remote LAN could not ping ASA inside interface

Anuar Shahrin
Level 1

Hi all,

I'm doing some testing in my lab.

I have an ASA acting as the HQ ASA while a router acts as the remote router. I have configured both devices. Below is the topology.

Remote LAN(10.2.2.x/24)----->Router <----(192.168.1.x/30)----> ASA<---LAN(10.1.1.x/24)

The problem is that from the remote LAN I could not ping the ASA LAN, while from the ASA I was able to ping the remote LAN.

Is there a problem with my configuration?

REMOTE#
REMOTE#ping 10.1.1.254 so fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.254
.....
Success rate is 0 percent (0/5)
REMOTE#

HQ-FW#
HQ-FW# ping 10.2.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
HQ-FW#

Attached is the configuration.

13 Replies

Jouni Forss
VIP Alumni

Hi,

It's not possible to ICMP or connect to an ASA interface IP address from behind another ASA interface. So this won't work.

The only situation where this will work is if you had a L2L VPN between the devices. In that case the ASA would allow the connection coming through the VPN connection to reach the "inside" interface provided you had the below configuration.

management-access inside

Hope this clarifies things

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

pankaj29in
Level 1

Hi Anuar,

Jouni is right. Your config is wrong: you have not configured a site-to-site VPN. Later on there are multiple things which you need to look after, like NAT exemption, ACLs, etc.

Regards

Pankaj

Anuar Shahrin
Level 1

Thank you Jouni and Pankaj,

I've configured the IPsec tunnel to the ASA.

Below is the configuration of the router:

REMOTE(config)#do sh run
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key labtest address 192.168.1.2
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
 description to HQ
 set peer 192.168.1.2
 set transform-set MYSET
 match address 101
!
!
!
!
!
!
interface FastEthernet0/0
 description P2P with FW
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description connect to SW port 0/1
 ip address 10.2.2.254 255.255.255.0
 duplex auto
 speed auto
 crypto map TUNNEL
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.1.1.0 255.255.255.0 192.168.1.2
!
!
ip http server
ip http secure-server
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
!

------------------------------------------------------------------------------------

Here is the ASA:

REMOTE#ssh -l cisco 192.168.1.2
Password:
Type help or '?' for a list of available commands.
HQ-FW> en
Password: *****
HQ-FW# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname HQ-FW
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description P2P with router
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.252
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description Connect to SW-port 0/19
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
!
ftp mode passive
access-list IN extended permit ip 10.2.2.0 255.255.255.0 any
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
access-group IN in interface outside
access-group IN out interface outside
access-group IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MYMAP 1 set transform-set MYSET
crypto dynamic-map MYMAP 1 set reverse-route
crypto map dyn-map 10 ipsec-isakmp dynamic MYMAP
crypto map dyn-map interface outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
: end

=============================

The problem here is that when I ping the ASA LAN, I keep on seeing this message on the router.

*Jul  3 10:06:13.890: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.2.254, src_addr= 10.1.1.1, prot= 1

When I do this, it does not show any tunnel established. Any suggestion?

REMOTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

REMOTE#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: TUNNEL, local addr 10.2.2.254

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.254, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
REMOTE#

That's great!!!!

Please mark the correct reply as answer.

Regards

Pankaj

Hi Pankaj,

I'm still seeing that IPsec is not established between the ASA and the router.

The problem here is that when I ping the ASA LAN, I keep on seeing this message on the router.

*Jul  3 10:06:13.890: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.2.254, src_addr= 10.1.1.1, prot= 1

When I do show crypto isakmp sa, it does not show any tunnel established. Same goes for the ASA.

HQ-FW(config)# sh isakmp sa
There are no isakmp sas
HQ-FW(config)# sh ipse
HQ-FW(config)# sh ipsec sa
There are no ipsec sas

Any suggestion?

Thank you.

Hi,

You have incomplete L2L VPN configurations on the ASA.

Please remove these:

no crypto map dyn-map interface outside
no crypto dynamic-map MYMAP 1 set transform-set MYSET
no crypto dynamic-map MYMAP 1 set reverse-route
no crypto map dyn-map 10 ipsec-isakmp dynamic MYMAP

Then configure the following:

access-list L2LVPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2LVPN
crypto map OUTSIDE-MAP 10 set peer 192.168.1.1
crypto map OUTSIDE-MAP 10 set transform-set MYSET
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key

And then try again

- Jouni

Jouni Sir has answered it, please do the changes.

EDIT: Gah, seems you have 3DES in ISAKMP policy and DES in the transform-set. Though naturally you don't really use DES anymore and not that much 3DES even.

Hi,

Actually the transform-set on the ASA is different from the router's.

no crypto map OUTSIDE-MAP 10 set transform-set MYSET
no crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map OUTSIDE-MAP 10 set transform-set MYSET

The difference was that the router is using 3DES while the ASA has DES configured.

- Jouni
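Jouni's last two replies come down to comparing the phase-1 policy and the phase-2 transform-set on the two peers. The script below is an added example (not code from the thread or from Cisco) that parses constructed copies of the posted "crypto isakmp policy" and "crypto ipsec transform-set" lines from both devices and reports which IKE attributes and which transforms differ. The function names, and the IOS default values it fills in for attributes that "show run" omits (DES, SHA, rsa-sig, group 1, 86400 s), are the example's own assumptions; the ASA prints every policy attribute explicitly, so no defaults are assumed for it.

```python
"""Added example, not from the thread: compare the IKE phase-1 policy and the
IPsec transform-set of an IOS router and an ASA peer, to find the parameter
mismatches that leave 'show crypto isakmp sa' empty.  The config fragments are
constructed copies of the lines posted above.  Assumption: an attribute that
IOS omits from 'show run' is at its documented default (DES, SHA, rsa-sig,
group 1, 86400 s); the ASA prints every policy attribute explicitly."""

IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
# IOS writes 'encr', the ASA 'encryption': normalise both to one attribute name.
ATTR_NAMES = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
              "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
# Attributes that must agree for an IKE SA; lifetime may differ (the shorter one wins).
NEGOTIATED = ("encryption", "hash", "authentication", "group")

# Constructed copies of the configurations posted in this thread.
ROUTER_BEFORE = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key labtest address 192.168.1.2
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
"""
ROUTER_AFTER = (ROUTER_BEFORE.replace(" encr 3des\n", " encr 3des\n hash md5\n")
                             .replace("esp-des", "esp-3des"))
ASA_BEFORE = """
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""
ASA_AFTER = ASA_BEFORE.replace("esp-des", "esp-3des").replace("encryption des", "encryption 3des")


def parse_isakmp_policies(cfg, defaults):
    """Map policy priority -> {attribute: value}, starting from the platform defaults."""
    policies, current = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            current = dict(defaults)
            policies[int(tok[3])] = current
        elif tok[0] in ATTR_NAMES and len(tok) > 1 and current is not None:
            current[ATTR_NAMES[tok[0]]] = tok[1]
        else:
            current = None  # any other top-level command ends the policy block
    return policies


def parse_transform_sets(cfg):
    """Map transform-set name -> frozenset of transforms (order does not matter)."""
    return {tok[3]: frozenset(tok[4:])
            for tok in (line.split() for line in cfg.splitlines())
            if tok[:3] == ["crypto", "ipsec", "transform-set"]}


def phase1_mismatches(router_cfg, asa_cfg):
    """Return [(attribute, router_value, asa_value)] for the closest policy pair.
    An empty list means some router policy matches some ASA policy."""
    router = parse_isakmp_policies(router_cfg, IOS_ISAKMP_DEFAULTS)
    asa = parse_isakmp_policies(asa_cfg, {})
    best = None
    for rp in router.values():
        for ap in asa.values():
            diffs = [(k, rp.get(k), ap.get(k)) for k in NEGOTIATED if rp.get(k) != ap.get(k)]
            if best is None or len(diffs) < len(best):
                best = diffs
    return best if best is not None else [("policy", None, None)]


def phase2_compatible(router_cfg, asa_cfg):
    """True when a router transform-set offers exactly the transforms of an ASA set."""
    asa_sets = set(parse_transform_sets(asa_cfg).values())
    return any(ts in asa_sets for ts in parse_transform_sets(router_cfg).values())


if __name__ == "__main__":
    for label, rtr, asa in (("original configs", ROUTER_BEFORE, ASA_BEFORE),
                            ("ASA changed only", ROUTER_BEFORE, ASA_AFTER),
                            ("both changed", ROUTER_AFTER, ASA_AFTER)):
        print(f"{label}: phase 1 mismatches {phase1_mismatches(rtr, asa)}, "
              f"phase 2 compatible {phase2_compatible(rtr, asa)}")
```

Run against the original configs it reports the encryption (3des vs des) and hash (sha vs md5) mismatches that kept the ISAKMP SA from forming. After only the ASA's transform-set is changed to 3DES the phase-2 sets stop matching until the router's transform-set is changed as well, which is the state Anuar's follow-up configuration resolves.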

Jouni,

I did the changes on the ASA as per your configuration and on the router so that both policy 1 entries match. I can see both sites are now matching each other.

Here is the current config:

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE-MAP 10 match address L2LVPN
crypto map OUTSIDE-MAP 10 set peer 192.168.1.1
crypto map OUTSIDE-MAP 10 set transform-set MYSET
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *****

------------------------

Router config

!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key labtest address 192.168.1.2
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
 description to HQ
 set peer 192.168.1.2
 set transform-set MYSET
 match address 101
!
!
interface FastEthernet0/0
 description P2P with FW
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
 crypto map TUNNEL <----added this part as tunnel start point.
!

From show crypto ipsec sa:

REMOTE#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TUNNEL, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
REMOTE#

From the ASA:

HQ-FW# sh ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 0
Previous tunnels: 0
Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Replay failures: 0
    Authentications: 0
    Authentication failures: 0
    Decryptions: 0
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Authentications: 0
    Authentication failures: 0
    Encryptions: 0
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
HQ-FW#

Hi,

You can use the same "show crypto ipsec sa" command on the ASA also.

Or "show vpn-sessiondb l2l".

It seems to me that the L2L VPN is up but so far no traffic has come from the ASA or left for the ASA through the L2L VPN.

Issue the following command TWICE on the ASA and share the second output with us:

packet-tracer input inside tcp 10.1.1.100 12345 10.2.2.200 12345

This is just meant to check what rules the traffic hits on the ASA.

Naturally you could attach some host behind the router or ASA and generate traffic and see if the connections work.

To my understanding the router shouldn't require NAT0 configuration in a situation where there is no other NAT/PAT being done on the router.

- Jouni

Here is the output. Seems like it was dropped by the ACL.

HQ-FW# packet-tracer input inside tcp 10.1.1.100 12345 10.2.2.200 12345

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

HQ-FW#

Hi,

Not even looking at the ACL again myself.

Seems you have an incorrect ACL.

You should remove the current configurations:

no access-group IN in interface outside
no access-group IN out interface outside
no access-group IN in interface inside
no access-list IN extended permit ip 10.2.2.0 255.255.255.0 any

access-list IN permit ip 10.1.1.0 255.255.255.0 any
access-group IN in interface inside

You essentially had an ACL that allowed traffic, but the source network was defined as 10.2.2.0/24, which is the LAN of the router and not the ASA.

- Jouni
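The packet-tracer result two posts up and Jouni's diagnosis of it can be reproduced offline. The script below is an added example, not code from the thread or from Cisco: it parses constructed copies of the ASA's access-list, access-group and security-level lines before and after the correction and decides a flow the way packet-tracer's ACCESS-LIST phase does. The function names, the simplified evaluation model (first matching ACE wins, implicit deny at the end of a bound ACL, security-level default when no inbound ACL is bound) and the deliberate omission of the sysopt connection permit-vpn bypass for decrypted VPN traffic are the example's own assumptions.

```python
"""Added example, not from the thread: replay the ACCESS-LIST phase of the ASA
'packet-tracer' command against the posted access-list / access-group lines,
showing why 10.1.1.100 -> 10.2.2.200 was an acl-drop before the correction and
passes after it.  Both config fragments are constructed from lines in this
thread; the security levels are those of the posted 'show run'.  Modelling
assumptions: first matching ACE wins, a bound ACL ends in an implicit deny, and
with no inbound ACL only higher-to-lower security-level traffic is allowed.  The
ASA's default bypass of interface ACLs for decrypted VPN traffic (sysopt
connection permit-vpn) is deliberately not modelled."""
import ipaddress
from collections import defaultdict

ASA_INTERFACES = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/3
 nameif inside
 security-level 100
"""
ASA_ACL_BEFORE = ASA_INTERFACES + """
access-list IN extended permit ip 10.2.2.0 255.255.255.0 any
access-group IN in interface outside
access-group IN out interface outside
access-group IN in interface inside
"""
ASA_ACL_AFTER = ASA_INTERFACES + """
access-list IN permit ip 10.1.1.0 255.255.255.0 any
access-group IN in interface inside
"""


def _addr(tok, i):
    """Parse one ASA address operand (any | host A.B.C.D | A.B.C.D MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # ASA ACLs take real subnet masks (IOS would take wildcard masks here)
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_asa(cfg):
    """Return (acls, bindings, levels): ACEs per ACL name,
    (interface, direction) -> ACL name, and interface -> security level."""
    acls, bindings, levels, nameif = defaultdict(list), {}, {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[0] == "security-level":
            levels[nameif] = int(tok[1])
        elif tok[0] == "access-list":
            i = 3 if tok[2] == "extended" else 2  # 'extended' is implied when omitted
            action, proto = tok[i], tok[i + 1]
            src, j = _addr(tok, i + 2)
            dst, _ = _addr(tok, j)
            acls[tok[1]].append((action, proto, src, dst))
        elif tok[0] == "access-group":  # access-group NAME in|out interface IFACE
            bindings[(tok[4], tok[2])] = tok[1]
    return acls, bindings, levels


def _acl_decision(acls, name, proto, src, dst):
    """First matching ACE decides; no match is the implicit deny packet-tracer reports."""
    for action, ace_proto, ace_src, ace_dst in acls[name]:
        if ace_proto in ("ip", proto) and src in ace_src and dst in ace_dst:
            verdict = "ALLOW" if action == "permit" else "DROP"
            return verdict, f"{name}: {action} {ace_proto} {ace_src} {ace_dst}"
    return "DROP", f"(acl-drop) no ACE in {name} matches, implicit deny"


def packet_trace_acl(cfg, in_iface, out_iface, proto, src_ip, dst_ip):
    """Decide a flow as packet-tracer's ACCESS-LIST phases would; returns (verdict, reason)."""
    acls, bindings, levels = parse_asa(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    inbound = bindings.get((in_iface, "in"))
    if inbound is None:
        if levels[in_iface] <= levels[out_iface]:
            return "DROP", (f"no ACL on {in_iface}; security level "
                            f"{levels[in_iface]} -> {levels[out_iface]} is not allowed by default")
    else:
        verdict, reason = _acl_decision(acls, inbound, proto, src, dst)
        if verdict != "ALLOW":
            return verdict, reason
    outbound = bindings.get((out_iface, "out"))
    if outbound is not None:
        verdict, reason = _acl_decision(acls, outbound, proto, src, dst)
        if verdict != "ALLOW":
            return verdict, reason
    return "ALLOW", "permitted by the interface ACLs"


if __name__ == "__main__":
    for label, cfg in (("before", ASA_ACL_BEFORE), ("after", ASA_ACL_AFTER)):
        print(label, packet_trace_acl(cfg, "inside", "outside", "tcp", "10.1.1.100", "10.2.2.200"))
```

The original ACL names 10.2.2.0/24 as the source, so a flow arriving on outside from the router's LAN passes it while the inside-originated test flow falls through to the implicit deny, which is the "(acl-drop) Flow is denied by configured rule" packet-tracer printed. With the corrected ACL bound inbound on inside the test flow passes, and the reply direction is handled by the ASA's stateful connection entry rather than by an ACL on outside.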

Yeah, I noticed that too. I already removed it. Will try again.

Thanks Jouni,
