11-06-2013 05:28 AM
Have an ASA 5510 9.1(2) and ASA 5505 9.1(2)
The 5510 is located in the main office and the 5505 is located at a remote facility. I want to create a tunnel that will allow the main office to access the subnets at the remote facility while allowing the devices at the remote facility to access the devices at the main office. Example below.
5510
10.2.0.0/16
/\
||
\/
5505
172.16.0.0/16
10.166.0.0/16
Currently, I have one of the interfaces on the 5510 configured for a VLAN for our wifi. Another interface is configured for our backup ISP. That setup works fantastic. I ran the site-to-site VPN wizard according to this video "https://supportforums.cisco.com/videos/5933", but I'm confused by a couple of the settings.
Do I enable nat exempt? Do I do this on both devices or just one and if so which one?
Do I need to setup static routes to access these different subnets?
There is a router involved but it's for the primary ISP. It's currently set to forward any packets destined for the 2 subnets at the remote facility to the 5510. So the packets do get forwarded but seem to die once they hit the 5510.
11-07-2013 07:38 AM
Well, I think I'm getting ahead of myself. I'm able to ping the remote office on the 10.166.0.0/16 network but that's all. I'm unable to RDP, telnet, or SSH into any of the boxes on that network. The ACLs say IP is permitted. Any ideas?
11-07-2013 08:01 AM
Hi,
In the previous configurations I can't see anything that should cause this. I guess we can also look at the current configurations on both devices.
I guess you could use TCP Ping on the ASAs to test whether any of the hosts' ports answer to a TCP SYN.
The one run from ASA5510 should send the traffic through the L2L VPN. Use different ports and host IPs to test connections to your devices.
The one run from ASA5505 sends the traffic directly from the ASA that is in the same network as the hosts.
ASA5510
ping tcp
ASA5505
ping tcp
- Jouni
11-07-2013 08:29 AM
I can ping hosts on the network the ASA is on. For example, on the 5505 (10.166.1.10), I can ping other hosts in the same subnet. If I try to ping any host on 10.2.0.0/16 I get the following message.
from the 5505
ping tcp 10.2.2.10 3389
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.2.2.10 port 3389
from 69.x.x.x, timeout is 2 seconds:
?????
Success rate is 0 percent <0/5>
Same thing when I do the reverse from the 5510.
from the 5510
ping tcp 10.166.1.190 3389
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.2.2.10 port 3389
from 64.x.x.x, timeout is 2 seconds:
?????
Success rate is 0 percent <0/5>
If I configure a pc to use the 5510 as it's gateway, I can ping hosts on the 10.166.0.0 range but that's all.
11-07-2013 08:33 AM
Hi,
The commands you used don't really follow the instructions.
The first one I listed is meant to send a TCP SYN from the ASA5510 with a certain source address. If you don't specify it, it will source the TCP SYN from the wrong IP address.
The second one I listed is meant to test the port connectivity directly from the ASA5505 unit, and that doesn't need a source address specified since it will use the connected network's interface.
Your test from the ASA5505 would probably fail because the ASA would use its "outside" interface as the source, and that traffic would not even match the L2L VPN configuration.
Same thing with the test on ASA5510
- Jouni
11-07-2013 08:49 AM
Sorry I did misread your answer. When I run the ping from the 5510 it complains of invalid input.
ping 10.166.1.190 3389 10.2.100.100 12345
^
ERROR: % Invalid input detected at '^' marker.
When I run it like the following it does complete but still 0% rate.
From the 5510
dalasa# ping tcp
Interface: private
Target IP address: 10.166.1.190
Destination port: [80] 3389
Specify source? [n]: y
Source IP address: 10.2.100.100
Source port: [0] 12345
Repeat count: [5]
Timeout in seconds: [2]
Type escape sequence to abort.
Sending 5 TCP SYN requests to 10.166.1.190 port 3389
from 10.2.100.100 starting port 12345, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
dalasa#
11-07-2013 08:55 AM
Hi,
In the original command you at least left out the "tcp" in the "ping" command.
I actually forgot to add one parameter to the other command
ASA5510
ping tcp
Can you take the output of the following command from both ASAs after you have tested some actual connections
show crypto ipsec sa
We might need to take a look at the current configurations of the ASAs also.
- Jouni
11-07-2013 09:11 AM
From the 5510
dalasa> ping tcp 10.166.1.190 3389 source 10.2.100.100 12345
Type escape sequence to abort.
Sending 5 TCP SYN requests to 10.166.1.190 port 3389
from 10.2.100.100 starting port 12345, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
From the 5510
dalasa# show crypto ipsec sa
interface: tw
Crypto map tag: tw_map, seq num: 1, local addr: 64.x.x.x
access-list L2LVPN-ACL extended permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
current_peer: 69.x.x.x
#pkts encaps: 292, #pkts encrypt: 292, #pkts digest: 292
#pkts decaps: 5649, #pkts decrypt: 5649, #pkts verify: 5649
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 292, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 64.x.x.x/500, remote crypto endpt.: 69.x.x.x/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D3A8F8E2
current inbound spi : 5265B21A
inbound esp sas:
spi: 0x5265B21A (1382396442)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 20389888, crypto-map: tw_map
sa timing: remaining key lifetime (kB/sec): (4007801/22921)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD3A8F8E2 (3551066338)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 20389888, crypto-map: tw_map
sa timing: remaining key lifetime (kB/sec): (3962859/22921)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
dalasa#
From the 5505
5505asa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 69.x.x.x
access-list L2LVPN-ACL extended permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: 64.x.x.x
#pkts encaps: 5649, #pkts encrypt: 5649, #pkts digest: 5649
#pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5649, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 69.x.x.x/500, remote crypto endpt.: 64.x.x.x/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5265B21A
current inbound spi : D3A8F8E2
inbound esp sas:
spi: 0xD3A8F8E2 (3551066338)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 92712960, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239339/22735)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5265B21A (1382396442)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 92712960, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4007801/22735)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
5505asa#
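The two outputs above can be checked against each other mechanically. The following script is an added example, not something from this thread or from Cisco: it parses excerpts of the two `show crypto ipsec sa` outputs posted above (embedded inline, with the public addresses masked exactly as the poster masked them), confirms that the proxy identities mirror each other, that each end's outbound SPI is the other end's inbound SPI, and that what one end encapsulated the other end decapsulated, and flags the transform the tunnel actually negotiated. The field regexes and the `WEAK_TRANSFORMS` list are my own choices.

```python
import re

# Excerpts of the two "show crypto ipsec sa" outputs posted in the thread,
# embedded here (constructed from the thread) so the script runs offline.
ASA5510 = """\
interface: tw
Crypto map tag: tw_map, seq num: 1, local addr: 64.x.x.x
local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
current_peer: 69.x.x.x
#pkts encaps: 292, #pkts encrypt: 292, #pkts digest: 292
#pkts decaps: 5649, #pkts decrypt: 5649, #pkts verify: 5649
current outbound spi: D3A8F8E2
current inbound spi : 5265B21A
transform: esp-des esp-sha-hmac no compression
transform: esp-des esp-sha-hmac no compression
"""

ASA5505 = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 69.x.x.x
local ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: 64.x.x.x
#pkts encaps: 5649, #pkts encrypt: 5649, #pkts digest: 5649
#pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292
current outbound spi: 5265B21A
current inbound spi : D3A8F8E2
transform: esp-des esp-sha-hmac no compression
transform: esp-des esp-sha-hmac no compression
"""

# Transforms a practitioner should not accept on a new tunnel (my own list).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Extract the fields needed for a peer-to-peer comparison from one output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    return {
        "local_ident": grab(r"local ident \(addr/mask/prot/port\):\s*\((\S+?)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\):\s*\((\S+?)\)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
        "outbound_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)").upper(),
        "inbound_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
        "transforms": sorted(set(re.findall(r"transform:\s*(esp-\S+ esp-\S+)", text))),
    }


def check_tunnel(text_a, text_b):
    """Compare both ends of one L2L SA; return parsed data plus a list of findings."""
    a, b = parse_ipsec_sa(text_a), parse_ipsec_sa(text_b)
    findings = []

    # The proxy identities (the crypto ACL networks) must be mirror images.
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identity mismatch: crypto ACLs are not mirror images")

    # Each end's outbound SPI is the other end's inbound SPI; otherwise the two
    # outputs are not describing the same SA pair.
    if a["outbound_spi"] != b["inbound_spi"] or b["outbound_spi"] != a["inbound_spi"]:
        findings.append("SPI mismatch: outputs do not describe the same SA pair")

    # Per direction: what one end encapsulated, the other end should decapsulate.
    for label, tx, rx in (("A->B", a, b), ("B->A", b, a)):
        if tx["encaps"] == 0:
            findings.append(f"{label}: nothing entered the tunnel "
                            "(sender-side routing, NAT or crypto ACL)")
        elif rx["decaps"] == 0:
            findings.append(f"{label}: {tx['encaps']} packets encrypted, none "
                            "decrypted by the peer (dropped in transit?)")
        elif tx["encaps"] - rx["decaps"] > 0:
            findings.append(f"{label}: {tx['encaps'] - rx['decaps']} packets "
                            "encapsulated but not decapsulated")

    # Flag the cipher/integrity transform the tunnel actually negotiated.
    for t in sorted(set(a["transforms"] + b["transforms"])):
        weak = [w for w in t.split() if w in WEAK_TRANSFORMS]
        if weak:
            findings.append(f"weak transform in use: {t} ({', '.join(weak)})")

    bidirectional = all(x["encaps"] > 0 and x["decaps"] > 0 for x in (a, b))
    return {"a": a, "b": b, "bidirectional": bidirectional, "findings": findings}


if __name__ == "__main__":
    print(check_tunnel(ASA5510, ASA5505))
```

On the outputs in this thread the counters line up (292 encapsulated by the 5510 and 292 decapsulated by the 5505, 5649 the other way), so the only finding is the transform: the tunnel negotiated esp-des, a 56-bit cipher that should be replaced with an AES transform set on both peers. Two caveats: the counters only count packets that reached the ASA and matched the crypto ACL, so a healthy pair of counters says nothing about hosts whose replies take another path, which is where this thread ends up; and a change in these counters between two snapshots taken around a test is more telling than the absolute values, which accumulate for the life of the SA.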
11-07-2013 10:31 AM
Hi,
There seems to be traffic in both directions on the L2L VPN, so that is strange. You said that ICMP works but nothing else.
Are there any TCP-based services that you could enable on the remote hosts, like installing a VNC server on the hosts and trying connections like that? Just to make sure that there is no actual problem with the remote end hosts, for example related to a software firewall.
When traffic only flows in one direction then it's sometimes a problem with routing, but it doesn't seem to be the case with this setup, as we clearly see that both ends have generated traffic towards the other remote end.
You could configure a traffic capture on the ASA5505 if you want to confirm that it sees the traffic coming from the site with the ASA5510 and if it sees any return traffic coming from the LAN.
You could configure this on the ASA5505
access-list L2LVPN-CAP permit ip host 10.2.x.x host 10.166.x.x
access-list L2LVPN-CAP permit ip host 10.166.x.x host 10.2.x.x
capture L2LVPN-CAP type raw-data access-list L2LVPN-CAP interface inside buffer 2000000
Replace the above IP addresses with the actual IP address of the host you are using to attempt the connection, and naturally replace the destination host IP address with the actual host IP you are trying to connect to.
Then, after the capture is configured and you have tested the connection once or twice, issue the following commands. Also send ICMP, since you mention it works but nothing else.
show capture
show capture L2LVPN-CAP
And show us the output
- Jouni
11-07-2013 01:14 PM
I think the tunnel is just fine. When I configure a PC at the main office with its gateway set to use the 5510 and set up a PC at the remote office to use the 5505 as its gateway, everything communicates across all ports. I'm able to RDP from the 5510 to the PC behind the 5505 and vice versa.
The issue I think now is that there's a routing issue from the 5505 and its "router", which is a Juniper firewall. I have a static route set up on it to forward any traffic for the 10.2.0.0/16 network to the 5505.
The same goes for the 5510. The router here is a cisco that forwards any traffic destined for any of the subnets I listed before to the 5510.
I think it's a routing issue. What about you?
11-07-2013 01:20 PM
Hi,
If the ASA firewalls aren't the actual default gateway of the networks they are connected to (as you mention you have to separately route the remote networks towards the ASA at that location) then it is/was a routing problem.
I was not aware that the ASAs were not actually the devices through which ALL traffic was forwarded.
- Jouni
11-07-2013 02:09 PM
Hi,
So were you able to get the network setup so that the connections between the 2 locations work without making actual changes on the hosts?
If there are no more problems then please remember to mark a reply as the correct answer if it answered your question and/or rate helpful answers.
You can naturally ask more questions if there is still some problems with the setup.
- Jouni