02-18-2012 02:20 PM - edited 03-11-2019 03:31 PM
Well, I've configured site-to-site VPNs using ASDM several times before and everything went smoothly using the IPsec wizard. Recently I got one ASA with version 8.2(1) and another with version 8.2(5); both are out of the box. The tunnel comes up normally if initiated from version 8.2(1), but no communication can come through; using Packet Tracer I noticed that the 8.2(5) ASA was dropping packets destined to the other site, though the access lists created by ASDM seemed fine.
I've also noticed that in Packet Tracer on version 8.2(1) these steps were listed:
Flow-Lookup -> Route-lookup -> IP-Options -> Nat-exempt -> Nat -> Nat -> Host-limit -> VPN -> flow-creation -> Result: The packet is allowed
While in version 8.2(5):
Access-list (which points to an access list that doesn't show in the access-list table, since it's a default rule, as a message window indicates when clicking "Show Rule" in the access table) -> Route-Lookup -> then it gets dropped by the inside network's implicit deny rule: (acl-drop) Flow is denied by configured rule
I appreciate any help concerning this issue. Here is the config of both ASAs. I've already checked whether there was a configuration mismatch and tried to find the changes in config between the two versions, but wasn't able to find anything significant. I also tried configuring through the CLI, but some commands I used were deprecated by Cisco, and I guess it might be something related to a default setting in version 8.2(5).
ASA Version 8.2(5)
Uses internal network: 192.168.10.0
ASA Version 8.2(1)
Uses internal network: 192.168.1.0
-----------------------------------------------------------------
ASA Version 8.2(5)
!
hostname xxxxx
domain-name xxxxxx
names
name 192.168.1.0 remote
!
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ppoe
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http remote 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group dsl request dialout pppoe
vpdn group dsl localname xxxxxx
vpdn group dsl ppp authentication chap
vpdn username xxxxxx password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.32 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
------------------------------------------------------------------------
ASA Version 8.2(1)
!
hostname yyyyy
domain-name yyyyyy
names
name 192.168.10.0 remote
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.101 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 remote 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 dmz
http 0.0.0.0 0.0.0.0 outside
http Remote 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
02-18-2012 06:57 PM
Hello Tarek,
The configuration looks good to me, but here is the thing:
I can see that you have the IP address on one site assigned via PPPoE; you should use a dynamic crypto map for this, as the other site does not know which will be your permanent IP address.
Regards,
Julio
02-19-2012 07:21 AM
I notice your non-working configuration has:
interface Ethernet0/0
switchport access vlan 2
...and the working one does not.
Also, when you initiate from the 8.2(5) side, what is your source address?
02-19-2012 08:45 AM
Didn't notice any route statements in the 8.2(5) config. Check your routing with a show route command?
Sent from Cisco Technical Support iPhone App
02-19-2012 05:24 AM
Thanks for your suggestion, but I'm getting assigned a permanent real IP through the ISP on the PPPoE connection, and the other site can initiate the tunnel. The issue is that the ASA with PPPoE and version 8.2(5) is not detecting 192.168.1.0 traffic from the inbound interface as VPN traffic, although I made sure that the "enable inbound IPsec sessions to bypass interface access lists" check box is checked in the site-to-site wizard and that NAT traversal is enabled, and I already have another site with a PPPoE-assigned IP and it's working fine.
On both sides, when I ping the internal IP of the other side from inside I get:
Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.1.101/0 to inside:192.168.10.1/0
I noticed that Cisco changed some options and features in version 8.2(5), and the DfltGrpPolicy isn't shown in the group policy field in ASDM, though it's assigned when I click on the edit section of the site-to-site connection. I'm not sure if this can have an effect on the tunnel, though I didn't change anything in its settings?
02-19-2012 06:36 AM
OK, I've captured the commands sent by both ASA versions and they are identical, so I guess it's something related to ASA 8.2(5) default settings. I followed Cisco's "Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions" but still no luck.
02-19-2012 09:07 AM
Yeah, I'm getting assigned the default route through the ISP's DHCP ("ip address pppoe setroute") and I have access to the internet through the firewall.
02-19-2012 09:11 AM
And thanks for your suggestion, Marvin, but I double-checked and I didn't copy the interface part of the configuration of the second ASA, so it's also assigned to VLAN 2, which is the outside VLAN.
But I guess it is related to the internal interface, since I changed the IP of the internal interface and packet-traced using the old internal IP 192.168.10.1 from inside to the other ASA's internal IP 192.168.1.1, and the tunnel came up successfully.
That is, I configured the internal network of ASA 8.2(5) to 7.7.7.0 and added networks 192.168.10.0 and 7.7.7.0 as inside networks in the site-to-site VPN configuration.
I've added the command management-access inside, which, unlike in older ASA versions, wasn't enabled, but it still didn't work.
02-28-2012 01:23 PM
I solved the issue last week and thought I'd post how I solved it so I can close the thread.
The symptoms I was having were similar to the ones listed in this document: PIX/ASA 7.2(1) and later: Intra-Interface Communications. Anyway, there isn't much difference between the two ASA versions I listed, other than that version 8.2(5) didn't have the management-access inside command. I also double-checked and corrected the NAT settings for the 7.x.x.x subnet that I created for testing, and that eventually got the tunnel working again.
Thank you all for your help and suggestions.
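As an added example (not code from the thread or from Cisco), the cross-check below parses the L2L-relevant commands from two pre-8.3 ASA configurations of the shape posted above and reports the mismatches the original post and the final resolution were chasing by eye: crypto ACLs that are not mirror images of each other, crypto ACL entries with no covering nat 0 (NAT-exemption) entry, a crypto map peer with no ipsec-l2l tunnel-group of that name, and different transform sets on the two crypto maps. The two sample configurations are constructed from the subnets in the thread; the peer addresses 203.0.113.10 and 198.51.100.20 are placeholders for the redacted ones, and the second scenario reproduces the resolution's 7.7.7.0 test subnet added to the crypto ACLs but left out of the NAT-exemption ACL on one side.

```python
"""Cross-check both ends of a pre-8.3 ASA site-to-site IPsec configuration.

Added example for this thread (not the poster's or Cisco's code). ACL lines are
expected in the "permit ip NET MASK NET MASK" form the ASDM L2L wizard writes.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class AsaConfig:
    names: dict = field(default_factory=dict)           # 'name ADDR LABEL' aliases
    acls: dict = field(default_factory=dict)            # acl name -> [(src_net, dst_net)]
    transform_sets: dict = field(default_factory=dict)  # name -> (esp cipher, esp auth)
    tunnel_groups: set = field(default_factory=set)     # ipsec-l2l tunnel-group names
    nat0_acl: str = ""
    crypto_acl: str = ""
    map_transform: str = ""
    peer: str = ""


def parse_asa(text):
    cfg = AsaConfig()
    net = lambda a, m: ipaddress.ip_network(f"{cfg.names.get(a, a)}/{m}", strict=False)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            cfg.names[m[2]] = m[1]
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg.acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg.nat0_acl = m[1]
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            cfg.crypto_acl = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            cfg.peer = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)$", line):
            cfg.map_transform = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line):
            cfg.transform_sets[m[1]] = (m[2], m[3])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            cfg.tunnel_groups.add(m[1])
    return cfg


def crosscheck(a, b, la="A", lb="B"):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    out = []
    ca, cb = set(a.acls.get(a.crypto_acl, [])), set(b.acls.get(b.crypto_acl, []))
    for label, mine, other, olabel in ((la, ca, cb, lb), (lb, cb, ca, la)):
        for s, d in mine - {(d, s) for s, d in other}:   # crypto ACLs must be mirror images
            out.append(f"{label}: crypto ACL {s} -> {d} has no mirror entry on {olabel}")
    for label, cfg in ((la, a), (lb, b)):
        nat0 = cfg.acls.get(cfg.nat0_acl, [])
        for s, d in cfg.acls.get(cfg.crypto_acl, []):
            # Without a covering nat 0 entry the flow is PATed by 'nat (inside) 1' to the
            # outside address, never matches the crypto ACL and so is never encrypted.
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in nat0):
                out.append(f"{label}: crypto ACL {s} -> {d} is not covered by nat 0 ACL '{cfg.nat0_acl}'")
        if cfg.peer and cfg.peer not in cfg.tunnel_groups:
            out.append(f"{label}: no 'tunnel-group {cfg.peer} type ipsec-l2l' for the crypto map peer")
    if a.transform_sets.get(a.map_transform) != b.transform_sets.get(b.map_transform):
        out.append("IPsec transform-set mismatch between the two crypto maps")
    return out


# Constructed from the subnets in the thread; 203.0.113.10 and 198.51.100.20 stand in
# for the redacted peer addresses.
SITE_A = """\
name 192.168.1.0 remote
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-DES-MD5
tunnel-group 203.0.113.10 type ipsec-l2l
"""
# The other end is the mirror image: LAN subnets swapped, peer address swapped.
SITE_B = (SITE_A.replace("name 192.168.1.0 remote", "name 192.168.10.0 remote")
                .replace("192.168.10.0 255.255.255.0", "192.168.1.0 255.255.255.0")
                .replace("203.0.113.10", "198.51.100.20"))


def baseline_findings():
    return crosscheck(parse_asa(SITE_A), parse_asa(SITE_B), "8.2(5)", "8.2(1)")


def missing_nat_exempt_findings():
    """Add the thread's 7.7.7.0/24 test LAN to both crypto ACLs but forget its nat 0 entry on one side."""
    a = SITE_A + "access-list outside_1_cryptomap extended permit ip 7.7.7.0 255.255.255.0 remote 255.255.255.0\n"
    b = SITE_B + ("access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 7.7.7.0 255.255.255.0\n"
                  "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 7.7.7.0 255.255.255.0\n")
    return crosscheck(parse_asa(a), parse_asa(b), "8.2(5)", "8.2(1)")
```

baseline_findings() returns an empty list for the mirrored pair, while missing_nat_exempt_findings() returns exactly one finding, for the 7.7.7.0/24 entry on the 8.2(5) side that is in the crypto ACL but not in inside_nat0_outbound. That is the condition the poster's own 8.2(1) trace makes visible: the Nat-exempt phase has to appear before the VPN phase in packet-tracer output, and a flow that is PATed instead never reaches it. The checker does not fill in ASA defaults and only understands the command forms shown, so treat a clean result as "nothing obvious", not as proof the tunnel will work.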