10-15-2014 06:59 AM - edited 03-11-2019 09:56 PM
Hello,
I have an IPSEC tunnel to a vendor who I can reach, and I see encaps/decaps. When he tries to ping my IP 192.168.26.10, I decap but can't encap. Can anyone assist?
Cleaned-up config below. Please let me know if anyone wants to see more.
!
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 209.120.152.138 255.255.255.248
!
interface GigabitEthernet0/1
nameif Inside
security-level 90
ip address 172.31.2.89 255.255.255.252
!
!
boot system disk0:/asa841-k8.bin
ftp mode passive
access-list Outside_cryptomap extended permit ip host 10.121.4.2 host 212.247.19.43
access-list Outside_cryptomap extended permit ip host 192.168.25.10 host 212.247.19.43
access-list Outside_cryptomap extended permit ip host 192.168.26.10 host 212.247.19.43
access-list Outside_cryptomap extended permit ip host 209.120.152.138 host 212.247.19.46
nat (Inside,Outside) source dynamic my-inside-net interface
nat (InternetAccess,Outside) source dynamic InternetAccess interface
nat (InternetAccess,Outside) source dynamic Wireless interface
nat (VPN_IN,Outside) source static VPN OBJ-OUTSIDE-NETWORKS
!
route Outside 0.0.0.0 0.0.0.0 209.120.152.137 1
route InternetAccess 192.168.1.0 255.255.255.0 192.168.51.2 1
route InternetAccess 192.168.9.0 255.255.255.0 192.168.51.2 1
route InternetAccess 192.168.10.0 255.255.255.0 192.168.51.2 1
crypto ipsec ikev1 transform-set officevpn esp-aes-256 esp-sha-hmac
crypto map vendor 1 match address Outside_cryptomap
crypto map vendor 1 set peer 212.247.19.42
crypto map vendor 1 set ikev1 transform-set officevpn
crypto map vendor interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
tunnel-group vendor type ipsec-l2l
tunnel-group 212.247.19.42 type ipsec-l2l
tunnel-group 212.247.19.42 ipsec-attributes
ikev1 pre-shared-key *****
!
Show commands
interface: Outside
Crypto map tag: tbricks, seq num: 1, local addr: 209.120.152.138
access-list Outside_cryptomap extended permit ip host 192.168.26.10 host 212.247.19.43
local ident (addr/mask/prot/port): (192.168.26.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.247.19.43/255.255.255.255/0/0)
current_peer: 212.247.19.42
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 134664, #pkts decrypt: 134664, #pkts verify: 134664
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.120.152.138/0, remote crypto endpt.: 212.247.19.42/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DD73567E
current inbound spi : F5809969
inbound esp sas:
spi: 0xF5809969 (4118845801)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: tbricks
sa timing: remaining key lifetime (kB/sec): (3914506/13686)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDD73567E (3715323518)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: tbricks
sa timing: remaining key lifetime (kB/sec): (3915000/13686)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: tbricks, seq num: 1, local addr: 209.120.152.138
access-list Outside_cryptomap extended permit ip host 209.120.152.138 host 212.247.19.46
local ident (addr/mask/prot/port): (209.120.152.138/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.247.19.46/255.255.255.255/0/0)
current_peer: 212.247.19.42
#pkts encaps: 522, #pkts encrypt: 522, #pkts digest: 522
#pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 522, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.120.152.138/0, remote crypto endpt.: 212.247.19.42/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 52B73700
current inbound spi : 6456A473
inbound esp sas:
spi: 0x6456A473 (1683399795)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: tbricks
sa timing: remaining key lifetime (kB/sec): (3914313/28366)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x52B73700 (1387738880)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: tbricks
sa timing: remaining key lifetime (kB/sec): (3914958/28366)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thank you in advance
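The symptom in the post (decaps climbing, encaps stuck at zero on one crypto map entry while the other entry is healthy) is easy to miss in a long "show crypto ipsec sa" dump. The script below is an added example, not from the thread or from Cisco: it parses that output into one record per crypto map entry and classifies each as bidirectional, decap-only, encap-only or idle. The sample text is constructed from a trimmed copy of the show output above; the record fields and status labels are my own naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the 'show crypto ipsec sa' output posted above.
SAMPLE_OUTPUT = """\
interface: Outside
Crypto map tag: tbricks, seq num: 1, local addr: 209.120.152.138
access-list Outside_cryptomap extended permit ip host 192.168.26.10 host 212.247.19.43
local ident (addr/mask/prot/port): (192.168.26.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.247.19.43/255.255.255.255/0/0)
current_peer: 212.247.19.42
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 134664, #pkts decrypt: 134664, #pkts verify: 134664
#send errors: 0, #recv errors: 0
Crypto map tag: tbricks, seq num: 1, local addr: 209.120.152.138
access-list Outside_cryptomap extended permit ip host 209.120.152.138 host 212.247.19.46
local ident (addr/mask/prot/port): (209.120.152.138/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.247.19.46/255.255.255.255/0/0)
current_peer: 212.247.19.42
#pkts encaps: 522, #pkts encrypt: 522, #pkts digest: 522
#pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
#send errors: 0, #recv errors: 0
"""


@dataclass
class IpsecSa:
    """One crypto map entry from the show output (field names are my own)."""
    crypto_map: str
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int


# One regex per field we care about; each is anchored so that e.g. the
# '#pkts not compressed' and '#decapsulated frgs' lines do not match.
_PATTERNS = {
    "crypto_map": re.compile(r"^Crypto map tag: (\S+),"),
    "local_ident": re.compile(r"^local ident .*?: \((.+)\)$"),
    "remote_ident": re.compile(r"^remote ident .*?: \((.+)\)$"),
    "peer": re.compile(r"^current_peer: (\S+)"),
    "encaps": re.compile(r"^#pkts encaps: (\d+)"),
    "decaps": re.compile(r"^#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"^#send errors: (\d+)"),
}


def _finish(fields: Dict[str, str]) -> IpsecSa:
    return IpsecSa(
        crypto_map=fields.get("crypto_map", "?"),
        local_ident=fields.get("local_ident", "?"),
        remote_ident=fields.get("remote_ident", "?"),
        peer=fields.get("peer", "?"),
        encaps=int(fields.get("encaps", 0)),
        decaps=int(fields.get("decaps", 0)),
        send_errors=int(fields.get("send_errors", 0)),
    )


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split 'show crypto ipsec sa' output into one record per 'Crypto map tag' block."""
    sas: List[IpsecSa] = []
    fields: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            if fields is not None:
                sas.append(_finish(fields))
            fields = {}
        if fields is None:
            continue  # header lines before the first crypto map block
        for key, pat in _PATTERNS.items():
            m = pat.match(line)
            if m:
                fields[key] = m.group(1)
                break
    if fields is not None:
        sas.append(_finish(fields))
    return sas


def diagnose(sa: IpsecSa) -> str:
    """Classify traffic symmetry. A decap-only SA means the tunnel itself is
    fine; the replies are simply not being steered into it (return route,
    NAT applied before the crypto ACL is consulted, or an ACL that does not
    match the reply), which is exactly the situation in the post."""
    if sa.send_errors:
        return "send-errors"
    if sa.decaps and not sa.encaps:
        return "decap-only"
    if sa.encaps and not sa.decaps:
        return "encap-only"
    if not sa.encaps and not sa.decaps:
        return "idle"
    return "bidirectional"


def report(text: str) -> List[str]:
    """One summary line per SA, suitable for eyeballing or for a log check."""
    return [
        f"{sa.local_ident} <-> {sa.remote_ident} via {sa.peer}: "
        f"encaps={sa.encaps} decaps={sa.decaps} -> {diagnose(sa)}"
        for sa in parse_ipsec_sa(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run against a full dump the first entry comes back as decap-only and the second as bidirectional, which narrows the problem to the return path for 192.168.26.10 rather than to phase 1 or phase 2 negotiation.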
10-15-2014 11:31 AM
Your cryptomap is pointing to his public IP addresses (assuming that's the case as they appear to be in the same subnet as his peering address). We would normally use his private addresses as the decapsulation at his end would bypass his ingress NAT.
10-15-2014 01:08 PM
I thought something similar to that, but I guess this is how he has it set up with other customers.