cisco ASA5505 with dual ISP + IPSEC

Answered Question
Sep 19th, 2011

Hello guys,


I have a problem with dual ISP + IPSEC on my Cisco ASA5505 with Security Plus licence.

Routing is working correctly (connecting to the Internet from siteA works through the 1st and also the second ISP), but IPSEC is working only through the first ISP! It seems that phase 1 and 2 of IPSEC are correct, but packets are only being encrypted, not decrypted. Do you have any idea what is wrong?


I'm trying to ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50)



Thanks


config site A:

##########################################################################


ASA5505 Version 8.2(1)

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif internet
 security-level 0
 ip address 212.89.235.yy 255.255.255.248

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3

access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0

access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0

access-list inside extended permit ip any any
access-list inside extended permit icmp any any

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (internet) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 10.4.1.64 255.255.255.248

access-group internet_in in interface outside
access-group internet_in in interface internet

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254

snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 interface outside
crypto map outside_map0 interface internet

crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet

crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0

management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec

username xx

tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *





siteA# sh crypto isakmp sa d

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91

siteA# sh crypto ipsec sa
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B

    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024








config site B:

##########################################################################


ASA 5510 Version 8.0(4)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10

interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0

access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *

tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *




SiteB# sh crypto isakmp sa d

   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8   IKE Peer: 212.89.235.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245

SiteB# sh crypto ipsec sa | b 212.89.235.yy

      current_peer: 212.89.235.yy

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65

    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y

siteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
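The counters in the two `sh crypto ipsec sa` outputs above tell the story by themselves: siteA encapsulates 7 packets and decapsulates 0, siteB decapsulates 12 and encapsulates 0, so the echo replies are never sent back through this SA. The following parser is an added example (not from the original post and not a Cisco tool) that pulls those counters out of `show crypto ipsec sa` text and classifies each SA as bidirectional, tx-only, rx-only or idle, which is a quick first check whenever a tunnel "is up but does not pass traffic". The two sample outputs are constructed from the lines shown in this thread; real output contains many more lines, which the parser ignores.

```python
"""Parse ASA `show crypto ipsec sa` output and flag one-way tunnels.

Added example, not code from the original post or from Cisco. The sample
text is constructed from the counters quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: siteA's SA towards the peer (encrypts, never decrypts).
SAMPLE_SITEA = """\
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy
      current_peer: 212.89.229.xx
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed sample: siteB's SA for the same tunnel (decrypts, never encrypts).
SAMPLE_SITEB = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 212.89.229.xx
      current_peer: 212.89.235.yy
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    interface: str
    crypto_map: str
    seq: int
    peer: Optional[str] = None
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


_TAG_RE = re.compile(r"Crypto map tag: ([^,]+), seq num: (\d+)")
_PEER_RE = re.compile(r"current_peer: (\S+)")
_ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
_ERR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """One SaCounters per 'Crypto map tag' block; unknown lines are skipped."""
    records: List[SaCounters] = []
    interface = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface = line.split(":", 1)[1].strip()
            continue
        m = _TAG_RE.search(line)
        if m:
            records.append(SaCounters(interface, m.group(1), int(m.group(2))))
            continue
        if not records:
            continue  # counters before the first block header: ignore
        cur = records[-1]
        if m := _PEER_RE.search(line):
            cur.peer = m.group(1)
        elif m := _ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := _DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif m := _ERR_RE.search(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return records


def classify(sa: SaCounters) -> str:
    """tx-only = we encrypt but nothing comes back; rx-only = the reverse."""
    if sa.encaps and sa.decaps:
        return "bidirectional"
    if sa.encaps:
        return "tx-only"
    if sa.decaps:
        return "rx-only"
    return "idle"


def report(text: str) -> List[str]:
    return [f"{sa.interface} {sa.crypto_map}#{sa.seq} peer={sa.peer} "
            f"encaps={sa.encaps} decaps={sa.decaps}: {classify(sa)}"
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for sample in (SAMPLE_SITEA, SAMPLE_SITEB):
        print("\n".join(report(sample)))
```

A tx-only SA on one side paired with an rx-only SA on the other (as here) means the reply traffic exists but is leaving the far end through some other SA or in the clear, so the next thing to check is the far end's crypto map selection and routing rather than IKE.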

Bastien Migette Mon, 09/19/2011 - 02:33
User Badges: Cisco Employee

Hi Martin,

Did you apply the crypto map on the interface of siteB? I don't see any crypto map interface command in your config (whereas it's in siteA's config).

If you didn't apply the crypto map, also check whether the outbound route for SiteA is through the interface where the crypto map is applied.

martin.elias Mon, 09/19/2011 - 03:14

Sorry, yes it is also on siteB:

crypto map outside_map interface outside

Routing on siteA is working OK and the crypto map is applied on both interfaces.

martin.elias Mon, 09/19/2011 - 03:44

There is a mistake in the topology picture. I changed IP 212.89.236.xx to IP 212.89.229.xx and IP 194.228.44 to 192.168.1.2.

martin.elias Wed, 09/21/2011 - 01:25

I found the problem but don't know how to fix it now!

The problem is on siteB: the same ACL name "siteA" is used in both sequence numbers of crypto map "outside_map".


crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000


If I remove it:

no crypto map outside_map 9 match address SiteA

the IPSEC through the 2nd ISP on siteA works correctly.

Bastien Migette Wed, 09/21/2011 - 01:35
User Badges: Cisco Employee

Hello Martin,

Crypto map entries are evaluated sequentially; that means, as you have the same ACL on both entries, the traffic will always match seq #9 and be directed to the peer defined in that sequence. If you want to do active/standby IPSEC tunnels between your two ISPs, you can use multiple peers, like:


crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000


If you want to load-balance between your two ISPs, you will need different ACLs, e.g. sequence 9 for traffic directed to remote network 1 and sequence 10 for remote network 2; but in that case, if a remote peer is down, half of the traffic will be down.
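The following is an added example, not code from this thread or from Cisco: a small Python model of how an ASA selects a crypto map entry (the lowest sequence whose ACL permits the flow wins, and only that entry's peer list is used), plus a lint check that flags an ACL reused by several sequences of one map, which is exactly the siteB mistake above. The two config fragments are constructed from the siteB entries in this thread, before and after the multiple-peer change; the peer addresses keep the thread's xx/yy placeholders, so peers are handled as opaque strings.

```python
"""Model ASA crypto map selection and lint for ACLs shared across sequences.

Added example, not the thread's or Cisco's code. Configs below are
constructed from the siteB fragments in the thread.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed: siteB as posted, the same ACL on seq 9 and seq 10.
BROKEN_SITEB = """\
access-list SiteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
"""

# Constructed: the active/standby variant suggested in the thread.
FIXED_SITEB = """\
access-list SiteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
"""

_ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (\S+) (\S+) (\S+) (\S+)$")
_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")

Acls = Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]]
Entries = Dict[Tuple[str, int], Dict[str, object]]


def parse(config: str) -> Tuple[Acls, Entries]:
    """Collect ACL (src, dst) pairs and crypto map entries keyed by (map, seq)."""
    acls: Acls = defaultdict(list)
    entries: Entries = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := _ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := _MATCH_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {"acl": None, "peers": []})["acl"] = m.group(3)
        elif m := _PEER_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {"acl": None, "peers": []})["peers"] = m.group(3).split()
    return acls, entries


def acl_permits(acls: Acls, name: str, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls.get(name, []))


def lookup(acls: Acls, entries: Entries, map_name: str, src: str, dst: str
           ) -> Optional[Tuple[int, List[str]]]:
    """First (lowest) sequence whose ACL permits src->dst, with its peer list."""
    for (name, seq), e in sorted(entries.items()):
        if name == map_name and e["acl"] and acl_permits(acls, str(e["acl"]), src, dst):
            return seq, list(e["peers"])
    return None


def lint(entries: Entries) -> List[str]:
    """Flag an ACL referenced by more than one sequence of the same crypto map."""
    users: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        if e["acl"]:
            users[(name, str(e["acl"]))].append(seq)
    return [f"{name}: ACL {acl} matched by seq {seqs}; only seq {seqs[0]} can ever match, "
            f"so seq {seqs[1:]} and its peers are dead"
            for (name, acl), seqs in users.items() if len(seqs) > 1]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SITEB), ("fixed", FIXED_SITEB)):
        acls, entries = parse(cfg)
        print(label, lookup(acls, entries, "outside_map", "10.3.128.50", "10.4.1.66"))
        print(label, lint(entries) or "lint: ok")
```

Running it shows the reply from 10.3.128.50 to 10.4.1.66 landing on seq 9 with only 212.89.229.xx as peer in the broken config, and on seq 9 with both peers in the fixed one; the lint finding disappears after the fix. The same `lint` pass is worth running on any multi-ISP ASA config before relying on the second tunnel.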

Correct Answer
Bastien Migette Wed, 09/21/2011 - 02:31
User Badges: Cisco Employee

I'm glad that this answers your question; don't hesitate to mark the post as answered and rate useful posts.

Have a nice day.
