Cisco Support Community
Community Member

Site-To_Site_DMZ

Hello all,

I worked with you a few days back on a site-to-site using two 5505 ASAs in a lab before deploying; with your help that is working.

We are moving to deploy into production with some different settings, as the customer's site remains the same but we will move from using the local interface nameif inside to our DMZ. First thing is: will this work through site-to-site?

We have the ASA on our end configured to use site-to-site through our DMZ interface; we created the ACL, then the NAT, but we can't ping anything on their local subnet, nor can they ping our local subnet.

I really need your help to show what I missed or failed to implement.

Thank you

Accepted Solutions
Super Bronze

Site-To_Site_DMZ

Hi.

Good to hear

Took some time but finally got it working

Please do remember to mark a reply as the correct answer.

- Jouni

29 REPLIES
Super Bronze

Re: Site-To_Site_DMZ

Hi,

So I assume that on the ASA PCS-EW-VPN you want to use the "EWVPN" interface instead of "inside"?

Notice that you have to modify the NAT rule there

no nat (inside,outside) source static net-local net-local destination static net-remote net-remote

nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote

This is because it still has the old source interface. The current rule only applies between "inside" and "outside" interface. Since you want to change the local interface for the VPN you will also have to change the local interface for the NAT configuration.

Also I would suggest changing this NAT configuration also to avoid future problems

no nat (EWVPN,outside) source dynamic any interface

nat (EWVPN,outside) after-auto source dynamic any interface

The configuration I suggest removing is at such a high priority that you might have problems in the future if you try to configure some additional NAT rules for interface "EWVPN". So it is a bit of a pre-emptive change to the configuration.

- Jouni

Community Member

Site-To_Site_DMZ

Hello Jouni, I'm very sorry to bother you with this again my friend, really nice to have your expertise...

I made the changes as shown for both NATs; we still can't ping the local network.

I'm running packet tracer on both; ASA PCS-lab-EW-VPN completes with all green check marks, while ASA PCS-EW-VPN fails to complete the trace route at VPN.

Thank you

Super Bronze

Re: Site-To_Site_DMZ

Hi,

Do you mean a "packet-tracer" fails on some ASA or a Traceroute? Traceroute to what?

If you mean "packet-tracer" then can you share the output from the CLI.

- Jouni

Community Member

Site-To_Site_DMZ

My bad, that should read "packet-tracer".

Re: Site-To_Site_DMZ

In addition to what Jouni has said, you might also need to clear the xlate table to get this working right away instead of having to wait for it to timeout.

--

Please remember to rate and select a correct answer

Community Member

Site-To_Site_DMZ

Jouni,

I figured out how to run the Packet-tracer from the command-line as shown below

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.10/21 to 10.10.10.10/21

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 172.16.5.2/21 to 172.16.5.2/21

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Site-To_Site_DMZ

You will need to run the packet tracer twice.  The first time it will show as drop because the VPN tunnel is most likely not up. The first trace will bring the tunnel up, and the second trace should give you the real result of the trace.

--

Please remember to rate and select a correct answer

Super Bronze

Re: Site-To_Site_DMZ

Hi,

Can you issue the command twice?

Usually when we have a L2L VPN connection and we use the "packet-tracer" to simulate a packet going to the L2L VPN, the first "packet-tracer" will always produce a drop.

So can you issue the command again? Also mention the command used.

Though then again, if you have issued a corresponding "packet-tracer" command on the other side and it goes through, it doesn't make sense.

In that case you could perhaps try issuing this command on both ASAs and then issue the "packet-tracer" commands again.

clear crypto ikev1 sa

- Jouni

Community Member

Site-To_Site_DMZ


Packet-trace 2 complete - looks good with green check marks - still not able to ping remote local network on either side

PCS-EW-VPN(config)# packet-tracer input EWVPN tcp 172.16.5.2 21 10.10.10.10 21

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.10/21 to 10.10.10.10/21

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 172.16.5.2/21 to 172.16.5.2/21

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2525, packet dispatched to next module

Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Super Bronze

Re: Site-To_Site_DMZ

Hi,

It doesn't seem to mention a VPN phase.

As if it was just sending the traffic to the Internet.

But on the VPN configurations it seemed to me that the networks matched on each side so there should be some phase.

If you are making configurations through the ASDM I would double check that no essential configurations were removed.

- Jouni
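The two points made in this part of the thread (a VPN encrypt phase that drops on the first run normally just means IKE was not up yet, so run the trace again; a second run that ends in "allow" without any VPN phase means the packet is leaving unencrypted, which points at the crypto map or its ACL rather than at IKE) can be turned into a small check over packet-tracer output. The following is an added Python example written for this page, not code from the thread or from Cisco. The three sample traces are constructed, trimmed to the lines that matter and modelled on the runs posted above; the verdict strings (`vpn-drop-retry`, `no-vpn-phase`, `vpn-ok`) are labels chosen for this example.

```python
import re

def parse_packet_tracer(text):
    """Turn ASA packet-tracer output into a list of phases plus the final verdict."""
    phases, current = [], None
    summary = {"phases": phases, "action": None, "drop_code": None}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep:
            continue                       # config echo lines such as 'nat (EWVPN,outside) ...'
        if key == "Phase":
            current = {"type": None, "subtype": None, "result": None}
            phases.append(current)
        elif key == "Result" and not value:
            current = None                 # the trailing 'Result:' block is not a phase
        elif current is not None and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key == "Action":
            summary["action"] = value
        elif key == "Drop-reason":
            m = re.match(r"\((\S+)\)", value)   # e.g. '(acl-drop) Flow is denied ...'
            summary["drop_code"] = m.group(1) if m else value
    return summary

def assess_l2l_trace(text):
    """Classify one packet-tracer run for traffic that should enter an L2L tunnel."""
    s = parse_packet_tracer(text)
    vpn = [p for p in s["phases"] if p["type"] == "VPN"]
    if vpn and vpn[-1]["result"] == "DROP":
        return "vpn-drop-retry"   # usual first run: IKE not negotiated yet, run the trace again
    if s["action"] == "allow" and not vpn:
        return "no-vpn-phase"     # leaves in the clear: the crypto map ACL did not match the flow
    if s["action"] == "allow":
        return "vpn-ok"
    return "dropped:" + (s["drop_code"] or "unknown")

# Constructed samples, trimmed to the relevant lines and modelled on the thread's runs.
FIRST_RUN = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote

Phase: 2
Type: NAT
Subtype:
Result: ALLOW

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP

Result:
input-interface: EWVPN
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SECOND_RUN_NO_VPN = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: NAT
Subtype: rpf-check
Result: ALLOW

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Additional Information:
New flow created with id 2525, packet dispatched to next module

Result:
Action: allow
"""

HEALTHY_RUN = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
Action: allow
"""

if __name__ == "__main__":
    for name, run in (("first run", FIRST_RUN), ("second run", SECOND_RUN_NO_VPN), ("healthy", HEALTHY_RUN)):
        print(f"{name}: {assess_l2l_trace(run)}")
```

Paste a real run into any of the string constants (or read it from a file) and call `assess_l2l_trace` on it; the parser only keys off the `Phase:`, `Type:`, `Result:`, `Action:` and `Drop-reason:` lines, so the config echo lines in between do not matter.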

Community Member

Site-To_Site_DMZ

What should I do - wipe both ASA's then start over?

Super Bronze

Re: Site-To_Site_DMZ

Hi,

You can try to attach the current configurations to the post.

Naturally, if there is a chance that there is just some weird problem with the ASAs, you can save the configuration and reboot both devices since this is still a lab setup.

Though looking through your current CLI format configuration should tell what the problem is.

- Jouni

Site-To_Site_DMZ

Is this lab setup using GNS3? If so, this can at times be a bit quirky, and trashing the whole setup and rebuilding will resolve the problem most of the time.

--

Please remember to rate and select a correct answer

Community Member

Site-To_Site_DMZ

Nope, using two brand new ASA 5505s; will deploy them next week, with one at my current location and the other at the customer site.

Community Member

Site-To_Site_DMZ

Sure - both ASA rebooted, we still can't ping or use anything like RDP to local network, sending both configs

ASA1

ASA Version 8.4(5)

!

hostname PCS-lab-EW-VPN

domain-name sccul.org

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 209.177.212.103 255.255.255.0

!

interface Vlan3

nameif EWVPN

security-level 98

ip address 172.16.17.1 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.1

domain-name sccul.org

object network obj_any

subnet 0.0.0.0 0.0.0.0

description PAT_inside_Outside_on_TW_Circuit

object network net-local

subnet 10.10.10.0 255.255.255.0

object network net-remote

subnet 172.16.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object net-local object net-remote

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu EWVPN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static net-local net-local destination static net-remote net-remote

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 209.177.212.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 10.10.10.0 255.255.255.0 inside

http 172.16.1.0 255.255.255.0 EWVPN

http 70.61.194.0 255.255.255.240 outside

http 209.177.212.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside-map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 70.61.194.178

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.10.10.0 255.255.255.0 inside

telnet timeout 60

ssh 10.10.10.0 255.255.255.0 inside

ssh 209.177.212.0 255.255.255.0 outside

ssh 172.16.1.0 255.255.255.0 EWVPN

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 208.87.104.40 source outside

ntp server 64.113.32.9 source outside

ntp server 50.22.155.163 source outside

webvpn

username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15

username admin1 password mNquohzwaXofLKzA encrypted privilege 15

tunnel-group 70.61.194.178 type ipsec-l2l

tunnel-group 70.61.194.178 ipsec-attributes

ikev1 pre-shared-key cisco123

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6865776390ce5bf69108b5f69386eb65

: end

ASA2

ASA Version 8.4(5)

!

hostname PCS-EW-VPN

domain-name sccul.org

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.248 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 70.61.194.178 255.255.255.240

!

interface Vlan3

nameif EWVPN

security-level 98

ip address 172.16.5.1 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.1

domain-name sccul.org

object network obj_any

subnet 0.0.0.0 0.0.0.0

description PAT_inside_Outside_on_TW_Circuit

object network net-local

subnet 172.16.5.0 255.255.255.0

object network net-remote

subnet 10.10.10.0 255.255.255.0

access-list EWVPN_access-in extended permit ip any any

access-list outside_1_cryptomap extended permit ip object net-local object net-remote

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu EWVPN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote

!

object network obj_any

nat (inside,outside) dynamic interface

!

nat (EWVPN,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 70.61.194.177 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 172.16.5.0 255.255.255.0 EWVPN

http 70.61.194.0 255.255.255.240 outside

http 209.177.212.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 209.177.212.103

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 60

ssh 192.168.1.0 255.255.255.0 inside

ssh 209.177.212.0 255.255.255.0 outside

ssh 172.16.5.0 255.255.255.0 EWVPN

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 208.87.104.40 source outside

ntp server 64.113.32.9 source outside

ntp server 50.22.155.163 source outside

webvpn

username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15

username admin1 password mNquohzwaXofLKzA encrypted privilege 15

tunnel-group 209.177.212.103 type ipsec-l2l

tunnel-group 209.177.212.103 ipsec-attributes

ikev1 pre-shared-key cisco123

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:bccba008500a803d23f0933a87c0a791

: end

Thank you

Super Bronze

Re: Site-To_Site_DMZ

Hi,

PCS-EW-VPN ASA is missing a "crypto map" related command

Add this

crypto map outside_map 1 match address outside_1_cryptomap

- Jouni

Site-To_Site_DMZ

If that doesn't solve it, please provide which license is installed on your ASAs

--

Please remember to rate and select a correct answer

Community Member

Site-To_Site_DMZ

Applied the crypto map outside_map 1 match address outside_1_cryptomap to the PCS-EW-VPN ASA; still not able to ping.

License on both ASAs:

Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

Thank you

Super Bronze

Re: Site-To_Site_DMZ

Hi,

Can you issue the "packet-tracer" command again on that same ASA unit (twice)

Could you also tell us between which devices you are attempting to ICMP? This can't be done from the ASA directly at least, so I assume that you are pinging between hosts? Have you confirmed that those hosts are attached to the correct ports and have the correct IP addresses and gateways, if you have changed INSIDE -> DMZ for this setup on the other ASA?

I can't see any problem with the configurations at the moment. They should enable the L2L VPN negotiation to go through. But as you saw, you didn't have the configuration above on the other ASA that defines the local and remote networks on the L2L VPN connection, so I think the ASDM might have removed that during some configuration.

You can naturally add the following commands on both ASAs for ICMP

fixup protocol icmp

fixup protocol icmp error

Those are old format commands but should convert to "inspect" commands.

Alternatively you can add them in the following way

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Can the ASAs ping each other's WAN interfaces at the moment?

When you issue the "packet-tracer" command or have a continuous ICMP from some host behind the "EWVPN" interface or "inside" on the other ASA, what can you see with the command

show crypto ikev1 sa

Try to issue it several times during testing to see what it shows

You could also use the command

show crypto ipsec sa

To view if the Phase2 has gone through and if packets have gone through the L2L VPN in either direction.

There is always a chance that something else than the ASA is stopping the ICMP traffic.

- Jouni

Community Member

Site-To_Site_DMZ

Hello

I'm trying to ping from the local subnets and not the ASA firewall, from laptops on each local network: one in the DMZ, 172.16.5.2, to the remote LAN, 10.10.10.10.

Packet-tracer from both ASAs, run twice on both

ASA1

PCS-EW-VPN(config)# packet-trace input EWVPN tcp 172.16.5.2 21 10.10.10.10 21

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.10/21 to 10.10.10.10/21

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 172.16.5.2/21 to 172.16.5.2/21

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA2

PCS-lab-EW-VPN# packet-trace input inside tcp 10.10.10.10 21 172.16.5.2 21

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 172.16.5.2/21 to 172.16.5.2/21

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 10.10.10.10/21 to 10.10.10.10/21

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 674, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Community Member

Site-To_Site_DMZ

Jouni,

Please let me know if this standard config for Site-To-Site is correct, and let me know if something else is needed.

This is what I used on each ASA.

Confirm you can ping both external IP addresses from the ASAs.

config t
crypto isakmp enable outside
object network net-local
subnet w.x.y.z 255.255.255.0
object network net-remote
subnet w.x.y.z 255.255.255.0
exit
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
exit
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 your default gateway

thanks

Super Bronze

Site-To_Site_DMZ

Hi,

The ASA PCS-lab-EW-VPN with the "packet-tracer" is not even matching to the VPN Phase

Either we are still talking about a configuration error or some weird bug.

Can you issue the command "show run" on this ASA and share the configuration again.

This just doesn't make any sense.

- Jouni

Community Member

Site-To_Site_DMZ

Sure thing

ASA1

ASA Version 8.4(5)

!

hostname PCS-lab-EW-VPN

domain-name sccul.org

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 209.177.212.103 255.255.255.0

!

interface Vlan3

nameif EWVPN

security-level 98

ip address 172.16.17.1 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.1

domain-name sccul.org

object network obj_any

subnet 0.0.0.0 0.0.0.0

description PAT_inside_Outside_on_TW_Circuit

object network net-local

subnet 10.10.10.0 255.255.255.0

object network net-remote

subnet 172.16.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object net-local object net-remote

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu EWVPN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 209.177.212.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 EWVPN
http 70.61.194.0 255.255.255.240 outside
http 209.177.212.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside-map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 70.61.194.178
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 60
ssh 10.10.10.0 255.255.255.0 inside
ssh 209.177.212.0 255.255.255.0 outside
ssh 172.16.1.0 255.255.255.0 EWVPN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.87.104.40 source outside
ntp server 64.113.32.9 source outside
ntp server 50.22.155.163 source outside
webvpn
username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15
username admin1 password mNquohzwaXofLKzA encrypted privilege 15
tunnel-group 70.61.194.178 type ipsec-l2l
tunnel-group 70.61.194.178 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6865776390ce5bf69108b5f69386eb65
: end

Super Bronze

Re: Site-To_Site_DMZ

Hi,

Typo in the configuration

Remove

crypto map outside-map 1 match address outside_1_cryptomap

Add

crypto map outside_map 1 match address outside_1_cryptomap

The current one has "-" in "outside-map" while it should have "_", as in "outside_map".

The typo in the Crypto Map name basically attached the L2L VPN ACL to a different Crypto Map which was not used. This is why on the other ASA the traffic is not matching to any VPN configuration.

- Jouni

Community Member

Site-To_Site_DMZ

Do you see that we have confetti falling from the sky and the birds are singing – that's it, my friend, nice job

Community Member

Site-To_Site_DMZ

Please help me as I'm working on a script for configuring site-to-site as listed below, to remove typos like the one you found. Please let me know if anything else is needed.

confirm you can ping both external IP addresses from the ASAs

config t
crypto isakmp enable outside
object network net-local
subnet w.x.y.z 255.255.255.0
object network net-remote
subnet w.x.y.z 255.255.255.0
exit
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
exit
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 your default gateway

Super Bronze

Re: Site-To_Site_DMZ

The configuration depends on the software level

If I were to go by the newest software version then the above is missing some parameters or using old format commands (that might be accepted but naturally better to use the new format)

object network LOCAL-NAME
 subnet w.x.y.z 255.255.255.0
object network REMOTE-NAME
 subnet w.x.y.z 255.255.255.0
exit
access-list L2LVPN-NAME-ACL permit ip object LOCAL-NAME object REMOTE-NAME
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ikev1 enable
crypto ikev1 policy x
 authentication pre-share
 encrypt 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTOMAP x match address L2LVPN-NAME-ACL
crypto map CRYPTOMAP x set pfs group1
crypto map CRYPTOMAP x set peer w.x.y.z
crypto map CRYPTOMAP x set ikev1 transform-set ESP-3DES-SHA
crypto map CRYPTOMAP interface
nat (sourceint,destinationint) 1 source static LOCAL-NAME LOCAL-NAME destination static REMOTE-NAME REMOTE-NAME

In the above what you have to notice is that some configurations are only needed once. There is no need to issue them again if for example you configure a new L2L VPN on an ASA that already has a L2L VPN connection.

Those are for example these commands

crypto ikev1 enable
crypto map CRYPTOMAP interface
crypto ikev1 policy x
 authentication pre-share
 encrypt 3des
 hash sha
 group 2
 lifetime 86400

The above commands are global commands/settings that don't need to be issued again. Once they are on the device there is no need to modify them. Naturally you might need some other parameters for the "ikev1 policy" with some other remote location. In that case you use another priority number and add that to the configuration.

For example

crypto ikev1 policy 20
 authentication pre-share
 encrypt aes-256
 hash sha
 group 2
 lifetime 28800

Both the original and this new one can be there at the same time.

Also you will have to notice that each L2L VPN ACL needs a different name otherwise the configuration will get messed up and possibly affect the existing VPNs.

object network LOCAL-NAME-2
 subnet w.x.y.z 255.255.255.0
object network REMOTE-NAME-2
 subnet w.x.y.z 255.255.255.0
exit
access-list L2LVPN-NAME-ACL-2 permit ip object LOCAL-NAME-2 object REMOTE-NAME-2

Also the "crypto map" lines will need their own priority number for a new connection

For example

crypto map CRYPTOMAP 2 match address L2LVPN-NAME-ACL-2
crypto map CRYPTOMAP 2 set pfs group1
crypto map CRYPTOMAP 2 set peer w.x.y.z
crypto map CRYPTOMAP 2 set ikev1 transform-set ESP-3DES-SHA

And finally you will need to check that the source and destination interfaces on the "nat" configuration match the interface where the actual source and destination network for the L2L VPN are located at.

nat (sourceint,destinationint) 1 source static LOCAL-NAME-2 LOCAL-NAME-2 destination static REMOTE-NAME-2 REMOTE-NAME-2

Notice that both in the ACL and the object configuration I have added the "NAME". I would suggest you replace this with something that gives a descriptive name to which L2L VPN connection this object or ACL is related to. It will become a lot easier to troubleshoot later when the ACL and object names aren't cryptic themselves.

Hope this made any sense.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni
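The poster's script and Jouni's advice above both come down to the same thing: before the snippet is pasted into the ASA, every crypto-map name, sequence number, ACL and object it mentions must agree with every other line that mentions it. The lint below is an added example, not code from the thread, from Cisco or from any project; it parses only the IKEv1 L2L lines the thread uses (object, access-list, tunnel-group, crypto map) and reports the exact mistakes seen here: a map name that differs from the one bound to the interface, a sequence entry with no match address, a peer with no tunnel-group, an undefined ACL or object, and one ACL name shared by two tunnels. The sample snippets, their addresses and the placeholder pre-shared key are constructed for the demonstration.

```python
"""Lint an ASA IKEv1 site-to-site snippet for self-consistency before pasting it in.
Added example for the thread; constructed samples, not the poster's configuration."""
import re
from collections import defaultdict

RE_OBJECT = re.compile(r"^object network (\S+)$")
RE_ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip object (\S+) object (\S+)$")
RE_TUNNEL = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
RE_MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_MAP_ENTRY = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set|set transform-set) (\S+)$")


def parse(config):
    """Collect objects, ACEs, L2L tunnel-groups, crypto-map entries and interface bindings."""
    objects, tunnels, bound = set(), set(), {}
    acls = defaultdict(list)          # acl name -> [(src_obj, dst_obj), ...]
    maps = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))  # map -> seq -> field -> values
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_OBJECT.match(line):
            objects.add(m.group(1))
        elif m := RE_ACE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := RE_TUNNEL.match(line):
            tunnels.add(m.group(1))
        elif m := RE_MAP_IF.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := RE_MAP_ENTRY.match(line):
            name, seq, key, value = m.groups()
            field = {"match address": "acl", "set peer": "peer"}.get(key, "transform")
            maps[name][int(seq)][field].append(value)
    return objects, acls, tunnels, maps, bound


def lint(config):
    """Return human-readable findings; an empty list means the snippet is consistent."""
    objects, acls, tunnels, maps, bound = parse(config)
    findings = []
    for acl, aces in acls.items():
        for obj in (o for ace in aces for o in ace):
            if obj not in objects:
                findings.append(f"access-list {acl} references undefined object '{obj}'")
    for name in maps:                 # the thread's typo: entries under a map nobody applies
        if name not in bound:
            findings.append(f"crypto map '{name}' has entries but is never applied to an interface (misspelled map name?)")
    for name, intf in bound.items():
        if name not in maps:
            findings.append(f"crypto map '{name}' is applied to interface {intf} but has no entries")
    acl_users = defaultdict(list)
    for name, entries in maps.items():
        for seq, fields in sorted(entries.items()):
            where = f"crypto map '{name}' seq {seq}"
            for field, label in (("acl", "match address"), ("peer", "set peer"), ("transform", "transform-set")):
                values = fields.get(field, [])
                if not values:
                    findings.append(f"{where} is missing '{label}'")
                elif len(values) > 1:  # re-issuing the line replaces the earlier value silently
                    findings.append(f"{where} sets '{label}' {len(values)} times; only the last ({values[-1]}) survives")
            for acl in fields.get("acl", []):
                if acl not in acls:
                    findings.append(f"{where} matches undefined access-list '{acl}'")
                acl_users[acl].append(where)
            for peer in fields.get("peer", []):
                if peer not in tunnels:
                    findings.append(f"{where} peers with {peer} but no 'tunnel-group {peer} type ipsec-l2l' exists")
    for acl, users in acl_users.items():  # one ACL name shared by two tunnels merges their ACEs
        if len(users) > 1:
            findings.append(f"access-list '{acl}' is matched by more than one crypto map entry: {', '.join(users)}")
    return findings


# Constructed sample with the thread's "outside-map" / "outside_map" mismatch;
# documentation-range addresses and a placeholder PSK, not the poster's values.
BROKEN = """\
object network net-local
 subnet 10.10.10.0 255.255.255.0
object network net-remote
 subnet 192.168.50.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 203.0.113.10 type ipsec-l2l
crypto map outside-map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""
FIXED = BROKEN.replace("crypto map outside-map 1", "crypto map outside_map 1")
# A second tunnel added with a fresh sequence number but the first tunnel's ACL name.
COLLISION = FIXED + """\
object network net-local-2
 subnet 10.10.20.0 255.255.255.0
object network net-remote-2
 subnet 192.168.60.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local-2 object net-remote-2
tunnel-group 203.0.113.20 type ipsec-l2l
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer 203.0.113.20
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("collision", COLLISION)):
        print(label, lint(cfg) or ["ok"])
```

Run it against a generated script before pasting; a clean result only says the snippet agrees with itself, so the routing, NAT and interface names still need the checks Jouni describes. The parser deliberately accepts only the new-format commands (ikev1 keywords, `type ipsec-l2l`), so an old-format line such as `type ipsecL2L` surfaces as a missing tunnel-group rather than being silently accepted.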

Super Bronze

Site-To_Site_DMZ

Hi.

Good to hear

Took some time but finally got it working

Please do remember to mark a reply as the correct answer.

- Jouni

Community Member

Site-To_Site_DMZ

Yes Sir - you are the best

Please confirm this site-to-site config I'm creating to prevent typos - do I need anything else in this script

confirm you can ping both external IP addresses from the ASAs

config t
crypto isakmp enable outside
object network net-local
subnet w.x.y.z 255.255.255.0
object network net-remote
subnet w.x.y.z 255.255.255.0
exit
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
exit
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 your default gateway

Thank you Sir
