Cisco ASA IPSEC VPN Tunnel not Passing traffic

Answered Question
Oct 21st, 2014

Hi Guys

I am trying to set up a new IPsec VPN connection between a Cisco ASA 5520 (version 8.4(4)) and a Checkpoint firewall. I have successfully established the IKE and IPsec phases and I can see the tunnel is UP, but I can't see any traffic going through the tunnel. I have verified the crypto map at both ends and am trying to test using a continuous ping from the inside network of the ASA.

I have done a capture for ICMP packets but cannot see them on the ASA. I have allowed ICMP on the inside interface of the ASA.

I have done a packet tracer and it ends with the vpn-filter dropping packets, but I cannot see any filter configured.

Your help is much appreciated.

Thanks

Karsten Iwen Tue, 10/21/2014 - 04:13

Try configuring an ACL with "permit ip any any" and attaching it as a vpn-filter to the group-policy in use. That typically solves the problem when packet-tracer shows a drop in the vpn-filter.

 

vinovinom Tue, 10/21/2014 - 05:38

Hi, many thanks for your reply. Below is the last output when I run packet tracer from the CLI.

I believe that the packets are not being encrypted or hitting the crypto access lists. Is that because there is no NAT 0 configuration? Doesn't the ASA automatically create one? Or am I looking in the wrong area for troubleshooting?

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7c603ce8, priority=70, domain=encrypt, deny=false
        hits=6, user_data=0x0, cs_id=0x87a97aa8, reverse, flags=0x0, protocol=1
        src ip/id=10.155.176.0, mask=255.255.255.0, icmp-type=0
        dst ip/id=192.168.101.0, mask=255.255.255.0, icmp-code=0, dscp=0x0
        input_ifc=any, output_ifc=outside

 

cisco.met.co.uk Tue, 10/21/2014 - 05:55

No, the ASA won't "automatically" create a NAT negate rule; you might want to NAT.

Have you looked at the output of sh crypto ipsec sa to see if packets are being encrypted/decrypted?

 

vinovinom Tue, 10/21/2014 - 06:07

Hi

I have looked into the IPsec SA and the output is as below, but I cannot see any traffic being encrypted or decrypted.

internetasa# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map1, seq num: 1, local addr: 194.168.166.1

      access-list outside_cryptomap extended permit tcp 10.155.176.0 255.255.255.0 192.168.101.0 255.255.255.0 range 9005 9015
      local ident (addr/mask/prot/port): (10.155.176.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/6/9010)
      current_peer: 94.199.235.225

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 194.168.166.1/0, remote crypto endpt.: 94.199.235.225/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: F94D0033
      current inbound spi : 1BB937BF

    inbound esp sas:
      spi: 0x1BB937BF (465123263)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 242356224, crypto-map: outside_map1
         sa timing: remaining key lifetime (kB/sec): (4374000/27493)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xF94D0033 (4182573107)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 242356224, crypto-map: outside_map1
         sa timing: remaining key lifetime (kB/sec): (4374000/27493)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
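
As an added example (not posted in the thread and not Cisco code): a small Python helper that parses a trimmed, constructed copy of the show crypto ipsec sa output above, flags an SA whose encaps/decaps counters are both zero, and checks whether a given test flow would even be selected by the crypto ACL. Note that the ACL posted permits only TCP 9005-9015, so an ICMP ping is not a flow that this SA would carry.

```python
import ipaddress
import re

# Constructed sample, cut down from the "sh crypto ipsec sa" output posted in the thread.
SAMPLE_SA = """\
      access-list outside_cryptomap extended permit tcp 10.155.176.0 255.255.255.0 192.168.101.0 255.255.255.0 range 9005 9015
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ACL_RE = re.compile(
    r"access-list \S+ extended permit (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
    r"(?: range (?P<lo>\d+) (?P<hi>\d+)| eq (?P<eq>\d+))?")
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

def parse_sa(text):
    """Pull the crypto ACL (ip/icmp/tcp/udp, optional eq/range) and counters from one SA block."""
    m = ACL_RE.search(text)
    if not m:
        raise ValueError("no crypto ACL line found")
    lo, hi, eq = m.group("lo", "hi", "eq")
    ports = (int(lo), int(hi)) if lo else ((int(eq), int(eq)) if eq else None)
    return {
        "proto": PROTO_NUM[m.group("proto")],
        "src": ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}"),
        "dst": ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}"),
        "ports": ports,
        "encaps": int(re.search(r"#pkts encaps: (\d+)", text).group(1)),
        "decaps": int(re.search(r"#pkts decaps: (\d+)", text).group(1)),
    }

def flow_matches(sa, proto, src, dst, dport=None):
    """True if the flow is selected by the crypto ACL and so would be encrypted."""
    if sa["proto"] is not None and sa["proto"] != proto:
        return False
    if ipaddress.ip_address(src) not in sa["src"] or ipaddress.ip_address(dst) not in sa["dst"]:
        return False
    if sa["ports"] and (dport is None or not sa["ports"][0] <= dport <= sa["ports"][1]):
        return False
    return True

def diagnose(text, proto, src, dst, dport=None):
    """Findings for a tunnel that is up but shows zero traffic in both directions."""
    sa = parse_sa(text)
    checks = [
        (sa["encaps"] == 0 and sa["decaps"] == 0, "SA is up but nothing encapsulated or decapsulated"),
        (not flow_matches(sa, proto, src, dst, dport), "test flow does not match the crypto ACL"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run diagnose() against a pasted SA block with the protocol number, source, destination and port of the flow you are testing; an empty list means the flow should at least be offered to the tunnel.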

Correct Answer
cisco.met.co.uk Tue, 10/21/2014 - 06:18

You will probably need to add the NAT negate statements, something like:

object-group network OBJ-LOCAL
 network-object 10.155.176.0 255.255.255.0
object-group network OBJ-REMOTE
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp

As you are running 8.4, nat 0 has been deprecated.

vinovinom Tue, 10/21/2014 - 06:34

Hi

Adding the NAT exemption did have an impact: it now passes the NAT check in packet tracer, but it is still dropped by the VPN-user access list. Any ideas?

Thanks

cisco.met.co.uk Tue, 10/21/2014 - 07:19

Hi

What's the VPN-user ACL? An outbound ACL on the inside interface, or something else?

If possible, could you post a sanitized config?

vinovinom Tue, 10/21/2014 - 08:56

Hi

I got it working and it was quite unusual.

1. I changed the crypto access list to a /19 rather than a /24 and tested it, and started seeing encrypted packets but not decrypted packets. Problem still existed.

2. Confirmed with the other end and enabled PFS (group 5) and tested again. This time packets were not encrypted/decrypted. Problem still existed.

3. Removed PFS at both ends and tested again. Packets got encrypted and decrypted. Problem resolved.

4. Turned PFS back on at both ends and tested again. Packets got encrypted and decrypted. Problem resolved.

For some reason this happened and I cannot say why. Maybe the remote site access list wasn't configured properly and they haven't realised it?

Thanks for all your input in this regard.

cisco.met.co.uk Tue, 10/21/2014 - 09:02

Great news, vinovinom.

The debug crypto isakmp 255 and debug crypto ipsec 255 commands can help in determining phase 1 and phase 2 problems. There can be a lot of output in the debugs, but a good root around usually helps in diagnosing the issue.

Glad I could give some input.


vinovinom Wed, 10/22/2014 - 02:17

Hi

I would like to get advice on static NAT. The customer would like to NAT around 60 IP addresses one-to-one and they want this implemented on the ASA. Is this an efficient way of doing it, or are there other options?

Thanks

vinovinom Tue, 10/21/2014 - 05:52

Also, I had added "any" as you suggested into the group policy and now it's denied differently, as below:

Phase: 6
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x731b7b38, priority=12, domain=vpn-user, deny=true
        hits=19011, user_data=0x6f6ed740, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

 

 

Thanks
