ASA 5505 difficulties

cworsham80
Level 1

I have a Cisco ASA 5505 that I have been using for a demo network. I have users that can VPN in and, depending on their user credentials, they get a static IP address. All that has been working OK for some time. Today I am working with another company (Raytheon) that wants to set up a bridge between my ASA and their Cisco box (70.62.100.14). I have set up everything as best I can tell and I see the IPsec tunnel is now in place; however, somewhere along the way I have hosed my ASA, so from a box on my inside I cannot ping across the network, the ASA sends me outside. I use the packet tracer tool in ASDM and it says that I have been blocked by an implicit access list rule that I can't delete.


Please help; as always I have a big time crunch and my boss says "we've got dollars waiting on dimes here".

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname DemoASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.20.0 VPN_Pool description Assigned when coming from outside world
name 192.168.2.0 raytheon description Raytheon Demo
!
interface Vlan1
description Inside
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description Outside
nameif outside
security-level 0
ip address 206.248.243.101 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 216.12.23.231
name-server 209.145.84.131
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list demo_splitTunnelAcl standard permit VPN_Pool 255.255.255.0
access-list demo_splitTunnelAcl standard permit host 0.0.0.0
access-list demo_splitTunnelAcl standard permit raytheon 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 any VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_in extended permit esp any raytheon 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip any VPN_Pool 255.255.255.0
access-list nonat extended permit ip any 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list nonat extended permit ip any any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list inside_access_in extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.10.20.100-10.10.20.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address outside_1_cryptomap
crypto map outside_map 20 set pfs group1
crypto map outside_map 20 set peer 70.62.100.14
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
vpn-addr-assign local reuse-delay 1
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.3.100-192.168.3.149 inside
dhcpd dns 209.145.84.131 216.12.23.231 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy demo internal
group-policy demo attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
group-policy DfltGrpPolicy attributes
vpn-filter value nonat
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy StaticGroupPolicy internal
group-policy StaticGroupPolicy attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
username demo password XjFBA5DVYjFLLcDW encrypted privilege 0
username demo attributes
vpn-group-policy demo
username canned password sWQy7bl2cuq.v.v2 encrypted privilege 0
username canned attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.132 255.255.255.0
username radio password ye4nx3CdgBd7/S0Z encrypted privilege 0
username radio attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.131 255.255.255.0
username verizon password mmJzopA9lPGcK6W6 encrypted privilege 0
username verizon attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username fleet password sDCT4W0GjcdKsxZZ encrypted privilege 0
username fleet attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username chris password EBjiypjrtLaG.WFn encrypted privilege 0
username chris attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.20 255.255.255.0
username vzwsales password LaxsmuczZdHXa/DN encrypted privilege 0
username vzwsales attributes
vpn-group-policy demo
tunnel-group demo type remote-access
tunnel-group demo general-attributes
address-pool VPN_Pool
default-group-policy demo
tunnel-group demo ipsec-attributes
pre-shared-key *
tunnel-group 70.62.100.14 type ipsec-l2l
tunnel-group 70.62.100.14 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 70.62.100.14
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30e73add26875f1c3da12b49652f46bc
: end

10 Replies

Jouni Forss
VIP Alumni

Hi,

You will at least have to remove this line from the NAT0 rules:

access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 any

This line basically tells your ASA to pass all traffic from your LAN 192.168.3.0/24 to ANY destination network WITHOUT NAT.

It should be enough to have the NAT0 access-list lines with the destination address of the remote LAN and remote VPN Client pool addresses.

Also, the following line seems useless to me:

access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.0

This is because your NAT0 rule is attached to your inside interface and the destination network in the above rule is the inside network.

To me it seems that these are the 2 access-list lines regarding NAT0 you NEED to have:

access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0

The first one tells the ASA not to NAT the traffic between VPN Client users and the LAN. The other tells the ASA that traffic between the LAN and the remote site (Raytheon) isn't NATed. In other words, this traffic passes the ASA with its original source and destination addresses in both directions.

Also, please add this command to the ASA:

policy-map global_policy

class inspection_default

inspect icmp

This will let the ICMP replies come through the ASA without opening the access-list.

If your LAN-to-LAN VPN to Raytheon is working at the moment, ICMP across the VPN should work now, provided the remote end has allowed it.

Let me know if this helps or ask any additional questions.

And as always, please rate if the information was helpful.

- Jouni
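To make the effect of the flagged line concrete, here is an added example (not from the thread or from Cisco) that reads the two versions of inside_nat0_outbound_1 shown in the sh run outputs and applies the ASA 8.2 first-match NAT-exemption logic to a few flows from an inside host. The name map and ACL lines are copied from the config; treating the DM_INLINE object-groups as plain "ip" and the 192.168.3.100 source are assumptions for the demonstration.

```python
import ipaddress

# Name-to-address map taken from the "names" block in the thread's config.
NAMES = {"VPN_Pool": "10.10.20.0", "raytheon": "192.168.2.0"}

# Constructed copies of the NAT0 ACL from the two "sh run" outputs in the thread:
# the original five-line list and the trimmed list after the suggested removals.
ORIGINAL_NAT0 = """\
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
"""
TRIMMED_NAT0 = """\
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
"""


def _operand(tokens, i):
    """Parse one ACE address operand (any | host X | NET MASK) at tokens[i].
    Entries from the 'names' table are substituted. Returns (network, next index)."""
    tok = NAMES.get(tokens[i], tokens[i])
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = NAMES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(host + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text, acl_name):
    """Return the ACEs of one extended ACL as (action, protocol, src, dst) tuples,
    in configuration order (the ASA evaluates them first match wins)."""
    aces = []
    for line in config_text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, proto, i = t[3], t[4], 5
        if proto == "object-group":   # assumption: the DM_INLINE_* groups in the
            proto, i = "ip", 6        # thread all contain ip, so treat them as ip
        src, i = _operand(t, i)
        dst, _ = _operand(t, i)
        aces.append((action, proto, src, dst))
    return aces


def nat_decision(aces, src_ip, dst_ip, proto="icmp"):
    """Model 'nat (inside) 0 access-list <acl>' checked ahead of 'nat (inside) 1 0 0':
    a flow matching a permit ACE is exempt from NAT and leaves with its private
    source address; anything else is PATed to the outside interface address."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src, dst in aces:
        if ace_proto in ("ip", proto) and s in src and d in dst:
            return "NO-NAT" if action == "permit" else "PAT"
    return "PAT"


def compare(src_ip, dst_ip):
    """NAT decision for one flow under the original list versus the trimmed one."""
    before = nat_decision(parse_acl(ORIGINAL_NAT0, "inside_nat0_outbound_1"), src_ip, dst_ip)
    after = nat_decision(parse_acl(TRIMMED_NAT0, "inside_nat0_outbound_1"), src_ip, dst_ip)
    return before, after


if __name__ == "__main__":
    # Raytheon LAN, a VPN client address, and the configured public DNS server.
    for dst in ("192.168.2.100", "10.10.20.131", "216.12.23.231"):
        before, after = compare("192.168.3.100", dst)
        print(f"192.168.3.100 -> {dst}: original={before} trimmed={after}")
```

The point the output makes: under the original list, traffic to the public DNS server 216.12.23.231 is also exempted from NAT, so it leaves the outside interface with a 192.168.3.x source and no reply can ever come back; the trimmed list exempts only the VPN pool and Raytheon destinations.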

Also,

I suggest you delete all the access-lists that are useless. It seems you have some old access-lists used for NAT0 configurations that you have left on the ASA.

At least for me they make the configuration a bit harder to read, as they look the same.

I tend to name the access-list with all capital letters to make them stand out in the CLI format.

For example inside access-list I usually name INSIDE-IN

outside access-list I usually name OUTSIDE-IN

NAT0 access-list I usually name INSIDE-NAT0

But all this is of course down to personal preference.

- Jouni

Made the suggested changes and still cannot ping from my inside (192.168.3.1) to the client PC at Raytheon, 192.168.2.100.

Updated sh run:

I'll work on those naming conventions, +1 for that.

Thanks for the help so far, I really need to get this thing up.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname DemoASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.20.0 VPN_Pool description Assigned when coming from outside world
name 192.168.2.0 raytheon description Raytheon Demo
!
interface Vlan1
description Inside
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description Outside
nameif outside
security-level 0
ip address 206.248.243.101 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 216.12.23.231
name-server 209.145.84.131
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list demo_splitTunnelAcl standard permit VPN_Pool 255.255.255.0
access-list demo_splitTunnelAcl standard permit host 0.0.0.0
access-list demo_splitTunnelAcl standard permit raytheon 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 any VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_in extended permit esp any raytheon 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip any VPN_Pool 255.255.255.0
access-list nonat extended permit ip any 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip VPN_Pool 255.255.255.0 VPN_Pool 255.255.255.0
access-list nonat extended permit ip any any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list nonat extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
access-list inside_access_in extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.10.20.100-10.10.20.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address outside_1_cryptomap
crypto map outside_map 20 set pfs group1
crypto map outside_map 20 set peer 70.62.100.14
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
vpn-addr-assign local reuse-delay 1
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.3.100-192.168.3.149 inside
dhcpd dns 209.145.84.131 216.12.23.231 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy demo internal
group-policy demo attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
group-policy DfltGrpPolicy attributes
vpn-filter value nonat
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy StaticGroupPolicy internal
group-policy StaticGroupPolicy attributes
dns-server value 192.168.3.1 209.145.84.131
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value inside_nat0_outbound
username demo password XjFBA5DVYjFLLcDW encrypted privilege 0
username demo attributes
vpn-group-policy demo
username canned password sWQy7bl2cuq.v.v2 encrypted privilege 0
username canned attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.132 255.255.255.0
username radio password ye4nx3CdgBd7/S0Z encrypted privilege 0
username radio attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.131 255.255.255.0
username verizon password mmJzopA9lPGcK6W6 encrypted privilege 0
username verizon attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username fleet password sDCT4W0GjcdKsxZZ encrypted privilege 0
username fleet attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.130 255.255.255.0
username chris password EBjiypjrtLaG.WFn encrypted privilege 0
username chris attributes
vpn-group-policy demo
vpn-framed-ip-address 10.10.20.20 255.255.255.0
username vzwsales password LaxsmuczZdHXa/DN encrypted privilege 0
username vzwsales attributes
vpn-group-policy demo
tunnel-group demo type remote-access
tunnel-group demo general-attributes
address-pool VPN_Pool
default-group-policy demo
tunnel-group demo ipsec-attributes
pre-shared-key *
tunnel-group 70.62.100.14 type ipsec-l2l
tunnel-group 70.62.100.14 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 70.62.100.14
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:067a91790275fbdaf24c7fee5553a666
: end

Hi,

This might be related to the fact that you are using the ASA interface IP address (not 100% sure). The ASA is pretty picky when you are making connections to its interface and also using it as the source address.

Can you try some random source address like 192.168.3.100, for example, and see what it gives? Or better yet, some computer behind the ASA.

- Jouni

My PC is static at 192.168.3.100 255.255.255.0. I cannot ping or tracert to 192.168.2.100.

Hi,

Can you confirm that the actual LAN-to-LAN VPN is up?

You can confirm this in ASDM, or use the following command on the CLI:

show vpn-sessiondb l2l

If the L2L VPN is up and working, the following command should show whether traffic is being encrypted/decrypted on the L2L VPN connection:

show crypto ipsec sa peer 70.62.100.14

At the moment I can't see anything that would otherwise prevent the traffic you're trying.

- Jouni

Result of the command: "show vpn-sessiondb l2l"

Session Type: LAN-to-LAN

Connection   : 70.62.100.14
Index        : 12                     IP Addr      : raytheon
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 11614                  Bytes Rx     : 0
Login Time   : 15:03:44 EDT Mon Apr 9 2012
Duration     : 0h:57m:00s


Result of the command: "show crypto ipsec sa peer 70.62.100.14"

peer address: 70.62.100.14
    Crypto map tag: outside_map, seq num: 20, local addr: 206.248.243.101

      access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 raytheon 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (raytheon/255.255.255.0/0/0)
      current_peer: 70.62.100.14

      #pkts encaps: 129, #pkts encrypt: 129, #pkts digest: 129
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 129, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 206.248.243.101, remote crypto endpt.: 70.62.100.14

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F2426E10

    inbound esp sas:
      spi: 0x7728536E (1999131502)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 49152, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 25380
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xF2426E10 (4064439824)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 49152, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 25380
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hi,

Seems the L2L VPN is up and running.

It seems your ICMP or whatever traffic you have generated is going into the VPN connection, but it's being blocked at the remote end or the host just isn't responding. Or there just isn't any device with your mentioned IP on the remote network (perhaps turned off?).

Below, highlighted in RED, you can see that there is no return traffic on the L2L VPN connection.

Session Type: LAN-to-LAN

Connection   : 70.62.100.14
Index        : 12                     IP Addr      : raytheon
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 11614                  Bytes Rx     : 0
Login Time   : 15:03:44 EDT Mon Apr 9 2012
Duration     : 0h:57m:00s

Is there any other traffic you can generate that could confirm the connection? Are you using some service with TCP on the remote site that you could access?

And also, to be sure: have you tried connections and ICMP directly from your computer behind the ASA and not just from the ASA itself?

But as I said, considering the above output, it would seem to me that your end is now configured correctly. I don't know if you can do anything with this until you or someone else has confirmed the other end's access rules and made sure that there's some host on the remote network that will respond to your connection attempts.

- Jouni
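The read Jouni gives of the two outputs (packets encapsulated but none decapsulated, bytes transmitted but none received) can be automated. This is an added example, not from the thread or Cisco: it parses the counters out of "show crypto ipsec sa" and "show vpn-sessiondb l2l" text and classifies the tunnel as idle, one-way or bidirectional. The sample outputs are constructed from the values posted above; the classification labels and the multi-peer handling are my own additions.

```python
import re

# Constructed samples, trimmed to the lines the diagnosis needs, with the
# values from the thread (encaps 129 / decaps 0, Bytes Tx 11614 / Rx 0).
SESSION_OUTPUT = """\
Session Type: LAN-to-LAN

Connection   : 70.62.100.14
Index        : 12                     IP Addr      : raytheon
Bytes Tx     : 11614                  Bytes Rx     : 0
"""
IPSEC_SA_OUTPUT = """\
peer address: 70.62.100.14
    Crypto map tag: outside_map, seq num: 20, local addr: 206.248.243.101
      #pkts encaps: 129, #pkts encrypt: 129, #pkts digest: 129
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""


def parse_counters(text):
    """Collect every '#name: value' counter in a 'show crypto ipsec sa' block."""
    return {k.strip(): int(v) for k, v in re.findall(r"#([\w -]+?):\s*(\d+)", text)}


def parse_sas(text):
    """Split full 'show crypto ipsec sa' output into {peer: counters}. The thread
    shows a single peer; the split handles several peers in one output too."""
    parts = re.split(r"peer address:\s*(\S+)", text)
    # parts = [preamble, peer1, body1, peer2, body2, ...]
    return {peer: parse_counters(body) for peer, body in zip(parts[1::2], parts[2::2])}


def parse_session(text):
    """Return (bytes_tx, bytes_rx) from 'show vpn-sessiondb l2l' output."""
    tx = re.search(r"Bytes Tx\s*:\s*(\d+)", text)
    rx = re.search(r"Bytes Rx\s*:\s*(\d+)", text)
    return int(tx.group(1)), int(rx.group(1))


def classify(sent, received):
    """Turn an outbound/inbound counter pair into a diagnosis label and hint."""
    if sent == 0 and received == 0:
        return "NO-TRAFFIC", "nothing has matched the crypto ACL; check interesting traffic and routing"
    if sent > 0 and received == 0:
        return "ONE-WAY-OUT", "local side encrypts but nothing returns; check the remote ACL/NAT and that the target host exists"
    if sent == 0 and received > 0:
        return "ONE-WAY-IN", "remote side sends but local never replies; check local NAT exemption and inside ACL"
    return "BIDIRECTIONAL", "traffic is flowing both ways"


def diagnose_sa(counters):
    """Diagnosis from encaps/decaps plus a note on any send/recv errors."""
    label, hint = classify(counters.get("pkts encaps", 0), counters.get("pkts decaps", 0))
    errors = counters.get("send errors", 0) + counters.get("recv errors", 0)
    if errors:
        hint += f"; {errors} send/recv errors also recorded"
    return label, hint


def diagnose_session(text):
    """Same classification driven by the session's byte counters."""
    return classify(*parse_session(text))


if __name__ == "__main__":
    for peer, counters in parse_sas(IPSEC_SA_OUTPUT).items():
        print(peer, *diagnose_sa(counters))
    print("session", *diagnose_session(SESSION_OUTPUT))
```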

Also,

I'm not sure if it's needed, but I have the habit of attaching an access-list to my inside interface also, even if it is just to allow all traffic.

You could, for example, just add (to the existing list):

access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 any

and attach the access-list to your inside interface with:

access-group inside_access_in in interface inside

Also, you can remove this line from the mentioned access-list:

no access-list inside_access_in extended permit ip raytheon 255.255.255.0 192.168.3.0 255.255.255.0

- Jouni
