04-24-2017 11:54 AM
Hi guys,
I set up a S2S VPN between an ASA and Azure, but when I run the command "show crypto ikev1 sa" it returns "There are no ikev1 sa", and when I try to ping Google DNS to test the connectivity with the Internet, it doesn't work.
All pings work, Host><ASA><Gateway.
I tried almost everything I found on the Internet about these problems (inspect icmp, twice NAT, PAT, etc.) but nothing solved them.
So here is my config: https://pastebin.com/QKqPQZXc
04-24-2017 01:41 PM
There is no default gateway on the ASA. Please add default gateway and it should work fine:
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
x.x.x.x - default gateway ip address.
HTH
-
AJ
04-24-2017 02:35 PM
Yes, you're right, I will try that tomorrow, thanks.
04-25-2017 01:16 AM
Alright, I can now ping Internet, but I still have the "There are no ikev1 sa" error.
04-25-2017 05:08 AM
To see that output, you would need to enable some traffic. Try to ping a known destination across the sites and see if you can see that output.
-AJ
04-25-2017 11:01 AM
What do you mean by output?
I can ping the ASA from a host, I can also ping the gateway from the ASA and I can ping Internet from the ASA.
04-25-2017 11:07 AM
That's not what I am saying. I meant that to make the IPsec tunnel live, you need to trigger some traffic. And that traffic needs to be from your subnet to the network on the Azure site.
HTH
-
AJ
04-25-2017 11:11 AM
Alright, but I have already tried to ping a VM in Azure from a host, and it didn't work.
04-25-2017 11:13 AM
Could you please run packet-tracer using your subnet as the source and the Azure subnet as the destination.
-
AJ
04-25-2017 11:19 AM
Like that: packet-tracer input inside icmp 172.18.64.2 8 0 10.0.1.4 ?
04-25-2017 11:20 AM
yeah, or try for tcp traffic like
packet-tracer input inside tcp 172.18.64.2 3344 10.0.1.4 80 det
04-25-2017 11:41 AM
Got it, I will try this tomorrow, thanks.
04-26-2017 01:29 AM
packet-tracer input inside icmp 172.18.64.2 8 0 10.0.1.4 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.1.4/0 to 10.0.1.4/0
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
Static translate 172.18.64.2/0 to 172.18.64.2/0
Forward Flow based lookup yields rule:
in id=0xb5bf78c8, priority=6, domain=nat, deny=false
hits=3, user_data=0xb61ba6a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb545a650, priority=0, domain=nat-per-session, deny=true
hits=13, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb5bb46d8, priority=0, domain=inspect-ip-options, deny=true
hits=17, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb61ab210, priority=70, domain=inspect-icmp, deny=false
hits=5, user_data=0xb61a9ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb5bb4178, priority=66, domain=inspect-icmp-error, deny=false
hits=5, user_data=0xb5bb3798, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xb61ba398, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x342c, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
Forward Flow based lookup yields rule:
out id=0xb5779058, priority=6, domain=nat-reverse, deny=false
hits=4, user_data=0xb5be9460, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xb5777fc0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=4, user_data=0x5fa4, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xb545a650, priority=0, domain=nat-per-session, deny=true
hits=15, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xb5b8cc28, priority=0, domain=inspect-ip-options, deny=true
hits=21, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
04-26-2017 02:37 AM
show crypto ipsec sa peer 52.178.X.X
peer address: 52.178.X.X
Crypto map tag: s2s-crypto-map, seq num: 1, local addr: 84.199.X.X
access-list s2s-vpn-acl extended permit ip 172.18.64.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (172.18.64.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
current_peer: 52.178.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 84.199.X.X/0, remote crypto endpt.: 52.178.X.X/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FE082EF0
current inbound spi : EFB9A569
inbound esp sas:
spi: 0xEFB9A569 (4021921129)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: s2s-crypto-map
sa timing: remaining key lifetime (kB/sec): (97200000/3472)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFE082EF0 (4261949168)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: s2s-crypto-map
sa timing: remaining key lifetime (kB/sec): (97200000/3472)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
04-26-2017 06:07 AM
I have added the nat command under the object group onPremNetwork, and like that, the tunnel seems to work.
The "show crypto ikev1 sa" command tells me that the tunnel is active now, but I still can't access the Azure network.
Also, do I need to keep the dynamic NAT (PAT) since I'm not using the firewall to access the Internet but only for accessing the VPN?
I have this ACL that I use with my crypto map : access-list s2s-vpn-acl extended permit ip object onPremNetwork object azureNetwork
But do I need to add a second ACL that permits the reverse: access-list s2s-vpn-acl extended permit ip object azureNetwork object onPremNetwork ?
EDIT: It works now, I just had to wait (quite a bit). Thanks for your help.
packet-tracer input inside tcp 172.18.64.2 3344 10.0.1.4 80 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.1.4/50 to 10.0.1.4/50
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
Static translate 172.18.64.2/3344 to 172.18.64.2/3344
Forward Flow based lookup yields rule:
in id=0xb5bf78c8, priority=6, domain=nat, deny=false
hits=2, user_data=0xb61ba6a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb5458090, priority=0, domain=nat-per-session, deny=false
hits=22, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb5bb46d8, priority=0, domain=inspect-ip-options, deny=true
hits=16, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xb61ba398, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x342c, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
Forward Flow based lookup yields rule:
out id=0xb5779058, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0xb5be9460, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xb5777fc0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=3, user_data=0x5fa4, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xb5458090, priority=0, domain=nat-per-session, deny=false
hits=24, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xb5b8cc28, priority=0, domain=inspect-ip-options, deny=true
hits=20, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
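Added example, not from the thread or from Cisco: a small Python parser for ASA packet-tracer output in the layout of the two traces above. It reports the first phase that returns DROP, and otherwise confirms that a VPN/encrypt phase matched, i.e. that the flow is actually being sent into the IPsec tunnel rather than leaving the outside interface unencrypted. The sample trace is constructed and abbreviated.

```python
import re

# Constructed, abbreviated trace in the same layout as the thread's packet-tracer output
SAMPLE = """packet-tracer input inside icmp 172.18.64.2 8 0 10.0.1.4 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

def parse_phases(text):
    """Return one dict per 'Phase: N' block with its Type, Subtype and Result."""
    phases, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(cur)
        elif line == "Result:":  # bare 'Result:' opens the summary block; phases are over
            cur = None
        elif cur is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    cur[key.lower()] = line.split(":", 1)[1].strip()
    return phases

def check_vpn_path(text):
    """(ok, reason): first DROP phase if any, else whether a VPN/encrypt phase matched."""
    phases = parse_phases(text)
    for p in phases:
        if p["result"].upper() == "DROP":
            return False, f"dropped in phase {p['phase']} ({p['type']}/{p['subtype'] or '-'})"
    if not any(p["type"] == "VPN" and p["subtype"] == "encrypt" for p in phases):
        return False, "no VPN encrypt phase: flow would leave 'outside' in the clear"
    return True, "flow allowed and matched the IPsec encrypt rule"
```

Paste a full `packet-tracer ... detailed` output into `check_vpn_path` to get the same verdict for a real trace.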