cisco ASA5505 with dual ISP + IPSEC

Answered Question
Sep 19th, 2011

Hello guys,

I have a problem with dual ISP + IPSEC on my cisco ASA5505 sec plus licence.

Routing is working correctly (connecting to the Internet from siteA works through the 1st and also the second ISP) but IPSEC is working just through the first ISP! It seems that phase 1 and 2 of IPSEC are correct but packets are just being encrypted, not decrypted. Do you have any idea what is wrong?

I'm trying to ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50).

Thanks

config site A:

##########################################################################

ASA5505 Version 8.2(1)

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif internet
 security-level 0
 ip address 212.89.235.yy 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.4.1.64 255.255.255.248
access-group internet_in in interface outside
access-group internet_in in interface internet
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface outside
crypto map outside_map0 interface internet
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username xx
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *

siteA# sh crypto isakmp sa d

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91

siteA# sh crypto ipsec sa

interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B

    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

siteA# sh logging asdm | i 10.3.128.50

6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024

config site B:

##########################################################################

ASA 5510 Version 8.0(4)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *

SiteB# sh crypto isakmp sa d

   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8   IKE Peer: 212.89.235.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245

SiteB# sh crypto ipsec sa | b 212.89.235.yy

      current_peer: 212.89.235.yy

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65

    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y

siteB# sh logging asdm | i 10.4.1.66

6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0

bmigette Mon, 09/19/2011 - 02:33

Hi Martin,

Did you apply the crypto map on the interface of siteB? I don't see any crypto map interface command in your config (whereas it's in siteA's config).

If you didn't apply the crypto map, also check if the outbound route to SiteA is through the interface where the crypto map is applied.

martin.elias Mon, 09/19/2011 - 03:14

Sorry, yes, it is also on siteB:

crypto map outside_map interface outside

Routing on siteA is working ok and the crypto map is applied on both interfaces.

martin.elias Mon, 09/19/2011 - 03:44

Mistake in topology on picture. I changed IP 212.89.236.xx to IP 212.89.229.xx

and IP 194.228.44 to 192.168.1.2

martin.elias Wed, 09/21/2011 - 01:25

I found the problem but don't know how to fix it now!

The problem is on siteB: the same ACL name "siteA" is used in both sequence numbers of crypto map "outside_map":

crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

If I remove:

no crypto map outside_map 9 match address SiteA

the IPSEC through the 2nd ISP on siteA works correctly.

bmigette Wed, 09/21/2011 - 01:35

Hello Martin,

Crypto map entries are evaluated sequentially; that means that, as you have the same ACL on both entries, the traffic will match seq #9 every time and be directed to the peer defined in that sequence. If you want to do active/standby IPSEC tunnels between your two ISPs, you can use multiple peers, like:

crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000

If you want to load balance between your two ISPs, you will need different ACLs, e.g. sequence 9 for traffic directed to remote network 1 and sequence 10 for remote network 2; but in that case, if a remote peer is down, half of the traffic will be down.
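The first-match behaviour that martin.elias ran into and bmigette explains above can be checked before a config is pushed. The script below is an added example written for this page, not code from the thread or from Cisco: it simulates the ascending-sequence walk over a crypto map, reports which entry a given source/destination pair would select, and lints a map for later sequences that are shadowed because an earlier sequence already uses the same ACL (by name or by identical network pairs). It assumes a first-match walk in ascending sequence order and only understands `access-list NAME extended permit ip SRC SMASK DST DMASK` lines; the three config snippets are constructed from the thread's site B values (the `xx`/`yy` peer octets are the thread's own masking, and `10.16.0.0/16` is the second remote network from site A's nonat ACL), covering the broken, the active/standby and the split-ACL forms discussed above.

```python
"""Added example (not from the thread or any Cisco tool): simulate the ASA's
first-match walk over crypto map sequence numbers and lint for sequences that
can never be selected. Assumptions of my own: ascending-order first match and a
minimal parser for 'access-list NAME extended permit ip SRC SMASK DST DMASK'."""
import ipaddress
import re

# Constructed snippets; network/peer values copied from the thread ('xx'/'yy'
# are the thread's own masked octets, kept as opaque peer tokens).
SITEB_BROKEN = """
access-list SiteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
"""

# Active/standby form bmigette suggests: one sequence, two peers.
SITEB_FIXED = """
access-list SiteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
"""

# Split form: one ACL per remote network, so each sequence is reachable.
SITEB_SPLIT = """
access-list SiteA_net1 extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
access-list SiteA_net2 extended permit ip 10.3.128.0 255.255.255.0 10.16.0.0 255.255.0.0
crypto map outside_map 9 match address SiteA_net1
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 10 match address SiteA_net2
crypto map outside_map 10 set peer 212.89.235.yy
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")


def parse(config):
    """Return (acls, maps). acls: name -> [(src_net, dst_net), ...].
    maps: map name -> {seq: {'acl': name, 'peers': [...]}} in ascending seq."""
    acls, maps = {}, {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, kind, rest = m.groups()
            entry = maps.setdefault(name, {}).setdefault(
                int(seq), {"acl": None, "peers": []})
            if kind == "match address":
                entry["acl"] = rest
            else:
                entry["peers"].extend(rest.split())
    # The ASA evaluates crypto map entries in ascending sequence order.
    return acls, {n: dict(sorted(e.items())) for n, e in maps.items()}


def acl_matches(acls, name, src, dst):
    """True if ACL `name` permits the src -> dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls.get(name, []))


def select_sequence(config, map_name, src, dst):
    """Return (seq, peers) of the first entry whose ACL matches src -> dst,
    or None when no entry matches (the traffic would leave unprotected)."""
    acls, maps = parse(config)
    for seq, entry in maps.get(map_name, {}).items():
        if entry["acl"] and acl_matches(acls, entry["acl"], src, dst):
            return seq, entry["peers"]
    return None


def shadowed_sequences(config, map_name):
    """Lint: (later_seq, earlier_seq) pairs where the later entry reuses the
    earlier entry's ACL, by name or by identical network pairs, and therefore
    can never be selected by the first-match walk."""
    acls, maps = parse(config)
    seen, hits = [], []
    for seq, entry in maps.get(map_name, {}).items():
        if entry["acl"] is None:
            continue
        pairs = frozenset(acls.get(entry["acl"], []))
        for earlier_seq, earlier_acl, earlier_pairs in seen:
            if entry["acl"] == earlier_acl or (pairs and pairs == earlier_pairs):
                hits.append((seq, earlier_seq))
                break
        seen.append((seq, entry["acl"], pairs))
    return hits


if __name__ == "__main__":
    for label, cfg in (("broken", SITEB_BROKEN), ("fixed", SITEB_FIXED), ("split", SITEB_SPLIT)):
        print(label, select_sequence(cfg, "outside_map", "10.3.128.50", "10.4.1.66"),
              "shadowed:", shadowed_sequences(cfg, "outside_map"))
```

With the broken snippet, the ping from 10.3.128.50 to 10.4.1.66 always lands on sequence 9 and the lint reports sequence 10 as shadowed; the two-peer form keeps a single reachable entry with both peers, and the split form sends each remote network to its own sequence. The identical-network comparison matters in practice: two ACLs with different names but the same lines shadow each other just as surely as reusing one name does.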

Correct Answer
bmigette Wed, 09/21/2011 - 02:31

I'm glad that this answers your question; don't hesitate to mark the post as answered and rate useful posts.

Have a nice day.

Posted September 19, 2011 at 2:16 AM