Solved: New site-to-site VPN_LAB

Stephen Sisson · ‎09-03-2013

Hello everyone,

Last week I created a new discussion for NEW site-to-site VPN, worked with Jouni Forss to configure the ASA 5505 running-config for 8.4 for connecting to a remote company using public IP addresses for our site-to-site VPN.

I thought best to deploy this in the lab for two reasons, to confirm I understand the CLI for the VPN, confirm I can deploy this is a lab by myself, confirmed I can’t figure out what’s missing from the running-config or how to fix this issue we have in the lab.

I’m sending you the running-config from both ASA 5505 firewalls we have in the lab, need your help to figure out what I missed on either ASA or both firewalls.

Both ASA’s are online and able to ping each other’s Public IP address, not able to bring the tunnel online.

Thank you

Jouni Forss · ‎09-03-2013

Hi,

The outputs would seem to indicate that the L2L VPN is working. If it wasnt you would see a DROP in VPN Phase.

Next you could try to issue either of those "packet-tracer" command again and take the following outputs from that same ASA unit.

show vpn-sessiondb l2l

show crypto ipsec sa

Also one important thing to confirm. Since you say that this is not wokring. Are you sure that you are using hosts with the IP addresses that have the Static NAT configured?

So on the other end you should be using the host with IP address 10.10.10.10 to connect to the IP address of 70.61.194.182 and on the other end you have to be testing on the host with IP 172.16.5.50 and connect to IP address 209.177.212.104.

As you can see from the L2L VPN configurations the only traffic that will bring up the L2L VPN is traffic between these 2 hosts as no other hosts/networks are defined in the L2L VPN configurations.

How have you tested the connectivity so far and how has it failed?

- Jouni

View solution in original post

Jouni Forss · ‎09-03-2013

Hi,

Please dont change the crypto map as the correct ones are already applied to the correct interfaces.

If you change the crypto map configuration then the configuration wont match the requiments anymore.

As the above "packet-tracer" output already showed, the L2L VPN goes up as a result of the command issued and that tells us that the L2L VPN configurations themselves are already correct.

The current configurations in use are

crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN

crypto map cryptomap 1 set peer 70.61.194.178

crypto map cryptomap 1 set ikev1 transform-set EARLY-WARNING-TS

crypto map cryptomap 1 set security-association lifetime seconds 3600

crypto map cryptomap interface outside

crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN

crypto map cryptomap 1 set peer 209.177.212.103

crypto map cryptomap 1 set ikev1 transform-set EARLY-WARNING-TS

crypto map cryptomap 1 set security-association lifetime seconds 3600

crypto map cryptomap interface outside

- Jouni

View solution in original post

mvsheik123 · ‎09-03-2013

Got it. Thanks Jouni.

Thx

MS

View solution in original post

Jouni Forss · ‎09-03-2013

Hi,

The problem might have been using wrong target IP addresses or perhaps something related to the translations on the ASA.

All the traffic between hosts on the L2L VPN will be using the public IP address to which the hosts are Static NATed to on their ASA firewalls.

So when using the PC 10.10.10.10 it should be able to connect to the IP address 70.61.194.182

When using the PC 172.16.5.50 it should be able to connect to the IP address 209.177.212.104

So both hosts should be connecting to the remote ends public NAT IP address and not the real/local IP address

I would try ICMP from both hosts and monitor the counters in "show crypto ipsec sa" output. This should tell if traffic is flowing both directions.

You should also consider that when using ICMP or something else to test connectivity that the actual hosts might be blocking this traffic and therefore it might seem that the VPN is not working.

- Jouni

View solution in original post

Jouni Forss · ‎09-03-2013

Hi,

No problem at all Stephen,

Without finding the specific documents and having no prior knowledge of the situation at hand I would imagine it would be really hard to find the correct commands to troubleshoot a situation or implement a configuration that you need.

I am also here to learn. Trying to troubleshoot here on the forums and test setups that people are asking about is a great way to learn something new and also make it easier to troubleshoot situations in my actual work.

Dont hesitate to post here if you have some problems or want to double check something.

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers

- Jouni

View solution in original post

Jouni Forss · ‎09-03-2013

Hi,

Can you take "packet-tracer" outputs from both units?

ASA names taken from the configurations

Take both output twice and then paste the second output from each command here.

ASAFW-A

packet-tracer input inside tcp 10.10.10.10 12345 70.61.194.182 80

PCS-EW-VPN

packet-tracer input EWVPN tcp 172.16.5.50 12345 209.177.212.104 80

On a quick glance I didnt find a problem.

- Jouni

Stephen Sisson · ‎09-03-2013

Hello Jouni

Thanks for that – about on first glance didn’t see a problem, makes me think I’m learning this ASA

ASAFW-A

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network LAN-SERVER

nat (inside,outside) static 209.177.212.104

Additional Information:

Static translate 10.10.10.10/12345 to 209.177.212.104/12345

Phase: 4

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3947, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

PCS-EW-VPN

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network LAN-SERVER

nat (EWVPN,outside) static 70.61.194.182

Additional Information:

Static translate 172.16.5.50/12345 to 70.61.194.182/12345

Phase: 4

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (EWVPN,outside) after-auto source dynamic any interface

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 7742, packet dispatched to next module

Result:

input-interface: EWVPN

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Thank you

Jouni Forss · ‎09-03-2013

Hi,

The outputs would seem to indicate that the L2L VPN is working. If it wasnt you would see a DROP in VPN Phase.

Next you could try to issue either of those "packet-tracer" command again and take the following outputs from that same ASA unit.

show vpn-sessiondb l2l

show crypto ipsec sa

Also one important thing to confirm. Since you say that this is not wokring. Are you sure that you are using hosts with the IP addresses that have the Static NAT configured?

So on the other end you should be using the host with IP address 10.10.10.10 to connect to the IP address of 70.61.194.182 and on the other end you have to be testing on the host with IP 172.16.5.50 and connect to IP address 209.177.212.104.

As you can see from the L2L VPN configurations the only traffic that will bring up the L2L VPN is traffic between these 2 hosts as no other hosts/networks are defined in the L2L VPN configurations.

How have you tested the connectivity so far and how has it failed?

- Jouni

Stephen Sisson · ‎09-03-2013

Thanks

Jouni Forss · ‎09-03-2013

Hi,

The problem might have been using wrong target IP addresses or perhaps something related to the translations on the ASA.

All the traffic between hosts on the L2L VPN will be using the public IP address to which the hosts are Static NATed to on their ASA firewalls.

So when using the PC 10.10.10.10 it should be able to connect to the IP address 70.61.194.182

When using the PC 172.16.5.50 it should be able to connect to the IP address 209.177.212.104

So both hosts should be connecting to the remote ends public NAT IP address and not the real/local IP address

I would try ICMP from both hosts and monitor the counters in "show crypto ipsec sa" output. This should tell if traffic is flowing both directions.

You should also consider that when using ICMP or something else to test connectivity that the actual hosts might be blocking this traffic and therefore it might seem that the VPN is not working.

- Jouni

mvsheik123 · ‎09-03-2013

Hi,

Jouni will nail it down in min or two ;), but can you try by applying 'outside_map' to interface outside on both end ASA?

no crypto map cryptomap interface outside

crypto map outside_map interface outside

Thx

MS

Jouni Forss · ‎09-03-2013

Hi,

Please dont change the crypto map as the correct ones are already applied to the correct interfaces.

If you change the crypto map configuration then the configuration wont match the requiments anymore.

As the above "packet-tracer" output already showed, the L2L VPN goes up as a result of the command issued and that tells us that the L2L VPN configurations themselves are already correct.

The current configurations in use are

crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN

crypto map cryptomap 1 set peer 70.61.194.178

crypto map cryptomap 1 set ikev1 transform-set EARLY-WARNING-TS

crypto map cryptomap 1 set security-association lifetime seconds 3600

crypto map cryptomap interface outside

crypto map cryptomap 1 match address EARLY-WARNING-L2LVPN

crypto map cryptomap 1 set peer 209.177.212.103

crypto map cryptomap 1 set ikev1 transform-set EARLY-WARNING-TS

crypto map cryptomap 1 set security-association lifetime seconds 3600

crypto map cryptomap interface outside

- Jouni

mvsheik123 · ‎09-03-2013

Got it. Thanks Jouni.

Thx

MS

Stephen Sisson · ‎09-03-2013

Hi,

Packet-trace showing the same results on both, like you mentioned they show the VPN tunnel online.

After running both commands

show vpn-sessiondb l2l

show crypto ipsec sa

They show the tunnel is online for both sides.

Commands I'm using for testing show crypto isakmp sa - before I opened this ticket with you this command showing no results.

Command two Show crypto IPsec sa - before I opened this ticket with you this command showing no results.

Now I'm seeing results.

The only thing I can think of - maybe I should have cleared the Xlate after the configs are saved to each ASA.

I'm not sure about the Public IP's you mentioned - we have one ASA 10.10.10.10 Natted to 209.177.212.104, should be able to ping this address from 172.16.5.50? Right

We also have 172.16.5.50 Natted to 70.61.194.182, we should be able to ping 10.10.10.10 from 172.16.5.50? Right

With the Early Warning project they will have a server assigned a Public IP address, so I believe - can be natted, think they are using Public addresses. Now for PCS we have a virtual PC with private IP address 172.16.5.50 natted to 209.177.212.104.

Thanks

Stephen Sisson · ‎09-03-2013

Jouni,

I’m very sorry for wasting your time with this post – as you have shown the VPN tunnel is online, we also confirm we can ping the public address for each side, confirm each location has access to the other. I’m also able to access files at each location from the other.

I can’t say it was a total waste for me – you continue to show how awesome you are, complete understanding for Cisco equipment and firewalls. Teaching me that right way to deploy any VPN site-to-site connection, from LAN to Lan or using public IP’s, showing how to work through connections issues with packet-tracer – show crypto ipsec sa, show vpn-sessiondb l2l commands.

Thanks for the help Jouni, as always I really appreciate your guidance and patience as we work through the problem, for showing me the right way for doing this.

Thank you my friend

Jouni Forss · ‎09-03-2013

Hi,

No problem at all Stephen,

Without finding the specific documents and having no prior knowledge of the situation at hand I would imagine it would be really hard to find the correct commands to troubleshoot a situation or implement a configuration that you need.

I am also here to learn. Trying to troubleshoot here on the forums and test setups that people are asking about is a great way to learn something new and also make it easier to troubleshoot situations in my actual work.

Dont hesitate to post here if you have some problems or want to double check something.

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers

- Jouni

Stephen Sisson · ‎09-03-2013

Thanks