07-02-2013 09:00 PM - edited 03-11-2019 07:06 PM
Hi all,
I'm doing a test in my lab.
I have an ASA acting as the HQ ASA while a router acts as a remote router. I have configured both devices. Below is the topology.
Remote LAN(10.2.2.x/24)----->Router <----(192.168.1.x/30)----> ASA<---LAN(10.1.1.x/24)
The problem is that from the remote LAN I could not ping the ASA LAN, while from the ASA I was able to ping the remote LAN.
Is there a problem with my configuration?
REMOTE#
REMOTE#ping 10.1.1.254 so fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.254
.....
Success rate is 0 percent (0/5)
REMOTE#
HQ-FW#
HQ-FW# ping 10.2.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
HQ-FW#
Attached is the configuration.
07-03-2013 12:20 AM
Hi,
It's not possible to ICMP or connect to an ASA interface IP address from behind another ASA interface. So this won't work.
The only situation where this will work is if you had a L2L VPN between the devices. In that case the ASA would allow the connection coming through the VPN connection to reach the "inside" interface provided you had the below configuration.
management-access inside
Hope this clarifies things
Please do remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
07-03-2013 12:53 AM
Hi Anuar,
Jouni is right. Your config is wrong: you have not configured a site-to-site VPN. Later on there are multiple things which you need to look after, like NAT exemption, ACLs etc.
Regards
Pankaj
07-03-2013 03:29 AM
Thank you Jouni and Pankaj,
I've configured the IPsec tunnel to the ASA. Below is the configuration of the router:
REMOTE(config)#do sh run
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key labtest address 192.168.1.2
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
description to HQ
set peer 192.168.1.2
set transform-set MYSET
match address 101
!
!
!
!
!
!
interface FastEthernet0/0
description P2P with FW
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description connect to SW port 0/1
ip address 10.2.2.254 255.255.255.0
duplex auto
speed auto
crypto map TUNNEL
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.1.1.0 255.255.255.0 192.168.1.2
!
!
ip http server
ip http secure-server
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
!
------------------------------------------------------------------------------------
Here is the ASA:
REMOTE#ssh -l cisco 192.168.1.2
Password:
Type help or '?' for a list of available commands.
HQ-FW> en
Password: *****
HQ-FW# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname HQ-FW
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description P2P with router
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.252
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description Connect to SW-port 0/19
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
!
ftp mode passive
access-list IN extended permit ip 10.2.2.0 255.255.255.0 any
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
access-group IN in interface outside
access-group IN out interface outside
access-group IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MYMAP 1 set transform-set MYSET
crypto dynamic-map MYMAP 1 set reverse-route
crypto map dyn-map 10 ipsec-isakmp dynamic MYMAP
crypto map dyn-map interface outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
: end
=============================
The problem here is that when I ping the ASA LAN, I keep seeing this message on the router:
*Jul 3 10:06:13.890: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.2.254, src_addr= 10.1.1.1, prot= 1
When I do this, it does not show any tunnel established. Any suggestion?
REMOTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
REMOTE#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: TUNNEL, local addr 10.2.2.254
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.2.2.254, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
REMOTE#
07-03-2013 04:00 AM
That's great!!!!
Please mark the correct reply as answer.
Regards
Pankaj
07-03-2013 04:03 AM
Hi Pankaj,
I'm still seeing that IPsec is not established between the ASA and the router.
The problem here is that when I ping the ASA LAN, I keep seeing this message on the router:
*Jul 3 10:06:13.890: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.2.254, src_addr= 10.1.1.1, prot= 1
When I do show crypto isakmp sa, it does not show any tunnel established. Same goes for the ASA:
HQ-FW(config)# sh isakmp sa
There are no isakmp sas
HQ-FW(config)# sh ipse
HQ-FW(config)# sh ipsec sa
There are no ipsec sas
Any suggestion?
Thank you.
07-03-2013 04:11 AM
Hi,
You have incomplete L2L VPN configurations on the ASA
Please remove these
no crypto map dyn-map interface outside
no crypto dynamic-map MYMAP 1 set transform-set MYSET
no crypto dynamic-map MYMAP 1 set reverse-route
no crypto map dyn-map 10 ipsec-isakmp dynamic MYMAP
Then configure the following
access-list L2LVPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2LVPN
crypto map OUTSIDE-MAP 10 set peer 192.168.1.1
crypto map OUTSIDE-MAP 10 set transform-set MYSET
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key
And then try again
- Jouni
07-03-2013 04:28 AM
Jouni Sir has answered it , please do the changes.
07-03-2013 04:51 AM
EDIT: Gah, seems you have 3DES in ISAKMP policy and DES in the transform-set. Though naturally you don't really use DES anymore and not that much 3DES even.
Hi,
Actually the transform-set on the ASA is different from the router's
no crypto map OUTSIDE-MAP 10 set transform-set MYSET
no crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map OUTSIDE-MAP 10 set transform-set MYSET
The difference was that router is using 3DES while the ASA has DES configured.
- Jouni
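The mismatches Jouni is hunting for (different phase 1 encryption on the two ends, a transform-set that differs, and a crypto map bound to the wrong router interface) can be found by reading both configurations side by side instead of by trial pings. The following script is an added example and is not code from the thread or from Cisco; it parses the crypto-relevant lines of an IOS `show run` and an ASA `show run` (IOS block form and the ASA's flat `crypto map NAME SEQ ...` lines) and reports what does not line up. The two sample configs are constructed from the values posted above, trimmed to the lines the parser looks at; the "fixed" pair is derived from them by the corrections later in the thread.

```python
# Added example, not from the thread: read the crypto config of an IOS router and an
# ASA and list the mismatches a site-to-site tunnel fails on. Samples are constructed.
KEY_ALIASES = {"encr": "encryption"}        # IOS prints 'encr' in show run
POLICY_KEYS = ("encryption", "hash", "authentication", "group")

def parse_crypto(cfg):
    """IKE policy, transform-set, peer and the interface the crypto map is bound to."""
    info = {"policy": {}, "transform": set(), "peer": None, "map_iface": None, "ifaces": {}}
    block = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if not raw[0].isspace():                      # top-level command opens a block
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = "policy"
            elif w[0] == "interface":
                block, info["ifaces"][w[1]] = w[1], {}
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                info["transform"] = set(w[4:])
            elif w[:2] == ["crypto", "map"] and len(w) > 4:
                if w[3] == "interface":               # ASA: crypto map NAME interface IF
                    info["map_iface"] = w[4]
                elif w[4] == "ipsec-isakmp":          # IOS: sub-commands follow
                    block = "map"
                elif w[4:6] == ["set", "peer"]:       # ASA flat form: ... SEQ set peer IP
                    info["peer"] = w[6]
            continue
        if block == "policy":
            key = KEY_ALIASES.get(w[0], w[0])
            if key in POLICY_KEYS:
                info["policy"][key] = w[1]
        elif block == "map" and w[:2] == ["set", "peer"]:
            info["peer"] = w[2]
        elif block in info["ifaces"]:
            props = info["ifaces"][block]
            if w[:2] == ["ip", "address"]:
                props["ip"] = w[2]
            elif w[0] == "nameif":
                props["nameif"] = w[1]
            elif w[:2] == ["crypto", "map"]:          # IOS binds the map on the interface
                info["map_iface"] = block
    return info

def crypto_endpoint(info):
    """Address of the interface the crypto map is bound to (IOS name or ASA nameif)."""
    for name, props in info["ifaces"].items():
        if info["map_iface"] in (name, props.get("nameif")):
            return props.get("ip")
    return None

def compare(router_cfg, asa_cfg):
    """Human-readable mismatches; an empty list means the two ends line up."""
    r, a = parse_crypto(router_cfg), parse_crypto(asa_cfg)
    out = []
    for key in POLICY_KEYS:     # 'unset' means the platform default applies
        rv, av = r["policy"].get(key, "unset"), a["policy"].get(key, "unset")
        if rv != av:
            out.append(f"isakmp {key}: router={rv} asa={av}")
    if r["transform"] != a["transform"]:
        out.append(f"transform-set: router={sorted(r['transform'])} asa={sorted(a['transform'])}")
    for me, other, side in ((r, a, "router"), (a, r, "asa")):
        ip = crypto_endpoint(me)
        if ip != other["peer"]:
            out.append(f"{side} crypto map bound to {me['map_iface']} ({ip}), "
                       f"but the far end peers with {other['peer']}")
    return out

# First attempt as posted: 3DES vs DES in phase 1, no hash on the router, and the
# router's crypto map bound to its LAN interface instead of the link to the ASA.
ROUTER_FIRST = """\
crypto isakmp policy 1
 encr 3des
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL 1 ipsec-isakmp
 set peer 192.168.1.2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
interface FastEthernet0/1
 ip address 10.2.2.254 255.255.255.0
 crypto map TUNNEL
"""
ASA_FIRST = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.1.2 255.255.255.252
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map OUTSIDE-MAP 10 set peer 192.168.1.1
crypto map OUTSIDE-MAP interface outside
crypto isakmp policy 1
 encryption des
 hash md5
"""
ROUTER_FIXED = (ROUTER_FIRST.replace(" encr 3des", " encr 3des\n hash md5")   # corrected pair
                .replace("esp-des", "esp-3des").replace(" crypto map TUNNEL\n", "")
                .replace("255.255.255.252\n", "255.255.255.252\n crypto map TUNNEL\n"))
ASA_FIXED = ASA_FIRST.replace("esp-des", "esp-3des").replace("encryption des", "encryption 3des")
if __name__ == "__main__":
    print(compare(ROUTER_FIRST, ASA_FIRST), compare(ROUTER_FIXED, ASA_FIXED))
```

On the first pair the script reports the phase 1 encryption mismatch (3des vs des), the hash that is set on the ASA but left at its default on the router, and that the router's crypto map is bound to FastEthernet0/1 (10.2.2.254) while the ASA peers with 192.168.1.1; on the corrected pair it reports nothing. An attribute shown as "unset" is not automatically wrong, since the platform default may happen to match, but it is the first thing to check when the ISAKMP SA never appears.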
07-03-2013 05:18 AM
Jouni,
I made the changes on the ASA as per your configuration, and on the router so that both policy 1 entries match. I can see both sites are now matching each other.
Here is the current config:
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE-MAP 10 match address L2LVPN
crypto map OUTSIDE-MAP 10 set peer 192.168.1.1
crypto map OUTSIDE-MAP 10 set transform-set MYSET
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *****
------------------------
Router config
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key labtest address 192.168.1.2
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
description to HQ
set peer 192.168.1.2
set transform-set MYSET
match address 101
!
!
interface FastEthernet0/0
description P2P with FW
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
crypto map TUNNEL <---- added this part as the tunnel start point.
!
From show crypto ipsec sa:
REMOTE#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: TUNNEL, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
REMOTE#
From the ASA:
HQ-FW# sh ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 0
Previous tunnels: 0
Inbound
Bytes: 0
Decompressed bytes: 0
Packets: 0
Dropped packets: 0
Replay failures: 0
Authentications: 0
Authentication failures: 0
Decryptions: 0
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 0
Uncompressed bytes: 0
Packets: 0
Dropped packets: 0
Authentications: 0
Authentication failures: 0
Encryptions: 0
Encryption failures: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
HQ-FW#
07-03-2013 05:31 AM
Hi,
You can use the same "show crypto ipsec sa" command on the ASA also.
Or "show vpn-sessiondb l2l"
It seems to me that the L2L VPN is up but so far no traffic has come from the ASA or left for the ASA through the L2L VPN.
Issue the following command TWICE on the ASA and share the second output with us
packet-tracer input inside tcp 10.1.1.100 12345 10.2.2.200 12345
This is just meant to check what rules the traffic hits on the ASA.
Naturally you could attach some host behind the router or ASA and generate traffic and see if the connections work.
To my understanding the router shouldn't require NAT0 configuration in a situation where there is no other NAT/PAT being done on the router.
- Jouni
07-03-2013 05:41 AM
Here is the output. Seems like it's dropped by the ACL.
HQ-FW# packet-tracer input inside tcp 10.1.1.100 12345 10.2.2.200 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
HQ-FW#
07-03-2013 05:46 AM
Hi,
Not even looking at the ACL again myself.
Seems you have an incorrect ACL.
You should remove the current configurations:
no access-group IN in interface outside
no access-group IN out interface outside
no access-group IN in interface inside
no access-list IN extended permit ip 10.2.2.0 255.255.255.0 any
access-list IN permit ip 10.1.1.0 255.255.255.0 any
access-group IN in interface inside
You essentially had an ACL that allowed traffic but the source network was defined as 10.2.2.0/24 which is the LAN of the router and not the ASA.
- Jouni
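Jouni's ACL point and the packet-tracer output above describe the same thing from two sides: the ACL applied inbound on "inside" only permitted sources in 10.2.2.0/24, so a flow from 10.1.1.100 fell through to the implicit deny. The script below is an added example, not code from the thread or from Cisco. It reproduces the ACCESS-LIST phase of packet-tracer for the posted and the corrected ACL (first match wins, then the implicit deny), checks that the router's and the ASA's crypto ACLs from earlier in the thread are mirror images of each other (the proxy IDs IPsec negotiates), and pulls the dropping phase out of packet-tracer text so a batch of flows can be triaged. The ACL lines are the ones posted above; the packet-tracer text is a trimmed excerpt of the output posted above.

```python
import ipaddress

# Added example, not from the thread: evaluate an ASA-style ACL against a flow the way
# packet-tracer's ACCESS-LIST phase does, check that two crypto ACLs mirror each other,
# and extract the dropping phase from packet-tracer output. Sample data is constructed.
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask):
    # ipaddress takes a netmask (ASA) or a wildcard mask (IOS) after the slash
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line):
    """access-list NAME [extended] {permit|deny} PROTO SRC DST, where SRC and DST are
    'any', 'host A' or 'A MASK'. Port keywords are not handled (none are used here)."""
    w = [x for x in line.split() if x != "extended"]
    fields = w[4:]
    def take():
        if fields[0] == "any":
            del fields[0]
            return ANY
        if fields[0] == "host":
            n = ipaddress.ip_network(fields[1])
            del fields[:2]
            return n
        n = net(fields[0], fields[1])
        del fields[:2]
        return n
    src, dst = take(), take()
    return {"name": w[1], "action": w[2], "proto": w[3], "src": src, "dst": dst, "line": line}

def evaluate(acl_lines, src_ip, dst_ip, proto="tcp"):
    """First-match evaluation, ending in the implicit deny that packet-tracer reports."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]:
            return ace["action"], ace["line"]
    return "deny", "implicit rule"

def mirrored(router_ace, asa_ace):
    """True when one crypto ACL is the reverse of the other (matching proxy IDs)."""
    r, a = parse_ace(router_ace), parse_ace(asa_ace)
    return r["proto"] == a["proto"] and (r["src"], r["dst"]) == (a["dst"], a["src"])

def first_drop(packet_tracer_output):
    """(phase number, phase type, drop reason) for the phase that dropped the flow."""
    phase = ptype = None
    drop = (None, None)
    for line in packet_tracer_output.splitlines():
        line = line.strip()
        if line.startswith("Phase:"):
            phase, ptype = int(line.split()[1]), None
        elif line.startswith("Type:"):
            ptype = line.split(None, 1)[1]
        elif line == "Result: DROP":
            drop = (phase, ptype)
        elif line.startswith("Drop-reason:"):
            return drop + (line.split(":", 1)[1].strip(),)
    return None

# Interface ACL as posted (source is the router's LAN) and as corrected in the thread.
ACL_AS_POSTED = ["access-list IN extended permit ip 10.2.2.0 255.255.255.0 any"]
ACL_CORRECTED = ["access-list IN permit ip 10.1.1.0 255.255.255.0 any"]
# Crypto ACLs from the router (wildcard mask) and the ASA (netmask).
ROUTER_CRYPTO_ACL = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
ASA_CRYPTO_ACL = "access-list L2LVPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
# Trimmed excerpt of the packet-tracer output posted in the thread.
PT_EXCERPT = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(evaluate(ACL_AS_POSTED, "10.1.1.100", "10.2.2.200"))   # same flow as packet-tracer
    print(evaluate(ACL_CORRECTED, "10.1.1.100", "10.2.2.200"))
    print(mirrored(ROUTER_CRYPTO_ACL, ASA_CRYPTO_ACL))
    print(first_drop(PT_EXCERPT))
```

With the posted ACL the 10.1.1.100 to 10.2.2.200 flow ends in the implicit deny, which is exactly the Phase 4 acl-drop packet-tracer showed; with the corrected ACL it is permitted. The mirror check passes for the two crypto ACLs above, so once the interface ACL is fixed the remaining reasons for no ESP counters are the proposal and peer settings, not the proxy IDs.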
07-03-2013 05:51 AM
Yeah, I noticed that too. I already removed it. Will try again.
Thanks Jouni,