cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15024
Views
0
Helpful
8
Replies

Site-to-site VPN issue using ASA version 8.2(5)

Tarekeid1_2
Level 1
Level 1

Well I’ve configured site-to-site vpns using ASDM several times before and everything went smoothly using the ipsec wizard , recently I got one ASA with version 8.2(1) and another with version 8.2(5) both are out of the box . The tunnel comes up normally if initiated from version 8.2(1) but no communication can come through, since using packet tracer I noticed that the 8.2(5) version ASA was dropping packets destined to the other site, though the access lists created by asdm seemed fine.

I’ve also noticed that in packet tracer in version 8.2(1) these steps were listed:

Flow-Lookup->Route-lookup->IP-Options->Nat-exempt->Nat->Nat->Host-limit->VPN->flow-creation->Result- The packet is allowed

While in version 8.2(5)

Access-list (which points to an access list that doesn’t show in access list table since its default as a message window indicates when clicking on show rule in access table) -> Route-Lookup-> then gets dropped by the inside network implicit deny rule) (acl-drop) flow is denied by configured rule

I appreciate any help concerning this issue, here is the config of both ASAs, I’ve already checked if there was a configuration mismatch and tried finding the changes in config between the 2 versions but wasn’t able to find anything significant also tried configuring through CLI but some command I used were depreciated by cisco and I guess it might be something related to the default setting related to the 8.2(5) version

ASA Version 8.2(5)

Uses internal network: 192.168.10.0

ASA Version 8.2(1)

Uses internal network: 192.168.1.0

-----------------------------------------------------------------

ASA Version 8.2(5)

!

hostname xxxxx

domain-name xxxxxx

names

name 192.168.1.0 remote

!

interface Ethernet0/0

switchport access vlan 2

interface Vlan1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ppoe

ip address pppoe setroute

!

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxx

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http remote 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group dsl request dialout pppoe

vpdn group dsl localname xxxxxx

vpdn group dsl ppp authentication chap

vpdn username xxxxxx password ***** store-local

dhcpd auto_config outside

!

dhcpd address 192.168.10.5-192.168.10.32 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

------------------------------------------------------------------------

ASA Version 8.2(1)

!

hostname yyyyy

domain-name yyyyyy

names

name 192.168.10.0 remote

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.101 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 remote 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 remote 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.0.0.0 dmz

http 0.0.0.0 0.0.0.0 outside

http Remote 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer y.y.y.y

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y ipsec-attributes

pre-shared-key *

!

!

prompt hostname context

3 Accepted Solutions

Accepted Solutions

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Tarek,

The configuration looks good to me but here is the thing:

I can see that you have the ip address on one site assigned via PPOE, you should use a dynamic crypto map for this, as the other site does not know wich will be your permanent ip address.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

I notice your non-working configuration has:

interface Ethernet0/0

switchport access vlan 2

...and the working one does not.

Also, when you initiate from the 8.2(5) side, what is your source address?

View solution in original post

drewspot
Level 1
Level 1

Didn't notice any route statements in the 8.2(5) config. Check your routing with a show route command?

Sent from Cisco Technical Support iPhone App

View solution in original post

8 Replies 8

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Tarek,

The configuration looks good to me but here is the thing:

I can see that you have the ip address on one site assigned via PPOE, you should use a dynamic crypto map for this, as the other site does not know wich will be your permanent ip address.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your suggestion, but I'm getting assigned a permanent real IP through the ISP on ppoe connection and the other site can initiate the tunnel the issue is that the ASA with ppoe and version 8.2(5) is not detecting 192.168.1.0 traffic from inbound interface as vpn traffic although I made sure that the "enable inbound ipsec sessions to bypass interface access lists" check box is checked in site-to-site wizard and that nat traversal is enabled and I already have another site with a ppoe assigned IP and its working fine.

On both sides when I ping the internal ip of the other side from inside I get :

Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.1.101/0 to inside:192.168.10.1/0

I noticed that cisco changed some options and features in version 8.2(5) and the DfltGrpPolicy isn’t shown in the group policy field in asdm though its assigned when I click on the edit section on the site-to-site connection , I’m not sure if this can have an effect on the tunnel though I didn’t change anything in its settings ?

Tarekeid1_2
Level 1
Level 1

Ok I've captured the commands sent by both ASA versions and they are identical so I guess Its something related to ASA 8.2(5) defualt settings , I followed Cisco's Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions but still no luck

  •       access-list outside_1_cryptomap line 1 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
          tunnel-group x.x.x.x type ipsec-l2l
          tunnel-group x.x.x.x ipsec-attributes
            pre-shared-key **********
            isakmp keepalive threshold 10 retry 2
          crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
          crypto map outside_map 1 match address outside_1_cryptomap
          crypto map outside_map 1 set  peer  x.x.x.x
          crypto map outside_map 1 set  transform-set  ESP-DES-MD5
          crypto map outside_map interface  outside


  •       access-list outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
          tunnel-group x.x.x.x type ipsec-l2l
          tunnel-group x.x.x.x ipsec-attributes
            pre-shared-key **********
            isakmp keepalive threshold 10 retry 2
          crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
          crypto map outside_map 1 match address outside_1_cryptomap
          crypto map outside_map 1 set  peer  x.x.x.x
          crypto map outside_map 1 set  transform-set  ESP-DES-MD5
          crypto map outside_map interface  outside

I notice your non-working configuration has:

interface Ethernet0/0

switchport access vlan 2

...and the working one does not.

Also, when you initiate from the 8.2(5) side, what is your source address?

drewspot
Level 1
Level 1

Didn't notice any route statements in the 8.2(5) config. Check your routing with a show route command?

Sent from Cisco Technical Support iPhone App

yeh I’m getting assigned the default route through the ISPs dhcp “ip address pppoe setroute ” and I have access to internet through the firewall

Tarekeid1_2
Level 1
Level 1

And thanks for your suggestion Marvin, but I double checked and I didn’t copy the interface part of configuration of the second ASA so it’s also assigned to vlan2 which is the outside vlan

But I guess it is related to internal interface since I changed the IP of internal interface and packet traced using the old internal IP 192.168.10.1 from inside to the other ASA internal IP 192.168.1.1 and the tunnel came up successfully

That is I configured the internal network of ASA 8.2(5) to 7.7.7.0 and added networks 192.168.10.0 and 7.7.7.0 as inside networks in site-to-site vpn configuration

  • When I packet trace with source 192.168.10.1 (configured on vpn as internal but not assigned to inside vlan1) to destination 192.168.1.1 (internal ip of ASA 8.2(1)) the tunnel comes up
  • When I packet trace with source 7.7.7.7 1 (configured on vpn as internal and assigned to inside vlan1) to destination 192.168.1.1 the tunnel doesn’t initiate and packet gets dropped


I’ve added command management-access inside which unlike older ASA versions it wasn’t enabled but still it didn’t work

I've solved the issue  last week  and thought I'll post how I solved it so I can close the thread

the symptoms I was having was similar to the ones listed in this document PIX/ASA 7.2(1) and later: Intra-Interface Communications anyway there isn't much difference between the 2 ASA versions I listed, other than that version 8.5(2) did't have the management-access inside command , I've also double checked and corrected the NAT settings for the 7.x.x.x subnet that I created for testing and that eventually got the tunnel working again.

Thank you all for your help and suggestions

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: