2206 Views, 0 Helpful, 25 Replies

ASA to ASA Site to Site VPN

backpage1 (Level 1)

Have an ASA 5510 9.1(2) and ASA 5505 9.1(2)

The 5510 is located in the main office and the 5505 is located at a remote facility.  I want to create a tunnel that will allow the main office to access the subnets at the remote facility while allowing the devices at the remote facility to access the devices at the main office.  Example below.

5510

10.2.0.0/16

     /\

     ||

     \/

5505

172.16.0.0/16

10.166.0.0/16

Currently, I have one of the interfaces on the 5510 configured for a VLAN for our wifi.  Another interface is configured for our backup ISP.  That setup works fantastic.  I ran the site-to-site VPN wizard according to this video "https://supportforums.cisco.com/videos/5933", but I'm confused with a couple of the settings.

Do I enable nat exempt?  Do I do this on both devices or just one and if so which one?

Do I need to setup static routes to access these different subnets?

There is a router involved but it's for the primary ISP.  It's currently set to forward any packets destined for the 2 subnets at the remote facility to the 5510.  So the packets do get forwarded but seem to die once they hit the 5510.

25 Replies

Well, I think I'm getting ahead of myself.  I'm able to ping the remote office on the 10.166.0.0/16 network, but that's all.  I'm unable to RDP, telnet, or SSH into any of the boxes on that network.  The ACLs say IP is permitted.  Any ideas?

Hi,

In the previous configurations I can't see anything that should cause this. I guess we can also look at the current configurations on both devices.

I guess you could use TCP Ping on the ASAs to test if any of the hosts' ports answer to TCP SYN.

The one run from ASA5510 should send the traffic through the L2L VPN. Use different ports and host IPs to test connections to your devices.

The one run from ASA5505 sends the traffic directly from the ASA that is in the same network as the hosts.

ASA5510

ping tcp 10.2.100.100 12345

ASA5505

ping tcp

- Jouni

I can ping hosts on the network the ASA is on.  For example, on the 5505 (10.166.1.10), I can ping other hosts in the same subnet.  If I try to ping any host on the 10.2.0.0/16, I get the following message.

from the 5505

ping tcp 10.2.2.10 3389
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.2.2.10 port 3389
from 69.x.x.x, timeout is 2 seconds:
?????
Success rate is 0 percent <0/5>

Same thing when I do the reverse from the 5510.

from the 5510

ping tcp 10.166.1.190 3389
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.2.2.10 port 3389
from 64.x.x.x, timeout is 2 seconds:
?????
Success rate is 0 percent <0/5>

If I configure a PC to use the 5510 as its gateway, I can ping hosts on the 10.166.0.0 range, but that's all.

Hi,

The commands you used don't really follow the instructions.

The first one I listed is meant to send TCP SYN from the ASA5510 with a certain source address. If you don't specify it, it will source the TCP SYN from the wrong IP address.

The second one I listed is meant to test the port connectivity directly from the ASA5505 unit, and that doesn't need a source address specified since it will use the connected network's interface.

Your test from the ASA5505 would probably fail because the ASA would probably use its "outside" interface as source and that traffic would not even match the L2L VPN configurations.

Same thing with the test on ASA5510.

- Jouni

Sorry I did misread your answer.  When I run the ping from the 5510 it complains of invalid input.

ping 10.166.1.190 3389 10.2.100.100 12345
                               ^
ERROR: % Invalid input detected at '^' marker.

When I run it like the following, it does complete but still gives a 0% rate.

From the 5510

dalasa# ping tcp
Interface: private
Target IP address: 10.166.1.190
Destination port: [80] 3389
Specify source? [n]: y
Source IP address: 10.2.100.100
Source port: [0] 12345
Repeat count: [5]
Timeout in seconds: [2]
Type escape sequence to abort.
Sending 5 TCP SYN requests to 10.166.1.190 port 3389
from 10.2.100.100 starting port 12345, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
dalasa#

Hi,

In the original command you at least left out the "tcp" in the "ping" command.

I actually forgot to add one parameter to the other command.

ASA5510

ping tcp source 10.2.100.100 12345

Can you take the output of the following command from both ASAs after you have tested some actual connections?

show crypto ipsec sa

We might need to take a look at the current configurations of the ASAs also.

- Jouni

From the 5510

dalasa> ping tcp 10.166.1.190 3389 source 10.2.100.100 12345
Type escape sequence to abort.
Sending 5 TCP SYN requests to 10.166.1.190 port 3389
from 10.2.100.100 starting port 12345, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

From the 5510

dalasa# show crypto ipsec sa
interface: tw
    Crypto map tag: tw_map, seq num: 1, local addr: 64.x.x.x

      access-list L2LVPN-ACL extended permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
      current_peer: 69.x.x.x

      #pkts encaps: 292, #pkts encrypt: 292, #pkts digest: 292
      #pkts decaps: 5649, #pkts decrypt: 5649, #pkts verify: 5649
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 292, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.x.x.x/500, remote crypto endpt.: 69.x.x.x/500
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: D3A8F8E2
      current inbound spi : 5265B21A

    inbound esp sas:
      spi: 0x5265B21A (1382396442)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 20389888, crypto-map: tw_map
         sa timing: remaining key lifetime (kB/sec): (4007801/22921)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD3A8F8E2 (3551066338)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 20389888, crypto-map: tw_map
         sa timing: remaining key lifetime (kB/sec): (3962859/22921)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
dalasa#

From the 5505

5505asa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 69.x.x.x

      access-list L2LVPN-ACL extended permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 64.x.x.x

      #pkts encaps: 5649, #pkts encrypt: 5649, #pkts digest: 5649
      #pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5649, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 69.x.x.x/500, remote crypto endpt.: 64.x.x.x/500
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5265B21A
      current inbound spi : D3A8F8E2

    inbound esp sas:
      spi: 0xD3A8F8E2 (3551066338)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 92712960, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4239339/22735)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5265B21A (1382396442)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 92712960, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4007801/22735)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
5505asa#

Hi,

There seems to be traffic in both directions on the L2L VPN, so that is strange. You said that the ICMP works but nothing else.

Are there any TCP-based services that you could enable on the remote hosts, like installing a VNC server on the hosts and trying connections like that? Just to make sure that there is no actual problem with the remote end hosts, for example related to a software firewall.

When traffic only flows in one direction, it's sometimes a problem with routing, but it doesn't seem to be the case with this setup, as we clearly see that both ends have generated traffic towards the other remote end.

You could configure a traffic capture on the ASA5505 if you want to confirm that it sees the traffic coming from the site with ASA5510 and if it sees any return traffic coming from the LAN.

You could configure this on the ASA5505:

access-list L2LVPN-CAP permit ip host 10.2.x.x host 10.166.x.x
access-list L2LVPN-CAP permit ip host 10.166.x.x host 10.2.x.x
capture L2LVPN-CAP type raw-data access-list L2LVPN-CAP interface inside buffer 2000000

Replace the above IP addresses with the actual IP address of the host you are using to attempt the connection, and naturally replace the destination host IP address with the actual host IP you are trying to connect to.

Then, after the capture is configured and you have tested the connection once or twice, issue the following commands. Also send ICMP, since you mention it works but nothing else.

show capture
show capture L2LVPN-CAP

And show us the output.

- Jouni
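The reasoning above compares the encaps/decaps counters on the two ASAs to decide whether traffic is flowing in both directions. The following is an added example (not code from the thread or from Cisco) that automates that comparison on abridged "show crypto ipsec sa" text constructed from the outputs posted above; the field names and counter values are the ones the thread shows, and the "x.x.x" addresses are kept as posted.

```python
import re

# Constructed samples, abridged from the two outputs posted in this thread.
ASA5510_SA = """\
interface: tw
    Crypto map tag: tw_map, seq num: 1, local addr: 64.x.x.x
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
      current_peer: 69.x.x.x
      #pkts encaps: 292, #pkts encrypt: 292, #pkts digest: 292
      #pkts decaps: 5649, #pkts decrypt: 5649, #pkts verify: 5649
"""
ASA5505_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 69.x.x.x
      local ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 64.x.x.x
      #pkts encaps: 5649, #pkts encrypt: 5649, #pkts digest: 5649
      #pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292
"""

def parse_sa(text):
    """Pull the proxy identities and packet counters out of one SA block."""
    def grab(pattern):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError("field not found: " + pattern)
        return match.group(1)
    return {
        "local": grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "encaps": int(grab(r"#pkts encaps: (\d+)")),
        "decaps": int(grab(r"#pkts decaps: (\d+)")),
    }

def check_tunnel(a, b):
    """Return findings for the pair of SA blocks; an empty list means both
    directions carry traffic and the counters agree, as in this thread."""
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirror images of each other")
    if a["encaps"] == 0 or b["encaps"] == 0:
        findings.append("one side has sent nothing: check routing toward that ASA")
    if a["encaps"] > b["decaps"] or b["encaps"] > a["decaps"]:
        findings.append("encaps exceed peer decaps: packets lost between the peers")
    return findings
```

With the counters from this thread the check returns no findings, which matches the conclusion that the tunnel itself is fine and the problem lies in routing outside the ASAs.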

I think the tunnel is just fine.  When I configure a PC at the main office with its gateway set to use the 5510 and set up a PC at the remote office to use the 5505 as its gateway, everything communicates across all ports.  I'm able to RDP from the 5510 to the PC behind the 5505 and vice versa.

The issue, I think now, is that there's a routing issue between the 5505 and its "router", which is a Juniper firewall.  I have a static route set up on it to forward any traffic for the 10.2.0.0/16 network to the 5505.

The same goes for the 5510.  The router here is a Cisco that forwards any traffic destined for any of the subnets I listed before to the 5510.

I think it's a routing issue.  What about you?

Hi,

If the ASA firewalls aren't the actual default gateway of the networks they are connected to (as you mention you have to separately route the remote networks towards the ASA at that location), then it is/was a routing problem.

I was not aware that the ASAs were not actually the devices through which ALL traffic was forwarded.

- Jouni

Hi,

So were you able to get the network setup so that the connections between the 2 locations work without making actual changes on the hosts?

If there are no more problems, then please remember to mark a reply as the correct answer if it answered your question and/or rate helpful answers.

You can naturally ask more questions if there are still some problems with the setup.

- Jouni
