04-09-2012 11:45 AM
I have a Cisco ASA 5505 that I have been using for a demo network. I have users that can VPN in and, depending on their user credentials, they get a static IP address. All that has been working OK for some time. Today I am working with another company (Raytheon) that wants to set up a bridge between my ASA and their Cisco box (70.62.100.14). I have set up everything as best I can tell and I see the IPsec tunnel is now in place; however, somewhere along the way I have hosed my ASA, so from a box on my inside I cannot ping across the network, the ASA sends me outside. I use the packet tracer tool in ASDM and it says that I have been blocked by an implicit access list rule that I can't delete.
Please help, as always I have a big time crunch and my boss says "we've got dollars waiting on dimes here".
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(1)
!
hostname DemoASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.20.0 VPN_Pool description Assigned when coming from outside world
name 192.168.2.0 raytheon description Raytheon Demo
!
interface Vlan1
description Inside
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description Outside
nameif outside
security-level 0
ip address 206.248.243.101 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 216.12.23.231
name-server 209.145.84.131
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list demo_splitTunnelAcl standard permit VPN_Pool 255.255.255.0
access-list demo_splitTunnelAcl standard permit host 0.0.0.0
access-list demo_splitTunnelAcl standard permit raytheon 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 any VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_in extended permit esp any raytheon 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip any VPN_Pool 255.255.255.0
access-list nonat extended permit ip any 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list nonat extended permit ip any any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list inside_access_in extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.10.20.100-10.10.20.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address outside_1_cryptomap
crypto map outside_map 20 set pfs group1
crypto map outside_map 20 set peer 70.62.100.14
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
vpn-addr-assign local reuse-delay 1
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.3.100-192.168.3.149 inside
dhcpd dns 209.145.84.131 216.12.23.231 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy demo internal
group-policy demo attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
group-policy DfltGrpPolicy attributes
vpn-filter value nonat
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy StaticGroupPolicy internal
group-policy StaticGroupPolicy attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
username demo password XjFBA5DVYjFLLcDW encrypted privilege 0
username demo attributes
vpn-group-policy demo
username canned password sWQy7bl2cuq.v.v2 encrypted privilege 0
username canned attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.132 255.255.255.0
username radio password ye4nx3CdgBd7/S0Z encrypted privilege 0
username radio attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.131 255.255.255.0
username verizon password mmJzopA9lPGcK6W6 encrypted privilege 0
username verizon attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username fleet password sDCT4W0GjcdKsxZZ encrypted privilege 0
username fleet attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username chris password EBjiypjrtLaG.WFn encrypted privilege 0
username chris attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.20 255.255.255.0
username vzwsales password LaxsmuczZdHXa/DN encrypted privilege 0
username vzwsales attributes
vpn-group-policy demo
tunnel-group demo type remote-access
tunnel-group demo general-attributes
address-pool VPN_Pool
default-group-policy demo
tunnel-group demo ipsec-attributes
pre-shared-key *
tunnel-group 70.62.100.14 type ipsec-l2l
tunnel-group 70.62.100.14 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 70.62.100.14
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30e73add26875f1c3da12b49652f46bc
: end
04-09-2012 12:25 PM
Hi,
You will at least have to remove this line from the NAT0 rules:
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 any
This line basically tells your ASA to pass all traffic from your LAN 192.168.3.0/24 to ANY destination network WITHOUT NAT.
It should be enough to have the NAT0 access-list lines with the destination address of the remote LAN and the remote VPN Client pool addresses.
Also the following line seems useless to me:
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.0
This is because your NAT0 rule is attached to your inside interface and the destination network in the above rule is the inside network.
To me it seems that these are the 2 access-list lines regarding NAT0 you NEED to have:
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
The first one tells the ASA not to NAT the traffic between VPN Client users and the LAN. The other tells the ASA that traffic between the LAN and the remote site (Raytheon) isn't NATed. In other words this traffic passes the ASA with its original source and destination addresses in both directions.
Also please add this command to the ASA:
policy-map global_policy
class inspection_default
inspect icmp
This will let the ICMP replies come through the ASA without opening the access-list.
If your LAN-to-LAN VPN to Raytheon is working at the moment, ICMP across the VPN should work now, provided the remote end has allowed it.
Let me know if this helps or ask any additional questions.
And as always please rate if the information was helpful.
- Jouni
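An added example, not from the thread or from Cisco: a small Python model of how ASA 8.2 (pre-8.3 NAT) decides, for a packet leaving the inside interface, between the NAT exemption list and the catch-all PAT. The two ACL texts are the posted inside_nat0_outbound_1 before and after the removals suggested above, pasted unchanged; the evaluation rules (first matching permit ACE in nat 0 wins, otherwise nat (inside) 1 with global (outside) 1 interface translates to the outside address) are my summary of the order of operations, and skipping deny ACEs is an assumption of the model, since the posted lists contain none.

```python
import ipaddress
from typing import List, Tuple

# The "names" statements from the posted config, so the ACL text can be pasted unchanged.
NAMES = {"VPN_Pool": "10.10.20.0", "raytheon": "192.168.2.0"}

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)

# Posted NAT0 list before the fix: the 4th line exempts the whole LAN from NAT to ANY destination.
BROKEN_NAT0 = """
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
"""

# The list as it appears in the second 'sh run', after the two lines were removed.
FIXED_NAT0 = """
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
"""

OUTSIDE_IP = "206.248.243.101"  # 'global (outside) 1 interface' PATs to this address


def _take_net(parts: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read one address term in ASA 8.2 syntax: 'any', 'host A', or 'A MASK' (A may be a name)."""
    if parts[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.IPv4Network(NAMES.get(parts[i + 1], parts[i + 1]) + "/32"), i + 2
    addr = NAMES.get(parts[i], parts[i])
    return ipaddress.IPv4Network(f"{addr}/{parts[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME extended permit|deny ip SRC DST' lines, keeping their order.

    Only protocol 'ip' is accepted: that is all a NAT exemption list needs, and anything
    else (object-groups, ports) is a sign that the wrong ACL was pasted.
    """
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[2] != "extended" or parts[4] != "ip":
            raise ValueError(f"unsupported ACE: {raw}")
        src, i = _take_net(parts, 5)
        dst, _ = _take_net(parts, i)
        aces.append((parts[3], src, dst))
    return aces


def nat_decision(src: str, dst: str, nat0: List[Ace], outside_ip: str = OUTSIDE_IP) -> str:
    """Return the source address a packet src->dst carries when it leaves the outside interface.

    Order of operations modelled (ASA 8.2, pre-8.3 NAT):
      1. nat (inside) 0 access-list <nat0>: first matching permit ACE -> exempt, source unchanged
      2. nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface -> PAT to outside_ip
    Deny ACEs are skipped (an assumption of this model; the posted lists have none).
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in nat0:
        if action == "permit" and s in src_net and d in dst_net:
            return src
    return outside_ip


def compare(src: str = "192.168.3.100") -> dict:
    """Per destination: (source seen upstream with the broken list, with the fixed list)."""
    broken, fixed = parse_acl(BROKEN_NAT0), parse_acl(FIXED_NAT0)
    targets = {
        "internet (name-server)": "216.12.23.231",  # a DNS server from the posted config
        "Raytheon LAN host": "192.168.2.100",
        "VPN client": "10.10.20.130",
    }
    return {k: (nat_decision(src, v, broken), nat_decision(src, v, fixed)) for k, v in targets.items()}


if __name__ == "__main__":
    for what, (before, after) in compare().items():
        print(f"{what:24s} broken={before:16s} fixed={after}")
```

With the broken list, a packet from 192.168.3.100 to 216.12.23.231 leaves untranslated with an RFC 1918 source that the ISP will not route back, so the LAN loses internet access while the two VPN destinations look fine; with the fixed list the same packet is PATed to 206.248.243.101 and the VPN destinations are still exempted. The same first-match reading applies to the posted outside_access_in, whose first entry permits ip/icmp/udp/tcp any any inbound, and to http 0.0.0.0 0.0.0.0 outside, which exposes ASDM management to the whole internet; neither causes the ping problem, but both are things to tighten once the tunnel works.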
04-09-2012 12:36 PM
Also,
I suggest you delete all the access-lists that are useless. It seems you have some old access-lists used for NAT0 configurations that you have left on the ASA.
At least for me they make the configuration a bit harder to read as they look the same.
I tend to name the access-lists with all capital letters to make them stand out in the CLI format.
For example the inside access-list I usually name INSIDE-IN,
the outside access-list I usually name OUTSIDE-IN,
the NAT0 access-list I usually name INSIDE-NAT0.
But all this is of course down to personal preference.
- Jouni
04-09-2012 12:44 PM
Made the suggested changes and still cannot ping from my inside (192.168.3.1) to the client PC at Raytheon, 192.168.2.100.
04-09-2012 12:46 PM
Updated sh run.
I'll work on those naming conventions, +1 for that.
Thanks for the help so far, I really need to get this thing up.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(1)
!
hostname DemoASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.20.0 VPN_Pool description Assigned when coming from outside world
name 192.168.2.0 raytheon description Raytheon Demo
!
interface Vlan1
description Inside
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description Outside
nameif outside
security-level 0
ip address 206.248.243.101 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 216.12.23.231
name-server 209.145.84.131
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list demo_splitTunnelAcl standard permit VPN_Pool 255.255.255.0
access-list demo_splitTunnelAcl standard permit host 0.0.0.0
access-list demo_splitTunnelAcl standard permit raytheon 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 any VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_in extended permit esp any raytheon 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip any VPN_Pool 255.255.255.0
access-list nonat extended permit ip any 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list nonat extended permit ip any any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list inside_access_in extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.10.20.100-10.10.20.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address outside_1_cryptomap
crypto map outside_map 20 set pfs group1
crypto map outside_map 20 set peer 70.62.100.14
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
vpn-addr-assign local reuse-delay 1
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.3.100-192.168.3.149 inside
dhcpd dns 209.145.84.131 216.12.23.231 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy demo internal
group-policy demo attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
group-policy DfltGrpPolicy attributes
vpn-filter value nonat
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy StaticGroupPolicy internal
group-policy StaticGroupPolicy attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
username demo password XjFBA5DVYjFLLcDW encrypted privilege 0
username demo attributes
vpn-group-policy demo
username canned password sWQy7bl2cuq.v.v2 encrypted privilege 0
username canned attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.132 255.255.255.0
username radio password ye4nx3CdgBd7/S0Z encrypted privilege 0
username radio attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.131 255.255.255.0
username verizon password mmJzopA9lPGcK6W6 encrypted privilege 0
username verizon attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username fleet password sDCT4W0GjcdKsxZZ encrypted privilege 0
username fleet attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username chris password EBjiypjrtLaG.WFn encrypted privilege 0
username chris attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.20 255.255.255.0
username vzwsales password LaxsmuczZdHXa/DN encrypted privilege 0
username vzwsales attributes
vpn-group-policy demo
tunnel-group demo type remote-access
tunnel-group demo general-attributes
address-pool VPN_Pool
default-group-policy demo
tunnel-group demo ipsec-attributes
pre-shared-key *
tunnel-group 70.62.100.14 type ipsec-l2l
tunnel-group 70.62.100.14 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 70.62.100.14
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:067a91790275fbdaf24c7fee5553a666
: end
04-09-2012 12:48 PM
Hi,
This might be related to the fact that you are using the ASA interface IP address (not 100% sure). The ASA is pretty picky when you are making connections to its interface and also using it as the source address.
Can you try some random source address like 192.168.3.100, for example, and see what it gives. Or better yet, some computer behind the ASA.
- Jouni
04-09-2012 12:55 PM
My PC is static at 192.168.3.100 255.255.255.0; I cannot ping or tracert to 192.168.2.100.
04-09-2012 01:02 PM
Hi,
Can you confirm that the actual LAN-to-LAN VPN is up?
You can confirm this in the ASDM
or use the following command on the CLI:
show vpn-sessiondb l2l
If the L2L VPN is up and working, the following command should show whether traffic is being encrypted/decrypted on the L2L VPN connection:
show crypto ipsec sa peer 70.62.100.14
At the moment I can't see anything that would otherwise prevent the traffic you're trying.
- Jouni
04-09-2012 01:05 PM
Result of the command: "show vpn-sessiondb l2l"
Session Type: LAN-to-LAN
Connection : 70.62.100.14
Index : 12 IP Addr : raytheon
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11614 Bytes Rx : 0
Login Time : 15:03:44 EDT Mon Apr 9 2012
Duration : 0h:57m:00s
Result of the command: "show crypto ipsec sa peer 70.62.100.14"
peer address: 70.62.100.14
Crypto map tag: outside_map, seq num: 20, local addr: 206.248.243.101
access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (raytheon/255.255.255.0/0/0)
current_peer: 70.62.100.14
#pkts encaps: 129, #pkts encrypt: 129, #pkts digest: 129
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 129, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 206.248.243.101, remote crypto endpt.: 70.62.100.14
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F2426E10
inbound esp sas:
spi: 0x7728536E (1999131502)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 49152, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 25380
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF2426E10 (4064439824)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 49152, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 25380
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
04-09-2012 01:09 PM
Hi,
Seems the L2L VPN is up and running.
It seems your ICMP or whatever traffic you have generated is going to the VPN connection but it's being blocked at the remote end, or the host just isn't responding. Or there just isn't any device with your mentioned IP on the remote network (perhaps turned off?)
In the output below you can see from the Bytes Rx counter that there is no return traffic on the L2L VPN connection.
Session Type: LAN-to-LAN
Connection : 70.62.100.14
Index : 12 IP Addr : raytheon
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11614 Bytes Rx : 0
Login Time : 15:03:44 EDT Mon Apr 9 2012
Duration : 0h:57m:00s
Is there any other traffic you can generate that could confirm the connection? Are you using some service with TCP on the remote site you could access?
And also to be sure: have you tried connections and ICMP directly from your computer behind the ASA and not just from the ASA itself?
But as I said, considering the above output it would seem to me that your end is now configured correctly. I don't know if you can do anything with this until you or someone else has confirmed the other end's access rules and made sure that there's some host on the remote network that will respond to your connection attempts.
- Jouni
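An added example, not from the thread: a Python check that reads the two outputs asked for above and classifies the tunnel the way the reply reads it by eye, from the encaps/decaps and Tx/Rx counters. The sample strings are the outputs posted in this thread, trimmed to the counter lines; the diagnosis codes and the hint text for each state are my own.

```python
import re
from typing import Dict

# Trimmed copies of the two outputs posted in the thread.
SESSION_OUTPUT = """\
Session Type: LAN-to-LAN
Connection : 70.62.100.14
Index : 12 IP Addr : raytheon
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11614 Bytes Rx : 0
"""

SA_OUTPUT = """\
peer address: 70.62.100.14
Crypto map tag: outside_map, seq num: 20, local addr: 206.248.243.101
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (raytheon/255.255.255.0/0/0)
#pkts encaps: 129, #pkts encrypt: 129, #pkts digest: 129
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Only the counters an operator actually reads; 'Index : 12' and 'seq num: 20' are deliberately not matched.
COUNTER_RE = re.compile(r"(Bytes [TR]x|#pkts (?:en|de)caps|#(?:send|recv) errors)\s*:\s*(\d+)")

# Diagnosis code -> where to look next (my wording, not Cisco's).
HINTS = {
    "no-traffic": "nothing matched the crypto ACL: check NAT exemption and the interesting-traffic ACL on this end",
    "one-way-tx": "we encrypt, nothing comes back: remote ACL/firewall, remote host down, or no route back to our LAN",
    "one-way-rx": "peer sends, we never answer: our inside ACL/NAT, or the host on our LAN is not responding",
    "errors": "send/recv errors present: look at SA mismatch, MTU and the logs before anything else",
    "bidirectional": "tunnel carries traffic both ways: the problem is above the tunnel",
}


def counters(text: str) -> Dict[str, int]:
    """Extract byte/packet counters from 'show vpn-sessiondb l2l' or 'show crypto ipsec sa' output."""
    return {label: int(value) for label, value in COUNTER_RE.findall(text)}


def diagnose(c: Dict[str, int]) -> str:
    """Classify a tunnel from its counters; packet counters are preferred, byte counters are the fallback."""
    if c.get("#send errors", 0) or c.get("#recv errors", 0):
        return "errors"
    tx = c.get("#pkts encaps", c.get("Bytes Tx", 0))
    rx = c.get("#pkts decaps", c.get("Bytes Rx", 0))
    if tx == 0 and rx == 0:
        return "no-traffic"
    if rx == 0:
        return "one-way-tx"
    if tx == 0:
        return "one-way-rx"
    return "bidirectional"


def report(text: str) -> str:
    """One-line verdict for a pasted command output."""
    code = diagnose(counters(text))
    return f"{code}: {HINTS[code]}"


if __name__ == "__main__":
    print(report(SESSION_OUTPUT))
    print(report(SA_OUTPUT))
```

Both posted outputs come out as one-way-tx, which is the case the reply describes: this end is encrypting, the peer never sends anything back. The no-traffic case is the one that points back at the NAT0 discussion earlier in the thread: on 8.2 the source address is translated before the crypto map is consulted, so a LAN packet that misses the NAT exemption list leaves with the outside address, never matches outside_1_cryptomap, and encaps stays at 0. The counters are cumulative for the life of the SA, so compare two readings taken around a test rather than trusting one snapshot.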
04-09-2012 01:29 PM
Also,
I'm not sure if it's needed, but I have the habit of attaching an access-list to my inside interface also, even if it is just to allow all traffic.
You could for example just add (to the existing list):
access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 any
and attach the access-list to your inside interface with:
access-group inside_access_in in interface inside
Also, you can remove this line from the mentioned access-list:
no access-list inside_access_in extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
- Jouni