UC520 Site-to-Site VPN

Hi All

I have this very weird problem (at least for me)

I have a UC520 connected to an ASA5510 via Site-to-Site VPN.

I can ping from clients behind the UC520 to clients behind the ASA5510.

I can ping from clients behind the ASA5510 to clients behind the UC520.

I can access services (like RDP) from clients behind the UC520 to clients behind the ASA5510.

I can't access services (like RDP, HTTP) from clients behind the ASA5510 to clients behind the UC520.

Does anyone have a clue where I need to look? I tried to rule out all access lists by (temporarily) adding a permit ip any any line to each of them.

I think it must be some kind of NAT issue, but I'm not sure.

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: UC520 Site-to-Site VPN

You said your UC logs showed nothing when trying to connect to .11 and .12. This means the traffic either never got to the UC at all, got to the UC and was dropped before entering the LAN, or got to the hosts but was never returned.

Do the internal hosts have other outbound routes defined on them (doubtful but possible), and can you verify that the traffic is at least coming through the UC outside interface?

33 REPLIES
Community Member

Re: UC520 Site-to-Site VPN

It's hard to say without looking at the configs, but the first thing I would look at is the ACL for the policy. This should be under "Crypto-map" > "match address". This ACL determines which traffic is to be encrypted and placed into the tunnel. Since you can already ping from the ASA to the UC it must be built, but make sure the ACLs are permitting IP (all protocols) and not just ICMP in the proper source-to-destination direction. You may have a problem with the ACL defined on the "nat0" as well (make sure it is permitting IP like above). When you ruled out the ACLs for the firewalls, did you place the permit any any at the top of the ACL? And did you do this on all filters (inbound to ASA and outbound of ASA... inbound to UC and outbound of UC)? If not, the filters may still be killing the traffic.

Community Member

Re: UC520 Site-to-Site VPN

Thanks for your answer. I have attached the running-config; I figured that might be a lot easier.

I checked that all access-lists are permitting ip, not only icmp.

Community Member

Re: UC520 Site-to-Site VPN

It sounds like the problem may be on the ASA side not necessarily the UC side. At quick glance everything looked good to me for the UC config.

Community Member

Re: UC520 Site-to-Site VPN

I was taking another look at your config and there are a few possibilities. First of all I hope that all of your tests from the ASA side to the UC are from the 10.10.0.75 host because that is the only host defined in the ACL 199 for the policy. So assuming that is indeed how you are testing, here is my assumed scenario:

Host 10.10.0.75 tries to establish an RDP session to 192.168.10.X.

I noticed your ACL 104 is permitting RDP to 87.63.xxx.70. According to my assumptions, you are trying to establish this session to a destination address of 192.168.10.x, not 87.63.xxx.70. So this destination value would have to change on the protocols that you want to get THROUGH the router, not TO the router.

It could be too that these protocols are not even being filtered separately by ACL 104 because they're within the tunnel that's already being allowed through, and maybe there is an issue on the ASA side.

I would start by isolating ACL 104 by removing it completely from the interface and see where you stand.

Community Member

Re: UC520 Site-to-Site VPN

Simon,

What are the logs on the ASA telling you?

I assume you have a NAT exception for the subnet inside the ASA going to the subnet inside the UC?

If you still cannot get it post a cleaned ASA config and I can take a look.

Bob James

Community Member

Re: UC520 Site-to-Site VPN

Thanks a lot for taking the time to help; I appreciate it a lot.

Yes, all testing is being done from the client having 10.10.0.75 as its IP on the ASA side.

I tried to remove access-list 104 completely. Still the same symptoms (as in, I can't access RDP on 192.168.10.5, but I can ping it).

The lines allowing RDP to 87.xxxx are leftovers from an older configuration without VPN.

Do you think we need to have a look at things on the ASA side? The reason for me thinking that this should be a UC500 issue is that I can easily access RDP from, say, 192.168.10.5 to 10.10.0.75, but not the other way around.

Community Member

Re: UC520 Site-to-Site VPN

Need the ASA config to see for sure.

Make sure on the ASA side the crypto map addressing matches the UC exactly:

example: access-list inside_nat0_outbound extended permit ip host 10.10.0.75 192.168.10.0 255.255.255.0

Community Member

Re: UC520 Site-to-Site VPN

Thanks a lot, I have attached the ASA config here.

Community Member

Re: UC520 Site-to-Site VPN

I'll take a harder look in a couple of minutes, but a quick glance shows me you are also using the IP as a static PAT on the outside interface:

static (Inside,Outside) tcp 77.66.XX.XX 3389 10.10.0.75 3389 netmask 255.255.255.255

Try removing this entry and try RDP again; let me know what happens.

Bob

Community Member

Re: UC520 Site-to-Site VPN

Hi Bob

I tried to remove the static PAT (both for 3389 as well as ftp), however no luck.

Just to be clear, it is not only RDP from 10.10.0.75 to, say, 192.168.10.5 that is failing. It is basically everything from 10.10.0.75 to 192.168.10.x, except for ICMP packets.

Community Member

Re: UC520 Site-to-Site VPN

No prob, good to hear.

Community Member

Re: UC520 Site-to-Site VPN

Also, one thing worth noting (perhaps) is that I can access the UC520 via SSH from 10.10.0.75. Kind of weird; it looks more and more like a problem with accessing clients behind the UC520.

Community Member

Re: UC520 Site-to-Site VPN

What IP can you access on the UC via SSH?

Is there anything showing up in the log files?

I will look at the configs more in a little while.

Community Member

Re: UC520 Site-to-Site VPN

The UC520 has an internal IP address of 192.168.10.1, which I can access via SSH from 10.10.0.75.

The logs from the ASA when doing this are:

6Jun 18 201022:49:36302013192.168.10.12210.10.0.7550092Built outbound TCP connection 46378447 for Outside:192.168.10.1/22 (192.168.10.1/22) to Inside:10.10.0.75/50092 (10.10.0.75/50092)

Which matches the log entries I get when trying to RDP to 192.168.10.5 or access HTTP on 192.168.10.11:

6Jun 18 201022:50:56302013192.168.10.5338910.10.0.7550099Built outbound TCP connection 46378681 for Outside:192.168.10.5/3389 (192.168.10.5/3389) to Inside:10.10.0.75/50099 (10.10.0.75/50099)

6Jun 18 201022:50:34302013192.168.10.118010.10.0.7550096Built outbound TCP connection 46378631 for Outside:192.168.10.11/80 (192.168.10.11/80) to Inside:10.10.0.75/50096 (10.10.0.75/50096)

Community Member

Re: UC520 Site-to-Site VPN

Can you http to 192.168.10.5?

I would also recommend adding logging to the inside ACLs of the UC so you can see what it's doing.

You can test the packet size theory by increasing your ICMP packet sizes to see where it kaks.

Community Member

Re: UC520 Site-to-Site VPN

Yes, I actually can... This is getting more and more weird.

The HTTP service responds with a small error page (as intended; I'm not accessing a page that exists). I can't access the HTTP service on 192.168.10.11 though.

Could it be some kind of packet-size related problem?

Community Member

Re: UC520 Site-to-Site VPN

Hmm, never mind my packet-size speculations. I tried to access a page that actually exists (plenty of graphics) and it worked without any problems.

Can't access HTTPS on 192.168.10.5 though.

Community Member

Re: UC520 Site-to-Site VPN

The packet size one I have had before; the MTU should be set lower on the inside to accommodate the overhead of IPSEC, 1430 or something. Anyway, I think the only way to know for sure what is happening is to get logs off the UC; that's why I suggested adding a deny any any log on the inside ACLs.

Bob

Community Member

Re: UC520 Site-to-Site VPN

I just added a 5 permit ip any any log to access-list 101 (for the inside interface). Here is what I get when accessing HTTP on 192.168.10.5:

000743: Jun 18 21:18:14.463: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.5(0) -> 10.10.0.75(0), 1 packet

Here is what I get when accessing HTTPS or RDP on 192.168.10.5 (which doesn't work):

000765: Jun 18 21:20:24.831: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.5(0) -> 10.10.0.75(0), 1 packet

However, the logs show nothing when I try to access 192.168.10.11 (or .31 and .12) via HTTP.

Any clue?

Community Member

Re: UC520 Site-to-Site VPN

Nothing shows up when adding 5 deny ip any any log and then trying to access 192.168.10.11 via HTTP.

This is showing up when doing RDP to 192.168.10.5:

000947: Jun 18 21:36:27.907: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.5(0) -> 10.10.0.75(0), 1 packet

As well as HTTPS to 192.168.10.5:

000954: Jun 18 21:37:02.923: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.5(0) -> 10.10.0.75(0), 1 packet

But nothing with HTTP to 192.168.10.11 or 192.168.10.31.

Community Member

Re: UC520 Site-to-Site VPN

Take a look at your "ip nat inside source static" statements. There are entries for the .5 and so on that may be NATing the source addresses to the address of your public interface. Remove them and give it a try.

Community Member

Re: UC520 Site-to-Site VPN

Thanks, clearing all ip nat entries except this one:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload

made everything to 192.168.10.5 work.

However, I still can't access 192.168.10.11, .12, .31 through HTTP.
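
As an added example, not code from this thread or from Cisco: a small Python model of the IOS inside-to-outside order of operations (NAT inside source is applied before the crypto map check) that reproduces the symptom above, where HTTP to .5 worked but RDP and HTTPS to .5 failed until the static NAT entries were removed. The public address, the static PAT entries and the assumption that route-map SDM_RMAP_1 denies crypto-ACL traffic are constructed for the example.

```python
# Added example, not from the thread: model of why a per-port static PAT entry
# on the IOS router breaks the VPN return path for that port only, while ICMP
# and ports without a static entry still go through the tunnel.
from ipaddress import ip_address, ip_network

PUBLIC_IF = "87.63.0.70"                   # placeholder for the UC520 outside IP
VPN_LOCAL = ip_network("192.168.10.0/24")  # inside LAN behind the UC520
VPN_REMOTE = ip_address("10.10.0.75")      # only host in crypto ACL 199

# Constructed "ip nat inside source static tcp ..." entries for the .5 host.
STATIC_PAT = {("192.168.10.5", 3389), ("192.168.10.5", 443)}


def crypto_acl_match(src, dst):
    """Equivalent of crypto ACL 199: encrypt 192.168.10.0/24 -> 10.10.0.75."""
    return ip_address(src) in VPN_LOCAL and ip_address(dst) == VPN_REMOTE


def translate_source(src, sport, dst, proto, static_pat):
    """Source address after 'ip nat inside source' for an inside->outside packet."""
    # Static entries are matched first and are not subject to the route-map.
    if proto == "tcp" and (src, sport) in static_pat:
        return PUBLIC_IF
    # Dynamic overload via route-map SDM_RMAP_1, assumed here to deny traffic
    # that matches the crypto ACL so VPN traffic is left untranslated.
    if crypto_acl_match(src, dst):
        return src
    return PUBLIC_IF


def reply_path(src, sport, dst, proto, static_pat):
    """Where the inside host's reply goes: 'tunnel' if it still matches the
    crypto ACL after NAT, 'cleartext' if NAT rewrote the source first."""
    nat_src = translate_source(src, sport, dst, proto, static_pat)
    return "tunnel" if crypto_acl_match(nat_src, dst) else "cleartext"


def broken_services(static_pat):
    """Inside (host, port) pairs whose replies to the VPN peer leave untunnelled."""
    return {(h, p) for (h, p) in static_pat
            if reply_path(h, p, str(VPN_REMOTE), "tcp", static_pat) == "cleartext"}


if __name__ == "__main__":
    for port, name in ((80, "http"), (443, "https"), (3389, "rdp")):
        before = reply_path("192.168.10.5", port, "10.10.0.75", "tcp", STATIC_PAT)
        after = reply_path("192.168.10.5", port, "10.10.0.75", "tcp", set())
        print(f"{name}: with statics={before}, statics removed={after}")
```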

Community Member

Re: UC520 Site-to-Site VPN

I am sure you have already, but have you removed any firewalls from the hosts themselves?

Community Member

Re: UC520 Site-to-Site VPN

Yes, 192.168.10.11 is actually a printer with a web interface, so no firewall here.

Community Member

Re: UC520 Site-to-Site VPN

Did you say you could ping the .11, .12, and .31 from the host on the ASA side?

Community Member

Re: UC520 Site-to-Site VPN

Yes, no problems pinging those.

Community Member

Re: UC520 Site-to-Site VPN

Do you still have the statics for 10.10.0.75 defined on the ASA?

static (Inside,Outside) tcp 77.66.XX.XX www 10.10.0.75 www netmask 255.255.255.255

Community Member

Re: UC520 Site-to-Site VPN

No, those are all gone now.
