isakmp

Answered Question
Oct 5th, 2010

Gurus,


We are testing a site-to-site VPN between an ASA and a router. Our end can ping the other host from inside the ASA, but from our host we cannot.

When the ping is started from the host behind the ASA, there is no state at all in crypto isakmp sa.



thanks in advance for suggestions.

Rudresh V (Cisco Employee) Tue, 10/05/2010 - 04:09

Hi,


I think you are missing NAT exemption on either the ASA or the router, or both. You ideally need to exempt the VPN traffic from NATting.


For NAT exemption on ASA: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#NEX1

For NAT exemption on Router:


example:


ip nat inside source list NAT interface FastEthernet0/0 overload
!
! NAT ACL on the router: the deny for traffic bound for the ASA's LAN must come
! before the 'permit ... any', so VPN traffic is left untranslated and still
! matches the crypto ACL. 'ip nat inside source' matches traffic leaving the
! router's own LAN, so the source network is the one behind the router.
ip access-list extended NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any


wherein 192.168.1.0/24 is an example network behind the ASA and 10.0.0.0/24 is behind the router.


192.168.1.0/24----------ASA=====================router----------------10.0.0.0/24


Let me know if this helps,


Cheers,

Rudresh V

Correct Answer
Rudresh V (Cisco Employee) Tue, 10/05/2010 - 04:43

Hi,


OK, then if we have the NAT exemption correct, and we can ping the remote network from the inside interface of the ASA (correct me if I understood wrong here), you need to check whether the packets from the host are reaching the ASA when you ping (routing issue).

If routing is correct, then check the access lists on the inside interface of the ASA to see whether we are blocking the VPN traffic.

If the access lists are OK, then I suggest you run packet-tracer on the ASA as mentioned below, and share the output here:


example topology:


10.0.0.0/24-------ASA==========================router------------192.168.0.0/24



packet-tracer input inside icmp 10.0.0.10 8 0 192.168.0.10 detailed

(packet from inside to outside of the ASA; make sure you do not use the inside interface IP address of the ASA for packet-tracer, it fails. You can use any random IP address.)


packet-tracer input outside icmp 192.168.0.10 8 0 10.0.0.10 detailed

(packet from outside to inside)



Cheers,

Rudresh V

mirober2 (Cisco Employee) Tue, 10/05/2010 - 05:18

Hello,


If you're not seeing a phase 1 SA come up, try enabling 'debug crypto isakmp' and starting the ping again. You might also check the syslogs that are generated at the same time. This should give you some indication of why the tunnel is not coming up correctly.


Hope that helps.


-Mike

suthomas1 Tue, 10/05/2010 - 08:54

Thanks Rudresh & Mike,

I will get the ASA site personnel to try the trace; it may take a couple of days before they get to this. Meanwhile, a question: if the ASA has its LAN as 192.168.100.1/27 and the router 1841 has its LAN as 172.16.1.4/24, and the lists on both allow the following for the VPN,


ASA - acl extended permit ip 192.168.100.0 255.255.255.224 to 172.16.1.112 255.255.255.224

1841 - acl extended permit ip 172.16.1.112 255.255.255.224 192.168.100.0 255.255.255.224


will these hamper the described ping or VPN problem? Or should the interface IP of the router also be included?


Thanks in advance!
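Both the NAT-exemption ordering in Rudresh's reply above and the crypto ACL question in this post come down to first-match access-list evaluation, so here is one added example (Python, written for this edit; it is not code from the thread or from Cisco) that models both checks. It assumes the topology of Rudresh's reply (192.168.1.0/24 behind the ASA, 10.0.0.0/24 behind the router, with the router's NAT list written from the router's own LAN as source, since ip nat inside source matches inside-to-outside traffic) and the /27 networks from this post; the IOS-side entries use wildcard masks (0.0.0.31 is the wildcard for a /27), and the host addresses used as sample flows are constructed. Note that 172.16.1.112 is not on a /27 boundary, so the mask is applied bitwise, giving 172.16.1.96/27; the router's LAN address 172.16.1.4 is outside that range either way.

```python
"""Added example (not from the thread): first-match evaluation of the two access
lists a site-to-site IPsec tunnel depends on, using the addresses from the thread.
Host addresses used as sample flows are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Set, Tuple

Ace = Tuple[str, IPv4Network, IPv4Network]  # (action, source, destination)
ANY = IPv4Network("0.0.0.0/0")


def net(addr: str, mask: str, wildcard: bool = False) -> IPv4Network:
    """Network from an address/mask pair as typed on the device.

    IOS ACLs use wildcard masks (0 bits must match); ASA ACLs use subnet masks.
    Inverting explicitly avoids ipaddress treating the 0.0.0.0 wildcard of a
    'host' entry as a /0 netmask. strict=False applies the mask bitwise, which
    is how the ACL compares addresses (172.16.1.112/27 becomes 172.16.1.96/27).
    """
    m = int(IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF
    return IPv4Network((addr, str(IPv4Address(m))), strict=False)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"


def is_natted(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """'ip nat inside source list NAT ...' translates a flow only if NAT permits it."""
    return evaluate(nat_acl, src, dst) == "permit"


def enters_tunnel(crypto_acl: List[Ace], src: str, dst: str) -> bool:
    """A 'permit' in the crypto ACL marks the flow as interesting traffic, which
    is what triggers ISAKMP; an unmatched flow never brings the SA up."""
    return evaluate(crypto_acl, src, dst) == "permit"


def _permits(acl: List[Ace]) -> Set[Tuple[IPv4Network, IPv4Network]]:
    return {(s, d) for a, s, d in acl if a == "permit"}


def is_mirror(local: List[Ace], remote: List[Ace]) -> bool:
    """Crypto ACLs must be mirror images: each local permit must exist on the
    peer with source and destination swapped, and nothing extra on either side."""
    return _permits(local) == {(d, s) for s, d in _permits(remote)}


# Router NAT ACL for the topology in Rudresh's reply (192.168.1.0/24 behind the
# ASA, 10.0.0.0/24 behind the router). 'ip nat inside source' matches traffic
# leaving the router's LAN, so the source is the router-side network.
RTR_LAN = net("10.0.0.0", "0.0.0.255", wildcard=True)
ASA_LAN = net("192.168.1.0", "0.0.0.255", wildcard=True)
NAT_ACL = [("deny", RTR_LAN, ASA_LAN), ("permit", RTR_LAN, ANY)]
# The same two entries in the wrong order: 'permit ... any' matches first, the
# VPN flow gets PATed to the outside address and no longer matches the crypto ACL.
NAT_ACL_MISORDERED = list(reversed(NAT_ACL))

# Crypto ACLs from suthomas1's question: ASA side with subnet masks, 1841 side
# with the equivalent IOS wildcard (0.0.0.31 == /27).
ASA_CRYPTO = [("permit", net("192.168.100.0", "255.255.255.224"),
                         net("172.16.1.112", "255.255.255.224"))]
RTR_CRYPTO = [("permit", net("172.16.1.112", "0.0.0.31", wildcard=True),
                         net("192.168.100.0", "0.0.0.31", wildcard=True))]


def report() -> dict:
    """The checks worth running before reaching for packet-tracer (constructed hosts)."""
    return {
        "vpn_flow_exempt_from_nat": not is_natted(NAT_ACL, "10.0.0.10", "192.168.1.10"),
        "internet_flow_still_natted": is_natted(NAT_ACL, "10.0.0.10", "203.0.113.5"),
        "misordered_acl_nats_vpn_flow": is_natted(NAT_ACL_MISORDERED, "10.0.0.10", "192.168.1.10"),
        "crypto_acls_are_mirrors": is_mirror(ASA_CRYPTO, RTR_CRYPTO),
        "host_in_27_is_interesting": enters_tunnel(ASA_CRYPTO, "192.168.100.10", "172.16.1.120"),
        # The 1841's LAN address 172.16.1.4 is outside 172.16.1.96/27, so a ping
        # to it from the ASA side never matches the crypto ACL.
        "router_lan_ip_is_interesting": enters_tunnel(ASA_CRYPTO, "192.168.100.10", "172.16.1.4"),
    }


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check:32} {result}")
```

Running it prints which flows are exempt from NAT, which flows count as interesting traffic for the tunnel, and whether the two crypto ACLs mirror each other; the misordered NAT list is included only to show why the deny has to precede the permit. The same evaluator can be fed the real lines from a device's running config to compare what each peer will actually encrypt.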

suthomas1 Tue, 10/05/2010 - 18:39

Since the remote device is a router (1841), my thinking is that ESP/AH/NAT-T and ISAKMP-specific access lists are not required on the router.

Please suggest whether this is right, or correct the statement.


Thanks in advance.

suthomas1 Fri, 10/08/2010 - 01:15

Thanks all here.

This topic was fixed. The connection was established; there were some firewall devices at the remote end, unknown to the personnel there (strange, though).


It would help me if someone can throw some light on ways to reduce latency or improve performance over the VPN. It is used for transfers of animation drawings, and I am told those are quite heavy images.


thanks.
