tunnel established successfully, but have no connectivity between the two inside LANs. If I attempt to ping from one LAN to another, it times out in either direction. Can't use RDP either. I'm lost and need help. I've attached the running-configs from both endpoints. Any help would be greatly appreciated.
08-26-2010 05:59 PM
Hi,
Let's do one first troubleshooting step.
Enter this command on the ASA:
management-access inside
Then the following command on the ASA as well:
ping inside x.x.x.x (x.x.x.x should be the LAN IP of the router on the other end).
The opposite now...
On the router
ping y.y.y.y source x.x.x.x (y.y.y.y is the LAN IP of the ASA and x.x.x.x is the LAN IP of the router).
Then, check the output of
sh cry ips sa
on both sides to check if we have packets encrypted/decrypted through the tunnel.
Federico.
08-27-2010 07:14 AM
I performed the ping from both sides, and then checked the output of sh cry ips sa. The 2811 produced the following output:
CISCO2811#ping 192.168.1.1 source 10.4.167.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.4.167.252
.....
Success rate is 0 percent (0/5)
CISCO2811#sh cry ips sa
interface: FastEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr <2811 Public IP>
protected vrf: (none)
local ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
current_peer
PERMIT, flags={origin_is_acl,}
#pkts encaps: 28563, #pkts encrypt: 28563, #pkts digest: 28563
#pkts decaps: 31635, #pkts decrypt: 31635, #pkts verify: 31635
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 9, #recv errors 0
local crypto endpt.: <2811 Public IP>, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x2CA3636D(748905325)
inbound esp sas:
spi: 0x9AA00F17(2594180887)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
--More--
The ASA produced the following output:
Result of the command: "sh cry ips sa"
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr:
access-list outside_20_cryptomap_1 permit tcp 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
current_peer: <2811 Public IP>
#pkts encaps: 6237, #pkts encrypt: 6237, #pkts digest: 6237
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6237, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.:
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9AA00F17
inbound esp sas:
spi: 0x2CA3636D (748905325)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 12, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/3162)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x9AA00F17 (2594180887)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 12, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274992/3162)
IV size: 8 bytes
replay detection support: Y
08-27-2010 01:02 PM
Only TCP is allowed in the encryption domain.
access-list outside_20_cryptomap_1 extended permit tcp 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0
At least for troubleshooting change this to 'permit ip' so that UDP and ICMP can cross the tunnel for troubleshooting. Encryption domains should be based on IP not the transport layer protocol. If Layer 4 security is required use ACLs on the interfaces.
Chris
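Added example, not part of the thread or of any Cisco tooling: a small Python script that performs the two checks Federico and Chris describe above, but on pasted output instead of by eye. It parses the ident lines and packet counters from 'show crypto ipsec sa' on both the IOS router and the ASA, flags an encryption domain that is restricted to a single IP protocol (the thread's case, protocol 6 = TCP, so ICMP and UDP never match the crypto ACL), flags one-way traffic (one side encapsulating while the other decapsulates nothing), and rewrites the ASA crypto ACL to 'permit ip' as Chris recommends. The two sample outputs are trimmed excerpts constructed from the outputs pasted in the thread; the regexes and the function names are this example's own assumptions, not anything the devices provide.

```python
import re
from dataclasses import dataclass

# IP protocol numbers as they appear in the ident "prot" field; 0 means "ip" (any).
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Patterns assumed for the relevant lines of 'show crypto ipsec sa' (IOS and ASA).
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors:? (\d+)")
# ASA crypto ACL line: "access-list NAME [extended] permit PROTO ..."
ACL_RE = re.compile(r"^(access-list \S+ (?:extended )?permit )(\S+)( .*)$")


@dataclass
class SaSummary:
    local_net: str = ""
    remote_net: str = ""
    proto: int = 0          # protocol in the encryption domain; 0 = any IP protocol
    encaps: int = 0         # packets this side encrypted and sent into the tunnel
    decaps: int = 0         # packets this side received and decrypted
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(text: str) -> SaSummary:
    """Pull the encryption domain and packet counters out of one SA's output."""
    s = SaSummary()
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, prot, _port = m.groups()
            setattr(s, f"{side}_net", f"{addr}/{mask}")
            s.proto = int(prot)
        for m in PKTS_RE.finditer(line):
            setattr(s, m.group(1), int(m.group(2)))
        for m in ERR_RE.finditer(line):
            setattr(s, f"{m.group(1)}_errors", int(m.group(2)))
    return s


def diagnose(name_a: str, a: SaSummary, name_b: str, b: SaSummary) -> list:
    """Return human-readable findings for a pair of peers."""
    findings = []
    for name, sa in ((name_a, a), (name_b, b)):
        if sa.proto != 0:
            findings.append(
                f"{name}: encryption domain {sa.local_net} -> {sa.remote_net} is limited to "
                f"protocol {sa.proto} ({IP_PROTO.get(sa.proto, 'unknown')}); "
                f"ICMP and UDP will never match the crypto ACL")
        if sa.send_errors:
            findings.append(f"{name}: {sa.send_errors} send errors on the SA")
    # One-way traffic: packets leave one peer encrypted but are never decrypted by the other.
    for src_name, src, dst_name, dst in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if src.encaps > 0 and dst.decaps == 0:
            findings.append(
                f"{src_name} encapsulated {src.encaps} packets but {dst_name} decapsulated 0: "
                f"check the path between the peers and the crypto ACL on {dst_name}")
    return findings


def widen_crypto_acl(acl_line: str) -> str:
    """Rewrite a crypto ACL entry to 'permit ip', the fix recommended in the thread."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError("not a permit ACL line: " + acl_line)
    head, _proto, tail = m.groups()
    return f"{head}ip{tail}"


# Constructed excerpts of the outputs pasted in the thread (public IPs left as placeholders).
IOS_SAMPLE = """\
interface: FastEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr <2811 Public IP>
local ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
#pkts encaps: 28563, #pkts encrypt: 28563, #pkts digest: 28563
#pkts decaps: 31635, #pkts decrypt: 31635, #pkts verify: 31635
#send errors 9, #recv errors 0
"""
ASA_SAMPLE = """\
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (10.4.167.0/255.255.255.0/6/0)
#pkts encaps: 6237, #pkts encrypt: 6237, #pkts digest: 6237
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""
ASA_ACL = "access-list outside_20_cryptomap_1 extended permit tcp 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0"

if __name__ == "__main__":
    for f in diagnose("ASA", parse_ipsec_sa(ASA_SAMPLE), "2811", parse_ipsec_sa(IOS_SAMPLE)):
        print("-", f)
    print("suggested ACL:", widen_crypto_acl(ASA_ACL))
```

Run against the thread's outputs it reports the TCP-only encryption domain on both peers, the nine send errors on the 2811, and that the 2811 is encapsulating packets the ASA never decapsulates, which is what the failed pings look like from the counters.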
10-21-2010 08:43 AM
Any updates?